AIS Final Exam


steps risk response

(1) Reduce risks: implement effective internal control (2) Share risks: buy insurance, outsource, or hedge (3) Avoid risks: do not engage in the activity (4) Accept risks: Do nothing, accept likelihood and impact of risk

Organization Capital

- investment in creating a unique corporate identity and culture -Ensuring that employees know and are aligned with the organization's strategic objectives

Human Capital

- investment in people -Ensuring the right people with the right skills are available

Proof of stake (how blockchain works)

-A set of validators who propose the next block lock up an amount of their cryptocurrency as a deposit (stake) that is forfeited for dishonest behavior. -It reduces computing costs and centralization risk compared with proof of work.

Database Systems

-Accountants increasingly participate in designing internal control systems and improving business and IT processes in a database environment -shared collection of logically related data which meets the information needs of a firm -the core asset of many companies

Proof of work (how blockchain works)

-All miners compete to create the next block to be committed to the blockchain by solving a computationally expensive puzzle. -Because each block costs real computing power, rewriting the chain would require more computing power than the rest of the network combined, which deters attacks.

Descriptive Analysis

-Analysis performed that characterizes, summarizes and organizes past performance. -Ex: Did we make a profit last year? How much did we pay in federal taxes last year? How long have the existing accounts receivable been past due?

Prescriptive Analytics

-Analysis performed that identifies the best possible options given constraints or changing conditions -ex: What level of sales is needed to break even? How can revenues be maximized if there is a trade war with China? Should the company lease or buy its headquarters office? Should the company make its own products or outsource production to another company?

Physical Intrusion (threat physical IT environment)

-External parties entering facilities without permission and/or providing access information -Unauthorized hardware changes (vulnerability)

excessive heat or humidity (threat physical IT environment)

-Humidity alarm not in place -Outdated devices not providing information on temperature and humidity levels (vulnerability)

Interruption of a system (threat IT system)

-Improper system configuration and customization -Poor service level agreements (SLAs) monitoring on service providers (vulnerability)

Unintentional disclosure of sensitive information by employee (threat Processes of IT Operations)

-Inappropriate data classification rules -Poor user access management that allows some users to retrieve sensitive information not pertaining to their roles and responsibilities (vulnerability)

Inappropriate end-user computing (threat Processes of IT Operations)

-Ineffective training as to the proper use of computer -End-user computing policy has not been reviewed -Poor firewall rules allowing users to access illegitimate websites

disruption/blackout (threat physical IT environment)

-Insufficient backup power supply -No voltage stabilizer (vulnerability)

4 perspectives (Balanced Scorecard)

-Learning & Growth Perspective (improve processes) -Business Process Perspective (lower costs; enhance customer value) -Customer Perspective (grow revenue) -Financial Perspective

3 concepts traditional transactions (blockchain)

-Middleman -Delay -Service fee

Natural disasters (threat physical IT environment)

-No regular review of a policy that identifies how IT equipment is protected against environmental threats -Inadequate or outdated measures for environmental threats (vulnerability)

Intentional destruction of information (threat Processes of IT Operations)

-Not requiring approval prior to deleting sensitive data -Poor employee morale -Writable disk drive containing data which shall not be deleted such as transaction logs

Audit Data Standards Benefits

-Reduces the time and effort involved in accessing data by -Works well with standard audit and risk analytic tests often run against datasets in specific accounts or groups of accounts (such as inventory or accounts receivable or sales revenue transactions). -Allows software vendors (such as ACL Inc.) to produce data extraction programs for given enterprise systems to help facilitate fraud detection and prevention and risk management. -Facilitates testing of the full population of transactions, rather than just a small sample. -Connects/interacts well with XBRL GL Standards (to be introduced in Chapter 10).

water in data center (threat physical IT environment)

-Server room located in the basement -Clogged water drain (vulnerability)

system intrusion (threat IT system)

-Software not patched immediately -Open ports on a main server without router access -Outdated intrusion detection/prevention system (vulnerability)

Proof of authority (how blockchain works)

-The validators who create blocks are known, reputable parties whose identities are public. -The rest of the network can vote to remove a validator if malicious behavior is found.

blockchain system - differences

-The transactions are done without any middleman involved. -Much faster transaction time (minutes vs. days). -Lower service fee.

Logical access control failure (threat IT system)

-Work performed not aligned with business requirements -Poor choice of password -Failure to terminate unused accounts in a timely manner (vulnerability)

Computer Fraud Risk Assessment

-a systematic process that assists management and internal auditors in discovering where and how fraud may occur and who may commit it. -a component of a firm's enterprise risk management (ERM) program. -focuses on fraud schemes and scenarios to determine whether the controls exist and how the controls might be circumvented.

Data analytics

-defined as the science of examining raw data, removing excess noise and organizing the data with the purpose of drawing conclusions for decision making. -often involves the technologies, systems, practices, methodologies, databases, and applications used to analyze diverse business data to help organizations make sound and timely business decisions.

Local Networks

-group of computers, printers, and other devices connected to the same network that covers a limited geographic range. -Includes hubs and switches

Information Capital

-investment in information -Ensuring required access to information and the ability to communicate

Criteria 1 ( Cybersecurity Risk Management)

-nature of business and operations, -nature of information at risk, -cybersecurity objectives, -factors significantly affecting inherent cybersecurity risks, -cybersecurity risk governance structure, -cybersecurity risk assessment process, -cybersecurity communications and quality of cybersecurity information, -monitoring of the cybersecurity risk management program, and -cybersecurity control processes.

3 objective internal control (COSO 2013)

-operations: effectiveness and efficiency of a firm's operations -reliability: reliability of reporting -compliance: adherence to applicable laws and regulations

switches

-provides a dedicated path for each pair of communicating devices -a significant improvement over hubs: a switch forwards each frame only to the port of the device with the destination MAC (Media Access Control) address, so under normal operation a device sees only traffic addressed to it and cannot eavesdrop on traffic intended for other recipients

Vulnerability

-the characteristics of IT resources that can be exploited by a threat to cause harm. -as weaknesses or exposures in IT assets or processes that may lead to a business risk, compliance risk, or security risk.

Operating System

-the most important system software - Ensure the integrity of the system. -Control the flow of multiprogramming and tasks of scheduling in the computer. -Allocate computer resources to users and applications. -Manage the interfaces with the computer. -Part of IT governance

A - AMPS

1. Ask the Question •"Your Data Won't Speak Unless You Ask It the Right Questions." •The AMPS model starts with asking questions that can be addressed with data and that lead to a better decision making.

5 components COSO 2013

1. Control environment 2. risk assessment 3. control activities 4. Information and communication 5. Monitoring activities

Steps in preparing data

1. Get data 2. Set relationships among tables 3. Select attributes for the visualization 4. Select and modify the visualization

Steps to establish ISMS (ISO 27000)

1. Scope 2. Security policy 3. Risk assessment 4. Controls (select control objectives and controls) 5. Risk treatment; statement of applicability 6. ISMS 7. Internal audits, monitoring reviews, surveillance audits

Cybersecurity Risk Management Criteria (by AICPA)

1. description of the company's cybersecurity risk management system. 2. an evaluation of the company's cybersecurity controls

AMPS Model

1. Ask the question 2. Master the data 3. Perform the analysis 4. Share the story

Vulnerability management prerequisites (2)

1.Determine the main objectives of its vulnerability management, as the firm's resource for managing vulnerabilities is limited (in some cases, it could be to comply with applicable laws, regulations, and standards) 2.Assign roles and responsibility for vulnerability management.

steps computer fraud (risk assessment)

1.Identifying relevant IT fraud risk factors. 2.Identifying potential IT fraud schemes and prioritizing them based on likelihood and impact. 3.Mapping existing controls to potential fraud schemes and identifying gaps. 4.Testing operating effectiveness of fraud prevention and detection controls. 5.Assessing the likelihood and business impact of a control failure and/or a fraud incident

OS control objectives

1.Protect itself from users 2.Protect users from each other 3.Protect users from themselves 4.Be protected from itself 5.Be protected from its environment

Data Visualization Process

1.Understand the data 2.Select the data visualization tool •Excel •Tableau •Power BI •Others 3.Develop and present the visualization •Create or reinforce knowledge •Choose the right chart

AMPS Model: Perform the Analysis

1.What Happened? - Descriptive Analysis 2.Why Did it Happen? - Diagnostic Analysis 3.Will it Happen in the Future? - Predictive Analysis 4.What Should We Do, Based on What We Expect Will Happen? - Prescriptive Analysis

Key length

Key lengths of 128 bits and longer are considered sufficient for symmetric algorithms such as AES; asymmetric algorithms such as RSA need much longer keys (2048 bits or more) for comparable strength.

M - AMPS

2. Master the data

P - AMPS

3. Perform the analysis

S - AMPS

4. Share the story

botnet (bot)

A collection of compromised computers (bots) running software that acts automatically in response to commands from the bot-herder over the Internet.

Digital certificate (asymm key factor)

A digital document issued and digitally signed by the private key of a Certificate Authority that binds the name of a subscriber to a public key.

System Availability

A key component of IT service delivery and support is making sure the data is available at all times or, at a minimum, in the moment it is needed.

trojan horse

A non-self-replicating program that has a useful purpose in appearance, but in fact has a different, malicious purpose.

Virus

A self-replicating program that runs and spreads by modifying other programs/files

Worm

A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.

Public Key Infrastructure (asymm key factor)

A set of policies, processes, server platforms, software and workstations used for the purpose of administering certificates and public-private key pairs to issue, maintain, and revoke public key certificates.

Certificate Authority (asymm key factor)

A trusted entity that issues and revokes digital certificates.

WLANs (wireless LANs) 2 components

Access point, station

Consensus (how blockchain works)

All parties will be aware of transactions that take place on the network and agree to the transactions being written to the blockchain.

Predictive Analytics

Analysis performed to provide foresight by identifying patterns in historical data. -ex: What is the chance the company will go bankrupt? What are our expected sales and income next year? Can we predict whether the financial statements will be misstated? Will the borrower pay back the loan we've granted her?

Fraud

Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force.

Asymmetric-key Encryption Key Factors

Certificate Authority (CA), Digital Certificate, Public Key Infrastructure (PKI)

SAS (Statement of Auditing Standards) fraud

Consideration of Fraud in a Financial Statement Audit states that an entity's management has primary responsibility for establishing and monitoring all aspects of the entity's fraud risk-assessment and prevention activities, and has both the responsibility and the means to implement measures to reduce the incidence of fraud.

Learning & Growth Perspective (BS)

Describes the firm's objectives for improvements in tangible and intangible infrastructure

Social engineering (threat Processes of IT Operations)

Employee training not providing information about social engineering attempts

COSO ERM Framework

Expands COSO framework taking a risk-based approach •Internal environment •Objective setting •Event identification •Risk assessment •Risk response •Control activities •Information and communication •Monitoring

COSO Internal Control Framework

For evaluating, reporting, and improving internal control, widely accepted. 1.Internal control is a process consisting of ongoing tasks and activities. It is a means to an end, not an end in itself. 2.Internal control is affected by people. It is not merely about policy manuals, systems and forms. Rather, it is about people at every level of a firm that impact internal control. 3.Internal control can provide reasonable assurance, not absolute assurance, to an entity's management and board. 4.Internal control is geared toward the achievement of objectives in one or more separate but overlapping categories. 5.Internal control is adaptable to the entity structure.

Univariate Data

Histograms show the distribution of a single variable across a range of values, grouped into bins that show the frequency or percentage of values in that bin.

systems integrity

If users can perform the intended functions of a system without being degraded or impaired by unauthorized manipulation

Top tech issues CPAs

Information security management issue

Main factors of encryption

Key length, key management, encryption algorithm

Time Trends

Line charts are used to show values over time for one or more categories.

Framework Vulnerability Assessment and management

Maintenance, Identification, Assessment, Remediation

Risk Response

Management selects risk responses and develops a set of actions to align risks with the entity's risk tolerances, its risk appetite and cost versus benefit of potential risk responses

social engineering

Manipulating someone to take certain action that may not be in that person's best interest such as revealing confidential information or granting access to physical assets, networks, or information.

storage

Many companies choose to use a cloud platform to lower the cost of data storage.

Benefits WLANs (wireless LANs)

Mobility, Rapid deployment, flexibility and scalability

2009 - History of block chain

Nakamoto used a distributed ledger system through resource intensive mining to eliminate the need for intermediaries in trustless, online, peer-to-peer digital currency transactions.

COSO Enterprise Risk Management—Integrated Framework

Objectives: -Strategic—high-level goals, aligned with and supporting the firm's mission and vision -Operations—effectiveness and efficiency of operations -Reporting—reliability of internal and external reporting -Compliance—compliance with applicable laws and regulations

Immutability (how blockchain works)

Once transactions are confirmed on the blockchain they are effectively tamperproof: each block contains the hash of the previous block, so altering a confirmed transaction changes that block's hash and breaks the link to every later block, which the rest of the network would reject.

3 main functions internal controls

Preventive controls, Detective controls, Corrective controls

Proportional

Proportion charts, such as pie or doughnut charts, show shares of a total at a single point in time. These charts should be limited to a few slices with clear differences in size.

scatter plot

Scatter plots show correlations between two continuous variables, such as height and weight, or GPA and SAT scores. Scatter plots present detailed data for the two variables; each dot represents a single data point.

Spoofing

Sending a network packet that appears to come from a source other than its actual source.

Spam

Sending unsolicited bulk information

Spyware

Software secretly installed on an information system to gather information about individuals or organizations without their knowledge; a type of malicious code.

key management

Strong key-management policies are essential for information security.

Encryption algorithm

Symmetric-key encryption methods;Asymmetric-key encryption methods

Distributed and decentralized (how blockchain works)

The data are distributed and synchronized among all the participants in the network.

Popularization - History of Blockchain

The internal data structure of transactions in the system is packaged in blocks and chained together, thus, this technology eventually became blockchain.

Denial-of-Service (DoS)

The prevention of authorized access to resources (such as servers) or the delaying of time-critical operations.

Virtual Private Networks

VPNs

Categorical Charts

Vertical or horizontal bar charts present categorical information.

Info Security risks and attacks

Virus, worm, trojan horse, spam, botnet (bot), denial-of-service (DoS), Spyware, spoofing, social engineering

opportunity

_____ for fraud to be perpetrated

Uninterruptible power supply

a device using battery power to enable a system to operate long enough to back up critical data and shut down properly during the loss of power.

Encryption

a preventive control providing confidentiality and privacy for data transmission and storage. Main factors of encryption are key length, key management, and encryption algorithm.

Embedded audit module (white-box approach)

a programmed audit module that is added to the system under review.

Station

a wireless endpoint device equipped with a wireless Network Interface Card (NIC)

rationalize

an attitude or set of ethical values that allows the individuals committing the fraud to justify it to themselves

Criteria 2 ( Cybersecurity Risk Management)

an evaluation of the company's cybersecurity controls. It provides the trust services criteria and principles for security, availability, processing integrity, confidentiality, and privacy.

information security management

an integrated, systematic approach that coordinates people, policies, standards, processes, and controls used to safeguard critical systems and information from internal and external security threats.

Types of Learning

applications are designed to perform either: -Classification -regression

integrated test facility (white-box approach)

approach is an automated technique that enables test data to be continually evaluated during the normal operation of a system.

Application controls (Computerized environment)

are specific to a subsystem or an application to ensure the validity, completeness and accuracy of the transactions.

Parallel simulation (white-box approach)

the auditor writes a separate program that reproduces the key features or processes of the application under review, reprocesses actual transaction data with it, and compares the results with the production system's output.

Blockchain 2.0 (Ethereum, 2015) - History of blockchain

Blockchain 2.0 emerged as a more robust and sophisticated technology that pulls logic and business rules into code-based contracts ("smart contracts") on Ethereum.

Generally Accepted Auditing Standards (GAAS; CAATs)

broad guidelines regarding an auditor's professional responsibilities

Hubs

broadcast each incoming frame out of every port, so every connected device sees all traffic

M - Data Accessibility

can we get the needed data to answer the question posed?

Security WANs and LANs

confidentiality, integrity, availability, access control

Corrective controls

correct and recover from the problems that have been identified (Backup files to recover corrupted data)

Big Data

datasets that are too large and complex for businesses' existing systems to handle using their traditional capabilities to capture, store, manage and analyze these data sets.

preventive controls

deter problems from occurring (Authorization)

hashing process

different from encryption: hashing is one-way, so the original data cannot be recovered from the digest, while an encrypted message can be decrypted back to readable form by anyone holding the key. The same input always produces the same digest and any change to the input produces a different digest, which is what makes hashing useful for integrity checks.

detective controls

discover problems that are not prevented (Bank reconciliations and monthly trial balances)

IT general controls (ITGC)

enterprise-level controls over IT + IT control environment + Access controls + Change management controls + Project development and acquisition controls + Computer operations controls

Inherent risk

exists already before plans are made to address it

Input controls:

field checks, size checks, range checks, validity checks, completeness checks, reasonableness checks, check digit verifications, closed-loop verifications
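The input controls listed above as an added worked example (not from the original study set): a Go program that runs each check over a constructed vendor-payment record and reports which controls failed. The field names, the vendor master list, the amount limits and the use of the Luhn mod-10 algorithm for the check digit are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"unicode"
)

// PaymentInput is a constructed data-entry record for a vendor payment.
type PaymentInput struct {
	VendorCode string // must exist in the vendor master (validity check)
	Account    string // digits ending in a check digit (check digit verification)
	Amount     string // keyed as text; must be numeric (field check)
	InvoiceNo  string // at most 10 characters (size check)
	Terms      string // must be present (completeness check)
}

// approvedVendors stands in for the vendor master file (constructed).
var approvedVendors = map[string]bool{"V100": true, "V200": true}

// luhnValid implements the mod-10 (Luhn) check digit. The study set names no
// algorithm; Luhn is assumed here because it is the common textbook example.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(s) > 1 && sum%10 == 0
}

// ValidateInput runs the input controls and returns the names of those that
// failed; an empty result means the record may be accepted for processing.
func ValidateInput(p PaymentInput) []string {
	var failed []string
	// Completeness check: every required field has a value.
	if strings.TrimSpace(p.Terms) == "" || p.VendorCode == "" || p.Account == "" || p.Amount == "" {
		failed = append(failed, "completeness")
	}
	// Validity check: the vendor code exists in the master file.
	if !approvedVendors[p.VendorCode] {
		failed = append(failed, "validity")
	}
	// Size check: the invoice number fits its field.
	if len(p.InvoiceNo) > 10 {
		failed = append(failed, "size")
	}
	// Field check: the amount contains only characters a number may contain.
	for _, r := range p.Amount {
		if !unicode.IsDigit(r) && r != '.' {
			failed = append(failed, "field")
			break
		}
	}
	// Range check: amount must be positive. Reasonableness check: a single
	// vendor payment above 50,000 is flagged for review (constructed limit).
	if amt, err := strconv.ParseFloat(p.Amount, 64); err == nil {
		if amt <= 0 {
			failed = append(failed, "range")
		} else if amt > 50000 {
			failed = append(failed, "reasonableness")
		}
	}
	// Check digit verification: catches transposed or mistyped account numbers.
	if !luhnValid(p.Account) {
		failed = append(failed, "check digit")
	}
	return failed
}

func main() {
	good := PaymentInput{"V100", "79927398713", "1250.00", "INV-0001", "NET30"}
	bad := PaymentInput{"V999", "79927398714", "12a50", "INV-00000000001", ""}
	fmt.Println("good:", ValidateInput(good))
	fmt.Println("bad:", ValidateInput(bad))
}
```

Each control is independent, so one bad record can trip several of them at once; reporting all of them at data entry is what lets the clerk correct the record in a single pass.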

Virtualization (Cloud computing)

good alternatives to backup data and applications.

Disaster recovery planning (DRP)

identifies significant events that may threaten a firm's operations and outlines the procedures that ensure the firm resumes operations smoothly if such an event occurs. -one of the most critical corrective controls

Computer-assisted Audit Techniques (CAATs)

imperative tools for auditors to conduct an audit in accordance with heightened auditing standards.

3 conditions for fraud

incentive, opportunity, rationalization

Feed-forward neural networks

information moves in one direction.

IIA standard section (1220.A2)

internal auditors must consider the use of computer-assisted, technology-based audit tools and other data analysis techniques when conducting internal audits.

Message Digest (MD)

is a short, fixed-length code produced by hashing the original document with an algorithm such as SHA-256 (256 bits = 32 bytes, written as 64 hexadecimal characters). MD5 produces a 128-bit digest but is no longer considered secure for integrity protection because collisions can be generated for it.
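Added example, not from the original study set, tying together the message digest, the one-way nature of hashing, proof-of-work mining and blockchain immutability: a minimal hash chain in Go where each block commits to the SHA-256 digest of its predecessor and must satisfy a leading-zeros puzzle. The block layout, the difficulty value and the sample transactions are constructed for the example and are not any real blockchain's format.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Block is a minimal block: an index, the transactions it carries, the hash
// of the previous block, and the nonce found by proof of work (constructed layout).
type Block struct {
	Index    int
	Data     string
	PrevHash string
	Nonce    int
}

// Hash returns the SHA-256 message digest of the block's contents as 64 hex
// characters (256 bits = 32 bytes). The digest is one-way: the block cannot be
// recovered from it, and changing any field yields an unrelated digest.
func (b Block) Hash() string {
	payload := strconv.Itoa(b.Index) + "|" + b.Data + "|" + b.PrevHash + "|" + strconv.Itoa(b.Nonce)
	sum := sha256.Sum256([]byte(payload))
	return hex.EncodeToString(sum[:])
}

// meetsDifficulty is the proof-of-work puzzle: the digest must start with
// `difficulty` hex zeros. Each extra zero makes it 16 times harder on average.
func meetsDifficulty(h string, difficulty int) bool {
	return strings.HasPrefix(h, strings.Repeat("0", difficulty))
}

// Mine brute-forces the nonce until the block's hash satisfies the puzzle.
// This is the expensive computation miners compete to finish first.
func Mine(b Block, difficulty int) Block {
	for b.Nonce = 0; !meetsDifficulty(b.Hash(), difficulty); b.Nonce++ {
	}
	return b
}

// BuildChain mines a chain in which each block stores its predecessor's hash.
func BuildChain(txs []string, difficulty int) []Block {
	chain := []Block{Mine(Block{Index: 0, Data: "genesis"}, difficulty)}
	for i, tx := range txs {
		prev := chain[len(chain)-1]
		chain = append(chain, Mine(Block{Index: i + 1, Data: tx, PrevHash: prev.Hash()}, difficulty))
	}
	return chain
}

// ValidChain re-derives every hash and checks both the proof of work and the
// links. Altering a confirmed block changes its hash, which no longer matches
// the PrevHash stored in the next block, so the tampering is detected.
func ValidChain(chain []Block, difficulty int) bool {
	for i, b := range chain {
		if !meetsDifficulty(b.Hash(), difficulty) {
			return false
		}
		if i > 0 && b.PrevHash != chain[i-1].Hash() {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample transactions, not real ledger data.
	txs := []string{"A pays B 5", "B pays C 2", "C pays A 1"}
	chain := BuildChain(txs, 3)
	fmt.Println("valid:", ValidChain(chain, 3))
	chain[1].Data = "A pays B 500" // an attacker rewrites history...
	fmt.Println("after tamper:", ValidChain(chain, 3)) // ...and the chain no longer validates
}
```

To make the altered chain validate again the attacker would have to re-mine block 1 and every block after it, which is exactly the computing cost that proof of work imposes; on a real network the honest majority keeps extending the original chain in the meantime.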

M - Data Integrity

is the data accurate, valid and consistent over time?

M - Data Reliability

is the data clean?

M - Data Type

is the data structured? is the data internal? are there privacy concerns with the data?

access point

logically connects stations to a firm's network.

physical controls (control activities)

mainly manual but could involve the physical use of computing technology. + proper authorization of transactions and activities + segregation of duties + project development and acquisition controls + change management controls + design and use of documents and records + safeguarding assets, records, and data + independent checks on performance

risk management

more complex and strategic process, mostly conducted using a top-down, risk-based approach

Continual Service Improvement (ITIL 5 categories)

ongoing improvement of the service and the measurement of process performance required for the service.

General controls (Computerized environment)

pertain to enterprise-wide issues (controls over accessing the network, developing and maintaining applications, etc.)

Processing controls

pre-numbered documents, sequence checks, batch totals, cross-footing balance tests, concurrent update controls
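The processing controls above as an added worked example (not from the original study set): Go code that compares a constructed payroll batch against the clerk's batch totals (record count, financial total, hash total), looks for gaps and duplicates in the pre-numbered documents, and cross-foots the amount columns. Field names, amounts and document numbers are constructed for the example.

```go
package main

import "fmt"

// JournalLine is one constructed line of a payroll batch: a pre-numbered
// document, an employee number, and a gross amount split into net pay and tax.
// Amounts are in cents so the arithmetic is exact.
type JournalLine struct {
	DocNo    int
	Employee int
	Gross    int64
	Net      int64
	Tax      int64
}

// BatchTotals are the control totals computed before the batch is keyed, so
// what the system actually processed can be compared against them afterwards.
type BatchTotals struct {
	RecordCount int
	Financial   int64 // sum of the amount field
	Hash        int   // sum of a non-financial field (employee numbers); meaningless except as a control
}

// ComputeTotals derives the same three totals from the processed lines.
func ComputeTotals(lines []JournalLine) BatchTotals {
	var t BatchTotals
	for _, l := range lines {
		t.RecordCount++
		t.Financial += l.Gross
		t.Hash += l.Employee
	}
	return t
}

// SequenceGaps returns the pre-numbered documents that are missing or
// duplicated between the lowest and highest number present in the batch.
func SequenceGaps(lines []JournalLine) (missing, duplicate []int) {
	if len(lines) == 0 {
		return nil, nil
	}
	seen := map[int]int{}
	lo, hi := lines[0].DocNo, lines[0].DocNo
	for _, l := range lines {
		seen[l.DocNo]++
		if l.DocNo < lo {
			lo = l.DocNo
		}
		if l.DocNo > hi {
			hi = l.DocNo
		}
	}
	for n := lo; n <= hi; n++ {
		if seen[n] == 0 {
			missing = append(missing, n)
		} else if seen[n] > 1 {
			duplicate = append(duplicate, n)
		}
	}
	return missing, duplicate
}

// CrossFoots checks that every line foots (Gross = Net + Tax) and that the
// column totals agree the same way, catching an amount posted to the wrong column.
func CrossFoots(lines []JournalLine) bool {
	var gross, net, tax int64
	for _, l := range lines {
		if l.Gross != l.Net+l.Tax {
			return false
		}
		gross += l.Gross
		net += l.Net
		tax += l.Tax
	}
	return gross == net+tax
}

// ProcessBatch runs the processing controls and returns the problems found;
// an empty result means the batch may be posted.
func ProcessBatch(lines []JournalLine, expected BatchTotals) []string {
	var problems []string
	if got := ComputeTotals(lines); got != expected {
		problems = append(problems, fmt.Sprintf("batch totals differ: expected %+v, got %+v", expected, got))
	}
	if m, d := SequenceGaps(lines); len(m) > 0 || len(d) > 0 {
		problems = append(problems, fmt.Sprintf("sequence check: missing %v, duplicate %v", m, d))
	}
	if !CrossFoots(lines) {
		problems = append(problems, "cross-footing failed")
	}
	return problems
}

func main() {
	// Constructed batch: document 1003 was never keyed and 1004 was keyed twice.
	batch := []JournalLine{
		{1001, 501, 300000, 240000, 60000},
		{1002, 502, 150000, 120000, 30000},
		{1004, 504, 200000, 160000, 40000},
		{1004, 504, 200000, 160000, 40000},
	}
	clerk := BatchTotals{RecordCount: 3, Financial: 650000, Hash: 1507}
	for _, p := range ProcessBatch(batch, clerk) {
		fmt.Println(p)
	}
}
```

The hash total is the control most people find odd: summing employee numbers has no business meaning, but it catches a line posted to the wrong employee even when the record count and dollar total still agree.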

Smart contracts - History of block chain

programmable in Ethereum. This flexibility drew the attention of corporations and government agencies.

Main objective ISO (27000)

provide a model for establishing, implementing, operating, monitoring, maintaining, and improving an Information Security Management System (ISMS) using a "process approach"

IT controls (control activities)

provide assurance for information and help to mitigate risks associated with the use of technology.

incentive

provides a reason to commit fraud

Information Systems Auditing Standards (ISASs)

provides guidelines for conducting an IS/IT audit (issued by ISACA)

Service Transition (ITIL 5 categories)

realizing the requirements of strategy and design, and maintaining capabilities for the ongoing delivery of a service

Business continuity management (BCM)

refers to the activities required to keep a firm running during a period of interruption of normal operations. **DRP is a component of BCM -among the most critical corrective controls

Velocity

refers to the fact that the data comes in at quick speeds or in real time, such as streaming videos and news feeds.

Volume

refers to the massive amount of data involved.

Veracity

refers to the quality of the data including extent of cleanliness (without errors or data integrity issues), reliability and representationally faithful

Variety

refers to unstructured and unprocessed data, such as comments in social media, emails, global positioning system (GPS) measurements, etc.

Output controls

required number of copies printed

Classification

seeks to assign labels, dividing the input into output groups, such as: -Yes or No -Spam or Not Spam

Regression

seeks to predict real numbers, such as: -The price of a house -The revenue in next quarter

limiting factors Big Data

storage and processing

Regulatory and social processes (process perspective)

such as financial reporting, accounting, and those that manage environmental, safety and health, employment, and community issues.

Innovation processes (process perspective)

such as identifying opportunities, research and development, product design and development, and product launch.

Operations management processes (process perspective)

such as supply, production, distribution, and risk management.

customer management processes (process perspective)

such as those involved with the selection, acquisition, and retention of customers, and growth of the firm's market.

Vulnerability Management

tactical and short-term effort, frequently conducted using an IT asset-based approach.

processing power

the ________ required to obtain information valuable to the company could be enormous or even impossible.

Recurrent neural networks

the connections between neurons include loops.

Service Design (ITIL 5 categories)

the design and development of IT services and service management processes

Service Operation (ITIL 5 categories)

the effective and efficient delivery and support of services, with a benchmarked approach for event, incident, request fulfillment, problem, and access management.

Bitcoin

the first cryptocurrency

residual risk

the risk that remains after controls have been applied; often expressed as the product of inherent risk and control risk

Service Strategy (ITIL 5 categories)

the strategic planning of IT service management capabilities and the alignment of IT service and business strategies

control risk

the threat that errors or irregularities in the underlying transactions will not be prevented, detected and corrected by the internal control system.

test data technique (white-box approach)

uses a set of input data to validate system integrity.

fault tolerance

using redundant units to provide a system the ability to continue functioning when part of the system fails.

the four Vs

volume, velocity, veracity and variety—are often used to represent the defining features of Big Data.

TechnicalChallenges (Continuous Auditing)

• Access to all relevant data in a timely manner • Accumulating and quantifying the risks and the exposures that have been identified • Defining the appropriate analytic that will effectively identify exceptions to controls • Developing a suitable scoring/weighting mechanism to prioritize exceptions • Balancing the costs and efforts of reviewing large volumes of exceptions against the exposures of the exceptions themselves

Non-technicalBarriers (Continuous Auditing)

• Perceived negative impact of continuous auditing on the firm. • Priority of implementation in determined key areas. • Readiness of the internal audit group to develop and adopt continuous auditing • Unrealistic expectations of the benefits of continuous auditing

Continuous Audit Benefits (most firms)

• can reduce errors and frauds • increase operational effectiveness • better comply with laws and regulations • increase management confidence in control effectiveness and financial information

Wide Area Networks

• link different sites together, transmit information across geographically and cover a broad geographic area. -to provide remote access to employees or customers -to link two or more sites within the firm -to provide corporate access to the Internet routers and firewalls

Continuous Audit Benefits (Allows internal and external auditors)

• monitor transaction data in a timely manner • better understand critical control points, rules, and exceptions • perform control and risk assessments in real time or near real time • notify management of control deficiencies in a timely manner • reduce efforts on routine testing while focus on more valuable investigation activities

Balanced Scorecard Problem

•40% of financial executives say their company's IT investments are proving little or no ROI •A formal, structured approach that links IT investments to business performance can avoid problems •The balanced scorecard is a widely-used tool that can help companies link their IT investments to strategic performance

Continuous Audit

•A continuous audit is performing audit-related activities on a continuous basis. •Testing in continuous audits often consists of continuous controls monitoring and continuous data assurance. •Technology plays a key role in analyzing trends and patterns of transactions, identifying exceptions and anomalies, and testing controls.

Cryptocurrency Applications

•A cryptocurrency that eliminates the ability to double spend. •Anonymous peer-to-peer transactions, no middleman involved. •Public blockchain -anyone can join or leave at any time. •Validation through proof of work and rewards as an economic incentive via a resource intensive computation called mining. •Immutable history of transactions. •Distributed ledger. •One block is added to the blockchain approximately every 10 minutes. •The First-Mover - the first blockchain application in production.

ITIL (control framework)

•A de facto standard in Europe for the best practices in IT infrastructure management and service delivery. •value proposition centers on providing IT service with an understanding the business objectives and priorities, and the role that IT services has in achieving the objectives. •adopts a lifecycle approach to IT services, and organizes IT service management into five high-level categories. •Information Technology Infrastructure Library

(3) Control Activities

•A firm must establish control policies, procedures, and practices that ensure the firm's objectives are achieved and risk mitigation strategies are carried out. •Occur throughout a firm at all levels and in all functions.

Strategy Maps

•A one-page representation of the firm's strategic priorities •Shows the cause-and-effect linkages among strategic priorities •Allows organizations to assess and prioritize gaps between current and desired performance levels

Corporate governance

•A set of processes and policies in managing an organization with sound ethics, internal and external control mechanisms to safeguard the interests of its stakeholders. •Promotes accountability, fairness, and transparency in the organization's relationship with its stakeholders.

Balanced Scorecard

•A strategic planning and management system •Used extensively in business and industry, government, and nonprofit organizations worldwide •Aligns business activities to the vision and strategy of the organization •Improves internal and external communications •Monitors organization performance against strategic goals

Impact of Data Analytics -Business

•A study from McKinsey Global Institute estimates that Big Data could generate up to $3 trillion in value per year in just a subset of industries impacted. •In addition to producing more value externally, studies show that data analytics affects internal processes, improving productivity, utilization, and growth.

Management responsibility

•According to SOX, whose responsibility is the establishment and maintenance of internal controls?

black-box approach

•Auditing around the computer •First calculating expected results from the transactions entered into the system •Then comparing these calculations to the processing or output results •The advantage of this approach is that the systems will not be interrupted for auditing purposes. •Could be adequate when automated systems applications are relatively simple.

white-box approach

•Auditing through the Computer •The white-box approach requires auditors to understand the internal logic of the system/application being tested. •The auditing through the computer approach embraces a variety of techniques: test data technique, parallel simulation, integrated test facility (ITF), and embedded audit module.

Extract, Transform, and Load

•Before data can be analyzed and be useful, it must be scrubbed of extraneous data and noise. •Reformatting, cleansing, and consolidating large volumes of data from multiple sources and platforms can be especially time consuming. Data analytics professionals estimate that they spend between 50 percent and 90 percent of their time cleaning data for analysis. •The cost to scrub the data includes the salaries of the data analytics scientists and the cost of the technology to prepare and analyze the data. As with other information, there is a cost to produce these data.

Encryption and Authentication

•Both the sender and receiver use an asymmetric-key encryption method to authenticate each other. •Either the sender (or the receiver) generates a symmetric key (called a session key because it is valid for a certain timeframe only) to be used by both parties. •Use an asymmetric-key encryption method to distribute the session key. (For example, the sender uses the receiver's public key to encrypt the session key and sends it to the receiver. The receiver uses his/her own private key to decrypt it and obtain the session key.) •After both parties have the session key, use the session key to transmit confidential data/information. This is because using a symmetric key for encryption is faster in data transmission.

Cognitive Technologies

•Cognitive technologies employ self-learning algorithms that allow computers to examine connections and notice patterns without human intervention •Examples: -Machine learning -Neural networks -Robotic process automation (RPA) -Bots -Natural language processing

Financial Perspective

•Confirms the success of the firm's investments and its ability to deliver value to customers •Overall objective is shareholder value (for-profit companies) •Other objectives usually related to: -Long-term growth -Productivity

Using TABLEAU for data analysis

•Connect to the data •Review the data and join the tables •Prepare visualizations in worksheets •Use Show Me to find appropriate options •Use tools to modify the visualization •Combine multiple visualizations in a Dashboard

COBIT (control framework)

•Control Objectives for Information & related Technology •For the governance and management of enterprise IT •generally accepted framework for IT governance and management •Defines the scope and ownership of IT process and control •Is consistent with accepted IT good practices and standards •Provides a common language with a set of terms and definitions that are generally understandable by all stakeholders •Meets regulatory requirements by being consistent with generally accepted corporate governance standards (e.g., COSO) and IT controls expected by regulators and auditors.

key criteria business requirements for info

•Effectiveness -relevant and timely •Efficiency -produced economically •Confidentiality -protection of sensitive information •Integrity -valid, accurate and complete •Availability -available when needed •Compliance -complying with the laws and regulations •Reliability -reliable for daily decision making

Usefulness Blockchain

•Enable multiple parties that do not fully trust each other to collaborate with a shared source of truth. •Accelerate transaction settlement and verification by eliminating intermediaries. •Help cut costs and resources that would be spent on manual verification (helps auditors collect and evaluate evidence to support transactions).

Public Company Accounting Oversight Board (PCAOB)

•Established under SOX to provide independent oversight of public accounting firms. •PCAOB Auditing Standard No. 5 (AS 5) encourages auditors to use a risk-based, top-down approach to identify the key controls •Analyzes controls at the financial statement level and focuses on entity-level controls

Why code of Ethics?

•Ethical behavior prompted by a code of ethics can be considered a form of INTERNAL CONTROL. •Employees with different cultural backgrounds are likely to have different values → a code of ethics promotes ethical behavior within a group -Ex: AICPA, ISACA, IIA, IMA

Using excel for data analysis

•Examine the data and determine how the tables connect •Insert tables for data in each worksheet -Rename the tables -Adjust the format as desired •Set the relationships between tables -Data > Relationships -Link the table with the foreign key to the table with the primary key •Summarize with a PivotTable -Format fields appropriately -Change names where desired -Add slicers as filters -Chart the results in a PivotChart

Implementation of Continuous Auditing

•Extensible Markup Language (XML) •Extensible Business Reporting Language (XBRL) •Database management systems •Transaction logging and query tools •Data warehouses •Data mining or computer-assisted audit techniques (CAATs)

Symmetric-key encryption

•Fast •Suitable for large data sets •Key distribution and key management are problematic + difficult to distribute the key in a secure way + managing one key per relationship is not cost effective

Generalized Audit Software (GAS)

•Frequently used to perform substantive tests and is used for testing of controls through transactional-data analysis. •Directly read and access data from various database platforms •Provides auditors an independent means to gain access to data for analysis and the ability to use high-level, problem-solving software to invoke functions to be performed on data files. -Audit Control Language (ACL) -Interactive Data Extraction and Analysis (IDEA)

Risk Assessment

•Given AS 5, risk assessment is also the first step in developing an audit plan to meet the mandate of SOX Section 404. •Types of risk: inherent risk, control risk, residual risk

exposures

•Given an identified possible fraud, management's estimates of the potential loss from the fraud

(2) Risk Assessment

•Identifying and analyzing a firm's risks from external and internal environments. •Allows a firm to understand the extent to which potential events might affect corporate objectives. •Risk is assessed from two perspectives: -Likelihood: probability that the event will occur -Impact: estimated potential loss if the event occurs

Event Identification

•Identifying incidents both external and internal to the organization that could affect the achievement of the organization's objectives •Must distinguish between risks and opportunities •Opportunities are channeled back to the strategy or objective-setting processes, and identified risks are forwarded to the next stage

Impact of Data Analytics -Accounting

•In financial accounting, data analytics may be used to scan the environment—that is, by scanning social media to identify potential risks and opportunities to the firm. •Data analytics plays a very critical role in the future of audit. •Data analytics also expands auditors' capabilities in services such as testing for fraudulent transactions and automating compliance-monitoring activities (e.g., filing financial reports with the SEC or IRS).

IT application controls (control activities)

•Input controls: field checks, size checks, range checks, validity checks, completeness checks, reasonableness checks, check digit verifications, closed-loop verifications •Processing controls: pre-numbered documents, sequence checks, batch totals, cross-footing balance tests, concurrent update controls •Output controls: required number of copies printed

Artificial Intelligence

•Intelligence exhibited by machines rather than humans. •The ability of computers to perform tasks that are associated with human intelligence, such as: -thinking logically, acting rationally, visual perception, speech recognition, language translation •Also called cognitive technologies. •AI can create up to $5.8 trillion in annual value across all business sectors.

(1) Control Environment

•Management's philosophy and operating style •Commitment to integrity, ethical values, and competence •Internal control oversight by the Board of Directors •Organizational structure •Methods of assigning authority and responsibility •Human resource standards

Control Concepts

•Processes implemented to provide assurance that the following objectives are achieved: -Safeguard assets -Maintain sufficient records -Provide accurate and reliable information -Prepare financial reports according to established criteria -Promote and improve operational efficiency -Encourage adherence to management policies -Comply with laws and regulations

Asymmetric-key Encryption

•Slow •Not suitable for large data sets •Key distribution and key management problems are solved + the public key can be widely shared while the private key is kept secret + used to transmit confidential information

(4) Information and Communication

•Supports all other control components by communicating effectively -to ensure information flows within the firm: •Down •Across •Up -to interact with external parties and inform them about related policy positions: •customers •suppliers •regulators •shareholders

Traditional system (vs. Blockchain)

•System is centralized. •Requires a middleman to approve and record transactions. •Only one copy of the ledger

Blockchain system

•System is decentralized, distributed ledger •No middleman needed, multiple copies •When a new transaction occurs, all nodes are in sync. •Information cannot be added or deleted without the knowledge of the entire network. •A write-once, read-many system.

Using CAATs

•Tests of details of transactions and balances •Analytical review procedures •Compliance tests of IT general and application controls •Operating system and network vulnerability assessments •Application security testing and source code security scans •Penetration testing

(5) Monitoring Activities

•The design and effectiveness of internal controls should be monitored by management on an ongoing basis. •Findings should be evaluated and deficiencies must be communicated in a timely manner. •Necessary modifications should be made to improve the business process and the internal control system.

Data Visualization

•The process of presenting information graphically •One way of sharing the story and turning data into information •Presenting relevant information to decision makers

common computer fraud (GTAG)

•The theft, misuse, or misappropriation of assets by altering computer-readable records and files. •The theft, misuse, or misappropriation of assets by altering the logic of computer software. •The theft or illegal use of computer-readable information. •The theft, corruption, illegal copying, or intentional destruction of computer software. •The theft, misuse, or misappropriation of computer hardware.

Customer Perspective

•The value proposition differentiates the firm from the competition -Product attributes -Service attributes -Brand image •Creates customer satisfaction, retention, and new customer acquisition

Creating a digital signature

•To create it, the document creator must use his/her own private key to encrypt the MD, so it also authenticates the document creator.

digital signature

•A message digest (MD) of a document (or data file) that is encrypted using the document creator's private key. •To create one, we need to use both a hashing and an encryption process. •Can ensure data integrity and prevent repudiation of transactions •To create it, the document creator must use his/her own private key to encrypt the MD, so it also authenticates the document creator.

Audit Data Standards (ADS)

•A set of standards for data files and fields typically needed to support an external audit in a given financial business process area. •If both the provider and the user of the data (e.g., a company and its external auditor) used the same standards, the cost of cleaning and formatting the data could be alleviated

ISO (control framework)

•Designed to address information security issues. •ISO 27001 and ISO 27002 in particular have become the most recognized and generally accepted set of information security frameworks and guidelines.

2 types of encryption schemes

•Encode plaintext into a non-readable form, or ciphertext: 1. Symmetric-key encryption methods 2. Asymmetric-key encryption methods

Cost and benefit analysis (risk assessment)

•Important in determining whether to implement an internal control. -Internal control benefits > costs: IMPLEMENT

Authentication

•Process that establishes the origin of information or determines the identity of a user, process, or device. •It is critical in e-business because it can prevent repudiation while conducting transactions online.

fraud detection

•Program should include an evaluation by internal auditors of the effectiveness of business processes, along with an analysis of transaction-level data to obtain evidence on the effectiveness of internal controls and to identify indicators of fraud risk or actual fraudulent activities. •An effective approach is to have a continuous monitoring system with embedded modules to create detailed logs for transaction-level testing.

fraud prevention

•Program starts with a fraud risk assessment across the entire firm, performed by management, taking into consideration the firm's critical business divisions, processes, and accounts. •The audit committee typically has an oversight role in this process and often works with the internal audit group and external auditors. •Making employees aware of their obligations concerning fraud and misconduct begins with practical communication and training.

Sarbanes Oxley Act of 2002

•Requires public companies registered with the SEC and their auditors to annually assess and report on the design and effectiveness of internal control over financial reporting.

Objective Setting

•Set at the strategic level, establishing a basis for operations, reporting and compliance -Objectives support and align with the firm's mission and are consistent with its risk appetite.

IT governance

•Subset of corporate governance that includes issues regarding IT management and security. •Responsibility of management, to ensure that the firm's IT sustains and extends its business objectives •COBIT supports IT governance and management by providing a framework to ensure that IT is aligned with the business, IT enables the business and maximizes firm value, IT resources are used responsibly, and IT risks are managed appropriately.

Artificial neural networks

•The engines of machine learning -Mathematical models that convert inputs to outputs/predictions; they can be nested together -A cleaned and well-defined training data set is used to optimize predictions. -The trained model is applied to more test data or real-world data.

focus of information security (AICPA)

•The primary focus is the balanced protection of the confidentiality, integrity, and availability of data while maintaining efficient policy implementation and without disrupting organizational productivity. -confidentiality -integrity -availability

Machine Learning

•Type of AI; Deep Learning is a type of Machine Learning. •Involves the computer's ability to learn from experience rather than from specific instructions. AI --> ML --> deep learning
