AIS Test 2 Flashcards
Sabotage
Intentional act where the intent is to destroy a system or some of its components.
Cookie
Text file created by a website and stored on a visitor’s hard drive. Cookies store information about who the user is and what the user has done on the site.
Fraud
Any and all means a person uses to gain an unfair advantage over another person.
White-Collar Criminals
Typically, business people who commit fraud. White-collar criminals usually resort to trickery or cunning, and their crimes usually involve a violation of trust or confidence.
Corruption
Dishonest conduct by those in power which often involves actions that are illegitimate, immoral, or incompatible with ethical standards. Examples include bribery and bid rigging.
Investment Fraud
Misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little or no risk. Examples include Ponzi schemes and securities fraud.
Misappropriation of Assets
Theft of company assets by employees.
Fraudulent Financial Reporting
Intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.
Pressure
Person’s incentive or motivation for committing fraud.
Opportunity
Condition or situation that allows a person or organization to commit and conceal a dishonest act and convert it to personal gain.
Lapping
Concealing the theft of cash by means of a series of delays in posting collections to accounts receivable.
Check Kiting
Creating cash using the lag between the time a check is deposited and the time it clears the bank.
Rationalization
Excuse that fraud perpetrators use to justify their illegal behavior.
Computer Fraud
Any type of fraud that requires computer technology to perpetrate.
Time-Based Model of Security
Implementing a combination of preventive, detective, and corrective controls that protect information assets long enough to enable an organization to recognize that an attack is occurring and take steps to thwart it before any information is lost or compromised.
Defense-In-Depth
Employing multiple layers of controls to avoid a single point-of-failure.
Social Engineering
Using deception to obtain unauthorized access to information resources.
Authentication
Verifying the identity of the person or device attempting to access the system.
Biometric Identifier
A physical or behavioral characteristic that is used as an authentication credential.
Multifactor Authentication
Use of two or more types of authentication credentials in conjunction to achieve a greater level of security.
Multimodal Authentication
Use of multiple authentication credentials of the same type to achieve a greater level of security.
Authorization
Process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform.
Access Control Matrix
Table used to implement authorization controls.
Compatibility Test
Matching the user’s authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action.
Penetration Test
Authorized attempt to break into the organization’s information system.
Change Control and Change Management
Formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability.
Border Router
Device that connects an organization’s information system to the internet.
Firewall
Special-purpose hardware device or software running on a general-purpose computer that controls both inbound and outbound communication between the system behind the firewall and other networks.
Demilitarized Zone (DMZ)
Separate network located outside the organization’s internal information system that permits controlled access from the internet.
Routers
Special purpose devices that are designed to read the source and destination address fields in IP packet headers to decide where to send (route) the packet next.
Access Control List (ACL)
Set of IF-THEN rules used to determine what to do with arriving packets.
Packet Filtering
Process that uses various fields in a packet’s IP and TCP headers to decide what to do with the packet.
Deep Packet Inspection
Process that examines the data in the body of a TCP packet to control traffic, rather than looking only at the information in the IP and TCP headers.
Intrusion Prevention Systems (IPS)
Software or hardware that monitors patterns in the traffic flow to identify and automatically block attacks.
Endpoints
Collective term for the workstations, servers, printers, and other devices that comprise an organization’s network.
Vulnerabilities
Flaws in programs that can be exploited to either crash the system or take control of it.
Vulnerability Scanners
Automated tools designed to identify whether a given system possesses any unused and unnecessary programs that represent potential security threats.
Exploit
Program designed to take advantage of a known vulnerability.
Patch
Code released by software developers that fixes a particular vulnerability.
Patch Management
Process of regularly applying patches and updates to software.
Hardening
Process of modifying the default configuration of endpoints to eliminate unnecessary settings and services.
Log Analysis
Process of examining logs to identify evidence of possible attacks.
Intrusion Detection Systems (IDS)
System that creates logs of all network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions.
Computer Incident Response Team (CIRT)
Team that is responsible for dealing with major security incidents.
Virtualization
Running multiple systems simultaneously on one physical computer.
Cloud Computing
Using a browser to remotely access software, data storage, hardware, and applications.
Threat/Event
Any potential adverse occurrence or unwanted event that could injure the AIS or the organization.
Exposure/Impact
Potential dollar loss should a particular threat become a reality.
Likelihood/Risk
Probability that a threat will come to pass.
Internal Controls
Processes and procedures implemented to provide reasonable assurance that control objectives are met.
Preventive Controls
Controls that deter problems before they arise.
Detective Controls
Controls designed to discover control problems that were not prevented.
Corrective Controls
Controls that identify and correct problems as well as correct and recover from the resulting errors.
General Controls
Controls designed to make sure an organization’s information system and control environment is stable and well managed.
Application Controls
Controls that prevent, detect, and correct transaction errors and fraud in application programs.
Belief System
System that describes how a company creates value, helps employees understand management’s vision, communicates company core values, and inspires employees to live by those values.
Boundary System
System that helps employees act ethically by setting boundaries on employee behavior.
Diagnostic Control System
System that measures, monitors, and compares actual company progress to budgets and performance goals.
Interactive Control System
System that helps managers to focus subordinates’ attention on key strategic issues and to be more involved in their decisions.
Foreign Corrupt Practices Act (FCPA)
Legislation passed to prevent companies from bribing foreign officials to obtain business; also requires all publicly owned corporations maintain a system of internal accounting controls.
Sarbanes-Oxley Act (SOX)
Legislation intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen internal controls at public companies, and punish executives who perpetrate fraud.
Public Company Accounting Oversight Board (PCAOB)
Board created as part of SOX that regulates the auditing profession.
Control Objectives for Information and Related Technology (COBIT)
Security and control framework that allows (1) management to benchmark the security and control practices of IT environments, (2) users of IT services to be assured that adequate security and control exist, and (3) auditors to substantiate their internal control opinions and advise on IT security and control matters.
Committee of Sponsoring Organizations (COSO)
Private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.
Internal Control - Integrated Framework (IC)
A COSO framework that defines internal controls and provides guidance for evaluating and enhancing internal control systems.
Enterprise Risk Management - Integrated Framework (ERM)
A COSO framework that improves the risk management process by expanding COSO’s Internal Control - Integrated Framework (it adds three additional elements).
Internal Environment
Company culture that is the foundation for all other ERM components, as it influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk.
Risk Appetite
Amount of risk a company is willing to accept to achieve its goals and objectives. To avoid undue risk, risk appetite must be in alignment with company strategy.
Audit Committee
Outside, independent board of director members responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors.
Policy and Procedures Manual
Document that explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties.
Background Check
An investigation of a prospective or current employee that involves verifying their education and work experience, talking to references, checking for a criminal record or credit problems, and examining other publicly available information.
Strategic Objectives
High-level goals that are aligned with and support the company’s mission and create shareholder value.
Operations Objectives
Objectives that deal with the effectiveness and efficiency of company operations and determine how to allocate resources.
Reporting Objectives
Objectives to help ensure the accuracy, completeness, and reliability of company reports; improve decision making; and monitor company activities and performance.
Compliance Objectives
Objectives to help the company comply with all applicable laws and regulations.
Event
Positive or negative incident or occurrence from internal or external sources that affects the implementation of strategy or the achievement of objectives.
Inherent Risk
Susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control.
Residual Risk
Risk that remains after management implements internal controls or some other response to risk.
Expected Loss
The mathematical product of the potential dollar loss that would occur should a threat become a reality (called impact or exposure) and the risk or probability that the threat will occur (called likelihood).
Control Activities
Policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out.
Authorization
Establishing policies for employees to follow and then empowering them to perform certain organizational functions. Authorizations are often documented by signing, initialing, or entering an authorization code on a document or record.
Digital Signature
Means of electronically signing a document with data that cannot be forged.
Specific Authorization
Special approval an employee needs in order to be allowed to handle a transaction.
General Authorization
The authorization given to employees to handle routine transactions without special approval.
Segregation of Accounting Duties
Separating the accounting functions of authorization, custody, and recording to minimize an employee’s ability to commit fraud.
Collusion
Cooperation between two or more people in an effort to thwart internal controls.
Segregation of System Duties
Implementing control procedures to clearly divide authority and responsibility within the information system function.
System Administrator
Person responsible for making sure a system operates smoothly and efficiently.
Network Manager
Person who ensures that the organization’s networks operate properly.
Security Management
People that make sure systems are secure and protected from internal and external threats.
Change Management
Process of making sure changes are made smoothly and efficiently and do not negatively affect the system.
Users
People who record transactions, authorize data processing, and use system output.
Systems Analysts
People who help users determine their information needs and design systems to meet those needs.
Programmers
People who use the analysts’ design to create and test computer programs.
Computer Operators
People who operate the company’s computers.
Information System Library
Corporate databases, files, and programs stored and managed by the system librarian.
Data Control Group
People who ensure that source data is approved, monitor the flow of work, reconcile input and output, handle input errors, and distribute systems output.
Steering Committee
An executive-level committee that plans and oversees the information systems function.
Strategic Master Plan
Multiple-year plan of the projects the company must complete to achieve its long-range goals.
Project Development Plan
Document that shows how a project will be completed.
Project Milestones
Points where progress is reviewed and actual and estimated completion times are compared.
Data Processing Schedule
Schedule that shows when each data processing task should be performed.
System Performance Measurements
Ways to evaluate and assess a system.
Throughput
Amount of work performed by a system during a given period of time.
Utilization
Percentage of time a system is used.
Response Time
How long it takes for a system to respond.
Postimplementation Review
Review, performed after a new system has been operating for a brief period, to ensure that it meets its planned objectives.
Systems Integrator
An outside party hired to manage a company’s systems development effort.
Analytical Review
Examination of the relationships between different sets of data. Abnormal or unusual relationships and trends are investigated.
Audit Trail
Path that allows a transaction to be traced through a data processing system from point of origin to output or backward from output to point of origin.
Computer Security Officer (CSO)
An employee independent of the information system function who monitors the system, disseminates information about improper system uses and their consequences, and reports to top management.
Chief Compliance Officer (CCO)
Employee responsible for all the compliance tasks associated with SOX and other laws and regulatory rulings.
Forensic Investigators
Individuals who specialize in fraud, most of whom have specialized training with law enforcement agencies such as the FBI or IRS or have professional certifications such as Certified Fraud Examiner (CFE).
Computer Forensics Specialists
Computer experts who discover, extract, safeguard, and document computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges.
Neural Networks
Computing systems that imitate the brain’s learning process by using a network of interconnected processors that perform multiple operations simultaneously and interact dynamically.
Fraud Hotline
Phone number employees can call to anonymously report fraud and abuse.
Auditing
Objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria.
Internal Auditing
Assurance and consulting activity designed to add value, improve organizational effectiveness and efficiency, and accomplish organization objectives.
Financial Audit
Examination of the reliability and integrity of financial transactions, accounting records, and financial statements.
Information Systems (Internal Control) Audit
Examination of the general and application controls of an IS to assess its compliance with internal control policies and procedures and its effectiveness in safeguarding assets.
Operational Audit
Examination of the economical and efficient use of resources and the accomplishment of established goals and objectives.
Compliance Audit
Examination of organizational compliance with applicable laws, regulations, policies, and procedures.
Investigative Audit
Examination of incidents of possible fraud, misappropriation of assets, waste and abuse, or improper governmental activities.
Inherent Risk
Susceptibility to significant control problems in the absence of internal control.
Control Risk
Risk that a material misstatement will get through the internal control structure and into the financial statements.
Detection Risk
Risk that auditors and their audit procedures will fail to detect a material error or misstatement.
Confirmation
Written communication with independent third parties to confirm the accuracy of information, such as customer account balances.
Reperformance
Performing calculations again to verify quantitative information.
Vouching
Comparing accounting journal and ledger entries with documentary evidence to verify that a transaction is valid, accurate, properly authorized, and correctly recorded.
Materiality
Amount of an error, fraud, or omission that would affect the decision of a prudent user of financial information.
Reasonable Assurance
Obtaining complete assurance that information is correct is prohibitively expensive, so auditors accept a reasonable degree of risk that the audit conclusion is incorrect.
Systems Review
Internal control evaluation step that determines if necessary control procedures are actually in place.
Tests of Controls
Tests to determine whether existing controls work as intended.
Compensating Controls
Control procedures that compensate for the deficiency in other controls.