Help
Options
Didn't know it?
click below
click below
Knew it?
click below
click below
Don't Know
Remaining cards (0)
Know
retry
shuffle
restart
0:00
Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.
Normal Size Small Size show me how
Normal Size Small Size show me how
AIS_E3
Accounting Information Systems
| Question | Answer |
|---|---|
| Define Internal Control | Process implemented by the board of directors, management and those under their direction to provide reasonable assurance that certain control objectives are achieved |
| What are the 4 control objectives need to be achieved for internal control? | Assets are safeguarded, records are maintained in sufficient detail to accurately and fairly reflect company assets, accurate and reliable information is provided, reasonable assurance financial reports are prepared in accordance with GAAP |
| What are the 3 control objectives need to be achieved for internal control? | Operational efficiency is promoted and improved, adherence to prescribed managerial policies is encouraged, organization complies with applicable laws and regulations |
| Define Assets as a safeguarded | It includes data. Objective includes prevention or timely detection of unauthorized acquisition, use, or disposal of material company assets. |
| What are the 3 important functions of internal controls? | Preventive Controls, Detective Controls, Corrective Controls |
| Define Preventive Controls | deter problems before they arise |
| Define Detective Controls | discover problems that are not prevented |
| Define Corrective Controls | identify and correct problems as well as correct and recover from the resulting errors |
| What are the two categories internal controls are segregated into? | General Controls and Application Controls |
| Define General Controls | make sure an organizations control environment is stable and well managed |
| Define Application Controls | make sure transactions are processed correctly. They are concerned with the accuracy, completeness, validity, and authorization of data captured, entered, processed, stored, transmitted to other systems and reported |
| Define what promote and improve operational efficiency is | the objective is to ensure that company receipts and expenditures are made in accordance with management and directors' authorization |
| What is the Foreign Corrupt Practices Act (FCPA)? | prevent companies from bribing foreign officials to obtain business. A significant effect was to require corporations to maintain good internal accounting controls |
| What is the Sarbanes-Oxley Act of 2002 (SOX)? | designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives that perpetrate fraud |
| Who does SOX apply to? | Applies to publicly held companies and their auditors. Idea behind these rules was to make the auditors more independent from the companies they are auditing |
| What are the two things under SOX? | Public Company Accounting Oversight Board (PCAOB) and New Auditing Rules - partners must rotate and prohibited from performing certain non-audit services |
| What is the huge change of SOX and what do they have to be a apart of? | They have to have one member be a financial expert. Oversees External auditors and be part of the board of directors |
| What does COBIT stand for? | Control Objectives for Information and related technology - business objectives, IT resources and processes (make sure they fit the business objective) |
| What does COSO stand for? | Committee of Sponsoring Organizations. (Internal controls) |
| What types of Internal Controls does COSO have? | Control Environment, Control activities, Risk Assessment, Information and Communication and monitoring |
| What is Enterprise Risk Management Model made up of? | Control vs. Risk: COSO elements, setting objectives, event objectives(risk based), risk assessment(risk based). Also reduced, accepted, shared, avoided <-- risk based |
| What are the three vantage points of control frameworks? (COBIT) | business objectives, IT Resources, IT Processes |
| What do you need to do to satisfy business objective for control frameworks? (COBIT) | information must conform to certain criteria referred to as "Business requirements for information" |
| What is the criteria business objectives must meet? | Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance with legal requirements, reliability |
| What do IT resources include? | People, technology, data, application systems, facilities |
| What are the 4 domains of IT Processes? | Planning and Organization, Acquisition and Implantation, Delivery and Support, Monitoring (figure out the best things that need to happen) |
| What did COSO issue? | Internal Control Integrated Framework (1992)- defines internal controls, provides guidance, widely accepted as the authority of internal controls, used to control business activies |
| What are the five crucial components of COSO? | Control Environment, Control Activities,Risk Assessment, Information and Communication, Monitoring |
| What is the big difference between COSO and COSO/ERM? | How we deal with risk |
| What is ERM's process? | the process the board of directors and mgt use to set strategy, identify events that may affect the entity, assess and manage risk and provide reasonable assurance that the company achieves it objectives and goals |
| What are the basic principles of ERM? | Companies are formed to create value for their owners, mgt must decide how much uncertainty it will accept, uncertainty results in risk, uncertainty results in opportunity, and ERM framework can manage uncertainty as well as create and preserve value |
| What four objectives must mgt meet to achieve company goals? (ERM) | Strategic, Operations, Reporting, and Compliance |
| What are the company units? (ERM) | Subsidiary, Business Unit, Division, and Entity-level |
| What are the 8 interrelated risk and control components of ERM? | Environmental Control, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and communication, and monitoring |
| What framework is required by SOX? | The IC Framework (internal control) - has been widely adopted as the way to evaluate internal controls (provides little context for evaluating the results) |
| What is internal environment? | influences how organizations establish strategies and objectives; structure business activities; and identify assess and respond to risk. ( IT IS the foundation for all other ERM components) - essentially the same as the control environment IC framework |
| What does an internal environment consist of? | Mgt's philosophy, operating style, risk appetite, board of directors, commitment to integrity, ethical values, competence, organizational structure, methods of assigning authority & responsibility, human resource standards, and external influences |
| What are the four categories of objective setting? | Strategic Objectives, Operations Objectives, Reporting Objectives, and Compliance Objectives |
| How does COSO define an Event? | An incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives. Events may have positive or negative impacts or both. |
| What does an event represent? | Uncertainty, it may or may not occur, if it does it is hard to know when. Until it occurs it is hard to know its impact. When it occurs it may trigger another event |
| Events may occur individually or concurrently | TRUE! |
| What techniques do companies use to identify events? | comprehensive list of potential events, performing an internal analysis, monitoring leading events and trigger points, conducting workshops and interviews, using data mining, and analyzing business processes. |
| What does inherent risk mean? | there is a risk before we have any controls or procedures in place to stop that risk. |
| What are the two types of risk? (COSO - Risk Assessment) | Inherent risk and residual risk |
| What is residual risk? (Risk Assessment) | If we put controls in place and then measure the risk we then get what is known as residual risk. (risk that remains after controls are put in place) |
| What are the 4 ways mgt can respond to risk? (Risk Response) | Reduce, Accept, Share, Avoid |
| What should companies do about risk? | assess inherent risk, develop a response, then assess residual risk |
| What control is superior to detective controls? | Preventive Controls |
| What happens when preventive controls fail? | detective controls are essential for discovering the problem |
| What should a good internal control system employ/implement? | Preventive Controls, Detective Controls, and Corrective Controls |
| The benefits of an internal control procedure must exceed its costs | TRUE |
| What are the potential benefits of internal controls? | they can be hard to quantify - increased sales and productivity, reduced losses, better integration with customers and suppliers, increased customer loyalty, competitive advantages, and lower insurance premiums |
| Are Internal control cost or benefits easy to measure? | Cost |
| What is a general authorization? | mgt authorizes employees to handle routine transaction without special approval |
| What is special authorization? | for activities or transactions that are of significant consequences, mgt review and approvals are required. (might apply to sales, capital expenditures, or write-offs of a particular dollar amount |
| What are the three things that should be separate for segregation of accounting duties? | Authorization, Recording and Custody |
| What are control activities? | policies and procedures that provide reasonable assurance that control objectives are met and risk responses are carried out. |
| Who is responsible to make sure control procedures are carried out? | Information security officer and the operations staff |
| What are some reasons that control activities should be in place before the holidays? | extended employee vaca (means that there are fewer ppl to mind the store), students are out of school and have more time on their hands, and lonely counterculture hackers increase their attacks |
| What categories do control procedures fall into? | proper authorization of transaction & activities, segregation of duties, project development & acquisition controls, change mgt controls, design & use of documents & records, safeguarding assets, records, & data, and independent checks on performance |
| What is collusion? | cooperation between two or more people in an effort to thwart internal controls |
| Authority and responsibility should be divided clearly among what 10 functions? (def. on pg198) | systems admin, network mgt, security mgt, change mgt, users, system analysis, programming, computer operations, information system library, data control |
| COSO and COSOERM both address?? | general internal control |
| COBIT addresses? | information technology internal control |
| According to COBIT what are the 7 key criteria that information needs to be to provide it to management? | Effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability |
| What are the components of the trust service framework? | security, confidentiality, privacy, processing integrity, and availability |
| Trust Service Framework was developed by who? | AICPA and CICA (related to system reliability) |
| What does confidentiality deal with? | Confidentiality deals with information Our company wants to keep private about our company. (sensitive organizational info is protected from unauthorized disclosure |
| What is security? | access to the system and its data is controlled and restricted to legitimate users |
| What is privacy? | Privacy is information we store about others.(personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized discourse) |
| Processing Integrity? | (data are processed accurately, completely, in a timely manner, and only with proper authorization) |
| Availability? | the system and its information are available to meet operational and contractual obligations |
| What are the two fundamental information security concepts? | Security is a management issue, not a technology issue and defense-in-depth and the time-based model of information security |
| Who has responsibility for information security? | Management - which makes it a management issue NOT a technology issue |
| Management involvement is especially important in the what 4 planning stages of information security? | create and foster a pro-active "security-aware" culture, inventory and value the organizations information resources, assess risk and select a risk response, and develop and communicate security plans, policies and procedures |
| What are the final 2 roles management has in information security? | acquire and deploy information security technologies and products; monitor and evaluate the effectiveness of organizations information security program |
| What is the idea of defense-in-depth? | employ multiple layers of controls in order to avoid having a single point of failure |
| Defense-in-depth...what do you need to do to increase effectiveness? | use of over-lapping, complementary, and redundant controls increases overall effectiveness because if on control fails or get circumvented another may function as planned |
| Defense in depth usually involves what? | the use of a combination of preventive, detective and corrective controls |
| What is the goal of time-based model of security? | employ a combination of detective and corrective controls that identify an information security incident early enough to prevent the loss or compromise of information. |
| Time based model of security provides a means for management to...? | identify the most cost-effective approach to improving security by comparing the effect of additional investments in preventive detective or corrective controls. |
| What should the time based model be view as? | strategic tool (NOT a precise mathematical formula) |
| For tactile and daily mgt security most organization follow..? | the principle of defense in depth |
| What are the 6 steps to understanding targeted attacks? | conduct reconnaissance, attempt social engineering, scan and map the target, research, execute the attack and cover tracks |
| What are major types of preventive controls? | training, Authentication and authorization (user access controls), physical access controls, remote access controls/network access controls, device and software hardening controls AND Encryption |
| 4 types of detective controls? | log analysis, intrusion detection systems, security testing and audits and managerial reports |
| 3 types of corrective controls? | computer incident response teams, chief information security officer and patch management(updating to the newest version) |
| What is Authentication? | process of verifying the identity of the person or deice attempting to access the system |
| What are the 3 credentials for Authentication? | something they know(password, PIN), something they have (Smart card, ID badge), some physical characteristic(biometric identigier-finger prints, or voice) |
| What is Authorization Controls? | process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform. |
| What is hashing? | takes plain text of any length and transforms it into a short code called a Hash. can not take the characters and put it back to how it used to be originally |
| What is encryption? | we take regular text and turn it into Ciphertext |
| Why do people use hashing? | Point of hashing is to show that nothing in a document has been changed Used to verify that a message has not been changed |
| What will a digital signature use? | Will use encryption and hashing for a digital signature |
| What is log analysis? | process of examining logs to identify evidence of possible attacks. Logs form an audit trail. (Problem = a lot of data) |
| What does an intrusion detection system represent? | an attempt to automate part of the monitoring. (will look for known patterns) |
| What are managerial reports? | mgt can use COBIT to setup a report scorecard.1)Number of incidents with business impact 2) percentage of users who do not comply with password standards 3) % of cryptographic keys compromised and revoked |
| What are COBIT's key performance indicators? | number of incidents with business impact and percent of users that do not comply with password standards |
| Security Testing should be tested how often and approaches? | effectiveness should be tested periodically. One approach is vulnerability scan or security website |
| What are the three key components for corrective controls? | Establishment of a computer emergency response team, designations of a specific individual with organization-wide responsibility for security, and an organized patch management system |
| What is CERT? | Computer Emergency Response Team |
| What are the four steps of CIRT should lead the organization incident response process through? | Recognition a problem exist, containment of the problem, recovery, follow-up |
| Chief Security Officer (CSO) | Should be independent of our other IS functions and report to either the COO or CEO. Works with the person in charge of building security. Audit the CIO's security measures |
| Patch Management | large company the operating system gets an update”run the update & lets hope everything works” For companies vulnerabilities are published once month so each company can test updates for each part of their software. (known times a company is vulnerable) |
| What are script kiddies? | Script kiddies are people they may not be very good at hacking or may not know how to hack at all but know how to work the software |
| What is a border router? | connects and organizations information system to the internet. (sits on the outside of the organization.) |
| What is a firewall? | Behind the border router. Special-purpose hardware device or software running on a general-purpose computer. can be hardware or software – if we set up a firewall we can allow computers to get out and see certain information (firewall is like a filter) |
| What is demilitarized zone (DMZ)? | separate network that permits controlled access from the internet to selected resources, such as the organizations e-commerce web server. (it is something that is outside the network ) |
| What do the border router and the firewall act as? | filters to control which information is allowed to enter and leave the organizations information system |
| What is Computer incident response team (CIRT)? (also known as computer emergency response team) | responsible for dealing with major incidents. |
Created by:
dutchanator
Popular Accounting sets