Chapter 14 - Controls and Security Measures Flashcards

1
Q

Primary vs Secondary Controls

A
  • PRIMARY CONTROLS
    1. Preventive controls: stop problems before they occur. Examples:
      1. Access restriction.
      2. Using edit field checks to keep certain types of incorrect data from entering a system. PRELISTING OF CASH RECEIPTS IS ALSO A PREVENTIVE MEASURE.
      3. Establishing a formal security policy.
    2. Detective controls: alert to problems after they occur.
      1. Automatic reporting of all rejected batches of invoices.
      2. Examining system logs for actions that require scrutiny.
    3. Corrective controls: correct the negative effects of unwanted events.
      1. Requiring that all cost variances over a certain amount are justified.
      2. Correcting errors on the error listing.
    4. Directive controls: cause or encourage the occurrence of a desirable event.
      1. Policy and procedure controls.
  • SECONDARY CONTROLS
    • Compensatory (mitigative) controls may reduce risk after primary controls fail, but not to an acceptable level.
      1. An example is supervisory review when segregation of duties is not feasible.
    • Complementary controls work with other controls to reduce risk to an acceptable level.
      1. Deposit slips validated by the bank.
2
Q

Time-based Classification of Controls

A
  • Feedback controls report information about completed activities, e.g. inspection of completed goods.
  • Concurrent controls adjust ongoing processes. These real-time controls monitor activities in the present to keep them from deviating too far from standards.
  • Feedforward controls anticipate and prevent problems. These controls require a long-term perspective. Organizational policies and procedures are examples.
3
Q

FINANCIAL VS OPERATING CONTROLS

A
  • Financial controls should be based on relevant established accounting principles. Also known as accounting controls, e.g. appropriate record keeping, safeguarding of assets and compliance with laws.
  • Operating controls apply to production and support activities. Also known as administrative controls.
    1. Based on management principles and methods.
    2. Documentary control is also involved.
4
Q

Areas where control activities are identified

A
  • Segregation of duties, including four basic functional responsibilities.
  • Independent checks and verification.
  • Safeguarding controls.
  • Prenumbered forms.
  • Specific document flow.
5
Q

Segregation of Duties

A

4 types of functional responsibilities must be segregated:

ARCR

  1. AUTHORIZATION - EXECUTE: authority to execute transactions.
  2. RECORDKEEPING - RECORD: recordkeeping of transactions.
  3. CUSTODY - HOLD: custody of the assets affected by transactions.
  4. RECONCILIATION - RECONCILE: periodic reconciliation of the existing assets and recorded amounts.

Examples in the purchase cycle:

WHO STARTS THE PURCHASE PROCESS IS INVENTORY CONTROL

(The managers should submit purchase requisitions to the purchasing department. The purchasing function should be separate from operations.)

Execute: the purchasing department executes and follows up on transactions.
Record: accounts payable records the transaction.

Receiving prepares a receiving report and forwards it with the goods to the warehouse. Receiving also sends the receiving report along with the packing slip to accounts payable for matching with the purchase order and updating of the accounts payable file.

The Accounts Payable Department prepares a voucher from a vendor's invoice only after examining supporting documents. These include a properly authorized purchase order and a receiving report stating quantities received and their condition.
Hold: custody of the assets is vested in the warehouse.
Reconciliation: inventory control performs the reconciliation.

Examples in the sales cycle:

Execute: sales department.
Record: accounts receivable.
Hold: treasurer (in case of cash) or warehouse.
Reconciliation: general ledger accounting group.

Sales order (approved by credit department), packing slip & bill of lading (provided by shipping to customer), invoice (provided by billing and is matched vs packing slip & bill of lading), acknowledgement (Upon receipt of an approved sales order, sales sends an acknowledgment to the customer)

CREDIT SALES SHOULD BE AUTHORIZED PRIOR TO EXECUTING THE SALES.

Examples in payroll cycle:

Execute: human resources hires and terminates.
Record: payroll department.
Hold: treasurer (since it is cash).
Reconciliation: general ledger accounting group.

6
Q

Independent Checks and Verifications

A
  • The reconciliation of recorded accountability with the assets must be performed by a part of the organization that is 1) unconnected with the original transaction and 2) without custody of the assets involved.
    • An agreement of the cash count with the recorded balance does not provide assurance that all cash received has been recorded properly. HAS TO BE ASSET VS CASH.
7
Q

Safeguarding controls

A
  • Limit access to an organization's assets to authorized personnel.
  • E.g. unescorted access to the computer operations center is prohibited for 1) all non-information-systems personnel and 2) all non-operations information systems personnel, such as developers.
  • Holding of securities in a safe deposit box.
  • Authorization of payment vouchers by accounts payable only after examining supporting documents.
  • Approval of credit memos by the credit department, not sales.
8
Q

Pre-numbered Forms

A
  • Sequentially prenumbered forms are the basis for a strong set of internal controls. Receiving reports in the warehouse and purchase orders in the sales department are common examples.
    • When every hardcopy is prenumbered, all can be accounted for. E.g. the date of their use and the person who filled them out can be ascertained.
    • Transactions identified by number can be checked for review and approval.
9
Q

Specific Document Flow

A

  • Together with prenumbered forms, this allows for proper tracing of processes.
    • Tracing and vouching (double way vlookup)
      • TRACING: follows a transaction from the triggering event to the resulting event, ensuring that the transaction was accounted for properly.
        • LIABILITY ACCRUED FOR GOODS RECEIVED.
      • VOUCHING: tracks a result backward to the original event, ensuring that an accounted amount is properly supported.
        • RECEIVABLE CLAIM IS SUPPORTED BY A SALE TO A CUSTOMER.
10
Q

Compensating Control

A

COMPENSATING CONTROLS

  • Compensating controls replace the normal controls, such as segregation of duties, when the latter cannot feasibly be implemented.
    • For example, top management may authorize and execute investments and have access to the records. To compensate, two people can be assigned to perform each function.
    • Other compensating controls:
      • Periodic communication with the board.
      • Oversight by a committee of the board.
      • Internal audit reconciliation of the securities portfolio with the recorded information.
11
Q

THREE GOALS OF INFORMATION SECURITY

A
  • Availability
  • Confidentiality
  • Integrity
12
Q

Threats to systems: Input manipulation

A

Intrusion that exploits a vulnerability of the system through input fields that can be viewed by hackers.

13
Q

Threats to system: Sabotage

A

Disruption of an organization's system, not for personal gain but simply for revenge or vandalism.

14
Q

Threats to systems: Malware: Virus vs Logic Bombs vs Spyware vs Ransomware vs Worms vs Trojan Horses vs Phishing

A

Malware: short for malicious software.

  • Viruses: computer programs that propagate (replicate) themselves from one computer to another without the user's knowledge.
  • Logic bombs: also destroy data, but unlike viruses, they stay on a single computer and don't replicate.
  • Spyware: spies on a user without his or her knowledge and collects data such as keystrokes. Programs that capture keystrokes are called keylogger software.
  • Ransomware: holds a computer's files hostage and demands a ransom payment. Ransomware distributors really do want to cause major trouble.
  • Worms: pieces of code that do not threaten the data on the computer, but are destructive because of the rapidity with which they replicate themselves (congesting data/server traffic).
  • Trojan horses: masquerade as programs that users want, and can be a door to control the computer, retrieve data, or use it to launch proxy attacks on other computers.
  • Phishing: the attempt to acquire sensitive information by pretending to be a trustworthy entity.
15
Q

SYSTEMS DEVELOPMENT CONTROLS

A
  • All information systems, automated or manual, perform four basic functions on information: (1) input, (2) processing, (3) output and (4) storage.
  • The most critical separation of duties in an information system is between (1) computer operators, files, equipment and production programs, and (2) programmers and systems analysts.
16
Q

PHYSICAL CONTROLS - Access Controls.

A
  • Access controls:
    • Passwords and ID NUMBERS. Sometimes linked to badges, magnetic cards, scanned cards or biometric attributes.
    • Device authorization table: this control grants access only to those physical devices that should logically need access.
    • System access log: records all users and attempted uses of the system.
    • Encryption: encoding data before transmission over communication lines makes it more difficult for someone to access the content.
    • Callback: requires the user to call, give an ID, hang up and wait for a call back to an authorized number.
    • Controlled disposal of documents: both electronic (erasing) and physical (shredding).
    • Biometric technologies.
    • Automatic logoff: the disconnection of inactive data terminals may prevent viewing of sensitive data on an unattended workstation.
    • Security personnel: an entity may hire security specialists.
17
Q

Physical controls - Environmental Controls

A

Cooling and heating systems to preserve software physical conditions.

18
Q

Logical Controls

A
  • Logical controls (ADAPTIVE): limit system access (1) to authorized people and (2) only to a certain extent.
    • Authentication: the act of ensuring that the person attempting to access the system is in fact who he/she says he/she is.
      • Password optimization: passwords should be difficult to guess, at least 8 characters with variation of character types, and the system should force passwords to change periodically.
      • Single sign-on can be a solution to password optimization.
    • Authorization: access rules and user groups in Adaptive.

Logical computer controls are needed to determine whether an acceptable user is allowed to proceed. The one item that is not part of this control process is a

A. List of all files maintained on the system.

B. List of all programs maintained on the system.

C. List of all authorized user code numbers and passwords.

D. Limit on the number of transaction inquiries that can be made by each user in a specified time period.

Answer (D) is correct.
Restricting access to the computer system requires determining whether access by a given user (or device) is compatible with the nature of the attempted use. A series of passwords or identification numbers may be required to gain access to the system, to examine data files, and to perform processing using particular programs. Thus, a clerk might be authorized only to read the data in a given file while using a specified terminal, but his or her superior might be able to update the file. Logical controls require online storage of authorization tables or matrices that specify the access permitted to specified codes and devices. The number of authorized inquiries per user is not included in such a table.

19
Q

Input Controls

A
  • Input controls (data is authorized, complete and accurate):
    • Online input controls (when data is entered into a screen):
      • Preformatting: the display of a document with blanks for data items to be entered by the terminal operator.
      • Edit field checks.
      • Limit (reasonableness) checks: catch unreasonable quantities or formats.
      • Check digits: an algorithm applied to any kind of serial identifier.
      • Prompting: asking the user questions to ensure proper data entry.
    • Batch input controls:
      • Management release (check and release).
      • Record count.
      • Control total validation routines (Oracle module expenses).
      • Hash total: the sum of a numeric field that has no meaning in itself (e.g. the sum of all social security numbers); it can serve as a check that the same records that should have been processed were processed.
20
Q

Processing Controls

A
  • Processing controls (provide reasonable assurance that (1) all data submitted for processing are processed and (2) only authorized data is processed):
    • Like input controls, there are also limit checks and control totals.
    • Validation/validity test: identifiers are matched against master files to determine existence (only processed if e.g. the vendor code is recognized). INVALID ZIP CODES, FOR EXAMPLE.
    • Completeness test: only complete records are submitted.
    • Arithmetic controls (recalculation of data).
    • Sequence check: computer effort is expended more efficiently when data is processed in a logical order, such as by customer number.
    • Run-to-run control totals: controls are checked for each batch round of processing.
    • Key integrity: a record's key is the group of values in designated fields that uniquely identify a record, and it should never be modified.
21
Q

Output Controls

A
  • Output controls provide assurance that processing was complete and accurate:
    • Generates complete audit trail for each process: batch number, time of submission, completion, number of records, dollar total.
    • Error listing: reports all transactions rejected in the system.
22
Q

Computer Assisted Audit Techniques (CAAT)

A
  • Certain controls relating to the input, processing and output are internal to the computer systems and they should be tested by others.
23
Q

CAAT - Audit Around the computer

A
  • THE SIMPLEST ONE
  • Not appropriate when systems are sophisticated or the major controls are included in the computer programs. It may be appropriate for very simple systems that produce appropriate printed outputs.
    • The auditor manually processes the transactions and compares the results with the client's computer-processed results.
    • Only a small batch can be tested (not so effective).
    • The computer is treated as a black box, and only inputs and outputs are evaluated.
24
Q

CAAT - Auditing Through the Computer

A
  • Auditing through the computer
    • Uses the computer to test the processing logic and controls within the system and the records produced.
    • CAATs may be systems- or transaction-based, or may provide automated methods for extracting and analyzing the data.
    • Test data consists of a set of dummy good and bad data elements.
    • Parallel simulation subjects the client's data to auditor-created programs to see if the data is really being processed as claimed.
    • Generalized audit software (GAS) packages allow the auditor to load a copy of the client's production data onto the auditor's own computer and perform various analytical procedures (check for duplicate records, missing records, suspect vendor numbers, etc.).
    • Spreadsheet analysis (using Excel and what-if scenarios with this data).
    • Integrated test facility: in this approach the auditor creates dummy files on the client's live production system. The objective is to see if real-time systems contain adequate controls.
    • Embedded audit module: permits continuous monitoring of online, real-time systems, but a disadvantage is that audit hooks must be programmed.
25
Q

Storage Controls

A
  • Program documentation: complete, up-to-date documentation of all programs and associated operating procedures is necessary for efficient operation of an information system.
  • Dual write routines: the data can be stored on two separate physical devices (usually magnetic hard drives).
  • Validity checks: hardware that compares the bits in each byte to the permissible combinations.
  • Physical controls: mounting hard drives in physically secure rooms and storing portable media in locked storage areas are vital to preventing the compromise of confidential data.
  • Snapshot copies (like in Oracle).
  • Cloud computing is a standardized IT capability (services, software, infrastructure) delivered via the internet in a pay-per-use, self-service way. Advantages: lower infrastructure investments, pay-per-use, mobility, lower personnel and utility costs.
26
Q

Inherent risks of the internet

A
  • Password attacks
    • A brute-force attack uses password cracking software to try many access combinations.
    • Passwords are also compromised by Trojan horses, IP spoofing and packet sniffers. Spoofing is identity misrepresentation in cyberspace. Sniffing is the use of software to eavesdrop on information sent by a user to the host computer of a website.
  • A man-in-the-middle attack takes advantage of network packet sniffing and routing and transport protocols.
    • Such attacks are used to steal data, obtain access to the network during a rightful user's active session, analyze the traffic on the network to learn about its operations, etc.
    • Encryption is the best safety response.
  • A denial of service (DoS) attack is the attempt to overload an organization's network with so many messages that it cannot function. It can come from machines infected by Trojan horses.
27
Q

Data Encryption

A
  • Encryption technology converts data into a code. Unauthorized users may still be able to access the data, but will not be able to decode it.
  • Public key, or asymmetric, encryption is more secure because it requires two keys: the public key and the private key, which is kept secret by the recipient. RIVEST, SHAMIR AND ADLEMAN (RSA)
  • Private key, or symmetric, encryption is less secure because it requires only a single key.
28
Q

Firewalls

A
  • Firewalls
    • A firewall is a combination of hardware and software that separates an internal network from an external network, such as the Internet, and prevents passage of traffic deemed suspicious.
      • Network firewalls regulate traffic to an entire network, such as an organization's LAN.
  • Vulnerability testing (or vulnerability scanning) identifies weaknesses in the IT infrastructure.
  • Penetration testing involves using tools and techniques commonly used by hackers to gain access to an application, system or network by circumventing its security features, focusing on multiple vulnerabilities.
  • Application firewalls regulate traffic to a specified application, such as an email or file transfer application. Based on proxy server technology.
  • A FIREWALL ALONE IS NOT ADEQUATE; ANTIVIRUS SOFTWARE IS ALSO NECESSARY.
29
Q

Business Continuity Plan

A

ROUTINE BACKUP AND OFFSITE ROTATION

  • Data is more valuable than hardware because it is irreplaceable if destroyed; therefore periodic backup and rotation are essential.
  • The offsite location must be temperature and humidity controlled and protected against physical intrusion. It should also be geographically remote enough from the site of the organization's main operations.
  • A typical backup routine involves duplicating all data files and application programs once a month. Incremental changes are saved every week and kept at the main processing center; this means that in the case of any disruption a maximum of 3 weeks of business information is lost.

BUSINESS CONTINUITY PLAN

  • Business continuity planning is the continuation of business by other means during the period in which computer processing is unavailable or less than normal.
  • Dealing with specific disasters
    • Power failure can be averted by the purchase of backup electric generators.
    • Systems under virus attack must be brought down gracefully to halt the spread of the infection.
    • In case of extreme disaster, the organization must contract for alternate processing facilities and have an appointed recovery team ready when a disaster occurs.
  • Recovery center types
    • Hot site: a fully operational processing facility that allows immediate recovery (a flying-start site).
    • Warm site: a facility with limited hardware, lacking servers and client terminals.
    • Cold site: a shell facility lacking most infrastructure, but readily available for the quick installation of hardware.
30
Q

Change Controls

A

Change control manages changes in information system resources and procedures. It includes a formal change request procedure; assessments of change requests on technical and business grounds; scheduling changes; testing, installing, and monitoring changes; and reporting the status of recorded changes.