CPA - IT Flashcards
COBIT focuses on IT controls and is intended for use by IT managers, IT professionals, and internal and external auditors
Enterprise architecture
An organization’s enterprise architecture is its efforts to understand, manage, and plan for IT assets
Enterprise-wide or Enterprise Resource Planning (ERP) systems
ERPs provide transaction processing, mgmt support, and decision-making support in a single, integrated, organization-wide package
Goals of ERP systems
- Global visibility
- cost reductions
- Employee empowerment (improved communication and decision making)
- “Best practices”
An enterprise resource planning (ERP) system has which of the following advantages over multiple independent functional systems?
Modifications can be made to each module w/out affecting other modules
Online transaction processing (OLTP) system
The modules comprising the core business functions: sales, production, purchasing, payroll, financial reporting, etc. -> think operational data for the organization
Online analytical processing (OLAP) system
Incorporates data warehouse and data mining capabilities w/in the ERP
Cloud Delivery Service Models
- Infrastructure as a Service (IaaS) - Use of the cloud to access a virtual data center of resources (e.g. AWS)
- Platform as a Service (PaaS) - A development environment for creating cloud-based software and programs using cloud-based services (e.g. Salesforce.com)
- Software as a Service (SaaS) - Remote access to software (e.g. Office 365)
Good internal control in a computer system requires that operators, programmers, and the library function be segregated.
A systems analyst is responsible for designing the computer system, including the goals of the system and the means of achieving those goals, based upon the nature of the business and its information needs. The systems analyst also must outline the data processing system for the computer programmer with system flowcharts.
Systems programmers are given responsibility for maintaining system software, including operating systems and compilers.
In relation to data management activities, the data owner’s primary role is __________, the data steward’s primary role is _____________, and the data custodian’s primary role is ____________________.
Answer: Accountability, responsible, responsible
The Systems Development Life Cycle (SDLC) is the traditional methodology for developing information systems. In which phase of the SDLC would the activity of identifying the problem(s) that need to be solved most likely occur?
Answer: Planning
Planning is the first phase of the SDLC and this information is needed before most of the analysis phase activities can be initiated.
The steps in the systems development life cycle are analysis, design, build, test, and implement.
A direct changeover involves implementation of a new system without the possibility of reverting to the old system. It is often a risky strategy.
Operational systems
Support day-to-day activities of the business (i.e. purchasing of goods and services, manufacturing activities, sales to customers, payroll, etc.)
Management Information Systems (MISs)
Systems designed to support routine management problems based primarily on data from transaction processing systems
Order data elements by size
Files: are composed of
Records: are composed of
Fields: are composed of
Data values: are composed of
Bytes (characters): are composed of
Bits: the smallest storage element in a computer system
A data mart is a type of data warehouse that is customized for an organization.
An overall description of a database, including the names of data elements, their characteristics, and their relationship to one another, would be defined by using a
data definition language
During the annual audit, it was learned from an interview with the controller that the accounting system was programmed to use a batch processing method and a detailed posting type. This would mean that individual transactions were
Assigned to groups before posting, and each transaction had its own line entry in the appropriate ledger
A company has a significant e-commerce presence and self-hosts its website. To assure continuity in the event of a natural disaster, the firm should adopt which of the following strategies?
Establish an off-site mirrored website
Establishing an off-site mirrored Web server would provide for continuous duplication of data in geographically separated locations.
Compared to online real-time processing, batch processing has which of the following disadvantages?
Stored data are current only after the update processes
Business analytics
“The science and art of discovering and analyzing patterns, IDing anomalies, and extracting other useful info in data for application to a business issue or problem”
data lake
an unfiltered pool of big data
data warehouse
structured, filtered data repository for solving business problems
Common challenges in data governance
- It’s hard to quantify the benefits of data governance and management -> thus, underinvestment in these activities is common
- Unclear as to who is responsible for data ownership
- Complying w/increasing regulation of data ownership
- Too much data (data deluge)
Data classification defines the privacy and security properties of data
Data taxonomy categorizes the data within the organization’s structure and hierarchy
The data life cycle overviews the steps in managing and preserving data for use and reuse
RACI acronym -> illustrates the data stewardship roles of the data owner, steward, and custodian across the data life cycle
Responsible - Does the work to complete the task
Accountable - Delegates the work and is the last one to review the task or deliverable before completion
Consulted - Deliverables are strengthened by review and consultation from multiple team members
Informed - Informed of project progress
data architecture
the structure and interaction of the major types and sources of data, logical data assets, physical data assets and data management resources of the enterprise
Metadata
a set of data that describes and gives further detail about a dataset
Criteria for describing data
3 criteria for describing data
- The description includes the dataset’s purpose
- The description of the set of data is complete and accurate; it includes the 10 elements:
P(opulation)
U(nits)
R(ecords)
P(recision)
S(ample)
S(ources)
T(ime)
U(ncertainty)
F(ields)
F(ilters)
- The data description identifies information that hasn’t been included within the set of data or description but is necessary to understand each data element and the population
5 IT security principles specified by the AICPA Assurance Services Executive Committee (ASEC)
- Security - A top mgmt issue. Security is the foundation of systems reliability
- Availability - whether the system is operational and usable as specified in commitments and agreements
- Processing integrity - does the system of internal control help ensure that the system processes info as intended w/out errors or manipulation?
- Confidentiality - whether confidential info is protected consistent w/the organization’s commitments and agreements
- Privacy - addresses whether the system’s collection, use, retention, disclosure, and disposal of personal info conforms to its own commitments and w/the criteria set forth in GAAP
7 categories of assessing IT security principles
- Organization and management
- Communications
- Risk management, and design and implementation of controls
- Control monitoring
- Logical and physical access controls
- System operations
- Change Management
Time based model of controls
The time-based model evaluates the effectiveness of an organization’s security by measuring and comparing the relationships among the 3 categories of controls:
- time it takes an intruder to break through preventive controls
- time it takes to detect that an attack is in progress
- time to respond to the attack
Accordingly, if #1 is > #2 + #3, then security procedures are effective. Else, they are ineffective.
One disadvantage of value-added networks (VANs) is that they are expensive
The primary advantage of using a value-added network (VAN) is that it provides increased security for data transmissions
Electronic data interchange involves
the electronic exchange of business transaction data in standard format from 1 entity’s computer to another entity’s computer
Communication about cyber incidents to external parties should be selective and appropriate to their roles. For example, few banks publicly announce when they have lost money in a theft or cyber-hack.
Distributed data processing system is useful when processing is done in multiple locations.
It enables processing of a large volume of transactions and fast access to data.
IT policies are particularly valuable in _______ and _________ organizations.
Answer: Decentralized; geographically dispersed
These attributes make IT policies particularly valuable, since personnel are dispersed across multiple locations and cannot rely on direct, local supervision.
A decentralized system is characterized by distributed processing and a lessened need for network resources.
According to the framework for cybersecurity, protecting and securing the U.S. critical infrastructure requires a partnership between ___________ and __________.
public entities ; private entities
XBRL
eXtensible Business Reporting Language
XBRL, or eXtensible Business Reporting Language, is an XML standard for tagging business and financial reports to increase the transparency and accessibility of business information by using a uniform format.
A computer emergency response team (CERT) is a ______ control.
Corrective
A CERT is a corrective control since it is intended primarily to clean up the mess of a violation of the system’s integrity.
A value-added network (VAN) is a system that routes data transactions between trading partners.
Encryption
The process of converting a plaintext message into a secure-coded form (ciphertext)
A digital signature assures the recipient that the message came from a certain individual and that it was not modified.
A brownout is reduced voltage in the electrical system of an organization.
Encryption protection is least likely to be used in which of the following situations?
When transactions are transmitted over local area networks (LAN)
This answer is correct. Various factors need to be considered. Encoding is important when confidential data are transmitted between geographically separated locations that can be electronically monitored. Although LANs may need encryption protection, the type of data and the described communication media make the other options appear more vulnerable.
Organizational (Business) Continuity Planning
- Create a BCM Policy and program
- Understand and evaluate organizational risks
- Determine Business Continuity Strategies
- Develop and implement a BCM Response
- Exercise, Maintain, and Review the Plan
- Embed the BCM in the Organization’s culture
*BCM = Business Continuity Management
Recovery point objective (RPO)
RPO = acceptable amount of data lost in an incident (usually stated in hours and defines the regularity of backups)
Recovery Time Objective (RTO)
RTO => specifies the longest acceptable time for a system to be inoperable
Cold site (empty shell)
An off-site location that has all the electrical connections and other physical requirements for data processing, but doesn’t have the actual equipment or files
Warm site
A location where the business can relocate to after the disaster that is already stocked w/computer hardware similar to that of the original site, but doesn’t contain backed-up copies of data and info
Hot site
An off-site location completely equipped to quickly resume data processing
System backup = good;
data redundancy = bad
Checkpoint and restart
Common in batch processing systems - a checkpoint is a point in data processing where processing accuracy is verified
If there’s a problem, one returns to the previous checkpoint instead of the beginning of the transaction processing
Saves time and money
DoS attacks
Denial-of-service attacks -> a criminal may use a computer to deny others the use or services of a computer system or network
Legitimate users are prevented from accessing the system
In end-user computing, the user is responsible for the development and execution of the computer application that generates the information used by that same user.
A zombie computer is used most frequently to perpetrate a _________ attack:
DoS
Backup and recovery systems should be both _________ and ____________.
Off-site; redundant
Backup systems should include an off-site company and should include redundancy.
Disaster recovery plan should provide for an alternative processing site, backup and off-site storage procedures, identification of critical applications, and test of the plan.
Source program library management system (SPLMS)
The SPLMS manages the migration from the application development test environment to the active production library
The SPLMS ensures that only valid changes are made to the system by checking for all necessary authorizations and for program modifications by comparing the new source code to the old one
Only after verification does the program migrate to the SPL
Application controls concern the accuracy, validity, and completeness of data processing in specific application programs
3 categories of application controls
- Input and origination controls - control over data entry and data origination process
- Processing and file controls - controls over processing and files, including the master file update process
- Output controls - control over the production of reports
Processing Controls
Controls designed to ensure that master file updates are completed accurately and completely
Processing controls also serve to detect unauthorized transactions entered into the system and maintain processing integrity
A validity check is a check of an entered number to see if it is in valid form or is a valid account number.
The practice of authorizing changes, approving tests results, and copying developmental programs to a production library is program change control.
In updating a computerized accounts receivable file, which one of the following would be used as a batch control to verify the accuracy of the total credit posting?
The sum of cash deposits + discounts taken by customers
A validity check involves comparison of input to a list of valid items.
A field check is a control that limits the types of characters accepted.
A check digit is an extra reference number that follows an identification number and bears a mathematical relationship to the other digits.
The identification number can be subjected to an algorithm and compared to the check digit.
An edit check is a check on the accuracy of data as it is inputted.
In a daily computer run to update checking account balances and print out basic details on any customer’s account that was overdrawn, the overdrawn account of the computer programmer was never printed. Which of the following control procedures would have been most effective in detecting this fraud?
Answer: periodic recompiling of programs from documented source files, and comparison w/programs currently in use
This answer is correct because a periodic recompiling of the program from the original source files and comparison with the program currently in use would allow the auditor to detect the modification in the program that has permitted the fraud to occur.
Smigly Construction builds large warehouses for many clients. Smigly is more likely than most other businesses to use _____________ in its revenue cycle billing processes.
remittance advice
Remittance advices help customers match payments with invoices. They are more likely to be used in complex businesses, such as construction and medical billing.
Which of the following steps in the accounting cycle comes before posting entries to accounts?
Analyze transactions
A purchase requisition is a formal document that orders goods. It is the best offered control related to the risk of ordering unneeded goods.
Form 941 shows aggregate payroll tax withholdings and payments.
Winifred, an internal auditor, wants to determine if employee pay rates are accurate. Her best strategy for accomplishing this goal is to
Review the cumulative earnings register
This review will enable Winifred to determine if employee pay rates are accurate. She can evaluate these over time, and across job descriptions and ranks.
Adjusting journal entries are often the responsibility of
The controller
Adjusting entries are usually posted by the controller in the general ledger cycle.
Quality (in the context of total quality management)
The concept of quality is how well the item meets its design specifications. Does it perform as it’s expected to perform?
Quality of conformance
The degree to which a product meets its design specifications and/or customer expectations
Quality addresses 2 perspectives in total quality management (TQM)
- Failure to execute the product design as specified
- Failure to design the product appropriately; quality of design is defined as meeting or exceeding the needs and wants of customers
Cost of quality
The costs incurred by an organization to ensure that its products and/or services have a high quality of conformance
4 components of cost of quality
- Prevention cost - cost of any quality activity designed to help do the job right the 1st time
- Appraisal cost - the cost of quality control including testing and inspection
- Internal failure cost - the costs incurred when substandard products are produced but discovered before shipment to the customer
- External failure cost - the cost incurred for products that don’t meet requirements of the customer and have reached the customer
Backflush costing
The act of delaying journal entries until after the physical sequences have occurred
Often used in high-speed automated environments
Six-sigma is a statistical measure expressing how close a product comes to its quality goal.
Six-sigma is 99.999997% perfect, with 3.4 defects per million parts.
A Pareto chart ranks the causes of process variations by the degree of impact on quality.