BEC IT2 Flashcards
_____ concerns the completeness, validity, accuracy, timeliness, and authorization of system process.
Processing integrity
An organization implements an integrated package of authentication controls related to its critical systems. This is an example of:
Defense in depth.
_____ concerns whether the system is operational and usable as specified in commitments and agreements.
Availability
According to the AICPA ASEC, the requirement of notice related to privacy states:
Individuals must be told about privacy policies including why information is collected, used, retained, and disclosed.
The AICPA Assurance Services Executive Committee (ASEC) principles and criteria can be used to evaluate:
(1) the controls of a system and (2) the confidentiality and privacy of the information processed by the system.
ASEC specifies five trust services principles:
- Security- foundation of systems reliability. Security procedures restrict access to authorized users only, protect the confidentiality and privacy of sensitive information, provide integrity of information, and protect against attacks. Security is a top management issue.
- Availability concerns whether the system is operational and usable as specified in commitments and agreements.
- Processing integrity concerns the completeness, validity, accuracy, timeliness, and authorization of system processing.
- Confidentiality concerns whether confidential information is protected consistent with the organization’s commitments and agreements.
- Privacy addresses whether the system’s collection, use, retention, disclosure, and disposal of personal information conforms to its own commitments and with criteria set forth in generally accepted privacy principles (GAPP). . GAPP includes these 10 subprinciples.
Time-based model of controls
P>D+C, so time it takes intruder to break through should be more than time to defect and correct attack for system to be effective
Defense in depth
The strategy of implementing multiple layers of controls to avoid having a single point of failure. Combination of firewalls, passwords, etc.
IT detective controls include:
- Log analysis (audit log)
- Intrusion detection systems
- Managerial reports (downtime due to security issues)
- Security testing
IT corrective controls include:
- Computer emergency response team (CERT)
- Chief security officer hired
- Patch management for known issues
Assessments of cyber risk impact:
Should assess the likelihood and severity of impacts and should be led by senior management in consultation with business and IT stakeholders.
Managing cyber risks requires:
Attempting to prevent cyber breaching but addressing those that occur through detective and corrective controls.
Principle 6—The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
Unless management understands which systems are critical to organizational objectives and which are not, it will underallocate scarce resources to mission-critical systems and overallocate resources to unimportant systems.
Principle 7—The organization identifies risks to the achievement of its objectives across the entity and analyzes risks in order to determine how the risks should be managed.
Principle 8—The organization considers the potential for fraud in assessing risks to the achievement of objectives.
led by senior management, in collaboration with business and IT stakeholders
Principle 9—The organization identifies and assesses changes that could significantly impact the system of internal control.
Rapidly changing technologies and cyber-criminals’ quick adaption to these changes yields new methods of exploiting system vulnerabilities
Principle 10—The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Principle 11—The organization selects and develops general control activities over technology to support the achievement of objectives.
Principle 12—The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Preventive, detective, and corrective controls are all essential to addressing cyber risks. Well-designed preventive controls may stop attacks from being realized by keeping intruders outside of the organization’s internal IT environment and keeping the information systems secure.
Principle 13—The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
Control system data must be transformed into actionable, high-quality information that informs and communicates about the effectiveness of cyber-related controls.
Principle 14—The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
Communication about cyber risks should include all personnel, personnel responsible for managing and monitoring cyber risks and controls, and the board of directors.
The need for a cybersecurity framework
The goals of the framework included creating a common language for understanding, and cost-effective means for managing, organizational cybersecurity risks without imposing regulations.
The need for a cybersecurity framework
The goals of the framework included creating a common language for understanding, and cost-effective means for managing, organizational cybersecurity risks without imposing regulations. Consists of 3 parts: the core, the profile, the implementation tiers.
Core elements of cybersecurity framework:
- Functions -cybersecurity activities and include: Identify, Protect, Detect, Respond, and Recover (5 core functions). They help manage cybersecurity risk by organizing information, enabling risk management, addressing threats, and enabling learning through monitoring.
- Categories -cybersecurity outcomes that link to organizational needs and activities. Examples of categories are: asset management, access control, physical security, and incident detection processes.
- Subcategories- divide categories into specific outcomes of technical and/or management activities, high-level control goals. Examples include: Identify and catalog external information systems; Protect data at rest.
- (Informative) References- are specific standards, guidelines, and practices that provide benchmarks and methods for achieving the control goals (i.e., outcomes) found in the subcategories.
Complete the missing words in the following sentence: ____ are actions that implement _____.
Procedures, policies
All polities, including IT policies should:
- Be linked to the entity’s strategy and objectives
- Need an owner who is responsible for ensuring that the policy is operating and is updated
- Need a process for evolving with change
- Should include a title, purpose, scope and context, statement of responsibilities, and time for updating
Important IT policies:
- Values and Service Culture—What is expected of IT function personnel in their interactions with clients and others
- Contractors, Employees, and Sourcing—Why, when, and how an entity selects IT human resources from among employees or outside contractors
- Electronic Communications Use—Policy related to employee use of the Internet, intranet, email, blogs, chat rooms, and telephones
- Use and Connection Policy—Policy that states the entity’s position on the use of personal devices and applications in the workplace and connection to the entity’s systems.
- Procurement—Policy on the procurement processes for obtaining IT services
- Quality—Statement of IT performance standards
- Regulatory Compliance—Statement of regulatory requirements of IT systems
- Security—Policy related to guarding against physical or electronic threats to IT. May include disaster recovery preparation policies
- Service Management and Operational Service Problem Solving—Policies for ensuring the quality of live IT services
E-business is
Business process that relies on electronic dissemination of information or on automated transaction processing. Conducted within the organization as well as between the organization and its trading partners.
E-commerce is
This term is narrower than e-business and is used to refer to transactions between the organization and its trading partners.
Types of E-commerce
Business-to-Business (B2B) E-Commerce
Business-to-Consumer (B2C) E-Commerce— relies heavily on intermediaries or brokers to facilitate the sales transaction.
Business-to-Employee (B2E)—Involves the use of web-based technology to share information with, and interact, with an organization’s employees
Business-to-Government (B2G)
Risks of E-commerce:
- System availability- don’t want system to go down
- Security and confidentiality
- Authentication- must trust the person is who they say they are
- Nonrepudiation- audit trail that renders transaction verifiable
- Integrity- secure from hackers
E-commerce models:
- Electronic Marketplaces and Exchanges—These marketplaces bring together buyers and sellers of goods who connect virtually rather than physically to one another. Ex. eBay.
- Viral Marketing—Organizations increasingly attempt to increase brand awareness or generate sales by inducing people to send messages to friends using social networking applications.
- Online Direct Marketing—Many companies now have large online presences to sell directly to consumers or other businesses. Ex. Amazon.
- Electronic Tendering Systems—These tendering or bidding systems allow companies to seek bids for products or services that the organizations wish to purchase. Also called “e-procurement systems.”
- Social Networking/Social Computing—Is concerned with how people use information systems to connect with others.
Which of the following statements is correct concerning the security of messages in an electronic data interchange (EDI) system?
Encryption performed by a physically secure hardware device is more secure than encryption performed by software.
E-commerce applications:
- Customer relationship management- retain and gain customers, analyze info to develop personalized marketing plans
- Electronic data interchange (EDI)
- Electronic funds transfer (EFT)- ATM, POS terminals, direct deposit, Paypal (token-based payments), allows transfer of funds from one bank account directly to another
- Supply chain management (SCM)-incorporates all activities from purchase of raw materials to sale and consumption
Electronic data interchange (EDI)
Computer-to-computer exchange of business data in structured formats allowing direct processing of the data by the receiving system; EDI reduces handling costs and speeds transaction processing compared to traditional paper-based processing. EDI requires that all transactions be submitted in a specified format; translation software is required to convert transaction data from the internal company data format to the EDI format and vice versa. The vast majority of EDI transactions are still processed through value-added networks due to well-established controls, security and audit trails.
Risk of cloud computing:
- Unauthorized cloud activity- put preventive and detective controls in place
- Lack of CSP transparency- only used pre-approved cloud vendors
- CSP reliability and performance- effective incident management procedures must be in place
- Cyber attack- Incident management plan that considers increased risk of attack on CSP
Risk management plan for cloud computer should include who?
Senior management and IT steering committee, if risk is substantial, include the BOD
According to COSO, which of the following differences relevant to the risk assessment process is most likely to exist between a large entity and a small entity?
The CEO of a small entity is more likely than the CEO of a large entity to be attuned to risks arising from internal factors through hands-on involvement with all levels of personnel. The engagement of the owner in a small entity is likely to improve the assessment of risks because of their hands-on involvement with all levels of personnel.
An internal cloud is:
A cloud that is behind an entity’s firewall.
A cloud computing system solution integrates which of the following elements?
A business process, a deployment model, and a service delivery model. Effective cloud solutions require considering and integrating a relevant business process, a deployment model and a service delivery model.
A small accounting firm buys SaaS from a third-party CSP. As a part of this process, the accounting firm regularly requests and receives data about the system’s performance of the CSP. This is an example of managing which of the following cloud-computing risks?
Lack of CSP transparency
Which of the following statements is true regarding small business computing?
Spreadsheets should be reviewed and tested by an independent third party.
Which of the following critical accounting function is most likely to be absent in a small business computing environment?
Authorization.
Which of the following is an effective control related to personal computing in a small business?
Locking doors when offices are open and removing storage devices to secure locations.
Small business and segregation of duties
Because there are too few individuals to provide for segregation of duties, incompatible functions are frequently combined. It is critical to effective control that the functions of authorization, custody of assets, and record keeping be separated. If essential, the duties of authorization and review/auditing may be combined.
Specific Risks and Controls Related to Small-Organizational Computing
- Physical Access— make sure that doors are locked when offices are open and that removable storage devices are stored in secure locations.
- Logical Access—All machines should require a username and password
- Data Backup Procedures—Company-wide standards for backing up files should be established and enforced
- Program Development and Implementation—User-developed programs—which include spreadsheets and databases—should be subject to third-party review and testing
- Data Entry and Report Production— all work should be regularly reviewed by an independent third party.
Mobile device risks
- Malicious applications—Mobile devices are susceptible to malicious applications that contain hidden functionalities to collect and transmit user data to third parties.
- Loss and theft—The ubiquity and portability of mobile devices makes them particularly vulnerable to loss or theft, system capabilities must enable blocking the device from accessing organizationally sensitive systems.
- Restricting access and permission rights—may be desirable to allow users fewer access and permission rights on mobile devices. (called view-only access).
A data warehouse in an example of
Online analytical processing.
The multi-location system structure that is sometimes called the “Goldilocks” solution because it seeks to balance design tradeoffs is
Distributed
A distributed processing environment would be most beneficial in which of the following situations?
Large volumes of data are generated at many locations and fast access is required.
Multi-location system structures:
- Centralized system- Maintain all data and perform all data processing at a central location, slower response but higher security and consistency
- Decentralized system- Allow each location to maintain its own processing system and data files, most of the transaction processing is accomplished at the regional office, and summarized data is sent to the central office, better responsiveness but greater potential security violations
- Distributed (hybrid) system- rather than maintaining a centralized or master database at a central location, the database is distributed across the locations according to organizational and user needs, more current and complete information, better communication among remote locations to distribute database (but extra cost of doing so)
Components of a network:
- Nodes- any device connected to the network (client node, server node)
- Transmission media
- Network operating system
- Communications devices (modem, hub, repeaters, multiplexers, concentrators, bridges, routers, gateways)
Transmission media
- Wire communications
a. Copper or twisted pair-Traditionally used for phone connections, The slowest, least secure (e.g., easy to tap) and most subject to interference of the wired media, Least expensive media
b. Coaxial cable— faster, more secure, and less subject to interference but slightly higher cost.
c. Fiber optic cable—Extremely fast and secure, fiber optic cable communications are based on light pulses instead of electrical impulses; therefore, they are not subject to electrical interference - Wireless communications
a. Microwave transmission— used primarily by WANs.
b. Wi-Fi or spread-spectrum radio transmission-Found in both LANs and WANs, slower than wired systems using coaxial cable or fiber optic cable
c. Bluetooth—Uses the same radio frequencies as Wi-Fi but with lower power consumption resulting in a weaker connection
c. Digital cellular (cellular digital packet data, or CDPD)—transmission of data over the cell network; used by WANs.
Types of networks:
- Local Area Networks (LANs)- use dedicated lines
- Wide Area Networks (WANs)—Although WANs can vary dramatically in geographic area, most are national or international in scope.
- Storage Area Networks (SANs)— LANs that connect storage devices to servers
- Personal Area Networks (PANs)—Often a home network that links devices used by an individual or family to one another and to the Internet.
Networks can be public or private.
The data control protocol used to control transmissions on the Internet is
Transmission control protocol/Internet protocol (TCP/IP) is the protocol used by the Internet. TCP/IP is a packet-switched network protocol. The Internet is the world’s largest packet-switched network.
Which of the following technologies is specifically designed to exchange financial information over the World Wide Web?
Extensible business reporting language (XBRL).
The Internet is made up of a series of networks which include
Gateways to allow mainframe computers to connect to personal computers.
Intranets and extranets
Intranets and extranets are private (e.g., limited access) networks built using Internet protocols. Therefore, users can access network resources through their web browser rather than a proprietary interface. This substantially reduces training time for users and system development time for programmers. Thus, intranets and extranets are rapidly replacing traditional proprietary LANs and WANs.
Web 2.0 features
- Blog—Similar to an electronic bulletin board. An efficient way to share information.
- Wiki—A knowledge-sharing website developed collaboratively by a community or group, all of whom can freely add, modify, or delete content.
- Twitter—A micro-variation of a blog.
- RSS (Really Simple Syndication)/ATOM Feeds—An easy way to get news and information.
Which of the following statements about firewalls is NOT true?
“Network firewall” and “application firewall” are two different names for a program designed to prevent and detect unauthorized access to the system. The name “application firewall” comes from the ability of these systems to monitor and control the execution of programs or “applications” in addition to screening messages from users. This capability makes application firewalls much more effective than simple network firewalls, which are only able to monitor communications from users, but cannot control program execution.
Data control language used in a relational database is most likely to include commands used to control
Which users have various privileges relating to a database. Data definition language is more directly associated with original defining of a database.
Major Tom’s Ground Control Flight Services uses biometrics. The control goal of the use of biometrics is:
Authentication
Logical Access Control
Controlling electronic access to data via internal and external networks. Functions of such systems include managing user profiles, assigning identifications and authentication procedures, logging system and user activities, establishing tables to set access privileges to match users to system resources and applications, and, log and event reporting. The primary controls over logical access involve user identification (authentication) and user authorization.
User identification (authentication)
Normally accomplished by creating a username for each authorized user and associating the username with a unique identifier. Passwords, security tokens (smart cards, one-time passwords), biometric controls, multi-factor authentication (combo of above).
User authorization
Authorization matrix or access control list (ACL) specifies each user’s access rights to programs.
Types of firewalls:
- Network- Filters data packets based on header information (source and destination IP addresses and communication port), Very fast, Forwards approved packets to application firewall
- Application-Inspects data packet contents, Controls file and data availability to specific applications
Honeypot or Honeynet
Server that lures hackers to a decoy system
When designing the physical layout of a data processing center, which of the following would be least likely to be a necessary control?
Adequate physical layout space for the operating system.
In an accounting system, a header can be used to
Identify data records
IT facility controls are
General
Which of the following statements best characterizes the function of a physical access control?
Separates unauthorized individuals from computer resources.
Physical location controls:
- The computer room should be climate controlled to control and monitor heat and humidity, which can damage equipment and data files.
- Fire suppression systems appropriate for electrical fires should be installed.
- Adequacy of power and backup power systems should be periodically evaluated. Potential electrical system risks include failure (blackout), reduced voltage (brownout), sags, spikes and surges, and electromagnetic interference (EMI).
- Regular maintenance/monitoring, inspections by local fire departments
Data storage on magnetic disks, tapes, USB drives:
- External labels—visually (physically) identify the disks or USB drives.
- Internal labels (sometimes called “header” and “trailer” records)—Read by the processing program to determine the identity of the data file.
- File protection rings or locks—Physically prevent the media from being overwritten.
- Setting file attributes—Logically restrict the ability of the user to read, write, update, and/or delete records.
Which of the following is true regarding public/private key encryption?
Both the public and private keys can be used to encrypt and decrypt messages. Although public/private key technology is more secure than private key technology, there is no difference in the strength of the encryption algorithm: messages encrypted using single key encryption are no easier to crack than messages encrypted using public/private key encryption.
Which of the following provides the most reliable form of electronic authentication?
Digital certificate
What is a major disadvantage of using a private key to encrypt data?
Both the sender and receiver must have the private key before this encryption method will work. The private key (also known as the single key) is used both to encrypt the message (run the encryption algorithm “forward”) and decrypt (run the encryption algorithm “backward”).
Bob sends a message using asymmetric key to Cassie. In this exchange, who holds the private key:
Cassie, the receiver has the private key in an asymmetric encryption.
Encryption
This is the process of converting a plaintext message into a secure-coded form (ciphertext). It can provide privacy and authentication (user identification). It can protect stored (i.e., data at rest) or transmitted (i.e., data in motion) data.
The encryption algorithm is the function or formula that encrypts and decrypts (by reversal) the data.
The encryption key is the parameter or input into the encryption algorithm that makes the encryption unique. Used to decrypt data.
Key length is a determinant of strength. Longer keys are harder to decrypt.
Symmetric Encryption
Also called single-key encryption, symmetric encryption uses a single algorithm to encrypt and decrypt, just uses a private key. Fast, simple, easy and less secure than asymmetric encryption. Often used for data at rest.
Asymmetric encryption
To acquire a public/private key pair, the user applies to a certificate authority (CA). The CA registers the public key on its server and sends the private key to the user. If the public key is used to encrypt, the private key must be used to decrypt. Safer but more complicated, often used for data in motion.
Electronic identification methods:
- Digital signature-Use public/private key pair technology to provide authentication of the sender and verification of the content of the message
- Digital certificate- For transactions requiring a high degree of assurance, a digital certificate provides legally recognized electronic identification of the sender, and, verifies the integrity of the message content. Based on a public key infrastructure (PKI) which specifies protocols for managing and distributing cryptographic keys
Secure Internet Transmission Protocols:
- Secure Sockets Layer (SSL)
- Secure Hypertext Transfer Protocol (S-HTTP)
- Secure Electronic Transactions (SET)- often used in consumer purchases over the internet
- Virtual Private Network (VPN)
Six-step model to create disaster recovery plan:
- Create a BCM Policy and Program— defining the scope of the BCM plan, identifying roles in this plan, and assigning roles to individuals.
- Understand and Evaluate Organizational Risks—Identifying the importance of activities and processes is critical to determining needed costs to prevent interruption
- Determine Business Continuity Strategies— define alternative methods to ensure sustainable delivery of products and services.
- Develop and Implement a BCM Response—Document and formalize the BCM plan.
- Exercise, Maintain, and Review the Plan
- Embed the BCM in the Organization’s Culture
Business continuity planning importance:
- Mission critical (manufacturing, financials)
- Business critical (payroll, order entry)
- Task critical (print and file services)
2 important goals of DRP:
- The recovery point objective (RPO) defines the acceptable amount of data lost in an incident. Typically, it is stated in hours, and defines the regularity of backups.
- The recovery time objective (RTO) defines the acceptable downtime for a system. It specifies the longest acceptable time for a system to be inoperable.
Types of backup facilities:
- Cold site (“empty shell”)—An off-site location that has all the electrical connections and other physical requirements for data processing, but does not have the actual equipment or files.
- Warm site— already stocked with computer hardware similar to that of the original site, but does not contain backed-up copies of data.
- Hot site-completely equipped to quickly resume data processing. All equipment plus backup copies of essential data files and programs are often at the site.
- Mirrored site—Fully redundant, fully staffed, and fully equipped site with real-time data replication of mission-critical systems.
- Reciprocal agreement—An agreement between two or more organizations (with compatible computer facilities) to aid each other.
- Internal site—Large organizations (e.g., Walmart) with multiple data processing centers often rely upon their own sites for backup.
A checkpoint is used mostly in _____ systems
Batch processing
_____ systems include redundancy of components.
Fault tolerant, Businesses rely extensively on the concept of redundant backups—having multiple backup copies
A company has a significant e-commerce presence and self-hosts its website. To assure continuity in the event of a natural disaster, the firm should adopt which of the following strategies?
Establish off-site mirrored web server. RAID (redundant array of independent disks; originally redundant array of inexpensive disks) is a useful and relevant control in relation to a natural disaster. However, it is not the most efficient or effective way to assure the continuous delivery of IT services.
Back-up and recovery procedures:
- “Grandfather, father, son” system- three-generation backup procedure: the “son” is the newest version of the file; the “father” is one generation back in time, the “grandfather” is two generations back in time, batch processing in magnetic tape environment
- Checkpoint and restart—Common in batch processing systems, a checkpoint is a point in data processing where processing accuracy is verified; if a problem occurs, one returns to the previous checkpoint instead of returning to the beginning of transaction processing.
- Rollback and recovery—Common to online, real-time processing; periodic “snapshots” are taken of the master file
Network-based backup:
- Remote backup service (online backup service)-outsourcing service that provides users with an online system for backing up and storing computer files.
- RAID—RAID (redundant array of independent disks; ) stores the same data in different places (thus, redundantly) on multiple hard disks. Good for natural disasters.
- Storage Area Networks (SANs)—Replicate data from and to multiple networked sites; immediately available without the need to recover it
- Mirroring- Maintaining an exact copy of a data set to provide multiple sources of the same information, used in e-commerce for load balancing—distributing excess demand from the primary site to the mirrored.
A company’s web server has been overwhelmed with a sudden surge of false requests that caused the server to crash. The company has most likely been the target of
A denial of service attack. A denial-of-service attack prevents legitimate users from accessing the system by flooding the server with hundreds of incomplete access requests. The object of the attack is to prevent access to the system: the attacker does not actually gain access to information on the system.
Which of the following is a computer program that appears to be legitimate, but performs an illicit activity when it is run?
Trojan horse, A Trojan horse is an apparently legitimate program that contains an unauthorized code that performs malicious activities when the program is run. Trojan horse programs are often used to provide a “back door” to the victim’s system
A type of malware designed to let the attacker bypass the normal user authentication process (e.g., enter username and password) and enter the user’s system is
A back door, A back door is a program that allows an unauthorized user to gain access to the system by side-stepping the normal logon procedures.
Stagger Lee pretended to be an accountant in the payroll department to gain access to the Wichita Lineman Electrical Services Co. accounting system. This is an example of:
Spoofing
The combination of these three controls would illustrate each of the core elements that are a part of a defense-in-depth strategy.
Training, managerial reports, and patch management. This answer illustrates a defense-in-depth strategy by combining preventive (i.e., training), detective (i.e., managerial reports), and corrective controls (i.e., path management).
A manufacturing company that wants to be able to place material orders more efficiently most likely would utilize which of the following?
Electronic data interchange
Which of the following is NOT an example of an e-commerce system?
Customer relationship management (CRM).
Communications between trading partners in an electronic data interchange (EDI) environment are usually
sent through a value-added network (VAN).
QuikStop, Inc., a local convenience store chain, is planning to install point-of-sale (POS) systems in all eight of its locations by the end of the year. In the first year or so of operation, QuikStop can reasonably expect to experience all of the following EXCEPT
Decreases in total inventory order costs. The reduction in lead-time due to the accuracy and timeliness of the inventory records allows QuikStop to keep lower levels of inventory, thereby reducing its total inventory carry costs.
Which of the following best defines electronic data interchange (EDI) transactions in business applications?
Electronic business information is exchanged between two or more businesses.
Which of the following is not a benefit of mobile computing?
Reduced usability issues. Mobile computing increases, not decreases, usability issues since systems must be redesigned for display and data entry on small screens.
The most appropriate data-gathering techniques for a system survey include interviews, quick questionnaires, observations, and
Systems documentation, Creating system documentation would be an appropriate data-gathering technique for a system survey.
After changes to a source program have been made and verified, it moves to
Production
Management of a company has a lack of segregation of duties within the application environment, with programmers having access to development and production. The programmers have the ability to implement application code changes into production without monitoring or a quality assurance function. This is considered a deficiency in which of the following areas?
Change control, The management of changes to applications is part of the Source Program Library Management System (SPLMS).
A brokerage firm has changed a program so as to permit higher transaction volumes. After proper testing of the change, the revised programs were authorized and copied to the production library. This practice is an example of
Change control, The practice of authorizing changes, approving tests results, and copying developmental programs to a production library is program change control.
Source code programs are normally maintained in a library under secure storage by file librarian off-site. How are these new programs developed or old programs modified?
SPLMS (source program library management system) manages the migration from the application development test environment to the active production library. SPLMS ensures that only valid changes are made to the system.
Levels of documentation for programs (4):
- Systems Documentation—Overviews the program and data files used primarily by systems developers; can be useful to auditors.
- Program Documentation—A detailed analysis of the input data, the program logic, and the data output; used primarily by programmers; important resource if the original programmer is unavailable.
- Operator Documentation (Also Called the “Run Manual”)— operator documentation provides information necessary to execute the program such as the required equipment used exclusively by the computer operators.
- User Documentation—Describes the system from the point of view of the end user
Forms of documentation:
- Questionnaires
- Narratives—Text descriptions of processes.
- Data Flow Diagrams (DFDs)-Often used in developing new systems, Use simple, user-friendly symbols (unlike flowcharts)
- Flowcharts- Often used to evaluate controls in a system, Too complicated and technical for some users. DFDs are easier to understand.
- Entity-Relationship (E-R) Diagrams
- Decision Tables—Depict logical relationships in a processing system by identifying the decision points and processing alternatives
Which of the following input controls would prevent an incorrect state abbreviation from being accepted as legitimate data?
Validity check, A validity check compares the value entered in a field to a list of valid data values. An error message is displayed if the value is not found on the list.
Which of the following controls in not usually found in batch processing systems?
Closed loop verification is an input control associated with online real-time systems.
A customer notified a company that the customer’s account did not reflect the most recent monthly payment. The company investigated the issue and determined that a clerk had mistakenly applied the customer’s payments to a different customer’s account. Which of the following controls would help to prevent such an error?
Closed loop verification
An employee mistakenly enters April 31 in the date field. Which of the following programmed edit checks offers the best solution for detecting this error?
Reasonableness.
Application controls (concern the accuracy, validity and completeness of data processing in specific application programs):
- Input and origination controls—Control over data entry and data origination process
- Processing and file controls—Controls over processing and files, including the master file update
- Output controls—Control over the production of reports
Not all controls work with all processing methods (batch vs. OLRT)
Control objectives:
- Valid—All transactions are appropriately authorized; no fictitious transactions; no duplicate transactions
- Complete—All transactions have been captured; there are no missing transactions.
- Accurate—All data has been correctly transcribed, all account codes are valid; all data fields are present; all data values are appropriate.
Missing data check
The simplest type of test , checks only to see that something has been entered into the field.
Field check (data format/type check)
Verifies that the data entered is of an acceptable type—alphabetic, numeric, a certain number of characters, etc.
Limit test
Checks to see that a numeric field does not exceed a specified value; for example, the number of hours worked per week is not greater than 60. (Range test, sign test)
Valid code test (validity test)
Checks to make sure that each account code entered into the system is a valid (existing) code; this control does not ensure that the code is correct, merely that it exists. In a database system, this is called referential integrity.
Check digit
Designed to ensure that each account code entered into the system is both valid and correct. The check digit is a number created by applying an arithmetic algorithm to the digits of a number, for example, a customer’s account code. The algorithm yields a single digit appended to the end of the code. Whenever the account code (including check digit) is entered, the computer recalculates the check digit and compares the calculated check digit to the digit entered. (Ex. parity check)
Reasonableness check (logic test)
Checks to see that data in two or more fields is consistent. For example, a rate of pay value of “$3,500” and a pay period value of “hourly” may be valid values for the fields when the fields are viewed independently; however, the combination (an hourly pay rate of $3,500) is not valid.
Sequence check
Verifies that all items in a numerical sequence (check numbers, invoice numbers, etc.) are present
Key verification
Key verification is generally found in batch systems, but can be used in online real-time environments as well. As a second example, consider the process required to change a password: enter the old password, enter the new password, and then re-enter (i.e., key verify) the new password.
Closed loop verification
After the code is entered, this system looks up and displays additional information about the selected code. For example, the operator enters a customer code, and the system displays the customer’s name and address. Available only in online real-time systems.
Batch control totals
Manually calculated totals of various fields of the documents in a batch. Batch totals are compared to computer-calculated totals and are used to ensure the accuracy and completeness of data entry.
Preprinted or preformatted screens
Reduce the likelihood of data entry errors by organizing input data logically
Default values
Pre-supplied (pre-filled) data values for a field when that value can be reasonably predicted
Automated data capture
Use of automated equipment such as bar code scanners to reduce the amount of manual data entry
A poor quality connection caused extensive line noise, resulting in faulty data transmission.
Which of the following controls is most likely to detect this condition?
Parity check, designed to detect errors in data transmission
More than one file may be stored on a single magnetic disc. Several programs may be in the core storage unit simultaneously. In both cases it is important to prevent the mixing of data. One way to do this is to use
Boundary protection, primary purpose of boundary protection is to prevent the mixing of data on a magnetic memory disc and a core storage unit.
Processing controls (file updates are complete and accurate):
- Run-to-Run Controls— totals of processed transactions are reconciled to batch totals—any difference indicates an error. Also called “control totals.”
- Internal Labels (“Header” and “Trailer” Records)—Used primarily in batch processing, electronic file identification allows the update program to determine that the correct file is being used
- Audit Trail Controls—Each transaction is written to a transaction log as the transaction is processed; the transaction logs become an electronic audit trail
Types of files:
- Master files- updated by postings to transaction files.
- Standing data is a subcategory of master file that consists of infrequently changing master files
- Transaction files-basis for updating master files.
- System control parameter files determine the workings, including error characteristics
Primary goal of data control:
To ensure that access, change, or destruction of data and storage media is authorized
File controls:
- Parity Check (Parity Bit)—A zero or 1 included in a byte of information, makes sum of bits odd or even
- Read after Write Check—Verifies that data was written correctly to disk
- Echo Check—Verifies that transmission between devices is accurate by “echoing back”
- Error Reporting and Resolution— ensure that generated errors are reported and resolved by individuals who are independent of the initiation of transactions (segregation of duties).
- Boundary Protection
- Internal Labels (“Header” and “Trailer” Records)—Used primarily in batch processing
- External Labels—Labels on removable storage
- Version Control— correct file version is used in processing
- File Access and Updating Controls—ensure that only authorized, valid users can access and update files.
Output controls:
- Spooling (print queue) controls—Jobs sent to a printer that cannot be printed immediately are spooled
- Disposal of aborted print jobs
- Distribution of reports
- End user controls—For particularly critical control totals, or where end users have created systems, perform checks of processing totals and reconciling report totals
- Logging and archiving of forms, data and programs—Should be in a secure, off-site location.
- Record retention and disposal
In applying COSO to cyber risks, managing cyber risks should begin with:
Identifying system value
A manufacturing company discovers that its rollback and retention procedures do not include data from a key system related to production quality. Which of the following IT policies should address this violation?
Security, This problem relates to disaster recovery preparation. This means that the relevant IT policy is security.
Which of the following statements is correct concerning the security of messages in an electronic data interchange (EDI) system?
Encryption performed by a physically secure hardware device is more secure than encryption performed by software.
