ACC 321 Flashcards
Value system level model
Vendors, distributors, retailers, customers (supply chain partners)
Value chain model
Processes and their systems within a company
REA Model (business process model)
REA model for sub-system
Flowchart (task level model)
Specific tasks performed by specific individuals within sub-systems
Business process
A set of activities that takes one or more inputs and creates an output that is of value to the customer
Value chain
Is a purposeful network of business processes that assemble the individual components into a final product that has value to the customer
Core business processes
Revenue cycle, expenditure cycle, production cycle, payroll cycle, financing cycle
Four major steps in data processing
Data input, data storage, data processing, info output
Master file
Stores cumulative info about an organization's entities
Transaction file
Contains records of individual events that occur during a fiscal period
Three main types of outputs
Documents, reports, queries
Documents
Records of transactions or other company data printed or stored
Reports
Documents that are used by employees to control operational activities and make decisions
Queries
User request for specific pieces of information
Different types of business enterprise risk
Economy, industry, enterprise, business process, accounting info system
Economic risk
Industry, economy, competitor, legal, regulatory, change, treasury, credit, trading
Industry risk
Competitive, customers needs/wants, revolutionary product development
Enterprise risk
Reputation, strategic focus, parent company support, patent protection, employee turnover, training
Operational risk
Operational and compliance
Accounting information system risks
Financial, operational, and technology
Enterprise risk management
Identifying, assessing and mitigating risks for better business performance
SAS #99
Auditor's responsibility to detect fraud
SOX
CEO and CFO must certify quarterly and annual financial statements. Must have an internal control report
The fraud triangle
Three conditions that are present when fraud occurs. Pressure, opportunity, and rationalization
Fraud tree
Corruption, asset misappropriation, and financial statement fraud
Frequency of fraud
Asset misappropriation happens the most, then corruption, then financial statement fraud
Financial loss associated with fraud
Financial statement fraud highest, then corruption, then asset misappropriation
Initial detection of fraud
A tip is the most common way fraud is found out
Three objectives of COSO
Operations, reporting, and compliance
Four company units of COSO
Entity, division, operating unit, function
Five risk and control components
Control environment, risk assessment, control activities, info and communication, monitoring activities
Control environment
Demonstrates commitment to integrity and ethical values, exercises oversight responsibility, establishes structure, authority and responsibility, demonstrates commitment to competence, enforces accountability
Risk assessment
Specifies relevant objectives, identifies and analyzes risk, assesses fraud risk, identifies and analyzes significant change
Likelihood
The probability that the threat will occur
Exposure (impact)
The potential dollar loss
What happens if either likelihood or impact increases?
The materiality of the event and the need to protect against it rises
Four risk responses
Reduce, avoid, share, accept
Reduce
Implement an effective system of internal controls
Avoid
Do not engage in any activities that produce risk
Share
Transfer some of the risk to others via insurance
Accept
Do not avoid, reduce, or share
Inherent risk
The risk that exists before management takes any response
Residual risk
The risk that remains after management implements internal controls or some other risk response
Control activities
Selects and develops control activities, selects and develops general controls over technology, develops through policies and procedures
Information and communication
Uses relevant info, communicates internally, communicates externally
Monitoring
Conducts ongoing and separate evaluations, evaluates and communicates deficiencies. Must be monitored on an ongoing basis and changed when needed
Cybersecurity Information Sharing Act of 2015
Companies must let everyone know when there has been a breach
Organized crime motive
Immediate financial gain, collect info for future gain
Organized crime target
Financial payments, PII and PHI, payment cards
Organized crime impact
Costly regulatory penalties, lawsuits, loss of customer confidence
Nation state motive
Economic, political and military advantage
Nation state target
Trade secrets, sensitive business info, emerging tech, critical infrastructure
Nation state impact
Loss of competitive advantage, disruption of critical infrastructure
Insiders motive
Personal advantage or monetary gain, professional revenge, and patriotism
Insider target
Sales deals, market strategies, corporate secrets, IP and R&D, business operations, and personal info
Insiders impact
Trade secret disclosure, operational disruption, brand and reputation, and national security impact
Hacktivist motive
Influence political or social change, pressure business to change its practices
Hacktivist target
Corporate secrets, sensitive business info, info related to key executives, employees, customers and partners
Hacktivist impact
Disruption of business activities, brand and reputation, and loss of customer confidence
Unsophisticated attackers
You are attacked because you are on the internet and have a vulnerability
Sophisticated attackers
You are hacked because you are on the internet and have info of value
Corporate espionage
Your current or former employee seeks financial gain from selling your IP
State sponsored attacks
You are targeted because of who you are, what you do, or the value of your IP
What can I do to protect myself?
Protect credentials, be aware of social engineering, have a security defense
Security defense
First line: management; second line: risk management; third line: internal audit
Database forms
Input data
Database reports
Output of database queries
What makes up an enterprise
Personnel, R&D, sales, production, services, accounting
Tier 1: client computer
Includes an interface that permits data entry and retrieval
Tier 2: application server
Consisting of specialized computers that store application software programs
Tier 3: database
Consisting of a large centralized relational database and RDBMS
Five categories of control activities
Approval or authorization, design and use of documents and records, safeguarding of assets, records and data, independent checks on performance, segregation of duties
Internal controls perform three important functions
Preventive controls, detective controls, corrective controls
Three functions that need to be separated to achieve separation of duties
Custodial functions, recording functions, and authorization functions
Information security
Policies and procedures to secure info assets, including IT hardware, software and stored data
Information risk management
Managing risk related to information assets and IT
COBIT
Private model of choice to sufficiently demonstrate IT controls
COBIT controls
IT delivery must enable the organization to achieve its objectives, promotes process focus and process ownership, looks at fiduciary, quality and security needs of enterprises, 7 info criteria to define business requirements
COBIT information criteria
Quality, fiduciary, security
COBIT IT processes
Domains, processes, and activities
COBIT IT resources
People, application systems, technology, facilities, data
IT architecture
Consists of architecture for computers, networks and databases
Access control
For a user to be allowed access to a secured system, the user should be identified, authenticated, and then authorized to access the system
Operations security
Activities and procedures required to keep information technology running securely
Cryptography
Is the encoding of data in a form that only the sender and intended receiver can understand
Encryption
Is the method of converting plaintext data into an unreadable form called ciphertext
Ciphertext
Is converted back into plaintext using decryption
Sales order entry
All the activities involved in soliciting and processing customer orders
DFD squares
People, companies, business functions
DFD circles
Processes
DFD rectangles
Database
DFD arrows
How information flows
DFD words on arrows
Documents
Picking list
A document that authorizes the warehouse to release merchandise to the shipping department
Outputs of the sales process
Bad debt report, cash receipts forecast, customer listing, sales analysis reports
Bill of lading
A document that acts as a legal contract defining responsibility of goods while they are in transit
Sales invoice
Notifies the customer of the amount to be paid and where to remit payment
Deposit slip
An itemized slip showing the exact amount of paper money, coin, and checks being deposited to an account
Sales returns
Authorizing, accepting, and providing credit for returned items
Three times account adjustments are made
Goods are returned, goods are damaged, accounts are uncollectible
Foreign key
Is the same field that links to a primary key in another table
REA
Economic resource, economic event, economic agent
Step 1 REA
Identify the economic exchange events: the pair of events that reflect the give-get in the cycle
Step 2 REA
Identify resources and agents. Identify the resources affected by each event and the agents who participate in those events
Every event must be linked to at least one
Resources
Every event must be linked to at least two
Participating agents
Commitment
Orders goods but has not paid and has not received goods. A promise to execute an economic event in the future
Step three REA
Cardinalities: determine for each relationship
Attributes
Contain information which is required to produce desired forms and reports
Association class
Used for many-to-many associations with attributes
Controls for incomplete or inaccurate customer orders
Threat in sales order entry. Completeness checks, auto lookup of data, reasonableness tests comparing to historical data
Controls for sales to customers with poor credit
Separation of duties, salespeople have read-only access to customer credit data, credit approved before selling inventory, accurate records of customer sales and limits
Controls for orders that aren't legitimate
Receipt of signed purchase order, digital signatures and certificates, controls with online transactions
Controls for stockouts, carrying cost, and markdowns
Accurate inventory control and forecasting, online inventory systems that allow recording of changes in real time, physical counts of inventory, review of sales forecast
Control for shipping errors
Use bar codes and RFID tags, field checks and completion checks, packing slip and bill of lading shouldn't be printed until shipment is verified
Controls for theft of inventory
Secure location with restricted access, RFID tags
Controls for failure to bill customers
Segregate shipping and billing functions and documents should be numbered in order
Controls for billing error
Computer retrieves prices from inventory master file, check quantities on packing slip against sales orders
Controls for theft of cash
Segregation of duties, minimal handling of money, remittance advice
Controls for loss, alteration or unauthorized disclosure of data
Everything backed up regularly, controls utilized, encryption