COBIT Flashcards
COBIT: Control Objectives for Information and Related Technology
COBIT 5 five key principles
Stakeholder Drivers
Stakeholder Needs
Value Creation: Realization of Benefits, Optimization of Risk, Optimal Use of Resources
Enterprise Goals
IT-Related Goals
Enablers
COBIT 5
COBIT 5 has five principles
Asserts that value creation is the most basic stakeholder need and that’s the fundamental goal of any enterprise.
Value creation in this model is achieved by balancing three components
Realization of benefits
Optimization (which is not minimization) of risk
Optimal use of resources
COBIT 5 What are the 5 Key Principles
- Meeting stakeholder needs
- Covering the Enterprise End to End
- Applying a Single Integrated Framework (regardless of hardware and software used)
- Enabling a Holistic Approach (enablers)
- Separating Governance from Management
Enabling a Holistic Approach - What are the seven categories of enablers that support comprehensive IT governance and management?
Notice they are like the control environment characteristics in COSO
- Principles, Policies and Frameworks
- Processes
- Organizational Structures
- Culture, Ethics and Behavior
- Information
- Services, infrastructure and applications
- People, skills and competencies
Last three are classified as resources, the use of which must be optimized
Of the seven categories of enablers, which are resources that must be optimized
Information
Services, Infrastructure and Applications
People, Skills and Competencies
Separating Governance from Management: What are the four responsibility areas that must be addressed?
Plan
Build
Run
Monitor
Goals for the Information Security Program
Confidentiality
Availability
Integrity
Steps to Creating an Information Security Plan
Identify Threats
Identify Risks
Design Controls to Compensate
Incorporate the Controls into Coherent, Enterprise-Wide Plan
Set forth Policies So People Are Aware of Expectations, both internal and external users
COBIT 5 - Steps in creating the information security plan. What are the two phases of risk analysis? P. 378
Determining the likelihood of risk
Determining the level of damage that could be done
Example: Sabotage could be very damaging, but its likelihood is low
The Depreciation tax shield is?
Cash provided by recording depreciation.
A reduction in income taxes.
The answer is a reduction in income taxes.
Though it does contribute to cash flow, I guess the cash isn’t “provided” it’s just shielded from being an outflow.
What are generic controls?
Generic IT controls can be classified in the traditional 3 ways that internal controls are.
Preventive
Detective
Corrective
Preventive Controls: two types
Physical and Logical
Physical Controls are _________ controls
Preventive controls (there are two types here; the other is logical)
Logical Controls Are _________ controls
Preventive controls (there are two types here; the other is physical)
Physical Preventative Control Example
Fences
Locked Doors
Security
Segregation of Duties Policy
What type of IT control is a segregation of duties policy
Physical preventive control (really?) It’s from the Gleim book.
What are some examples of logical preventive controls?
These are all the input controls listed below. They make sure data is authorized, complete and accurate. There are online input and batch input controls.
Authorization (AP supervisor authorizes batch before it is submitted for recording)
Controls Programmed into the system - also known as edit routines
Preformatting
Edit (field) checks
Limit (reasonableness) checks and range checks
Validity Checks
Sequence Checks
Closed Loop Verification
Check Digit Verification
Edit Check - Other name for it, type of check
Also called field check; input control; preventive
No invalid characters e.g., no letters in social security numbers
Limit Checks, other name, type, example
Reasonableness check; preventive; input control
Hours worked cannot exceed 80 without authorization
VALIDITY CHECKS
type, example
Input control, preventive
vendor must be in master file
Sequence Checks type, example
Input, preventive
Sort files on a key before matching
Accounts payable transaction file and master file sorted according to vendor number and should be in order
Done before matching
Closed-Loop Verification: type, example
Input, Preventive
Sends input back to the computer after processing
Check-Digit Verification: example, other name
Self Checking digits
Uses algorithm
used to catch keying errors such as dropped and transposed digits
Zero balance checks type, example
Input, preventive
reject anything where sum of all debits and credits does not equal 0
Mutually Exclusive
There was a question that asked for the present value of two projects, what should you watch out for?
There was a lot of math figuring out the present value, then it asked which project to take. Both had present values, but if you failed to notice it said mutually exclusive and you could only pick one you’d have got it wrong.
What is an internal rate of return?
- Time-adjusted ROR
- Accounting ROR
- Payback period
- Net present value
notice that IRR is not a NPV, it’s a rate not a net
Advantage of the IRR over the accounting ROR
Recognition of salvage value
emphasis on cash flows
recognition of time value of money
hey guess what accounting ROR considers salvage
accounting ROR cares about income, not cash flows so much
time value of money on 2 and 3
Who cares about cash flows and who cares about net income?
IRR - cash flows
Accounting ROR - net income
Formula for Accounting ROR
Annual Cash Flow - Depreciation
How is salvage value handled in IRR and Accounting ROR
IRR discount it back - interesting though, do you discount it back if you figure out the depreciation, depreciation “shield”
Accounting - if you’re figuring the depreciation you take off the salvage value, as far as how ties are handled, I’m not sure
Salvage Value
IRR?
Accounting ROR?
Yes both
Depreciation
IRR
Accounting ROR
Yes both
IRR definitely use depreciation shield
Accounting ROR - use salvage to get the annual depreciation and add this to the cash flows
ARR is not a cash flow calculation, it’s a net income calculation.
That being the case, I think you use salvage to get the depreciation, but ignore the income tax effects of the depreciation shield
I have to get with this because I can’t get a straight answer out of the examples.
Capital Budgeting - Two types of depreciation, one is relevant, other isn’t
Tax depreciation is relevant
Book is not
Do not spend a lot of time on an accounting ROR question.
Tam is negotiating to purchase equipment that would cost $100,000 and would save $20,000 in after-tax cash costs (what should you notice here?). The equipment’s useful life is 10 years with no residual value, and it would be depreciated by the straight-line method. What is the accrual accounting ROR?
It says “after-tax” cash costs, now I would assume that means what you save in total cash after the depreciation is factored into the savings. But it doesn’t, it means we saved this much in cash expenses, but you haven’t considered the extra cost you’re going to have for depreciation on the new machine. So the calculation is:
Hey we have $20,000 less in expenses
But we have $10,000 more in depreciation
So we’re ahead by 10 grand or 10% of the $100,000.
You figured out the accounting rate of return; now what do you compare it to?
I don’t know, I’m assuming the average cost of capital, or maybe it’s just that it’s positive.
Looks like compare it to company’s book rate of return.
The accounting rate of return, why is it bad?
They can choose different methods of depreciation.
The problem with comparing it to the company’s book rate is that the book rate is an average return on capital projects, which are a combination of good and bad.
When doing capital budgeting problems, must take into account not only the extra income, but what else?
The extra costs for depreciation.
Accounting ROR
Average Increase in Accounting Net Income
divided by
Required Investment
The denominator is not an average
Detective Controls Definition
Call attention to errors that are already in the system before they cause a negative outcome
And
Call attention to someone trying to get into the system or using the system improperly
Detective Controls Examples
Examination of Console logs
Examination of System logs (failed login attempts) - not really an error entered into the system, now is it?
Output Controls: Transaction logs, error listings, record counts, run-to-run totals
What are Output Controls? (other name, examples)
Detective Controls
Transaction Log
Error Listing
Record Counts
Run-to-Run Controls
Run-to-Run Control: What type is it? What category is it?
Detective Output Control
The new financial balance should be the sum of the old balance plus the activity that was just processed.
Error Listing - What type/category is it? Example.
Detective Output Control
Exception report with all the transactions rejected by the system
Record Count: What category/type?
Detective Output Control
Does the count match the records the user expected to be processed?
Transaction Log: type/category/example
Detective Output Control
Who logged into the application and did what
Detective Output Controls Mnemonic
TERR2R: Transaction Logs, Error Listings (rejections), Record Counts, Run-to-Run
Distinguish Input from Output Controls - how?
The input controls are narrow and specific: this field was entered wrong, this number was transposed, this batch total is wrong
The output controls are much more general and come after the trigger is pulled. I really don’t see why. It’s tough because I just pulled up a slide that says “error reporting and handling is an input control” and the Gleim book says error listings are output controls.
Signatures on Batch forms or source documents
Online access controls
Unique Passwords
All of these are what type of control?
Input authorization control
What are these examples of? Batch control totals: total monetary items, total items, total documents, hash totals
Batch input controls
Input, Processing, Output
There are many in the same category, it depends what the timing is
Don’t worry about input, processing, output or if you have to guess use the timing idea
If it’s immediate feedback, I’d say it’s an input control
If it’s after it’s entered then it’s a processing
All are built into the system
If it’s a validity control it’s ___________; if it’s a validation control it’s __________
Vendor exists
Validity = Input; Validation = Processing
Now how do you remember? I don’t know; validation sounds later?
List of Processing Controls
Processing
Validation (it’s validity if it’s an input control)
Completeness (are all the data there in the record)
Arithmetic (cross footing, zero balance dr and cr’s equal)
Sequence
Run-to-Run (can also be output, again if it occurs at the end it’s output)*
Key Integrity - don’t know what this is
*So if you do a run-to-run along the way, like checking the batch total after each stage of processing, then it’s a processing control; if you take the beginning balance, add the activity and check the ending balance, it’s an output control
Batch Controls (Input)
Management Release
Record Count - Batch is not released for processing until the record count agrees
Financial Total - Batch is not released for processing unless the total of the batch agrees with the user-calculated total
Hash Total - Sum of a numeric field - meaningless, but shows all records have been entered, e.g., the sum of SSI numbers; it says hash totals can follow through processing, but I don’t see examples of hash totals as anything but input controls
Input, Processing, Output - how to tell the difference
Look for the timing on some of them: input if before processing, processing if during
Two broad groups of IT Controls
General and Application