Chapter 4: Internal Controls Flashcards

1
Q

What does security mean? (1)

A

The establishment and application of safeguards to protect data, software and computer hardware from accidental or malicious modification, destruction or disclosure.

2
Q

What are the basic concerns of the computerised system that security should maintain? (3)

A
  1. The availability of the computerised service.
  2. The integrity of the data that it processes and stores.
  3. The confidentiality of the data before, during and after processing.
3
Q

What is the information system’s security based on? (3)

A
  1. Physical= equipment can be impaired when subjected to events eg fire, flooding, improper environmental conditions etc.
  2. People= as a threat.
  3. Data= that might get lost or damaged.
4
Q

What functions should all security measures perform? (5)

A
  1. The avoidance or prevention of loss.
  2. The deterrence of as many threats as possible.
  3. Easy recovery after any loss.
  4. Identification of the cause of any losses after the event.
  5. The correction of vulnerable areas to reduce the risk of repeated losses.
5
Q

What are general controls? (1)

A

General controls relate to the environment within which computer based systems are developed, maintained and operated.

6
Q

What are some examples of general controls? (8)

A
  1. Personnel recruitment policies= to ensure honesty and competence.
  2. Segregation of duties= between different types of jobs to minimise data tampering.
  3. Training programmes= for new staff and new systems.
  4. Authorisation= procedures for program amendments and testing.
  5. Backup procedures= maintaining copies of files and back ups off site.
  6. Access controls= eg anti virus, firewalls.
  7. Transmission measures= to ensure data isn’t hacked when being transferred.
  8. Controls to ensure computing resources are used efficiently.
7
Q

What are the main issues that affect security? (3)

A
  1. The nature of the personal data and the possible harm if it were accessed, altered, disclosed, lost or destroyed.
  2. The place where personal data is stored.
  3. The reliability of staff that have access to the data.
8
Q

What are the main data security measures? (3)

A
  1. Physical security.
  2. Software security eg failed access logs.
  3. Operational security eg work taken home by employees.
9
Q

According to the data protection act, data must be: (3)

A
  1. Accurate and up to date.
  2. Kept for no longer than necessary.
  3. Handled in a way that ensures security, including protection against unlawful processing, access, loss, destruction or damage.
10
Q

What physical controls are used to protect computer systems? (4)

A
  1. Fire systems and procedures eg fire alarms, smoke detectors.
  2. Location of hardware= away from the risk eg not having computers near areas prone to flooding.
  3. Building maintenance= attention to roofs, windows and doors to reduce the risk of flooding or break ins.
  4. Physical controls= eg security, CCTV.
11
Q

What individual staff controls are used to protect the computer systems? (5)

A
  1. Physical controls.
  2. Logical access systems= if physical controls fail eg methods to ID the user.
  3. Personal ID= eg a PIN or password that is kept secret and frequently changed.
  4. Usage logs= the system should automatically record login and log off times.
  5. Secure storage= backups should be kept in a safe or in an off site area.
12
Q

What errors might occur during the operation of a system? (4)

A
  1. Data capture/ classification errors.
  2. Transcription errors= occurring when data is input eg typed incorrectly.
  3. Data communication faults= if the system operates over a wide network then the original terminal may be corrupted during transmission.
  4. Data processing errors= because of programming errors, system design or data corruption.
13
Q

What are data capture/ classification errors and what do they include?

A

These occur before data is ready for input into the system eg:

  1. Incorrect data classification= allocating a production cost as an admin cost.
  2. Measuring mistake= recording the incorrect quantity of goods received.
  3. Incorrect spelling or transposition error= recording £50.60 as £50.06.
14
Q

The purpose of the controls is to ensure that: (4)

A
  1. The data being processed is complete.
  2. The data being processed is authorised.
  3. The results are accurate.
  4. A complete audit trail of activity is available.
15
Q

What states should have controls? (3)

A
  1. Input.
  2. File processing.
  3. Output.
16
Q

What is included in the input stage? (6)

A
  1. Data collection and preparation.
  2. Data authorisation.
  3. Data conversion.
  4. Data transmission.
  5. Data correction.
  6. Corrected data re-input.
17
Q

What is included in the file processing stage? (3)

A
  1. Data validation and editing.
  2. Data manipulation, sorting and merging.
  3. Master file updates.
18
Q

What is included in the output stage? (2)

A
  1. Output control and reconciliation with predetermined data.
  2. Information distribution.
19
Q

What does data integrity mean? (1)

A

Completeness and accuracy of data maintained using controls over data input, file processing and output.

20
Q

What should data controls ensure? (4)

A
  1. That data is collected accurately in full.
  2. Data is generated at appropriate times.
  3. Data is accurate and kept up to date.
  4. Processed properly and accurately to provide useful and meaningful output.
21
Q

What is the biggest security weakness for any system? (1)

A

Human error, which is minimised using input controls.

22
Q

What techniques do input controls use? (3)

A
  1. Verification= checks data has been conveyed from the source to the system completely and accurately.
  2. Validation= the application of a series of rules designed to test the data’s reasonableness.
  3. Data communication/ transmission controls= controls to stop data being corrupted when transmitted over a wide area network.
23
Q

What are some examples of verification? (6)

A
  1. Type checks= every entry must comply with the prescribed format.
  2. Non existence checks= eg a validation table so only pre-existing data can be entered.
  3. Consistency checks= data is input and doesn’t require maintenance/ can’t be edited.
  4. Duplication checks= the system checks for data that has been previously entered.
  5. Range checks= a min and max value which input can be checked against.
  6. Input comparison= between the document and screen.
24
Q

What are some examples of validation? (6)

A
  1. Comparison of totals= eg checking debits and credits match.
  2. Comparison of data sets= eg checking 2 files to identify and reject any differences.
  3. Sequence numbers= the system can be programmed to reject an invoice number out of order.
  4. Range checks= eg values may be rejected outside of £3- £6.
  5. Format checks= the system may only accept certain characters eg numbers only, rejecting letters.
  6. File controls= making sure correct files are processed, files aren’t lost or corrupted, unauthorised access is prevented and lost/ corrupted data can be recreated.
25
Q

What are processing controls? (2)

A

Processing controls ensure the accuracy and completeness of data when processed.

These controls should be tested regularly.

26
Q

What are some types of processing controls? (3)

A
  1. Standardisation= structured procedures for processing activities.
  2. Batch control= information about the batch is entered prior to processing.
  3. Double processing= repeat of processing with comparisons of individual reports.
27
Q

What are output controls? (1)

A

Output controls ensure that the produced output is checked against the input controls to ensure the completeness and accuracy of processing.

28
Q

What are the features of output controls? (5)

A
  1. Batch controls= the totals of accepted and rejected data.
  2. Exception reports= reporting abnormal transactions that may require investigation.
  3. Page numbers= so a user doesn’t receive a report with missing pages.
  4. Nil return reports= if there’s nothing to report, a report should be produced that says so.
  5. Distribution lists= the header of the report should show the distribution list for the report, the number of copies, the copy number and the planned recipient.
29
Q

What are application controls? (1)

A

Application controls are incorporated into the system’s software to ensure the data’s integrity is preserved.

30
Q

What are some types of application controls? (4)

A
  1. Passwords= to prevent accidental or deliberate changes to the data.
  2. Authorisation levels= certain actions will require users to have certain levels of clearance.
  3. Training and supervision= staff should receive adequate training to prevent mistakes.
  4. Audit trails= software should be written in such a way that shows the sequence of tasks performed.
31
Q

What is systems integrity? (1)

A

The controlling and monitoring of the system to ensure that it does exactly what it’s designed to do.

32
Q

What are some factors of systems integrity? (6)

A
  1. Project management.
  2. Operations management.
  3. Systems design.
  4. Personnel.
  5. Procedure control.
  6. Hardware configuration.
33
Q

What are admin controls? (1)

A

Admin controls relate to personnel and support functions.

34
Q

What are some types of admin controls? (6)

A
  1. Segregation of duties.
  2. The selection process for new staff (vetting).
  3. Job rotation.
  4. Enforced holidays.
  5. System logs.
  6. Supervision.
35
Q

What are some types of admin procedures? (3)

A
  1. Health and safety procedures eg fire drills.
  2. Document management.
  3. Filing or shredding documents.
36
Q

Why do online and real time systems need controls? (1)

A

Transactions are input as they arise so more people are inputting data over a wide network which makes control problems more likely.

37
Q

What are some controls used for an online and real time system? (4)

A
  1. Passwords and physical restrictions (locked rooms).
  2. Transaction logs= showing movements on control accounts.
  3. Documentation of transactions= all input transactions should be recorded and signed by appropriate personnel within the department.
  4. Matching transactions to a master file.
38
Q

How is the system’s integrity affected by network environments?

A

The complexity of the network, whether local or over a wide area, allows for more security breaches due to having multiple computers connected at the same time.

39
Q

What are the main risks to systems integrity for local/ wide spread networks? (4)

A
  1. Hardware/ software malfunction.
  2. Computer viruses.
  3. Unauthorised access to the system.
  4. Electronic eavesdropping.
40
Q

What controls can prevent electronic eavesdropping?

A
  1. Physical access controls.
  2. User identification.
  3. Data access authorisation= having different types of privileges tied to different user accounts.
  4. Database integrity controls= controls and audit systems that protect the system from unauthorised access, disclosure or modification.
  5. Program integrity controls= ensure that unauthorised access and alterations can’t be made to the program.
  6. Anti virus software.
  7. Surveillance= the detection of security violations by direct observation, review of computer logs or reviewing data usage.
  8. Encryption.
  9. Firewalls.
41
Q

What is a computer disaster? (1)

A

The loss of access or the unavailability of some computer systems.

42
Q

What are contingency controls? (1)

A

Contingency controls correct the consequences of a risk rather than reducing the risk itself.

43
Q

What should contingency controls include? (3)

A
  1. Standby procedures= so essential operations can be performed while normal services are disrupted.
  2. Recovery procedures= to return to normal working once the breakdown is fixed.
  3. Management policies= to ensure that the plan is implemented.
44
Q

What is the effectiveness of a contingency plan dependent on? (1)

A

The contingency plan is dependent on the data and system’s backup procedures.

45
Q

When should data and systems backups be made? (3)

A
  1. When a lot of work has been completed in a short space of time.
  2. When a large piece of work has been completed.
  3. Backups should be made regularly.
46
Q

What are recovery plans? (1)

A

Recovery plans outline the procedures for various scenarios including corrupt file retrieval and individuals responsible for recovery procedures.

47
Q

What are the advantages of contingency planning? (5)

A
  1. Helps management cope with changes and emergencies.
  2. Reduces response time, therefore minimising lost profits.
  3. Enables more rational decision making during an emergency.
  4. Helps prevent panic measures by allowing for detailed consideration of potential threats.
  5. Managers have the opportunity to evaluate low profitability events.
48
Q

What are the disadvantages of contingency plans? (2)

A
  1. It can lead to a negative attitude among management and staff.
  2. Focusing on low profitability threats may be demoralising and demotivating.
49
Q

What are risks? (1)

A

Risks refer to anything that could lead to financial loss for an organisation.

50
Q

What are the types of risks? (5)

A
  1. Disasters outside the organisation’s control.
  2. Poor trading conditions.
  3. Mismanagement.
  4. Human or machine errors.
  5. Misappropriation of resources, tangible or intangible assets.
51
Q

What are the steps of assessing a risk? (9)

A
  1. Identify the risk.
  2. Quantify the risk.
  3. Identify counter measures.
  4. Cost counter measures.
  5. Choose which counter measures are required.
  6. Draw up contingency plans.
  7. Monitor, review and update the plan.
  8. Constantly watch for new risks and encourage all staff to report potential risks.
52
Q

What counter measures can an organisation use? (7)

A
  1. Transfer the risks eg use insurance policies.
  2. Decide to live with the risks if counter measures can be justified.
  3. Modify a system to eliminate the risk.
  4. Reduce the probability of risks by introducing controls.
  5. Reduce the exposure to risks by removing the organisation from a risky situation.
  6. Adopt measures that reduce the cost associated with a risk eg regular backups.
  7. Use recovery procedures.