Information Systems Part 1 Flashcards
How can machine learning improve the performance of Accounting Information Systems?
- By AUTOMATING repetitive and manual tasks
- Ex: QuickBooks and the Bank Feed
Why do organizations use Accounting Information Systems?
- To store, collect, and process financial data
- The AIS generates important reports that are part of decision making for managers and stakeholders.
When an Accounting Information System is a module in an Enterprise Resource Planning system, what bad thing happens?
- The AIS relies on a single database that is accessible by every individual within the company
- Because of this, an improper segregation of duties can occur
What is an Enterprise Resource Planning system?
- It is a business information system that automates business processes, shares common data, and facilitates reporting in real time, which improves flexibility and responsiveness
- Example: Microsoft Dynamics 365
- It integrates data from different functional areas, customers, and vendors
What are common IT system changes?
- Upgrades
- Cloud transitions
- Additions/Deletions
- Configuration changes
- Code modifications
- Updates/Patches
- Data modifications
How should policies and procedures for requesting, approving, implementing, and monitoring changes to IT resources be documented?
They should be documented in a written CHANGE MANAGEMENT PLAN that is repeatable and auditable
Vendors and customers share responsibility for ____ of a SaaS cloud application?
SECURITY
- The customer manages their own settings and physical security at their location.
- The vendor manages the physical security and overall controls.
What is IT architecture?
It is a FUNCTIONAL RISK AREA that focuses on an organization’s ability to develop systems that align corporate strategy, organizational objectives, and long-term technologies (hardware, software, data, procedures)
What is public cloud?
- 3rd party service provider owns IT computing architecture
- Multiple public users can share access to public cloud resources
- This results in lower costs, scalability (ability to be changed in size/scale)
What is hybrid cloud?
It uses a combo of public, private, and community cloud models
What is a community cloud?
- It is a cloud that can be used by a specific group of organizations with a common purpose
- Ex: Hospital chain uses this cloud to share patient info
What is CONTINUOUS INTEGRATION?
It is a change development practice where code changes are frequently and automatically integrated into a shared repository with the objective of catching bugs early in the development process
What is automated testing?
It is the most common method of validating continuous integration code changes before deployment
What is the order of continuous integration?
- Unit
- Integration
- System
- Acceptance
What are availability reports?
- They are reports that directly address system uptime and downtime durations.
- These reports measure compliance with service level agreements.
What is a Service Level Agreement?
- Many organizations use these to define the details regarding the provision of an IT service (ex: networking services) from a 3rd party vendor.
- Service level agreements are important because they specify expectations of service availability, usage, performance, capacity, processing, storage requirements, responsibilities of each party, and penalties
What is the correct sequence of activities in a patch management process?
1) Identification/creation
2) Scheduling
3) Testing
4) Deployment
5) Audit/Assessment
What is patch management?
It is the process of identifying, testing, and applying software updates (patches) to fix vulnerabilities, enhance performance, and ensure the security of systems
What is patch management important for?
It is important for the operating systems of host machines: by regularly applying updates (patches) to the OS, the OS gains protection against security vulnerabilities.
What are the COSO internal control components?
Control Environment
Risk Assessment
Information and Communication
Monitoring
Control Activities
What does the control environment of COSO internal control - integrated framework encompass?
Tone at the top
Organizational structure
Ethical values
Why are walkthroughs performed?
To obtain a qualitative understanding of a process
What does testing the operating effectiveness of controls involve?
It involves QUANTITATIVE testing on a sample or general population
What is a differential backup?
- It stores all the data since the last full backup
- Requires less storage than full backups
- Restoration time is long
- It requires more storage than incremental backups
What is an incremental backup?
It stores data that is generated or changed since the last full or incremental backup
What are the duties of a Cloud Computing Steering Committee?
They decide what processes, applications, or data should move to the cloud
What is the Mean Time to Recover?
This tracks the average time it takes to restore a service or system after an outage
What is a key purpose of the ANALYSIS phase of a business impact ANALYSIS?
To identify, score, and prioritize critical business functions
What are the 5 phases of a business impact analysis?
- Prepare
- Gather information
- Analyze
- Write/Present BIA report
- Implement
What is the business impact analysis?
It is a process for evaluating the consequences of a disruption to critical business functions
What is a Gantt chart?
It is a visual representation of project management timelines that are used for planning
What are tabletop exercises?
- This is 1 method of testing existing Business Continuity Plans
- All personnel with BCP duties meet and walk through a potential disruption scenario to find and mitigate deficiencies
What is the difference between phased and parallel installation processes?
A parallel approach involves running 2 systems simultaneously, whereas under the phased approach some users are on the new system while others are still on the old system
What is the phased approach?
It allows a company with multiple geographic locations to gradually implement new systems one location at a time, minimizing operation disruptions
What is MIRRORING?
- It involves keeping at least 2 identical copies of a database on separate machines
- Only 1 copy (principal database) is available for use
- Updates to the principal database are copied to the mirrored database.
What is REPLICATION?
It is multiple copies of data and database objects on different databases
What is a distributed database?
- It is a database that can be replicated but not mirrored
- Replication of distributed systems allows applications to access remote databases in multiple locations
- Since distributed data is stored in multiple databases, rather than a centralized database, it would be impossible to create a single mirror of the entire database
What are data interface controls?
- They are communication rules that may use middleware software configured with controls, which ensure prompt data transfers
- These controls address access, session lengths, protocols, and security
What is a BLOCKCHAIN?
It is an APPEND-ONLY (add as a supplement) ledger, which is a sequential (following in a logical order) database maintained by a DECENTRALIZED network of users
Are blockchain records IMMUTABLE (unable to be changed)?
YES
This means that the records are encrypted and cannot be changed
What is the correct order of environments in the change flow?
1) Development
2) Testing
3) Staging
4) Production
When do changes to applications become available to all users?
PRODUCTION
Infrastructure as a Service is responsible for
- Servers and storage
- Networks and security
- Infrastructure facility
Platform as a Service is responsible for
- Database & analytical tools
- Operating systems
- Servers and storage
- Networks and security
- Infrastructure facility
Software as a Service is responsible for
- Hosted apps
- Database and analytics tools
- Operating systems
- Servers and storage
- Networks and security
- Infrastructure facility
What is Business Process as a Service?
It is an extension of SaaS and outsources entire business processes, such as payroll to a 3rd party who has cloud services
What is a cool thing that a virtual server can do?
It can run its own operating system and applications and enable multiple operating systems to run on a single physical server
What is cloud computing governance?
- It refers to oversight of an organization’s mission, vision, and core values.
- Good governance includes profitability, so the benefits of cloud usage should outweigh the risks.
What is the Governance and culture component of the COSO ERM for Cloud Computing concerned with?
They are concerned with setting the TONE AT THE TOP to ensure cloud strategies are aligned with the company’s values, including its risk appetite for migration to the cloud
What is the greatest threat to one’s financial statement?
It’s from a public blockchain’s underlying lack of internal controls because there may be no recourse in case of a dispute
What is a router?
It is a device that receives data packets from 1 network and sends them to a different network using the most efficient path
What is a switch?
It is something that connects all the devices within an entity’s computer network by moving data between the devices
What is a proxy server?
- It is a server that CONCEALS an internet user’s real identity.
- It routes data packets indirectly but doesn’t make intelligent routing decisions like a router does.
What is technology debt?
It is the cost of maintaining existing legacy systems plus the opportunity cost of not switching to modern systems.
Technology debt arises from what?
- Heavily customized systems
- Short-term (rather than long-term) solutions prevent an organization from focusing on long-term strategy
- Obsolete technology needs more maintenance
What is a staging environment?
- It allows a sample group of END USERS the chance to evaluate changes to applications before going live.
- The staging environment should be the same as the live environment.
When user entities outsource business functions, what happens?
They are still responsible for 3rd party vendor oversight
What is the Systems Development Life Cycle?
It is a subset of an organization’s change management function.
What system components are included in the Systems Development Life Cycle?
- Infrastructure
- Software
- Data
- Procedures and personnel needed to meet objectives
What are the steps in the Systems Development Life Cycle?
1) Analysis
2) Design
3) Development
4) Testing
5) Implementation
6) Maintenance
What is parallel testing?
- It is testing where processing is performed at the same time at both the primary and alternate site.
- The results are compared to ensure processing was correct and complete
What is simulation testing?
- It is testing that is done before parallel testing
- It is performed only at the alternate site
What is full interruption testing?
- It is testing that is done after parallel testing.
- It has the GREATEST RISK of DISRUPTING ACTUAL OPERATIONS because all primary site processing is stopped and sent to the alternate site.
What should a disaster recovery plan focus on?
It should focus on procedures that will help restore critical systems in the event of a disaster
What would happen if a systems analyst quit his job?
His departure would be a significant risk because it could result in a knowledge gap within the development team
What item can help the development team stay on schedule in the event a systems analyst quits his job?
Systems documentation can help his team stay on schedule
What is a grandfather-father-son retention system?
It is a backup control used for recovering transactional data (information that’s captured from business transactions) after system downtime
What is the order of functional tests for a company that develops applications using the continuous integration/continuous deployment pipeline?
1) Unit Testing
2) Integration testing
3) System testing
4) Acceptance testing
What are general controls?
They relate to the integrity of an information system
They are subdivided into:
- Access controls
- Change controls
- Operations controls
Ex: Systems documentation
What are application controls?
- They are aimed at processes within a specific software program
- Ex: Field checks
What are change controls?
They prevent, detect, and correct unauthorized changes to systems, applications, and data
What is the change management process?
- Change requested
- Request evaluated
- Change implemented
- Change tested
What is scope creep?
It is when a project’s requirements, deliverables, or objectives increase beyond the original agreement
What needs to be done to test the operating effectiveness of the segregation of duties within the change management team?
The service auditor needs to inspect management’s quarterly review of permissions to ensure that developers and migrators are in separate permission groups
What is a baseline configuration?
- It is a documented, formally reviewed, and agreed-upon system specification that serves as a basis for future builds, releases, or changes.
- It’s a record of the system components and architecture at a point in time.
What are endpoint devices?
Computers, tablets, smartphones
What is middleware?
It is a utility program that helps different software programs communicate with one another to improve the efficiency of a computer system
What is a server?
They are powerful computers that store, process, and manage data
How can the operating effectiveness of a business continuity plan be evaluated?
This can be done by reviewing the results from previous business continuity tests conducted by the internal IT team
What can an IoT device do that an endpoint device like a wireless camera cannot do?
IoT devices can connect to a security system, but a wireless camera cannot do that
What are Input types of application controls?
- Validity checks
- Range (limit) checks
- Authorization checks
- Hash amounts
- Batch controls
What are processing types of application controls?
- Data validation
- Sequence checks
- Completeness checks
- Duplication checks
What are Output types of application controls?
- Distribution lists
- Printer security
- Storage controls
- Confidentiality controls
What are the 3 types of application controls?
- Input
- Processing
- Output
What is an important use for a patch?
- It is to respond to security risks, as out of date systems are vulnerable to incidents
- Ex: The Equifax breach affected millions of people because the company didn’t patch its network after being alerted to a critical security vulnerability
Why is outsourcing helpful?
It is helpful because companies may find it hard to staff an internal department with the right knowledge
What are the benefits of a shared database in an Enterprise Resource Planning System?
- A shared database improves data quality by reducing the opportunity for duplication and errors
- Information is entered into the ERP only 1x, so there is less risk of inconsistencies that are seen in multiple standalone systems
Service availability formula
(Agreed service time - Downtime) / Agreed service time
What is needed in a systems specification document?
- Writing this document is an important step in the analysis phase of systems development
- This document describes what the system will do and how it will operate
- It addresses end-user requirements, such as description of data elements
What is the Resources, Events, and Agents data model?
- It is a model where RESOURCES are items of economic value
- EVENTS are business activities
- AGENTS are internal and external stakeholders who participate in events
What is a Unified Modeling Language diagram?
- AKA “Entity Relationship Diagram”
- It is a visual representation of a conceptual data model that shows the tables in a database and the associations between them
What is Recovery Time Objective?
- It is a target for the maximum amount of downtime a business can tolerate
- A baseline RTO is established during a business impact analysis to calculate the cost of downtime
What is pseudo anonymity?
- It is being invisible and hiding your true identity in blockchain
- This risk can be mitigated (lessened) by developing a CODE OF CONDUCT
Walkthroughs are performed to
Obtain a QUALITATIVE UNDERSTANDING of a process
What is user acceptance testing?
It is a process where the sample group ensures that the changes meet predefined acceptance criteria