Control and accounting information systems ( Topic 4) Flashcards

1
Q

Overview of control concepts

A

A system that provides reasonable assurance that objectives are met, such as:

  • Safeguard assets.
  • Maintain records in sufficient detail to report company assets accurately and fairly (e.g. prevent ‘cooking the books’).
  • Provide accurate and reliable information.
  • Prepare financial reports in accordance with established criteria.
  • Promote and improve operational efficiency.
  • Encourage adherence to prescribed managerial policies.
  • Comply with applicable laws and regulations.
2
Q

Functions of Internal Control

A

Preventive controls:
• Deter problems before they arise (e.g. control physical access).

Detective controls:
• Discover problems that were not prevented (e.g. double-check a calculation).

Corrective controls:
• Correct problems (e.g. correct data entry errors; full restoration from backup after evidence is found that payment data was improperly altered).

3
Q

Internal controls are often segregated into two categories:

A

General:
Controls designed to make sure an organization’s information system and control environment are stable and well managed.
• Overall IC system and processes (e.g. overall system security; software acquisition and development)

Application:
Application controls - Controls that prevent, detect, and correct transaction errors and fraud in application programs.
• Transactions are processed correctly (e.g. authorization occurs where expected)
- They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, and transmitted to other systems.

4
Q

Sarbanes Oxley (2002)

A

Developed in response to high-profile corporate scandals (e.g. Enron, WorldCom, Lehman Brothers, and in Australia: OneTel, HIH, etc.).
Designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud.
• Public Company Accounting Oversight Board (PCAOB)
- Oversight of the auditing profession, i.e. ‘auditing’ the auditors
New Auditing Rules
- Partners must rotate periodically
- Prohibited from performing certain non-audit services (e.g. information systems design and implementation; financial reporting)
- In Australia, the CLERP 9 legislation is now in force


New Roles for Audit Committee
- Be part of board of directors and be independent. 

- One member must be a financial expert. 

- Oversees external auditors.

New Rules for Management
- Financial statements and disclosures are fairly presented, were reviewed by management (e.g. CEO/CFO), and are not misleading.
- The auditors were told about all material internal control weaknesses and fraud.

New Internal Control Requirements (Section 404 of SOX)
- Management is responsible for establishing and maintaining an adequate internal control system.
- A report accompanying the financial statements contains an assessment of internal controls, attests to their accuracy, and reports weaknesses.

5
Q

Australian Criminal Code (Criminal Code No. 12 of 1995, as amended)

A
  • Prison sentences of up to 10 years.
  • Financial penalties for bribery.
  • Fines of up to three times the benefit derived or 10% of a company’s annual turnover.
6
Q

ASX Corporate Governance Guidelines

A
  1. Lay solid foundation for management and oversight.
  2. Structure the board to add value.
  3. Promote ethical and responsible decision-making.
  4. Safeguard integrity in financial reporting.
  5. Make timely and balanced disclosure.
  6. Respect the rights of shareholders.
  7. Recognise and manage risk.
  8. Remunerate fairly and responsibly.
7
Q

SOX Management Rules

A
  • Base evaluation of internal controls on a recognised framework.
  • Disclose all material internal control weaknesses.
  • Conclude a company does not have effective financial reporting internal controls if material weaknesses exist.
8
Q

Control Frameworks

A

COBIT (Control Objectives for Information and Related Technology)
• Framework for IT control

COSO (Committee of Sponsoring Organizations)
• Framework for enterprise internal controls (control-based approach)

COSO-ERM
• Expands the COSO framework, taking a risk-based approach

9
Q

COBIT Framework

A
Based on the following principles:

• Meeting stakeholder needs
• Covering the enterprise end-to-end
• Applying a single, integrated framework
• Enabling a holistic approach
• Separating governance from management

Governance is the responsibility of the board of directors, who:

(1) evaluate stakeholder needs to identify objectives,
(2) provide management with direction by prioritizing objectives, and
(3) monitor management’s performance.

The 32 management processes are broken down into the following four domains:

  1. Align, plan, and organize (APO)
  2. Build, acquire, and implement (BAI)
  3. Deliver, service, and support (DSS)
  4. Monitor, evaluate, and assess (MEA)
10
Q

COSO framework

A
  1. Control (internal) environment
  2. Risk assessment
  3. Control activities
  4. Information and communication
  5. Monitoring
11
Q

COSO-ERM

A

(Enterprise Risk Management)

  1. Internal environment
  2. Objective setting
  3. Event identification
  4. Risk assessment
  5. Risk response
  6. Control activities
  7. Information and communication
  8. Monitoring
12
Q

COSO-ERM

1. Internal environment

A
  • Management’s philosophy, operating style, and risk appetite (e.g. a loose attitude towards ‘creative accounting’).
  • The board of directors (e.g. independent boards vs non-independent boards).
  • Commitment to integrity, ethical values, and competence.
  • Whether management endorses (or not) aggressive sales practices; unfair/unethical sales/negotiation practices; excessive bonuses based on financial results; ‘punishing’ honesty.
  • Organisational structure (e.g. clear vs unclear lines of authority/responsibility).
  • Methods of assigning authority and responsibility (e.g. based on policy and procedures).
  • Human resource standards (e.g. hiring, training, compensation, leave and rotation of duties, termination). Example: Jérôme Kerviel.
  • External influences (e.g. regulators).
13
Q

COSO-ERM

2. Objective setting

A

Strategic:
• High-level goals aligned with the corporate mission

Operational:
• Effectiveness and efficiency of operations

Reporting:
- Objectives to help ensure the accuracy, completeness, and reliability of company reports; improve decision making; and monitor company activities and performance.
• Complete and reliable
• Improve decision making

Compliance:
• Laws and regulations are followed - help the company comply with all applicable laws and regulations.

14
Q

COSO-ERM

3. Event Identification

A

Identifying incidents, both external and internal to the organization, that could affect the achievement of the organization’s objectives.

Positive or negative impacts (or both)

Events may trigger other events

All events should be anticipated
○ E.g. choosing inappropriate technology
○ Unauthorized access
○ Incomplete transactions
○ System failures

15
Q

COSO-ERM

4. Risk Assessment

A

Identify Risk:
• Identify the likelihood of the risk
  • Certain - likely - possible - unlikely - rare
• Identify the positive or negative impact
  • Catastrophic - severe - major - moderate - minor - insignificant

Types of Risk:
• Inherent
- Risk that exists before any plans are made to control it
- E.g. risk of not having computers password-protected
• Residual
- Remaining risk after controls are in place to reduce it
- E.g. risk that a password is not safeguarded by an employee
16
Q

COSO-ERM

5. Risk Response

A

Estimate costs and benefits
- The objective in designing an internal control system is to provide reasonable assurance that events do not take place.
- One way to estimate the value of internal controls involves expected loss, the mathematical product of impact and likelihood:
- Expected loss = Impact x Likelihood

Determine cost and benefit effectiveness

Implement the control, or accept, share, or avoid the risk

Reduce:
• Implement effective internal control
Accept:
• Do nothing; accept the likelihood of the risk
Share:
• Buy insurance, outsource, hedge
Avoid:
• Do not engage in the activity that produces the risk
17
Q

COSO-ERM

6. Control Activities

A

• Proper authorisation of transactions and activities.
- Signature or code (e.g. digital signature) on a document to signal authority over a process.
• Separation of duties.
• Project development and acquisition controls.
• Change management controls.
• Design and use of documents and records.
- E.g. a staggered printing schedule: does it match what is printed by the teller?
• Safeguarding assets, records, and data.
• Independent checks on performance.
18
Q

Separation of Accounting Duties - model

A

(Answer given on an image in the original document.)

19
Q

Segregation of systems duties divides authority and responsibility between the following systems functions:

A
  • System administration - Systems administrators make sure all information system components operate smoothly and efficiently.
  • Network management - Network managers ensure that devices are linked to the organization’s internal and external networks and that those networks operate properly.
  • Security management - Security management makes sure that systems are secure and protected from internal and external threats.
  • Change management - Change management is the process of making sure changes are made smoothly and efficiently and do not negatively affect systems reliability, security, confidentiality, integrity, and availability.
  • Users - Users record transactions, authorize data to be processed, and use system output.
  • Systems analysts - Systems analysts help users determine their information needs and design systems to meet those needs.
  • Programmers - Programmers take the analysts’ design and develop, code, and test computer programs.
  • Computer operators - Computer operators run the software on the company’s computers. They ensure that data are input properly, processed correctly, and that needed output is produced.
  • Information system librarian - The information system librarian maintains custody of corporate databases, files, and programs in a separate storage area called the information system library.
  • Data control - The data control group ensures that source data have been properly approved, monitors the flow of work through the computer, reconciles input and output, maintains a record of input errors to ensure their correction and resubmission, and distributes systems output.
20
Q

Project Development and Acquisition Controls

A
  1. A steering committee - guides and oversees systems development and acquisition.
  2. A strategic master plan - is developed and updated yearly to align an organization’s information system with its business strategies. It shows the projects that must be completed, and it addresses the company’s hardware, software, personnel, and infrastructure requirements.
  3. A project development plan - shows the tasks to be performed, who will perform them, project costs, completion dates, and project milestones—significant points when progress is reviewed and actual and estimated completion times are compared.
  4. A data processing schedule - shows when each task should be performed.
  5. System performance measurements - are established to evaluate the system. Common measurements include throughput (output per unit of time), utilization (percentage of time the system is used), and response time (how long it takes for the system to respond).
  6. A post-implementation review - is performed after a development project is completed to determine whether the anticipated benefits were achieved.
21
Q

Independent Checks On Performance

A

• Top-level reviews (e.g. variance analysis)
Management should monitor company results and periodically compare actual company performance to (1) planned performance, as shown in budgets, targets, and forecasts; (2) prior period performance; and (3) competitors’ performance.

• Analytical reviews (e.g. a credit sales increase should be consistent with an accounts receivable increase; what if they are inconsistent?!)
An analytical review is an examination of the relationships between different sets of data. For example, as credit sales increase, so should accounts receivable. In addition, there are relationships between sales and accounts such as cost of goods sold, inventory, and freight out.

• Reconciliation of independently maintained records (e.g. do bank statement balances agree/reconcile with company account balances?)
Records should be reconciled to documents or records with the same balance. For example, a bank reconciliation verifies that company checking account balances agree with bank statement balances.

• Comparison of actual quantities with recorded amounts
Significant assets are periodically counted and reconciled to company records. At the end of each clerk’s shift, cash in a cash register drawer should match the amount on the cash register tape. Inventory should be periodically counted and reconciled to inventory records.

• Double-entry accounting
The maxim that debits equal credits provides numerous opportunities for independent checks.

• Independent review
After a transaction is processed, a second person reviews the work of the first, checking for proper authorization, reviewing supporting documents, and checking the accuracy of prices, quantities, and extensions.

22
Q

COSO-ERM

7. Information and Communication

A
Primary purpose of an AIS:
• Gather
• Record
• Process
• Summarise
• Communicate

Communicate across the organization what internal controls have been created, why they have been created, and the manner in which they operate.

The updated IC framework specifies that the following three principles apply to the information and communication process:

  1. Obtain or generate relevant, high-quality information to support internal control
  2. Internally communicate the information, including objectives and responsibilities, necessary to support the other components of internal control
  3. Communicate relevant internal control matters to external parties
23
Q

COSO-ERM

8. Monitoring

A

Perform internal control evaluations (e.g., internal audit)
Internal control effectiveness is measured using a formal or a self-assessment evaluation. A team can be formed to conduct the evaluation, or it can be done by internal auditing.

Implement effective supervision
Effective supervision involves training and assisting employees, monitoring their performance, correcting errors, and overseeing employees who

Use responsibility accounting systems (e.g., budgets)

Monitor system activities
Risk analysis and management software packages review computer and network security measures, detect illegal access, test for weaknesses and vulnerabilities, report weaknesses found, and suggest improvements.

Track purchased software and mobile devices
The Business Software Alliance (BSA) tracks down and fines companies that violate software license agreements. To comply with copyrights and protect themselves from software piracy lawsuits, companies should periodically conduct software audits.

Conduct periodic audits (e.g., external, internal, network security)
External, internal, and network security audits can assess and monitor risk as well as detect fraud and errors. Informing employees of audits helps resolve privacy issues, deters fraud, and reduces errors.

Employ a computer security officer
A computer security officer (CSO) is in charge of system security, independent of the information system function, and reports to the chief operating officer (COO) or the CEO. The overwhelming tasks related to SOX and other forms of compliance have led many companies to delegate all compliance issues to a chief compliance officer (CCO).

Engage forensic specialists
Forensic investigators who specialize in fraud are a fast-growing group in the accounting profession. Their increasing presence is due to several factors, most notably SOX, new accounting rules, and demands by boards of directors that forensic investigations be an ongoing part of the financial reporting and corporate governance process.

Install fraud detection software
Fraudsters follow distinct patterns and leave clues behind that can be discovered by fraud detection software.

Implement a fraud hotline
People witnessing fraudulent behavior are often torn between two conflicting feelings.

24
Q

Information for Management characterised by:

A

Effectiveness
• Information must be relevant and timely.
Efficiency
• Information must be produced in a cost-effective manner.
Confidentiality
• Sensitive information must be protected from unauthorised disclosure.
Integrity
• Information must be accurate, complete, and valid.

Availability
• Information must be available whenever needed.
Compliance
• Controls must ensure compliance with internal policies and with external legal and regulatory requirements.
Reliability
• Management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.

25
Q

Trust Services Framework

A

Security
• Access to the system and data is controlled and restricted to legitimate users.

Confidentiality

• Sensitive organizational data is protected.

Privacy
• Personal information about customers, trading partners, investors, and employees is protected.

Processing integrity
• Data are processed accurately, completely, in a timely manner, and only with proper authorization.

Availability

• System and information are available.

26
Q

Foundation of the Trust Services Framework:

A

• A management issue, not a technology issue
- S286 Corporations Act 2001 states:
o Financial statements and notes for the financial year comply with the Accounting Standards; and
o Financial statements and notes for the financial year give a true and fair view.
- The accuracy of an organisation’s financial statements depends upon the reliability of its information systems.


27
Q

Management’s Role in Security

A
  • Create a security-aware culture
  • Inventory and value company information resources
  • Assess risk, select a risk response
  • Develop and communicate security plans, policies and procedures
  • Acquire and deploy IT security resources
  • Monitor and evaluate effectiveness


28
Q

Security Approach

A

Defense-in-depth and the time-based model of information security

  • Have multiple layers of control.

  • Overlapping/complementary/redundant
29
Q

Time-based model

A

Combination of detective and corrective controls
• For an effective information security system:
P > D + C

• P = the time it takes an attacker to break through the organisation’s preventive controls.
• D = the time it takes to detect that an attack is in progress.
• C = the time it takes to respond to the attack.

30
Q

Time based model example

A

E.g.
- Firewalls/passwords/tokens/biometrics increase P
- An intrusion detection system decreases D
- Sophisticated methods to respond to breaches decrease C
31
Q

Basic steps criminals use to attack an organization’s information system:

A
  1. Conduct reconnaissance - Computer attackers begin by collecting information about their target. Perusing an organization’s financial statements, Securities and Exchange Commission (SEC) filings, website, and press releases can yield much valuable information. The objective of this initial reconnaissance is to learn as much as possible about the target and to identify potential vulnerabilities.
  2. Attempt social engineering - The use of deception to obtain unauthorized access to information resources is referred to as social engineering. Social engineering can take place in countless ways, limited only by the creativity and imagination of the attacker. Social engineering attacks often take place over the telephone.
  3. Scan and map the target - If an attacker cannot successfully penetrate the target system via social engineering, the next step is to conduct more detailed reconnaissance to identify potential points of remote entry. The attacker uses a variety of automated tools to identify computers that can be remotely accessed and the types of software they are running.
  4. Research - Once the attacker has identified specific targets and knows what versions of software are running on them, the next step is to conduct research to find known vulnerabilities for those programs and learn how to take advantage of those vulnerabilities.
  5. Execute the attack - The criminal takes advantage of a vulnerability to obtain unauthorized access to the target’s information system.
  6. Cover tracks - After penetrating the victim’s information system, most attackers attempt to cover their tracks and create “back doors” that they can use to obtain access if their initial attack is discovered and controls are implemented to block that method of entry.
32
Q

Mitigating risk

  • Preventive Control
A
  • Culture of security
  • Training of employees
  • User access controls (authentication and authorisation)
  • Physical access controls (locks, guards etc.)
  • Network access controls (firewalls, intrusion prevention systems etc.)
  • Device and software hardening controls (configuration options)
33
Q

User access Controls

A

Authentication—verifies who a person is:
• Something the person knows (e.g. passwords, PINs)
• Something the person has (smart cards, ID cards)
• Some biometric characteristic (fingerprint; iris/retina)
• Combination of all three

Authorisation—determines what a person can access (e.g. restricting access to files and applications):
- files (no access / read / read and update / read, update, delete)
- applications (no access / execute)

(see Access Control Matrix next slide)


34
Q

multifactor authentication

A

The use of two or more types of authentication credentials in conjunction to achieve a greater level of security.

35
Q

multimodal authentication

A

The use of multiple authentication credentials of the same type to achieve a greater level of security.

36
Q

penetration test

A

An authorized attempt to break into the organization’s information system.

37
Q

Network Access Control (Perimeter Defense)

A

Border router:
• Connects an organisation’s information system to the Internet.

Firewall
• Software or hardware used to filter information.

Demilitarised Zone (DMZ) 
• Separate network that permits controlled access from the Internet to selected resources. 

Intrusion Prevention Systems (IPS)
• Monitors patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks.


38
Q

Device and Software Hardening (Internal Defense)

A

End-Point Configuration
• Disable unnecessary features that may be vulnerable to attack.
- Servers, printers, workstations
• Use vulnerability scanners to identify vulnerable end-points.

User Account Management

Software Design
• Programmers must be trained to treat all input from external users as untrustworthy and to carefully check it before performing further actions.

39
Q

Detective Controls

A

Log Analysis
• Process of examining logs to identify evidence of possible attacks.

Intrusion Detection
• Sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyse those logs for signs of attempted or successful intrusions.
• E.g. compare known network access patterns with observed network access patterns
• Multiple attempts to access an account

Managerial Reports (e.g. number of passwords violating standards)

Security Testing
• E.g. penetration testing: an authorised attempt to break into an organisation’s IS.


40
Q

Corrective Controls

A

Computer Incident Response Team (problem recognition/containment/recovery/follow-up)

Chief Information Security Officer (CISO):
- Independent responsibility for information security assigned to someone at an appropriate senior level.

Patch Management:
Fix known vulnerabilities by installing the latest updates.
- Security programs
- Operating systems
- Application programs

41
Q

Virtualisation

A

• Multiple systems are run on one computer.
• In the past organisations had multiple servers and computers, and it was safer that they were separate. Virtualisation combines them and cuts costs, but there is a risk that all information is in one spot.
42
Q

Cloud computing

A

Cloud computing - using a browser to remotely access software, data storage, hardware, and applications.

• Remotely accessed resources
  • Software applications
  • Data storage
  • Hardware
43
Q

Virtualisation and cloud computing

Opportunities and Risks

A

Risks
• Increased exposure if breach occurs.
• Reduced authentication standards.

Opportunities
• Implementing strong access controls in the cloud or over the server that hosts a virtual network provides good security over all the systems contained therein.

44
Q

Internet of Things (IoT)

A

The embedding of sensors in a multitude of devices (lights, heating and air conditioning, appliances, etc.) so that those devices can now connect to the Internet. The IoT has significant implications for information security. On the one hand, it makes the design of an effective set of controls much more complex