AIS_E3

Accounting Information Systems

| Question | Answer |
|---|---|
| Define Internal Control | Process implemented by the board of directors, management and those under their direction to provide reasonable assurance that certain control objectives are achieved |
| What are the 4 control objectives that need to be achieved for internal control? | Assets are safeguarded, records are maintained in sufficient detail to accurately and fairly reflect company assets, accurate and reliable information is provided, reasonable assurance financial reports are prepared in accordance with GAAP |
| What are the 3 control objectives that need to be achieved for internal control? | Operational efficiency is promoted and improved, adherence to prescribed managerial policies is encouraged, organization complies with applicable laws and regulations |
| Define "Assets are safeguarded" | It includes data. Objective includes prevention or timely detection of unauthorized acquisition, use, or disposal of material company assets. |
| What are the 3 important functions of internal controls? | Preventive Controls, Detective Controls, Corrective Controls |
| Define Preventive Controls | deter problems before they arise |
| Define Detective Controls | discover problems that are not prevented |
| Define Corrective Controls | identify and correct problems as well as correct and recover from the resulting errors |
| What are the two categories internal controls are segregated into? | General Controls and Application Controls |
| Define General Controls | make sure an organization's control environment is stable and well managed |
| Define Application Controls | make sure transactions are processed correctly. They are concerned with the accuracy, completeness, validity, and authorization of data captured, entered, processed, stored, transmitted to other systems and reported |
| Define what "promote and improve operational efficiency" is | the objective is to ensure that company receipts and expenditures are made in accordance with management and directors' authorization |
| What is the Foreign Corrupt Practices Act (FCPA)? | prevent companies from bribing foreign officials to obtain business. A significant effect was to require corporations to maintain good internal accounting controls |
| What is the Sarbanes-Oxley Act of 2002 (SOX)? | designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives that perpetrate fraud |
| Who does SOX apply to? | Applies to publicly held companies and their auditors. Idea behind these rules was to make the auditors more independent from the companies they are auditing |
| What are the two things under SOX? | Public Company Accounting Oversight Board (PCAOB) and New Auditing Rules - partners must rotate and are prohibited from performing certain non-audit services |
| What is the huge change of SOX and what do they have to be a part of? | They have to have one member be a financial expert. Oversees External auditors and be part of the board of directors |
| What does COBIT stand for? | Control Objectives for Information and related technology - business objectives, IT resources and processes (make sure they fit the business objective) |
| What does COSO stand for? | Committee of Sponsoring Organizations. (Internal controls) |
| What types of Internal Controls does COSO have? | Control Environment, Control activities, Risk Assessment, Information and Communication and monitoring |
| What is Enterprise Risk Management Model made up of? | Control vs. Risk: COSO elements, setting objectives, event objectives (risk based), risk assessment (risk based). Also reduced, accepted, shared, avoided <-- risk based |
| What are the three vantage points of control frameworks? (COBIT) | business objectives, IT Resources, IT Processes |
| What do you need to do to satisfy business objective for control frameworks? (COBIT) | information must conform to certain criteria referred to as "Business requirements for information" |
| What is the criteria business objectives must meet? | Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance with legal requirements, reliability |
| What do IT resources include? | People, technology, data, application systems, facilities |
| What are the 4 domains of IT Processes? | Planning and Organization, Acquisition and Implementation, Delivery and Support, Monitoring (figure out the best things that need to happen) |
| What did COSO issue? | Internal Control Integrated Framework (1992) - defines internal controls, provides guidance, widely accepted as the authority of internal controls, used to control business activities |
| What are the five crucial components of COSO? | Control Environment, Control Activities, Risk Assessment, Information and Communication, Monitoring |
| What is the big difference between COSO and COSO/ERM? | How we deal with risk |
| What is ERM's process? | the process the board of directors and mgt use to set strategy, identify events that may affect the entity, assess and manage risk and provide reasonable assurance that the company achieves its objectives and goals |
| What are the basic principles of ERM? | Companies are formed to create value for their owners, mgt must decide how much uncertainty it will accept, uncertainty results in risk, uncertainty results in opportunity, and ERM framework can manage uncertainty as well as create and preserve value |
| What four objectives must mgt meet to achieve company goals? (ERM) | Strategic, Operations, Reporting, and Compliance |
| What are the company units? (ERM) | Subsidiary, Business Unit, Division, and Entity-level |
| What are the 8 interrelated risk and control components of ERM? | Environmental Control, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and communication, and monitoring |
| What framework is required by SOX? | The IC Framework (internal control) - has been widely adopted as the way to evaluate internal controls (provides little context for evaluating the results) |
| What is internal environment? | influences how organizations establish strategies and objectives; structure business activities; and identify, assess and respond to risk. (IT IS the foundation for all other ERM components) - essentially the same as the control environment IC framework |
| What does an internal environment consist of? | Mgt's philosophy, operating style, risk appetite, board of directors, commitment to integrity, ethical values, competence, organizational structure, methods of assigning authority & responsibility, human resource standards, and external influences |
| What are the four categories of objective setting? | Strategic Objectives, Operations Objectives, Reporting Objectives, and Compliance Objectives |
| How does COSO define an Event? | An incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives. Events may have positive or negative impacts or both. |
| What does an event represent? | Uncertainty, it may or may not occur, if it does it is hard to know when. Until it occurs it is hard to know its impact. When it occurs it may trigger another event |
| Events may occur individually or concurrently | TRUE! |
| What techniques do companies use to identify events? | comprehensive list of potential events, performing an internal analysis, monitoring leading events and trigger points, conducting workshops and interviews, using data mining, and analyzing business processes. |
| What does inherent risk mean? | there is a risk before we have any controls or procedures in place to stop that risk. |
| What are the two types of risk? (COSO - Risk Assessment) | Inherent risk and residual risk |
| What is residual risk? (Risk Assessment) | If we put controls in place and then measure the risk we then get what is known as residual risk. (risk that remains after controls are put in place) |
| What are the 4 ways mgt can respond to risk? (Risk Response) | Reduce, Accept, Share, Avoid |
| What should companies do about risk? | assess inherent risk, develop a response, then assess residual risk |
| What control is superior to detective controls? | Preventive Controls |
| What happens when preventive controls fail? | detective controls are essential for discovering the problem |
| What should a good internal control system employ/implement? | Preventive Controls, Detective Controls, and Corrective Controls |
| The benefits of an internal control procedure must exceed its costs | TRUE |
| What are the potential benefits of internal controls? | they can be hard to quantify - increased sales and productivity, reduced losses, better integration with customers and suppliers, increased customer loyalty, competitive advantages, and lower insurance premiums |
| Are internal control costs or benefits easy to measure? | Cost |
| What is a general authorization? | mgt authorizes employees to handle routine transactions without special approval |
| What is special authorization? | for activities or transactions that are of significant consequence, mgt review and approvals are required. (might apply to sales, capital expenditures, or write-offs of a particular dollar amount) |
| What are the three things that should be separate for segregation of accounting duties? | Authorization, Recording and Custody |
| What are control activities? | policies and procedures that provide reasonable assurance that control objectives are met and risk responses are carried out. |
| Who is responsible to make sure control procedures are carried out? | Information security officer and the operations staff |
| What are some reasons that control activities should be in place before the holidays? | extended employee vaca (means that there are fewer ppl to mind the store), students are out of school and have more time on their hands, and lonely counterculture hackers increase their attacks |
| What categories do control procedures fall into? | proper authorization of transaction & activities, segregation of duties, project development & acquisition controls, change mgt controls, design & use of documents & records, safeguarding assets, records, & data, and independent checks on performance |
| What is collusion? | cooperation between two or more people in an effort to thwart internal controls |
| Authority and responsibility should be divided clearly among what 10 functions? (def. on pg198) | systems admin, network mgt, security mgt, change mgt, users, system analysis, programming, computer operations, information system library, data control |
| COSO and COSO ERM both address? | general internal control |
| COBIT addresses? | information technology internal control |
| According to COBIT what are the 7 key criteria that information needs to be to provide it to management? | Effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability |
| What are the components of the trust service framework? | security, confidentiality, privacy, processing integrity, and availability |
| Trust Service Framework was developed by who? | AICPA and CICA (related to system reliability) |
| What does confidentiality deal with? | Confidentiality deals with information our company wants to keep private about our company. (sensitive organizational info is protected from unauthorized disclosure) |
| What is security? | access to the system and its data is controlled and restricted to legitimate users |
| What is privacy? | Privacy is information we store about others. (personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure) |
| Processing Integrity? | (data are processed accurately, completely, in a timely manner, and only with proper authorization) |
| Availability? | the system and its information are available to meet operational and contractual obligations |
| What are the two fundamental information security concepts? | Security is a management issue, not a technology issue; and defense-in-depth and the time-based model of information security |
| Who has responsibility for information security? | Management - which makes it a management issue NOT a technology issue |
| Management involvement is especially important in what 4 planning stages of information security? | create and foster a pro-active "security-aware" culture, inventory and value the organization's information resources, assess risk and select a risk response, and develop and communicate security plans, policies and procedures |
| What are the final 2 roles management has in information security? | acquire and deploy information security technologies and products; monitor and evaluate the effectiveness of the organization's information security program |
| What is the idea of defense-in-depth? | employ multiple layers of controls in order to avoid having a single point of failure |
| Defense-in-depth...what do you need to do to increase effectiveness? | use of overlapping, complementary, and redundant controls increases overall effectiveness because if one control fails or gets circumvented another may function as planned |
| Defense in depth usually involves what? | the use of a combination of preventive, detective and corrective controls |
| What is the goal of time-based model of security? | employ a combination of detective and corrective controls that identify an information security incident early enough to prevent the loss or compromise of information. |
| Time based model of security provides a means for management to...? | identify the most cost-effective approach to improving security by comparing the effect of additional investments in preventive, detective or corrective controls. |
| What should the time based model be viewed as? | strategic tool (NOT a precise mathematical formula) |
| For tactical and daily mgt security most organizations follow..? | the principle of defense in depth |
| What are the 6 steps to understanding targeted attacks? | conduct reconnaissance, attempt social engineering, scan and map the target, research, execute the attack and cover tracks |
| What are major types of preventive controls? | training, Authentication and authorization (user access controls), physical access controls, remote access controls/network access controls, device and software hardening controls AND Encryption |
| 4 types of detective controls? | log analysis, intrusion detection systems, security testing and audits and managerial reports |
| 3 types of corrective controls? | computer incident response teams, chief information security officer and patch management (updating to the newest version) |
| What is Authentication? | process of verifying the identity of the person or device attempting to access the system |
| What are the 3 credentials for Authentication? | something they know (password, PIN), something they have (Smart card, ID badge), some physical characteristic (biometric identifier - fingerprints, or voice) |
| What is Authorization Controls? | process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform. |
| What is hashing? | takes plain text of any length and transforms it into a short code called a Hash. Cannot take the characters and put it back to how it used to be originally |
| What is encryption? | we take regular text and turn it into Ciphertext |
| Why do people use hashing? | Point of hashing is to show that nothing in a document has been changed. Used to verify that a message has not been changed |
| What will a digital signature use? | Will use encryption and hashing for a digital signature |
| What is log analysis? | process of examining logs to identify evidence of possible attacks. Logs form an audit trail. (Problem = a lot of data) |
| What does an intrusion detection system represent? | an attempt to automate part of the monitoring. (will look for known patterns) |
| What are managerial reports? | mgt can use COBIT to set up a report scorecard. 1) Number of incidents with business impact 2) percentage of users who do not comply with password standards 3) % of cryptographic keys compromised and revoked |
| What are COBIT's key performance indicators? | number of incidents with business impact and percent of users that do not comply with password standards |
| Security Testing should be tested how often and approaches? | effectiveness should be tested periodically. One approach is vulnerability scan or security website |
| What are the three key components for corrective controls? | Establishment of a computer emergency response team, designation of a specific individual with organization-wide responsibility for security, and an organized patch management system |
| What is CERT? | Computer Emergency Response Team |
| What are the four steps the CIRT should lead the organization's incident response process through? | Recognition that a problem exists, containment of the problem, recovery, follow-up |
| Chief Security Officer (CSO) | Should be independent of our other IS functions and report to either the COO or CEO. Works with the person in charge of building security. Audit the CIO's security measures |
| Patch Management | large company the operating system gets an update "run the update & let's hope everything works". For companies vulnerabilities are published once a month so each company can test updates for each part of their software. (known times a company is vulnerable) |
| What are script kiddies? | Script kiddies are people who may not be very good at hacking or may not know how to hack at all but know how to work the software |
| What is a border router? | connects an organization's information system to the internet. (sits on the outside of the organization.) |
| What is a firewall? | Behind the border router. Special-purpose hardware device or software running on a general-purpose computer. Can be hardware or software – if we set up a firewall we can allow computers to get out and see certain information (firewall is like a filter) |
| What is demilitarized zone (DMZ)? | separate network that permits controlled access from the internet to selected resources, such as the organization's e-commerce web server. (it is something that is outside the network) |
| What do the border router and the firewall act as? | filters to control which information is allowed to enter and leave the organization's information system |
| What is Computer incident response team (CIRT)? | (also known as computer emergency response team) responsible for dealing with major incidents. |

Created by: dutchanator