Chapter 4 Flashcards
General Controls
controls that apply to the IT accounting system as a whole, rather than to any single application
application controls
used specifically in accounting applications to control inputs, processing, and outputs
example: validity check
authentication of users
a process or procedure in an IT system to ensure that the person accessing the IT system is a valid and authorized user
login
the process by which the computer identifies the user and establishes a session at the start of computer use;
a user ID is entered along with the matching password
smart card
a card plugged into the computer's card reader to help authenticate that the user is valid
security token
a small device that displays a constantly changing code; a USB token plugs into the USB port and thereby eliminates the need for a card reader
two factor authentication
authentication of the user based on two different factors, typically something they have (a token or smart card) and something they know (a password)
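As an added example (not from the flashcards or the textbook they summarize), the following Python code shows how the two factors fit together: a salted password hash stands for "something you know", and a one-time code from a security token stands for "something you have". The token codes are computed with HOTP (RFC 4226) and TOTP (RFC 6238), which is how most hardware and phone tokens generate their constantly changing numbers. The user record, the password, and the 30-second time step are assumed values; the token secret is the RFC 4226 test key so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import os
import struct
import time

# Assumed values for this illustration (constructed, not from the text).
# The token secret is the RFC 4226 test key, so hotp(secret, 0) must be "755224".
USER_TOTP_SECRET = b"12345678901234567890"
TOTP_STEP = 30      # seconds per time step shown on the token
TOTP_WINDOW = 1     # accept one step of clock drift either side


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=TOTP_STEP):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time // step))


def verify_totp(secret, submitted, at_time, window=TOTP_WINDOW):
    """Accept the code for the current step or a neighbouring one; compare in constant time."""
    counter = int(at_time // TOTP_STEP)
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), submitted)
        for delta in range(-window, window + 1)
    )


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, so a stolen authority table does not reveal passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password, salt, stored):
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def make_user_record(password, totp_secret):
    """What the authority table would store for one user (constructed layout)."""
    salt, pw_hash = hash_password(password)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def two_factor_login(password, submitted_code, record, at_time=None):
    """Both factors must pass: something you know (password) and something you have (token)."""
    at_time = time.time() if at_time is None else at_time
    know_ok = verify_password(password, record["salt"], record["pw_hash"])
    have_ok = verify_totp(record["totp_secret"], submitted_code, at_time)
    return know_ok and have_ok


if __name__ == "__main__":
    rec = make_user_record("correct horse battery staple", USER_TOTP_SECRET)
    now = time.time()
    code = totp(USER_TOTP_SECRET, now)   # the number the token would display right now
    print("both factors:", two_factor_login("correct horse battery staple", code, rec, now))
    print("right password, stale code:", two_factor_login("correct horse battery staple", "000000", rec, now))
```

Note that both checks always run, so a failed login does not reveal which factor was wrong, and that the token secret must be stored with the same care as the password hash: anyone who reads it can generate valid codes.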
biometric devices
use some unique physical characteristic of the user (fingerprint, iris, face) to identify the user and allow the appropriate level of access to that user
computer log
a complete record of all dates, times , and uses for each user
nonrepudiation
the user cannot deny (repudiate) a particular act that he or she performed on the IT system, because the log ties the act to the authenticated user
user profile
determines each user’s access level to the system, on a need to know basis
authority table
contains a list of valid authorized users and the access level granted to each one
configuration tables
contain the appropriate set-up and security settings
firewall
hardware or software that filters network traffic and blocks unauthorized access
encryption
the process of converting readable data (plaintext) into a secret form referred to as ciphertext
symmetric encryption
uses a single secret key that is used both to encrypt data and to decrypt the encrypted data; both parties must hold the same key
public key encryption
uses a key pair. The public key, which can be known by everyone, is used to encrypt the data, and the matching private key, held only by the recipient, is used to decrypt it
wired equivalent privacy (WEP)
an early encryption scheme used by wireless network equipment such as access points and wireless network cards; its design is broken and it is no longer considered secure
Wi-Fi protected access (WPA), called wireless protected access in some texts
improved wireless encryption that replaced WEP; a user must authenticate to the access point before being granted network access
service set identifier (SSID)
the name that identifies a wireless network; it is broadcast by the access point and must be supplied by a client to join, but it is not a password and provides no security by itself
virtual private network
uses tunnels, authentication, and encryption across the public Internet to isolate an organization's communications so that unauthorized users cannot read or use the data in transit
secure sockets layer (SSL)
a communication protocol built into web server and browser software that encrypts data transferred between them (seen as https in the address bar); it has since been replaced by transport layer security (TLS)
virus
a self-replicating piece of program code that attaches itself to other programs or data and performs malicious actions such as deleting files or shutting down the computer
antivirus software
continually scans the system for viruses and worms and either deletes or quarantines them
vulnerability assessment
the process of proactively examining the IT system for weaknesses that can be exploited by hackers, viruses, or malicious employees
intrusion detection
specific software tools that monitor data flow within a network and alert the IT staff to hacking attempts or other unauthorized access attempts
penetration testing
the process of legitimately attempting to hack into an IT system to find whether weaknesses can be exploited by unauthorized users
IT governance committee
usually made up of top executives; its responsibilities include
- align IT investments to business strategy
- Budget funds and personnel for the most effective use of the IT systems.
- Oversee and prioritize changes to IT systems
- Develop, monitor, and review all IT operational policies
- Develop, monitor, and review security policies
systems analysts
analyze and design IT systems
programmers
write the program code that implements the designs
operations personnel
employees responsible for the day-to-day running of the systems and processing of data
database administrator
develops and maintains the database and ensures adequate controls over the data within it
system development life cycle
systematic steps undertaken to plan, prioritize, authorize, oversee, test, and implement large scale changes to the IT system
uninterruptible power supply
includes a battery that maintains power in the event of an outage, keeping the computer running for several minutes so it can be shut down cleanly or switched to another supply
emergency power supply
an alternative power supply that provides electrical power in the event that a main source is lost
physical protection should include
- Limited access to computer rooms through employee ID badges or card keys
- Video surveillance equipment
- logs of persons entering and exiting the computer rooms
- locked storage of backup data and offsite backup data
business continuity planning
proactive program for considering risks to the continuation of business and developing plans and procedures to reduce those risks
two types of IT business continuity concepts
- a strategy for backup and restoration of IT systems, including redundant servers, redundant data storage, daily incremental backups, a weekly backup of that week's changes, and offsite storage of the daily and weekly backups
- A disaster recovery plan
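The backup-and-restoration strategy above is easiest to understand by carrying it through once. The following Python code is an added example, not part of the flashcards or the textbook: it takes a full backup of a working tree, records a manifest of file hashes, takes an incremental backup containing only files whose content changed since that manifest, then restores full plus incremental into a clean directory and verifies the result against the last manifest. The directory names and the sample files are constructed inside a temporary directory so it runs offline.

```python
import hashlib
import json
import os
import tarfile
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(src):
    """Manifest of relative path -> sha256 for every file under src."""
    manifest = {}
    for root, _, files in os.walk(src):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, src)] = _sha256(full)
    return manifest


def backup(src, store, label, previous_manifest=None):
    """Full backup when previous_manifest is None; otherwise an incremental holding only
    files that are new or whose content changed since that manifest.
    Writes <label>.tar.gz and <label>.json (the manifest after this backup).
    Returns (manifest, list of files archived)."""
    current = snapshot(src)
    prev = previous_manifest or {}
    changed = [p for p, h in current.items() if prev.get(p) != h]
    with tarfile.open(os.path.join(store, f"{label}.tar.gz"), "w:gz") as tar:
        for rel in changed:
            tar.add(os.path.join(src, rel), arcname=rel)
    with open(os.path.join(store, f"{label}.json"), "w") as f:
        json.dump(current, f)
    return current, changed


def restore(store, labels, target):
    """Apply the full backup and then each incremental in order (later files overwrite
    earlier ones), then verify the result against the manifest of the last backup."""
    os.makedirs(target, exist_ok=True)
    for label in labels:
        with tarfile.open(os.path.join(store, f"{label}.tar.gz"), "r:gz") as tar:
            tar.extractall(target)
    with open(os.path.join(store, f"{labels[-1]}.json")) as f:
        expected = json.load(f)
    return snapshot(target) == expected


def demo():
    """Constructed scenario: week-1 full backup, day-2 incremental, restore and verify.
    Returns (files in full, files in incremental, restore verified)."""
    with tempfile.TemporaryDirectory() as tmp:
        live, store, rest = (os.path.join(tmp, d) for d in ("live", "store", "restore"))
        os.makedirs(os.path.join(live, "ledger"))
        os.makedirs(store)
        with open(os.path.join(live, "ledger", "gl.csv"), "w") as f:
            f.write("1000,Cash,5000\n")
        with open(os.path.join(live, "ar.csv"), "w") as f:
            f.write("C1045,120.50\n")
        full_manifest, full_files = backup(live, store, "full_week1")
        # day-2 activity: one file appended to, one new file created
        with open(os.path.join(live, "ar.csv"), "a") as f:
            f.write("C2210,75.00\n")
        with open(os.path.join(live, "new.txt"), "w") as f:
            f.write("new file\n")
        _, incr_files = backup(live, store, "incr_day2", full_manifest)
        ok = restore(store, ["full_week1", "incr_day2"], rest)
        return len(full_files), sorted(incr_files), ok


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner would check here: the restore is only proven by the manifest comparison at the end (a backup that was never restored is an assumption, not a control), and this simple scheme does not propagate deletions, so a file removed from the live tree would still reappear on restore and the verification would flag the difference. The archives and manifests in the store directory are what would be copied offsite.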
redundant servers
two or more network or data servers that can run identical processes or hold the same data, so one can take over if the other fails
redundant arrays of independent disks
several disks combined so that data is mirrored (or protected by parity) across them; a mirrored array keeps identical copies on two disks so that a single disk failure does not lose data
offsite backup
having backups sent to an offsite location
disaster recovery plan
plan for continuance of IT systems after a disaster
AICPA 5 categories of IT controls
- Security
- Availability
- Processing integrity
- Online privacy
- Confidentiality
Control categories
- authentication of users
- hacking and other network break-ins
- environmental
- physical access
- business continuity
Database management system
software system that manages the interface between many users and the database
local area network
a computer network covering a small geographic area
wide area network
several LANs connected together over a larger geographic area
telecommuting
working from a location away from the office (such as home) while connected to the company's IT systems over a network
electronic data interchange
the company to company transfer of standard business documents in electronic form
application controls
internal controls over input, processing, and output of accounting applications
- input controls
- processing controls
- output controls
input controls
source document controls - paper document used to capture original data
standard procedures for data preparation and error handling
programmed edit checks
control totals and reconciliation
data preparation
procedures to collect and prepare source documents
field check
examines a field to determine whether the appropriate type of data was entered
validity check
examines a field to check that the data entered is valid compared with a preexisting list of acceptable values
limit check
compares a field against only one bound, typically an upper limit
range check
has both an upper and lower limit
reasonableness check
compares the value in a field with the related fields in the same record to determine whether the value is reasonable (for example, quantity times unit price should equal the line amount)
completeness check
assesses the critical fields in an input screen to make sure that a value is in those fields
sign check
examines a field to determine that it has the appropriate sign
sequence check
verifies that a record or batch number is the next one in the expected sequence
self checking digit
an extra digit added to a coded ID number, computed from the other digits by a mathematical algorithm so that a mis-keyed or transposed digit is detected
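The edit checks above are easier to remember when seen running against a batch. The Python code below is an added example (not from the flashcards or their textbook): it runs a completeness, field, sequence, validity, self-checking-digit, sign, limit, range, and reasonableness check over a constructed batch of purchase-order lines and reports the failures per record. The vendor list, limits, and record layout are assumptions for the illustration; the check digit uses the Luhn algorithm, which is one common self-checking-digit scheme.

```python
# Assumed reference data for the illustration (constructed, not from the text).
VALID_VENDORS = {"V1001", "V1002", "V1003"}   # validity check: authorised vendor list
MAX_LINE_AMOUNT = 50_000.00                   # limit check: single upper bound
QTY_RANGE = (1, 10_000)                       # range check: lower and upper bound


def luhn_check_digit(payload):
    """Self-checking digit by the Luhn algorithm: double every second digit from the
    right (starting with the rightmost payload digit), subtract 9 from doubled values
    over 9, and return the digit that brings the sum to a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    """True when the last digit is the correct check digit for the preceding digits."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def edit_checks(rec, expected_seq):
    """Programmed edit checks on one record; returns the list of failures (empty = clean)."""
    errors = []
    # completeness check: every critical field must be present
    for f in ("seq", "po_number", "vendor_id", "qty", "unit_price", "amount"):
        if rec.get(f) in (None, ""):
            errors.append(f"completeness: {f} missing")
    if errors:
        return errors
    # field check: the right kind of data in each field (stop here if not, later checks need it)
    if not isinstance(rec["qty"], int):
        errors.append("field: qty is not an integer")
    for f in ("unit_price", "amount"):
        if not isinstance(rec[f], (int, float)):
            errors.append(f"field: {f} is not numeric")
    if errors:
        return errors
    # sequence check: records must arrive in the expected order
    if rec["seq"] != expected_seq:
        errors.append(f"sequence: expected {expected_seq}, got {rec['seq']}")
    # validity check: vendor must be on the authorised list
    if rec["vendor_id"] not in VALID_VENDORS:
        errors.append(f"validity: unknown vendor {rec['vendor_id']}")
    # self-checking digit on the PO number
    if not luhn_valid(rec["po_number"]):
        errors.append(f"check digit: PO number {rec['po_number']} fails Luhn")
    # sign check, limit check, range check
    if rec["amount"] < 0:
        errors.append("sign: amount must be positive")
    if rec["amount"] > MAX_LINE_AMOUNT:
        errors.append("limit: amount exceeds maximum line amount")
    if not QTY_RANGE[0] <= rec["qty"] <= QTY_RANGE[1]:
        errors.append("range: qty outside allowed range")
    # reasonableness check: amount should agree with the related fields
    if abs(rec["qty"] * rec["unit_price"] - rec["amount"]) > 0.005:
        errors.append("reasonableness: amount does not equal qty * unit_price")
    return errors


def validate_batch(records):
    """Map each failing record's sequence number to its errors."""
    results = {}
    for i, rec in enumerate(records, start=1):
        errs = edit_checks(rec, i)
        if errs:
            results[rec.get("seq", f"record{i}")] = errs
    return results


# Constructed sample batch: record 1 is clean, 2 has a bad check digit, 3 has a bad vendor,
# negative amount and zero quantity, and the last record is out of sequence and over the limit.
SAMPLE_BATCH = [
    {"seq": 1, "po_number": "79927398713", "vendor_id": "V1001", "qty": 10, "unit_price": 25.00, "amount": 250.00},
    {"seq": 2, "po_number": "79927398714", "vendor_id": "V1002", "qty": 5, "unit_price": 100.00, "amount": 500.00},
    {"seq": 3, "po_number": "79927398713", "vendor_id": "V9999", "qty": 0, "unit_price": 10.00, "amount": -10.00},
    {"seq": 5, "po_number": "79927398713", "vendor_id": "V1003", "qty": 3, "unit_price": 20_000.00, "amount": 60_000.00},
]

if __name__ == "__main__":
    for seq, errs in validate_batch(SAMPLE_BATCH).items():
        print(seq, errs)
```

Checks that depend on a field's type run only after the field check has passed; the rest are all reported together so the data-entry clerk sees every problem with a record at once rather than one per resubmission.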
control totals
subtotals of selected fields for an entire batch of transactions
record counts
count the number of records processed
batch totals
total of a financial field (such as amounts) across the batch
hash totals
total of a field whose sum has no business meaning (such as customer or account numbers); it exists only so that a lost, added, or mis-keyed record changes the total and is detected
run to run control totals
reconciliation of the control totals at each successive stage of processing, so that a record lost or altered between stages is detected at the stage where it happened
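To show how the three kinds of control totals complement each other and how run-to-run reconciliation localises a problem, here is an added Python example (not from the flashcards or the textbook they summarize). It computes record count, batch total, and hash total for a constructed batch of cash receipts, then pushes the batch through a sequence of processing stages, recomputing and reconciling the totals after each. Two of the stages deliberately simulate faults: one transposes digits in a customer number, which only the hash total catches, and one drops a record, which all three totals catch.

```python
# Constructed sample batch (not from the text): cash receipts keyed from source documents.
INPUT_BATCH = [
    {"customer_no": 1045, "amount": 120.50},
    {"customer_no": 2210, "amount": 75.00},
    {"customer_no": 3321, "amount": 410.25},
]


def control_totals(records):
    """Record count, batch (financial) total, and hash total of the customer numbers."""
    return {
        "record_count": len(records),
        "batch_total": round(sum(r["amount"] for r in records), 2),
        "hash_total": sum(r["customer_no"] for r in records),
    }


def reconcile(expected, actual):
    """Names of the totals that do not agree; an empty list means the batch reconciles."""
    return [k for k in expected if expected[k] != actual[k]]


def run_to_run(batch, stages, expected):
    """Apply each (name, function) stage in turn and reconcile the control totals after it.
    Returns the final records and a log of (stage name, list of mismatched totals)."""
    log = []
    records = batch
    for name, stage in stages:
        records = stage(records)
        log.append((name, reconcile(expected, control_totals(records))))
    return records, log


# Processing stages for the illustration; the last two simulate faults.
def stage_post(records):
    """Normal stage: marks each receipt as posted without touching the control fields."""
    return [dict(r, posted=True) for r in records]


def stage_transpose(records):
    """Simulated fault: customer 1045 re-keyed as 1054 (a digit transposition)."""
    return [dict(r, customer_no=1054) if r["customer_no"] == 1045 else r for r in records]


def stage_drop_last(records):
    """Simulated fault: the last record is lost between stages."""
    return records[:-1]


STAGES = [("post", stage_post), ("transpose", stage_transpose), ("drop", stage_drop_last)]

if __name__ == "__main__":
    expected = control_totals(INPUT_BATCH)   # established at data preparation time
    _, log = run_to_run(INPUT_BATCH, STAGES, expected)
    for name, mismatches in log:
        print(f"{name:10s} {'OK' if not mismatches else 'MISMATCH ' + ', '.join(mismatches)}")
```

The expected totals must be captured before processing starts (from the batch header or the data-preparation step) and carried alongside the batch; recomputing them from the output of each stage and comparing is the run-to-run control.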
output control
controls that ensure output is complete and accurate and is distributed only to authorized recipients, so that the data does not get into the wrong hands
throughput
the number of transactions a system processes in a given period