BEC 7 Flashcards
Types of Computer Systems
1. Transaction Processing System (TPS) - older 2. Management Reporting Systems - more recent
Management Information System (MIS)
- form of management reporting system - organized assembly of resources & procedures required to collect, process, & distribute data for use in the decision-making process
Decision Support System (DSS)
- form of management reporting system - INTERACTIVE system that provides the user with easy access to decision models & data, to support semi-structured decision-making tasks
Expert System
- form of management reporting system - A.I. development - has a built-in hierarchy of rules acquired from human experts in the field - given an input, the ES should be able to define the nature of the problem and provide recommendations to solve it
Executive Support Information System
- form of management reporting system - supports executive work: non-routine decisions, helps answer questions regarding competitors, ID new acquisitions
Analytical Processing System
- form of management reporting system - enables user to ask (query) the system, retrieve data, & conduct analysis
Systems Development Life Cycle Approach (SDLC) Steps
1. Feasibility Study 2. Requirements Definition 3. Software Selection & Acquisition (purchased) / Software Design (in-house) 4. Configuration (purchased) / Development (in-house) 5. Final Testing & Implementation 6. Post-Implementation 7. Maintenance Phase
Feasibility Study
- 1st Step of SDLC - determine strategic benefits of the system (gains or cost avoidance) - Estimate Payback schedule - Readiness of the organization’s users - maturity of the organization’s processes
Requirements Definition
- 2nd step of SDLC - define the problem/need that requires resolution - define the functional/qualitative requirements of the solution - whether built in-house or purchased, must follow a defined & documented acquisition process - users need to be actively involved
Software Selection & Acquisition or Software Design
- 3rd step of SDLC - Purchased: request for proposal; consider operational, support, & technical requirements, & financial viability (source-code escrow) - In-house: baseline, specifications, implementation with hardware/software, program/database specs, security considerations, formal control process
Configuration or Development
- 4th step of SDLC - Purchased: tailor the system to requirements (via settings, NOT coding); may need to build an interface for implementation with the existing system - In-house: program & develop supporting operational processes, testing to verify/validate, iterations of user acceptance testing
Final Testing & Implementation
- 5th step of SDLC - establish actual operation of the new system - final iteration of user acceptance & user sign-off - may go through a certification or accreditation process to assess the effectiveness of the business application in mitigating risk to an appropriate level - provides management accountability over the effectiveness of the system in meeting its goals - establish an appropriate level of internal control
Post Implementation
- 6th step of SDLC - formal process that assesses the adequacy of the system & projected cost-benefit or ROI measurements in relation to the feasibility stage (step 1) - provides lessons learned and/or plans for addressing system deficiencies - recommendations for future projects regarding the systems development & project management processes followed
Maintenance Phase
- 7th step of SDLC (not included in other interpretations) - monitoring & support of the new system - training, help desk resources, & a change-control process for the system (changes authorized & tested before release)
Transaction Processing System (TPS) 2 ways
1. Online Transaction Processing (OLTP) / Online Real-Time (OLRT) 2. Batch Processing
Online Transaction Processing
- database updated as soon as a transaction is received (immediate) - records are current as of the moment of keying/transmission - Issue: computers must be continually running & accessible at all points of transaction entry - good for retail businesses
Batch Processing
- gathering transactions & entering them in groups periodically - greater control over the input process (verify & authorize before input) - Problem: delay between transaction & input (accounting records may not accurately reflect current status)
Centralized vs Distributed Processing
- Centralized is 1 computer for whole firm that could be addressed by multiple people through remote terminals - Distributed is virtually 1 computer per employee at different locations (network used to connect)
LANs
- within a specific geographical area - each computer does its own processing & manages some of its own data - file server acts like a remote disk drive - good management control: access codes and passwords
WANs
- connects computers at different remote locations
VANs
- links the computer files of different companies together - increased security (prevents access to inappropriate data)
Problem with WLANs
- unauthorized access (both ENCRYPTION of data and PASSWORDS to connect are critical)
Bus (topology)
- common path in a communications network
Star (topology)
- there is one computer (central hub) to which all computers connect - all data is first received by the hub and then sent by the hub (email systems)
Ring (topology)
- each computer is connected to its 2 closest neighbors in a closed loop (each relays info) - traffic can flow in 2 directions so 1 interruption won't bring down the network
Tree (topology)
- groups of star-configured networks organized into branches with 1 computer at the base (root) - traffic within a branch doesn't have to go to the root computer - traffic to a different branch may have to pass through the root computer
Mesh (topology)
- many redundant interconnections between network nodes
Intranet
network limited to the computers of 1 company
Extranet
similar to intranet but select customers and vendors are able to participate as well
Client/Server Computing
networks in which one computer operates another - users of the client computer are able to access a server computer or even operate programs running on the server
Enterprise Resource Planning (ERP)
- packaged business software that allows an organization to automate & integrate the majority of its business practices, processes, and share common data across the entire organization - produce & access information in a real-time environment
Transmission Control Protocol and Internet Protocol
TCP/IP: communication protocol designed to network dissimilar systems
Electronic Data Interchange (EDI)
extranets set up as VANs to enable process of communication between suppliers & customers
EDI Special Considerations
1. Strict Standards (completeness & accuracy) 2. Translation Software (mapping) 3. Unauthorized Access (encryption, firewall, EFT concern)
Encryption
application control that makes stolen data unreadable to anyone who does not hold the decryption key
Advantages of EDI
- eliminates the need for human intervention - can be more efficient than other systems - when inventory is ordered at the reorder point, EDI eliminates gaps & shortens the cycle - payments are made & received automatically (reduces AR float)
Risks of E-Commerce
1. Confidentiality 2. Integrity 3. Availability (system failures) 4. Authentication & Non-repudiation 5. Power shift to customers
Controls for E Commerce
1. Security mechanisms & procedures 2. Firewalls 3. Process where participants are identified positively and uniquely 4. Routing verification procedures 5. Message acknowledgement procedures
Network Firewall
for company computers - easier & cheaper to set up - huge risk if penetrated
Application Firewall
- for individual program protection - also allows user authentication
List Computers (most to least in size)
1. Supercomputers 2. Mainframe Computers 3. Minicomputers 4. Microcomputers (PCs) 5. Personal Digital Assistants
Magnetic tape vs Magnetic disks
- Tape is used mainly for back up & only sequential access to data is possible - Disks: random access to data and used inside computers
System Software
run system and direct operations (OS & Utility applications)
Utility Programs
for sorts, merges, & other routine functions to maintain & improve efficiency of computer
Algorithms
instruction sets used in programs to define and control processes
Heuristic
software that can learn and modify its operation (e.g. spell checking)
Source Program
written in the language by the programmer
Object Program
form the machine understands (1s & 0s)
Compiler
converts source programs into machine language
Protocol
rules determine the required format & methods for transmission of data
A Query Program
application that counts, sums, & retrieves items from a database based on user criteria
Fourth Generation Programming Language (4GL)
- commonly used in the development of business applications - distinguished by their use of “natural language” commands making them self-documenting
2 Popular Programming Language
C++ & Java
Data Structure List
1. Bit 2. Byte 3. Character 4. Alphanumeric 5. Field 6. Record (Primary & Secondary) 7. File (Master & Detail) 8. Database 9. Table 10. Data Dictionary / Data Definition File (describes the data)
Database Management System (DBMS)
- software system that controls the organization, storage, & retrieval of data in a database - organized & efficient manner to track information - program & database should be independent of each other (multiple access & control access) - goal: data normalization
Data Mining
analysis of data which looks for trends or anomalies WITHOUT advanced knowledge of the meaning of data
Data Normalization
minimizes repetition & redundancy in the database (efficiency, & removes the danger of inconsistent data storage)
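Added example (not part of the original flashcards): the inconsistency that normalization removes, shown with Python's standard sqlite3 module. The table and column names and the sample orders are constructed for this illustration.

```python
# Added example (not from the original flashcards): the inconsistent-storage danger
# that normalization removes, demonstrated with sqlite3 (standard library).
# Table/column names and the sample rows below are assumptions for illustration.
import sqlite3

ORDERS = [  # constructed sample: (order_id, customer_name, customer_address, amount)
    (1, "Acme Co", "1 Main St", 100.0),
    (2, "Acme Co", "1 Main St", 250.0),
    (3, "Beta LLC", "9 Oak Ave", 75.0),
]


def addresses_after_move_unnormalized() -> list:
    """One wide table: the customer's address is repeated in every order row."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders(order_id INTEGER PRIMARY KEY, "
                "customer TEXT, address TEXT, amount REAL)")
    con.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", ORDERS)
    # The customer moves; a program updates only the row it happens to be working on.
    con.execute("UPDATE orders SET address = '2 New Rd' WHERE order_id = 1")
    rows = con.execute("SELECT DISTINCT address FROM orders "
                       "WHERE customer = 'Acme Co' ORDER BY address").fetchall()
    return [r[0] for r in rows]   # two different addresses for one customer


def build_normalized() -> sqlite3.Connection:
    """Normalized: the address is stored once; orders reference the customer by key."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.execute("CREATE TABLE customers(customer_id INTEGER PRIMARY KEY, "
                "name TEXT UNIQUE, address TEXT)")
    con.execute("CREATE TABLE orders(order_id INTEGER PRIMARY KEY, customer_id INTEGER "
                "NOT NULL REFERENCES customers(customer_id), amount REAL)")
    for name, address in sorted({(n, a) for _, n, a, _ in ORDERS}):
        con.execute("INSERT INTO customers(name, address) VALUES (?, ?)", (name, address))
    for order_id, name, _, amount in ORDERS:
        con.execute("INSERT INTO orders VALUES (?, "
                    "(SELECT customer_id FROM customers WHERE name = ?), ?)",
                    (order_id, name, amount))
    return con


def addresses_after_move_normalized() -> list:
    """The same move is a single update and every order sees the new address."""
    con = build_normalized()
    con.execute("UPDATE customers SET address = '2 New Rd' WHERE name = 'Acme Co'")
    rows = con.execute("SELECT DISTINCT c.address FROM orders o "
                       "JOIN customers c USING(customer_id) "
                       "WHERE c.name = 'Acme Co'").fetchall()
    return [r[0] for r in rows]   # exactly one address


def normalized_rejects_unknown_customer() -> bool:
    """With the foreign key enforced, an order for a customer that does not exist is refused."""
    con = build_normalized()
    try:
        con.execute("INSERT INTO orders VALUES (4, 999, 10.0)")
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    print("unnormalized:", addresses_after_move_unnormalized())
    print("normalized:  ", addresses_after_move_normalized())
    print("FK enforced: ", normalized_rejects_unknown_customer())
```

The unnormalized query returns two addresses for the same customer after a partial update; the normalized design returns one, and the foreign key also blocks orphan orders, which is the integrity side of the same control.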
Systems Analyst
- prepares specifications for application programmers - middle man between users and programmers - designs IS using flowcharts (documenting, procedures, isolate control weaknesses)
Application Programmers
- writes, tests, & debugs programs that will be used in the system - develops instructions for operators to follow
Database Administrator
- responsible for the security & information classification of shared data stored on the DB - design, definition, & maintenance of DB
Computer Operator
operates the computer in the data center - commands the OS, mounts disks/tapes, & places paper in the printer - may also write in JCL (Job Control Language)
Systems Programmer
Tech Support - updates and maintains the OS
Systems Development & Maintenance (Personnel)
1. Systems Analyst 2. Application Programmers 3. Database Administrator
Operations in an IT function (personnel)
Input: 1. Data Entry 2. Computer Operator - Output: 3. Data Control Clerk 4. Data Control Department 5. Librarians
Major Security Risk when an employee leaves a client
failure to remove user accounts
Parity Check
an odd-parity computer adds a parity (dummy) bit so the total # of bits ON in each byte is odd - on read, if odd = OK, if even = malfunction (a single flipped bit is caught; 2 flipped bits cancel out and go undetected)
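Added example (not part of the original flashcards): odd parity worked through in Python. It assumes the parity bit is stored as a ninth bit above the 8 data bits, and shows both the single-bit error the check catches and the double-bit error it misses.

```python
# Added example (not from the original flashcards): odd parity over an 8-bit byte.
# Assumption: the parity bit is carried as bit 8, above the data byte.

def ones_count(value: int) -> int:
    """Number of bits that are ON."""
    return bin(value).count("1")


def odd_parity_bit(byte: int) -> int:
    """Parity bit that makes the total number of ON bits (data + parity) odd."""
    if not 0 <= byte <= 0xFF:
        raise ValueError("byte out of range")
    return 0 if ones_count(byte) % 2 == 1 else 1


def encode(byte: int) -> int:
    """Attach the parity bit as bit 8: the 9-bit word that is stored/transmitted."""
    return (odd_parity_bit(byte) << 8) | byte


def parity_ok(word: int) -> bool:
    """The rule from the card: odd count of ON bits = OK, even = malfunction."""
    return ones_count(word & 0x1FF) % 2 == 1


def flip_bits(word: int, *positions: int) -> int:
    """Simulate corruption of the given bit positions."""
    for p in positions:
        word ^= 1 << p
    return word


def demo() -> tuple:
    """(clean word OK?, single-bit error OK?, double-bit error OK?)"""
    data = 0b01100001                 # 'a': three ON bits, so parity bit = 0
    word = encode(data)
    single = flip_bits(word, 3)       # one corrupted bit -> 4 ON -> even -> detected
    double = flip_bits(word, 3, 5)    # two corrupted bits -> 3 ON -> odd -> missed
    return parity_ok(word), parity_ok(single), parity_ok(double)


if __name__ == "__main__":
    print("clean / 1-bit error / 2-bit error pass parity:", demo())
```

The last value of `demo()` is the caveat: parity only detects an odd number of flipped bits, which is why it is a hardware malfunction check rather than a protection against deliberate tampering.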
Microcomputers Controls
1. Inventory lists 2. Keyboard locks 3. Secured to desk 4. Periodic password change 5. Periodic data backup 6. Sensitive info in offline storage
ICE RACE
7 Information Criteria in COBIT: I - Integrity, C - Confidentiality, E - Efficiency, R - Reliability, A - Availability, C - Compliance, E - Effectiveness
Control Risks for Microcomputers
- portable/small (steal or damage) - data & software accessible (easily access unauthorized records, Modify/copy/delete)
Which objective are applications controls for?
the financial reporting objective
What is included in Application controls?
1. Preventive Controls (errors & fraud) 2. Detective Controls & Automated Controls (errors & fraud, e.g. credit log review) 3. User Controls & Corrective Controls - individuals follow up on and correct detected errors/fraud
What do Application controls relate to in an IT environment?
- data input, data processing, & data output
Contingency Planning
controls for accidental or intentional destruction or alteration
Field Checks
input is validated against the accepted character type, length, & format
Limit Test
AKA "reasonableness tests" - numbers are compared to limits that have been set for acceptance (e.g. wages)
Validity Checks
data is compared to a list of acceptable entries to be sure it matches one of them (e.g. CA is a valid state code; IX is not)
Check Digits
an extra digit with no obvious meaning that is derived from the other digits by a formula - the computer reapplies the formula to the entered digits to verify the number is acceptable (catches transposed or mistyped digits in account/employee numbers)
Edit Checks
on batch-processed data (input control) - verifies each individual entry is appropriate - if not, generates a list of rejected transactions for review by the control clerk
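Added example (not part of the original flashcards) covering the Field Checks, Limit Test, Validity Checks, Check Digits and Edit Checks cards together: programmed input controls run over a constructed batch of payroll transactions, producing the rejected-transaction list an edit run hands to the control clerk. The limits, the state list, the field layout and the check-digit formula (Luhn mod 10, one common scheme; the cards do not name a specific one) are assumptions made for this illustration.

```python
# Added example (not from the original flashcards): programmed input controls
# (field check, limit test, validity check, check digit) run over a constructed
# batch of payroll transactions. Limits, state list, field layout and the
# check-digit formula (Luhn mod 10) are assumptions for illustration.

VALID_STATES = {"CA", "NY", "TX", "WA"}   # assumed table of acceptable entries
MAX_HOURS_PER_PERIOD = 80                 # assumed reasonableness limit
MAX_HOURLY_WAGE = 200.0                   # assumed reasonableness limit


def luhn_check_digit(payload: str) -> str:
    """Mod-10 (Luhn) check digit computed from the other digits of a number."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Reapply the formula to the leading digits and compare with the last one."""
    return len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def field_checks(txn: dict) -> list:
    """Character type, length and format of each field."""
    errors = []
    emp = txn.get("emp_id")
    if not (isinstance(emp, str) and emp.isdigit() and len(emp) == 11):
        errors.append("field: emp_id must be 11 digits")
    state = txn.get("state")
    if not (isinstance(state, str) and len(state) == 2 and state.isalpha() and state.isupper()):
        errors.append("field: state must be 2 upper-case letters")
    for name in ("hours", "wage"):
        value = txn.get(name)
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            errors.append(f"field: {name} must be numeric")
    return errors


def limit_tests(txn: dict) -> list:
    """Reasonableness: numbers compared against preset limits."""
    errors = []
    if not 0 <= txn["hours"] <= MAX_HOURS_PER_PERIOD:
        errors.append(f"limit: hours outside 0..{MAX_HOURS_PER_PERIOD}")
    if not 0 < txn["wage"] <= MAX_HOURLY_WAGE:
        errors.append(f"limit: wage outside 0..{MAX_HOURLY_WAGE}")
    return errors


def validity_checks(txn: dict) -> list:
    """Value must match one entry in the list of acceptable entries."""
    return [] if txn["state"] in VALID_STATES else ["validity: unknown state code"]


def check_digit_tests(txn: dict) -> list:
    """Catches transposed or mistyped digits in the employee number."""
    return [] if luhn_valid(txn["emp_id"]) else ["check digit: emp_id fails mod-10"]


def run_edit_checks(batch: list) -> tuple:
    """Return (accepted ids, [(id, reasons), ...]) for the control clerk to review."""
    accepted, rejected = [], []
    for txn in batch:
        reasons = field_checks(txn)
        if not reasons:   # the other checks assume well-formed fields
            reasons = limit_tests(txn) + validity_checks(txn) + check_digit_tests(txn)
        if reasons:
            rejected.append((txn["id"], reasons))
        else:
            accepted.append(txn["id"])
    return accepted, rejected


SAMPLE_BATCH = [  # constructed input; 79927398713 carries a valid Luhn check digit
    {"id": "T001", "emp_id": "79927398713", "state": "CA", "hours": 40, "wage": 25.0},
    {"id": "T002", "emp_id": "79927398714", "state": "CA", "hours": 40, "wage": 25.0},
    {"id": "T003", "emp_id": "79927398713", "state": "IX", "hours": 40, "wage": 25.0},
    {"id": "T004", "emp_id": "79927398713", "state": "NY", "hours": 120, "wage": 25.0},
    {"id": "T005", "emp_id": "7992739871A", "state": "TX", "hours": 40, "wage": 25.0},
]

if __name__ == "__main__":
    ok, bad = run_edit_checks(SAMPLE_BATCH)
    print("accepted:", ok)
    for txn_id, reasons in bad:
        print("rejected", txn_id, "->", "; ".join(reasons))
```

Only T001 is accepted; each of the other four fails exactly one control, and the field check runs first so that the limit, validity and check-digit logic never sees malformed input.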
Types of Processing Controls
1. Systems & Software Documentation 2. Computer programs tested (language) 3. Test Data 4. System testing (interacting properly)
Output Controls (Data Processing)
- concerned with detecting errors (opposed to preventing) - reasonable assurance that ONLY AUTHORIZED persons receive output for review
Benefit of XBRL
- reduces chance of error when generating reports - can handle data in different languages & accounting standards
Risks of IT (auditing)
1. Over-reliance 2. Access 3. Changes in Programs 4. Failure to Change
2 Major Risks (IT & auditor)
1. Unauthorized Access - distributed computing can cause more harm than centralized 2. Audit Trail
What can an Auditor do when client provides a program to verify that is not actually used by the client?
Include TEST DATA in an INTEGRATED TESTING FACILITY (simulated + actual data during a program run)
If Integrated Testing Facility is not practical, what approach should an Auditor use?
controlled reprocessing approach
Controlled Reprocessing approach
used when integrated testing facility is not practical - auditor supervises the entry of actual client data into the client program to reproduce results of a previous program run by the client - if results are identical, then program is the actual one used
Generalized Audit Software Package may include
1. Programs to access client files 2. Source Code Comparison 3. Parallel simulation 4. Spreadsheets for working trial balances and similar audit needs
Trust Services Main Principles for SSAE
Must meet one or more of (SAC PO): 1. Security 2. Availability 3. Confidentiality 4. Processing Integrity 5. Online Privacy
Trust Services Sub-Principles
1. Policies 2. Communications 3. Procedures 4. Monitoring
Webtrust (assurance)
Websites: 1. company existence 2. reliability of key business information placed on its website
Systrust Service
Information Systems assurance (SAC PO principles)
COBIT Principles
1. Meeting Stakeholder Needs 2. Covering the Enterprise End-to-End 3. Applying a Single Integrated Framework 4. Enabling a Holistic Approach 5. Separating Governance from Management
Steering Committee
- plan and oversee the IS function (systems development and acquisition) - address the complexities created by function and divisional boundaries
COBIT Definition
framework that provides managers, auditors, and IT users with a set of measures, indicators, processes, and best practices to maximize the benefit of IT
COBIT Business Objectives
1. Effective Decision Support 2. Efficient Transaction Processing 3. Compliance
COBIT Governance Objectives
1. Strategic Alignment 2. Value Delivery (cost/benefit) 3. Resource Management (optimize knowledge/infrastructure) 4. Risk Management 5. Performance Measurement
COBIT Information Criteria
ICE RACE mnemonic
COBIT IT Resources
1. Applications 2. Information 3. Infrastructure 4. People
COBIT Domains and Processes
(PO AIDS ME) 1. Plan & Organize 2. Acquire & Implement 3. Deliver & Support 4. Monitor & Evaluate
General Controls for IT
ensure that the control environment is stable and well managed: 1. Systems Development Standards 2. Security Management Controls 3. Change Management Procedures 4. Software acquisition, development, operations, & maintenance controls
Header (IT)
used to identify records on an accounting system file - located at the beginning of each file and contains the file name, expiration date, and other identifying data
High-Level Statements
provide guidance to workers who must make present and future decisions (IT security)
Program Level Policy
the mission statement for IT security program
Program-Framework Policy
IT security strategy (overall approach)
EDI Controls
1. Activity logs of failed transactions 2. Network and sender/recipient acknowledgements
Supply Chain Management
1. What: goods received = goods ordered 2. When: goods delivered on/before the date promised 3. Where: delivered to the location requested 4. How much: cost (COGS) as low as possible
Supply Chain Management Objectives
1. Planning 2. Sourcing 3. Making 4. Delivery
Customer Relationship Management Systems (CRM)
provide sales force automation and customer services in an attempt to manage customer relationships - objective is to increase customer satisfaction (profit & revenue)