AIS Exam #3 (CH. 11/12)

definitions of examples of security risks and attacks

**** spywayre, spoofing, etc

COSO stands for Committee of Sponsoring Organizations. It composes of 5 organizations: ________, ________, _______, IMA and AICPA

IIA, AAA, FEI

what is an example of IT general controls? (ITGC)

IT control environment

COBIT defines the overall IT control frame work, and _________ provides the details for IT service management which is released by the UK office of government commerce (OGC) and is the most widely accepted models for IT service management`

ITIL

relevant technologies in performing continuous auditing

XML and XBRL, data analytics/data mining, CAATs

given your understanding of COSO ERM, what are factors regarding internal environment

a firm's organizational structure, board of directors, and the audit committee a firm's risk management philosophy and risk appetite a firms human resource policies/practices and development of personnel a firm's integrity and ethical values

what is a message digest?

a result of a hashing procsss such as using the SHA-256 algorithm

visualization and cloud computing

a virtual machine containing system applications and data backups is often resides in the cloud off-side or at various locations

VPN

access points stations

ISO 27000 series

address information security issues

asymmetric-key encryption methods

also called two key encryption also called public key encryption slow and is not appropriate for encrypting large data sets

common computer frauds include:

altering computer-readable records and files misuse of computer hardware altering the logic of computer software

management selects risk responses according to the entity's risk tolerances and risk ________

appetite

parallel simulation

attempts to simulate the firm's key features or processes

management is responsible for fraud risk assessments, while the ________ ____________ typically has an oversight role in the process

audit committee

authentication process

authentication can prevent repudiation while conducting transactions online

what is the common practice in using symmetric key encryption and asymmetric key encryption methods in conducting e-business?

both parties use the asymmetric key encryption method to distribute the symmetric key securely both parties use the asymmetric key encryption method to authenticate each other

when using asymmetric key encryption method in ebuisness, a _______ authority (CA) is a trusted entity that issues and revokes digital certificates. a digital certificate indicates the subscriber identified in the certificate with sole control and access to the private key, an binds the name of a subscriber to a public key

certificate

control environment

managment establishes with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives

to create a digital signature, the document creator must use his or her own private key to encrypt the ___________ ________ (MD), so the digital signature also authenticates the document creator

message digest

data ________ is the process of searching for patterns in the data and analyzing these patterns for decision making

mining

Per COBIT 5, IT management includes, planning, building, running and __________, activities in alignment with the direction necessary to achieve the firm's objectives

monitoring

to support a firm in its efforts to achieve internal control objectives, COSO 2013 suggests 5 components of internal control including

monitoring information & communication control activities control environment risk assessment

examples of detective controls

monthly bank reconciliations, monthly trial balances

why do we need to use digital signature in conducting e-business?

obtain data integrity

continual service improvement

ongoing improvement of the service and the measurement of process performance required for the service

using the two key encryption method for authentication, we need to be careful about how the keys are used.

only the pair of one users two keys is used to encryption and decryption public key management is very important because we use public keys to authenticate others in conducting business

the ___________ system is the most important system software because it performs the tasks that enable a computer to operate

operating

the COSO ERM framework indicates that an effective internal control system should consist of four categories of objectives:

operation objectives strategic objectives reporting objectives compliance objectives

required a signed source document before recording a transaction is a _________ control

preventive

to authenticate the receiver(B), the sender(A) emails a challenge message to B. B will use her ________ key to encrypt the challenge message and send it to A. if A is able to use B's ________ key to decrypt and get the plaintext of the challenge message, A has authenticated B successfully

private, public

during the objective setting stage, management should have a _________ in place to set strategic, operations, reporting, and compliance objectives.

process

since 2003, information security management has been ranked as the top one technology issues for CPA's. according to AICPA information security management is "an integrated, systematic approach that coordinates people, policies, standards, __________, and ___________ used to safeguard critical systems and information from internal and external security threats"

processes, controls

COBIT

provides the best IT security and control practices for IT management

ITIL

provides the concepts and practice for IT service management

disaster _________ planning (DRP) is a process that identifies significant events that may threaten a firm's operations and outlines the procedures to ensure that the firm will resume operations when the events occur

recovery

according to the COSO 2.0 framework, reporting objectives are about the ________ of a firm's internal and external financial reporting

reliability

cloud computing refers to a service model were third-party service providers offers computing _____________ including hardware and software applications to cloud users over the internet, and the service provider charges a per-user basis

resources

vulnerability management and risk management have the same objective: to reduce the probability of the occurrence of detrimental events. what are the differences between them?

risk management is often a most complex and strategic process that should be a long-term process

internal and external events affecting achievement of a firm's objectives must be identified. when using COSO ERM framework, management must distinguish between ________ and ________ after identifying all possible events

risks, opportunities

information technology controls involve processes that provide assurance for information and help to mitigate _____ associated with the use of ______. firms need such controls to protect information assets, remain competitive, and control costs in implementing IT projects

risks, technology

monitoring component of the COSO ERM framework

the ERM components and internal control process should be monitored continuously and modified as necessary it is the process of evaluating the quality of internal control design and operation and the effectiveness

what are the main purposes of corporate governance?

to protect the interests of a firm's stakeholders to promote accountability and transparency in a firm's operations to encourage the efficient use of the resources a firm has

firms continue to monitor system availability. fault _________ uses redundant units to provide a system with the ability to continue to function when part of the system fails. many firms implement a redundant array of independent drive (RAID) so tha`t if one disk drive fails, important data can still be accessed from another disk

tolerance

true or false: the internal environment of the COSO ERM framework provides the discipline and structure for all other components of enterprise risk management. it is the most critical component in the framework

true

test data technique

uses a set of input data to validate system integrity

we often define ______ as weaknesses or exposure in IT assets or process that may lead to a business risk, compliance risk, security risk

vulnerability

digital signature

we use it to ensure data integrity we need to use a hashing process and encryption technology to get a digital signature we use it to authenticate the data/document sender

define vulnerability

weaknesses or exposures in IT processes that may lead to a business risk, compliance risk, or security risk characteristics of IT resources that can be exploited by a threat to cause harm to a firm

what are the main concerns of cloud user companies on the cloud service providers?

whether the cloud service providers internal controls are properly designed and effective the security of the cloud computing systems and networks the cloud service providers financial viability

What is the impact of Sarbanes-Oxley Act 2002 (SOX) on the accounting profession?

SOX established the PCAOB to regulate and audit public accounting firms. Under SOX, the PCAOB replaces AICPA to issue audit standards.

integrated test facility

enables test data to be continually evaluated during the normal operation of a system

the main factors in encryption are key length, encryption algorithm, and key management. what is the correct statement regarding encryption?

establishing a policy on key management is essential for information security

organizations derive their code of __________ from cultural values, societal traditions, and personal attitudes on issues of right and wrong

ethics

given the popularity of the internet, mobile devices, and the complexity of computer technologies, business information and IT assets are exposed to risks and attacks from ___________ parties such as hackers and _________ parties such as disgruntled employees

external, internal

true or false: COBIT is one of the generally accepted internal control frameworks for enterprises. COSO is a generally accepted framework for IT governance and management.

false

true or false: each company should use only one of the control/governance frameworks in corporate an IT governance

false

true or false: given the popularity of the internet, mobile devices, and the complexity of computer technologies, important business information and IT assets are exposed to risks and attacks from external parties such as hackers, foreigners, competitors, etc. today's employees are well trained and always support the firm to prevent the attacks

false

true or false: the control objectives for information and related technology (COBIT) framework is an internationally accepted set of best IT security and control practices and is required by PCAOB to be used for SOX section 404 audit

false

true or false: vulnerability assessment and management are often required by laws. hence, managements commitment and support are not as critical as in enterprise risk assessment and management

false

WAN

firewalls routers

what is fraud?

frauds are perpetrated by organizations to avoid payment or loss of services frauds are perpetrated by parties to obtain money, property, or services frauds are perpetrated by parties to secure personal or business advantage

LAN

hubs switches

accounting documents and records

to maintain audit trails and accuracy of the financial data

segregation of duties

to prevent fraud and mistakes

the IT infrastructure library is a de facto standard in europe for the best practices in IT infrastructure management and service delivery. ITIL adopts a ________ ______ approach to IT services

life cycle

to authenticate the reciever (B), the sender (A), emails a challenge message to B. B will use ___________ private key to encrypt the challenge message and send it to A. if A is able to use ________ public key to decrypt and get the plain text of the challenge message, A has authenticated B successfully

B's, B"s

correct statements about COBIT

COBIT is a generally accepted framework for IT governance and management COBIT 5 integrates other frameworks and standards such as ITIL an ISO 27000 series COBIT 5 enables IT to be governed in a holistic manner by taking in IT responsibility and considering the IT-related interests of stakeholders

CIA

Confidentiality, Integrity, Availability

COSO ERM framework indicates that:

ERM provides reasonable assurance regarding the achievement of the firms objectives ERM manages risk to be within the firms risk appetite

PCAOB

Public Company Accounting Oversight Board

information and communication

The organization obtains or generates and uses relevant, quality information to support the functioning of internal control

control activities

The organization selects and develops general control activities over technology to support the achievement of objectives

both disaster recovery planning (DRP) and business continuity management (BCM) are the most critical _________ controls, and DRP is a key component of BCM

corrective

____________ controls find problems when they arise

detective

a computer fraud risk assessment focuses on fraud schemes and scenarios to determine whether the controls exist and how the controls can be circumvented. list computer fraud risk assessments in sequence

identifying relevant IT fraud risk factors identifying and prioritizing potential IT fraud schemes mapping existing controls to potential fraud schemes and identifying gaps testing operating effectiveness of fraud prevention and detect controls assessing the likelihood and impact of a control failure and/or fraud incident

authentication is a process that establishes the origin of information or determines the ________ of a use, process, or device. it is critical in e-business because it can prevent _________ while conducting transactions online

identity, repudiation

according to the fraud triangle, 3 conditions exist for a fraud to be perpetrated:

incentive or pressure, opportunity, rationalize

the AICPA has indicated that issues on information security are critical to certified public accountants as one of the top 10 technologies that accounting professionals must learn. international organization for standardization 27000 series is designed to address ____________ __________ issues

information security

IT vulnerabilities can be categorized depending on whether they exist in the physical IT environment, within an __________ _______, or within the processes of IT operations

information system

IT application controls are activities specific to a subsystem's or an application's ________, processing, and output

input

Concepts on internal control defined under COSO 2.0

internal control is a process consisting of ongoing tasks and activities internal control is affect by people. it is not merely about policy manuals, systems, and forms. internal control can provide reasonable assurance, not absolute assurance to an entitys management and board internal control is geared toward the achievement of objectives in one or more separate but overlapping categories internal control is adaptable to the entity structure

black box approach in auditing systems

it is also called auditing around the computer

what are the purposes of the standards of ISO 27000 series?

it is designed to address information security issues

what is a digital signature?

it is encrypted using the private key of the creator of document or data file it is a message digest (MD) of a document or data file the process of getting a message digest (MD) is called hashing

computer frauds also happen during the systems development _______ cycle (SDLC)

life

A fraud prevention and detection program starts with a fraud risk assessment across the entire firm. What are the correct statements on the roles of the audit committee on fraud risk assessment?

the audit committee works with the internal audit group to ensure that the fraud prevention/detection program remains an ongoing effort the audit committee interacts with external auditor to ensure that fraud assessment results are properly communicated the audit committee has an oversight role in the fraud risk assessment process

service design

the design and development of IT services and service management processes

service operation

the effective and efficient delivery and support of services, with a benchmarked approach for event, problem, and access management

monitoring

the organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors as appropriate

risk assessment

the organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives

residual risk

the product of inherent risk and control risk

inherent risk

the risk related to the nature of the business activity itself

service strategy

the strategic planning of IT service management capabilities and the alignment of IT service and business strategies

control risk

the threat that errors or irregularities in the underlying transactions will not be prevented, detected, and corrected by the internal control system

service transition

the transition from strategy to design, and maintaining capabilities for the ongoing delivery of a service

supervision

to compensate imperfect segregation of duties

independent verification

to double check for errors and misrepresentions

access control

to ensure only authorized personnel have access to physical assets and information

authorization

to ensure transactions are valid