ICS2 Flashcards
IS and Data Mgmt
SOC 2
System and Organization Controls engagements that examine a service organization's system of internal controls as it relates to the AICPA's five Trust Service Criteria.
Trust Service Criteria
Security, availability, processing integrity, confidentiality, and privacy
Network infrastructure
Refers to the hardware, software, layout, and topology of network resources that enable connectivity and communication between devices
Modem
Connects the network to the internet service provider's network through a cable connection; receives analog signals and translates them into digital signals. Each modem has a public IP address.
Router
Manages network traffic by connecting devices to form a network.
Reads the source and destination fields in packet headers to determine the best path for the packet to travel.
Acts as a link between the modem and switches or, if there are no switches, a user's device.
Switches
Similar to routers, they can connect and divide devices within a network; turns one network jack into many so multiple devices can share one network connection.
Does not assign IP addresses.
Gateways
A computer/device that acts as an intermediary between different networks.
Transforms data from one protocol into another so information can flow between networks.
Gateways interpret protocols and convert them into the right format to facilitate network movement, usually between a company network and the internet.
Protocol
A rule, or set of rules, that governs the way in which information is transmitted
TCP/IP
Type of protocol used by the internet: Transmission Control Protocol/Internet Protocol.
Edge-enabled devices
Allow computing, storage, and networking functions closer to the devices where data/system requests originate, which makes for faster response times.
Servers
Physical/virtual machines that coordinate computers, programs, and data that are part of a network.
Client/server model: the client sends a request to the server and the server provides a response or executes an action.
Firewall
Software or hardware that protects a person or network by filtering traffic through security protocols with rules.
Designed to prevent unauthorized access, downloading of malicious programs, or access to restricted sites.
Can be set up to only allow trusted sources.
Circuit level gateway firewall
Verifies the source of a packet and that it meets the rules/policies set by the security team
application level gateway
Inspects the packet itself; resource intensive and may slow performance
network address translation firewall
Assigns an internal network address to specific, approved external sources so that those sources are allowed through
stateful multilayer inspection firewall
Combines packet filtering and network address translation
next-gen firewall
Assigns different firewall rules to different applications as well as to different users.
Bus Topology
- Linear or tree form with each node connected to a single line or cable.
- Any node can send data at the same time and cause interference, so cables must be terminated at each end.
- Downside: if the central line is compromised, the entire network goes offline
Mesh Topology
- There are numerous connections between nodes, with all nodes being connected in a full mesh and some in a partial mesh.
- Common for wireless networks; allows for high levels of traffic and promotes network stability if a node is damaged.
- Costly
- DIAMOND shaped
Ring Topology
- Nodes connected in a circular path; data must go through all devices between source and destination.
- Can be uni- or multi-directional
- Advantage is that data transmission collisions are minimized or eliminated, but it can result in slow performance.
Star Topology
- Data passes through a central hub that acts as a switch or server, then transmits to peripheral devices that act as clients
- Can be multiple hubs, so if one fails only some nodes are affected
- Easier to identify damaged cables.
Network Infrastructure Protocols
Govern the way data is transmitted based on the method used (cable, port).
Open System Interconnection model
- Developed by ISO; explains how protocols work and how devices communicate with each other.
- Segregates network functions into 7 layers, each responsible for a specific data exchange function
Open System Interconnection model layers
Encapsulation
Decapsulation
Data flows through each layer through encapsulation, which adds a header/footer to the data received from the previous layer. Starts at the application layer with a message and moves down to the physical layer. There decapsulation begins, moving back up to the application layer
- Application
- Presentation
- Session
- Transport
- Network
- Data Link
- Physical - the actual network device used to transmit the message
OSI Application Layer
Serves as an interface between the applications that a person uses and the network protocol used to transmit a message. HTTP, FTP, SMTP, and EDI
OSI Presentation Layer
Transforms data from the application layer into a format that other devices can interpret, such as videos, images, and webpages. Encryption also occurs here.
ASCII, JPG, MPEG.
OSI Session Layer
Allows sessions between communicating devices to be established and maintained, which allows the devices to have a dialog with each other.
Remote Procedure Call, Structured Query Language (SQL), Network File System.
OSI Transport Layer
Supports and controls the communication connections between devices
- Involves setting rules for how devices are referenced, the amount of data transmitted, validating data integrity, and determining if data is lost.
TCP, UDP, SSL, and TLS.
OSI Network Layer
Adds routing and address headers/footers to data (source and destination IP) so messages reach the correct device. Detects errors.
IP, IPSec, NAT, and IGMP.
OSI Data Link Layer
Data packets are formatted for transmission as determined by the hardware and network technology (Ethernet).
Adds Media Access Control addresses, which are device identifiers that act as source and destination reference numbers to route the message to the right device.
ISDN, PPTP, L2TP, and ARP.
OSI Physical Layer
Converts the message sent from the data link layer into bits so it can be transmitted to other physical devices.
Receives messages from other physical devices and converts them back from bits into a format that can be interpreted by the data link layer.
HSSI, SONET, V.35, X.21
Network Infrastructure Architecture
The way in which an organization structures its network from a holistic design standpoint, considering geographical, physical, and logical layouts and the network protocols used.
Local Area Network
Network access limited to a small geographic area, such as a home or single office
Wide Area Network
Network access to a larger geographic area (cities, regions);
connects LANs together to provide broad coverage
Example: the internet
Software Defined Wide Area network
Monitors the performance of WAN connections and manages traffic to optimize connectivity.
Control and management are separated from the hardware and included in software (while in a WAN they are in the hardware).
Virtual Private network
Virtual connection through a secure channel or tunnel that provides remote and secure access to an existing network. RDS (remote desktops)
Firmware
Software locally embedded in hardware that instructs the hardware how to operate. It is not updated frequently.
Internet of Things
Devices that are an extension of mobile technology and typically require Bluetooth or an internet connection to access a larger network (smart things)
Cloud computing advantages
Lower costs related to maintenance/support, only pay for what is needed, gain efficiencies as data is all in one location, reduced likelihood of loss in an attack/disaster due to redundancies in cloud computing
Cloud Computing Model: Infrastructure as a Service
CSP provides an entire virtual data center of resources (servers, storage, hardware, networking) billed on a per-use basis.
Company is responsible for keeping the environment up and running and virtually managing the performance of the physical infrastructure.
CSP is responsible for physical management of the infrastructure
Cloud Computing Model: Platform as a Service
CSP provides tools/solutions remotely that are used to fulfill a specific business purpose (e.g., an online platform for selling merchandise).
CSP is responsible for keeping application uptime at an acceptable level
Cloud Computing Model: Software as a Service
CSP provides a business application/software used to perform specific functions or processes. Customers purchase it through licensing.
CSP offers the application via the internet and is responsible for updates, security enhancements, etc.
Business Processes as a Service model
Uses SaaS to deliver specific business functions (payroll)
Cloud Computing Deployment Model: Public
Cloud owned and managed by the provider
Cloud Computing Deployment Model: Private
Cloud created for a single organization and managed by the organization or a CSP. Can exist on or off premises
Cloud Computing Deployment Model: Hybrid
Two or more clouds, with at least one being private, that remain unique cloud entities but with technology in place that facilitates the portability of data and applications between each entity.
Cloud Computing Deployment Model: Community
Shared by multiple organizations to support a common interest
COSO Enterprise Risk Management - Integrating with Strategy and Performance
Categorizes methods for addressing an organization's risk into five components with 20 supporting principles.
COSO ERM - 5 components (list)
1. Governance and Culture
2. Strategy and Objective Setting
3. Performance
4. Review and revision
5. Information, Communication, Reporting
COSO ERM - Governance and Culture
Sets the tone and reinforces the importance of oversight. Targets behaviors, values, and the understanding of risk
COSO ERM - Strategy and Objective Setting
Strategic planning process: risk appetite should be aligned with strategy, and business objectives are put in place to achieve that level of appetite through identifying risk, assessing risk, and responding to risk.
COSO ERM - Performance
Prioritizes risks based on risk appetite so objectives are assessed, met, and reported to key stakeholders
COSO ERM - Review and Revision
Reviews performance over time and makes revisions
COSO ERM - Information, Communication, and Reporting
Continual process to support sharing internal/external information throughout the organization
COSO ERM For Cloud Computing
- Guidance when applying the COSO framework to cloud computing.
- Integrate governance of cloud computing into the overall RM strategy.
Ownership of risk still remains with the organization; proper governance may include
- CC Steering Committee
- Understanding CSP values and culture and how they affect the risk profile, how CSP risks can impact performance, the responsibilities of the CSP, and how the CSP's internal controls address risk
- Continuously updating and reassessing ERM when there are changes in cloud needs or CSPs
Applying COSO to Configure Cloud Options
Apply the 8 components to tailor to risk appetite.
1. Internal Environment - foundation for risk appetite to determine the level of outsourcing
2. Objective Setting - understand how outsourcing helps or hinders objectives
3. Event ID - how the CSP could make event identification harder/easier
4. RA - risk of the cloud strategy, impacts to the risk profile, inherent/residual risks, likelihood of impact
5. Risk Response - determine if the risk response will be to avoid, reduce, share, or accept
6. Control Activities - how internal controls are modified in the cloud
7. Info/Communication - how the cloud may impact the timeliness, availability, and dissemination of information.
8. Monitoring - modify monitoring mechanisms to accommodate new complexities.
Cloud Risks
- Rate of competitor adoption
- Being in the same risk ecosystem as the CSP and other tenants
- Transparency
- Reliability/performance
- Lack of application portability (vendor lock-in)
- Security/compliance
- Cyberattacks or data leakage
- IT organization changes
- CSP long-term viability
ERP
Enterprise Resource Planning systems are cross-functional systems that support different business functions and facilitate the integration of information across departments.
- Centralized database and user interface
- Modules function independently or as an integrated system that allows data to be shared
Accounting Information System
Collects, records, and stores accounting information and, using rules, reports on financial and nonfinancial information. Made up of 3 subsystems:
- Transaction Processing System
- Financial Reporting System
- Management Reporting System
AIS Subsystem: Transaction Processing System
Converts economic events into financial transactions (journal entries) and distributes information to support daily operations.
Covers the sales cycle, conversion cycle, and expenditure cycle.
AIS Subsystem: Financial Reporting System
Aggregates daily financial information from the TPS and other sources of infrequent events (mergers, lawsuits, disasters) to enable timely regulatory and financial reporting
AIS Subsystem: Management Reporting System
Provides internal financial information to solve business problems (budgeting, variance, cost/volume/profit analysis)
What are the 5 objectives of an AIS (collectively, across all subsystems)?
- Record valid transactions
- Properly classify transactions
- Record at correct value
- Record in the correct accounting period
- Present in the FS
What is the sequence of events in an AIS?
- Transaction data entered into the AIS by end user/customer
- Source documents filed
- Recorded in journal
- Posted to general/sub ledgers
- Trial balance prepared
- Adjustments, accruals, and corrections are entered.
- Financial reports are generated
Revenue and Cash Collections Cycle
- Real-time access to the inventory subledger to check availability
- Automatic approval/denial of credit
- Records sales invoice and transmits inventory release and packing slip
- Input shipping notices, which trigger updating of the customer credit record, inventory, GL, and management reports.
- Cash receipts clerk records remittance
- Closes sales invoice, posts to GL, updates payment record and management reports.
Purchasing and Disbursement Cycle
- Reads requested purchase to verify it is on the approval list and shows approved vendors
- Prepares PO and delivers it to vendor
- Receiving department inputs quantity received; updates receiving report, reconciles quantity against open PO, closes PO, updates inventory SL and GL.
- AP enters invoice, links invoice to PO and receiving report, creates voucher
- Approves payments and sets payment date
- Prints/distributes signed checks to mailroom; recorded in check register file, closes invoice, updates GL, transaction report.
HR/Payroll Cycle
- AIS integrated with HRMS for real-time employee data changes
- Employees enter time to produce time/attendance files
- Allocates labor costs to job costs, accumulates direct/indirect expenses at the end of the work period on a batch basis, calculates payroll, updates employee records, produces payroll register and AP.
- Creates JE and updates GL.
Production Cycle
- Receives work order for production run; put in as Work In Process SL.
- Labor/materials added; documents sent to AIS to automatically update WIP
- Tracks costs for labor, materials, OH; variances
- Closes WIP account after final ticket showing goods in inventory
- JE and GL updates
Fixed Asset Cycle
- Creates record of asset in SL: useful life, salvage, depreciation, location
- Updates GL, JE, depreciation schedule
- Calculates depreciation, AD, book value at end of period; JE and GL
- Disposal recorded; calculates gain/loss, JE, adjusting entries to GL
Treasury Cycle
- Integrated with other cycles
- Includes source documents (deposit slips, checks, stocks, interest) to post JE
- Bank recs
- JE for change in cash
- Reports
GL and Reporting Cycle
- Updates GL (in other cycles)
- Automatically produces trial balance
- Posts adjusting entries
- Produces FS and report of variances
- Closes temporary accounts, carries forward to BS
Automation
Designed to perform repetitive tasks. Must first examine the process to describe each step taken, the exchange of information, the governance of policies for each transaction, and the knowledge needed to perform each task.
Risks to outsourcing
- Quality: product defective or substandard
- Productivity
- Staff turnover
- Language skills
- Security
- Qualifications
- Labor insecurity
Common offshore operations
- IT provided by a managed services provider
- Business processes
- Software development
- Knowledge processing (reading X-rays)
Robotic Process Automation
Use of a program to perform repetitive tasks that don't need skilled human labor. Uses simple rule-based processes. Example: web scraping tool.
LiDAR
Light detection and ranging; a type of robotic process automation used in self-driving vehicles
Natural Language Processing Software
NLP: technology used to encode, decode, and interpret human languages to perform tasks, interact with humans, and carry out commands on other devices, e.g., virtual assistants
Neural Networks
Modeled after the neurons that facilitate the function of human or animal memories. Involves an input layer, hidden layer, and output layer. Fuzzy logic
Process integrity
A system's ability to initiate and complete transactions so they are valid, accurate, completed timely, and authorized to meet a company's objectives.
AICPA definition of deficiencies in the design of a control in SOC 2
Necessary controls are missing, or existing controls are not designed properly
How to identify if a deficiency in design exists
Obtain an understanding of management's RA process, evaluate the link between controls and the trust service criteria, and determine if the controls are appropriate.