ISC Vocabulary for Brainscape a-i testing Flashcards
1
Q
Refers to sending a network packet that appears to come from a source other than its actual source.
A
IP Spoofing
2
Q
A boundary or connection point between two systems, components, or entities meet and interact with each other that works as per the expectation of the users to help new and seasonal staff learn even the most feature-rich system quickly.
A
Intuitive Interface
3
Q
These types of systems are configured to both detect and prevent potential attacks on the IT environment and assets. Some of these are also designed to reconfigure other security mechanisms such as a firewall. These types of systems effectively limit damage to affected systems and must be appropriately configured to accept or deny network traffic correctly.
A
Intrusion Prevention Systems (IPS)
4
Q
This is a type of software application that can be implemented on host operating systems or as a network device to monitor for signs of intruder activity and attacks. This software looks for suspicious activity and alerts administrators. A system that detects and identifies unauthorized or unusual activity on the hosts and networks; this is accomplished by the creation of audit records and checking the audit log against the intrusion thresholds. It detects break-ins or break-in attempts either manually or via software expert systems that operate on logs or other information available on the network.
A
Intrusion Detection System (IDS)
5
Q
An IEEE Standard, RFC 2411, protocol that provides security capabilities at the Internet Protocol (IP) layer of communications. IPsec’s key management protocol is used to negotiate the secret keys that protect VPN communications, and the level and type of security protections that will characterize the VPN. The most widely used key management protocol is the Internet key exchange (IKE) protocol. IPsec is a standard consisting of IPv6 security features ported over to the current version of IP, IPv4. IPsec security features provide confidentiality, data integrity, and non-repudiation.
A
Internet Protocol Security (IPsec)
6
Q
As stated on the IASB website(www.ifrs.org), the International Accounting Standards Board is an independent, not-for-profit, private-sector organization working in the public interest. Its principal objectives are:to develop a single set of high-quality, understandable, enforceable, and globally accepted International Financial Reporting Standards (IFRS) through its standard-setting body,to promote the use and rigorous application of those standards,to take account of the financial reporting needs of emerging economies and small and medium-sized entities (SMEs), andto bring about convergence of national accounting standards and IFRS to high-quality solutions.
A
International Accounting Standards Board (IASB)
7
Q
Internal control over financial reporting (ICFR) is a process effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance regarding the preparation of reliable financial statements in accordance with the applicable financial reporting framework and includes those policies and procedures that:pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the entity;provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with the applicable financial reporting framework, and that receipts and expenditures of the entity are being made only in accordance with authorizations of management and those charged with governance; andprovide reasonable assurance regarding prevention, or timely detection and correction of unauthorized acquisition, use, or disposition of the entity’s assets that could have a material effect on the financial statements.ICFR has inherent limitations. ICFR is a process that involves human diligence and compliance and is subject to lapses in judgment and breakdowns resulting from human failures. ICFR also can be circumvented by collusion or improper management override. Because of such limitations, there is a risk that material misstatements will not be prevented, or detected and corrected, on a timely basis by ICFR.AU-C 940
A
Internal Control Over Financial Reporting (ICFR)
8
Q
Internal controls are the policies and procedures established by management to provide reasonable assurance that its objectives will be achieved. These policies and procedures are categorized several ways:Accounting controlsAdministrative controls (management controls)Formal policies and directives such as board of director’s resolutions, office manuals, and written instructionsInformal policies and procedures such as oral directions from a supervisorImplicit policies and procedures such as unwritten and unspoken operating habits and standardsAccording to COSO (the Committee of Sponsoring Organizations of the Treadway Commission) in the research studyInternal Control—Integrated Framework:”Internal control is a process, effected by an entity’s board of directors, management and other personnel, which is designed to provide reasonable assurance regarding the achievement of objectives in one or more categories:”Effectiveness and efficiency of operations”Reliability of financial information”Compliance with applicable laws and regulations”Internal control consists of five interrelated components. These are derived from the way management runs a business, and are integrated into the management process. The components are:”Control Environment”Risk Assessment”Control Activities”Information and Communication”Monitoring Activities”
A
Internal Control
9
Q
An internal audit is an examination of accounting records and other evidence to establish compliance with the entity’s policies and procedures. An internal audit is performed by an employee of the entity. (See “audit” for the definition of an external audit.)
A
Internal Audit
10
Q
Interactive visualization tools allow the user to interact with data by drilling down into charts and graphics, changing the data, and observing the revised output.
A
Interactive Visualization
11
Q
Integrity is the protection of data from unauthorized tampering. The system accomplishes its objectives in an unimpaired manner: processing is complete, accurate, timely, and free from unauthorized or inadvertent system manipulation.
A
Integrity (IT)
12
Q
Inherent risk is the likelihood there are material misstatements before considering internal controls.
A
Integrity
13
Q
Inherent risk is the likelihood there are material misstatements before considering internal controls.
A
Inherent Risk
14
Q
Infrastructure as a service (IaaS) is a virtualized computer environment delivered as a service over the internet by a provider. Infrastructure can include servers, network equipment, and software. It is also called hardware as a service (HaaS).
A
Infrastructure as a Service (IaaS)
15
Q
Information technology (IT) is any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For the purpose of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which (1) requires the use of such equipment or (2) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The terminformation technologyincludes computers, ancillary equipment, software, firmware, and similar procedures, services (including support services), and related resources.
A
Information Technology (IT)
16
Q
An information system is a collection of methods, practices, algorithms, and methodologies that transform data into information and knowledge desired and useful for individual and group users in organizations and other entities. It can involve a combination of work practices, information, people, and technologies organized to accomplish goals in an organization.
A
Information System
17
Q
Aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.
A
Information Security Policy
18
Q
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
A
Information Security
19
Q
The ability to associate positively the identity of a user with the method and degree of accesses to a system.
A
Information and Communication
20
Q
Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of internal control.Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously. External communication is twofold: It enables inbound communication of relevant external information and provides information to external parties in response to requirements and expectations.
A
Individual Accountability
21
Q
To be independent is to be free from conflicts of interest and bias, self-governing, impartial, not subject to control by others, not requiring or relying on something else, not contingent, and acting with integrity and objectivity (i.e., with judgment that is unimpaired and without bias or prejudice).Independence Rule(ET 1.200.001): “A member in public practice shall be independent in the performance of professional services as required by standards promulgated by bodies designated by Council.” (ET 1.200.001.01)Independence is the cornerstone on which the audit, or attest, function of the accounting profession is based. It is the independence of the auditor that assures the public of the fair presentation of the audited financial statements. The audit opinion is the “Independent Auditor’s Report” (AU-C 600.A98 requires that the word “independent” appear in the title of the report).The auditor’s independence recognizes the need for fairness—fairness to the owners and managers of the company and also to creditors and those who may rely wholly or in part on the auditor’s report.Independence is the ability to act with integrity and objectivity andnotto compromise one’s judgment or conceal or modify an honest opinion. Auditors (both external and internal) must be capable of acting in an honest, unbiased fashion, maintaining the ability to use judgment free from influence by or subordination to the will, opinion, and judgment of others.The CPA must be independent not only infactbut also inappearance.This means both that a true conflict must not exist (the fact of independence) and that the appearance, or impression, of conflict must not exist (the appearance of independence). Hence, there must not be a compromise to the perception of the independence of the CPA in the mind of a reasonable observer, no matter how innocent the questionable circumstances may truly be. Any appearance of the lack of independence would erode the public’s confidence in the profession as quickly as the fact of a lack of independence.The “reasonable person” concept is applicable, i.e., whether or not a reasonable person, having all the facts and the normal strength of character, concludes that a specific relationship is lacking in independence, represents a conflict of interest, or is a threat to a CPA’s integrity or objectivity.
A
Independence
22
Q
The income statement is a financial statement that shows an organization’s revenues and expenses for a defined period of time. The income statement is the financial statement used most often by investors as it provides information concerning the firm’s ability to sustain ongoing operations profitably. The income statement is also the statement that is most readily understood. The single-step income statement displays the net income from ordinary operations without intermediate calculations. The multi-step income statement uses intermediate steps such as gross profit in displaying the net income from ordinary operations.
A
Income Statement
23
Q
The mitigation of violations of security policies and recommended practices.
A
Incident Handling
24
Q
Implementation is the process of installing a computer. It includes selecting and installing the equipment, training personnel, establishing operating policies, and getting the software onto the system and functioning properly.
A
Implementation
25
Information that is unique within a security domain and that is recognized as denoting a particular entity within that domain.
Identity
26
Identification is the process that enables recognition of an entity by a system, generally by the use of unique machine-readable user names.
Identification
27
The native protocol of the web, used to transfer hypertext documents.
Hypertext Transfer Protocol (HTTP)
28
A hot site is a completely operational data processing facility configured to meet the user's requirements that can be made available to a disaster-stricken organization on short notice.
Hot Site
29
The term "host" can refer to almost any kind of computer, from a centralized mainframe that is a host to its terminals, to a server that is host to its clients, to a desktop personal computer that is host to its peripherals. In network architectures, a client station (user's machine) is also considered a host because it is a source of information to the network in contrast to a device such as a router or switch that directs traffic.
Host
30
Honeypots are computers that security administrators place as a trap for intruders. A honeynet is a combination of two or more networked honeypots. Honeypots are hosts that have no authorized users other than the honeypot administrators because they serve no business function; all activity directed at them is considered suspicious.
Honeypots
31
A computationally efficient algorithm that maps a variable-sized amount of text (input) into a fixed-sized output (hash value of 128-bit string). This type of algorithm produces a secure checksum for each message, making it almost impossible to change the message if the checksum is unknown. Hash functions are used in creating digital signatures. A function that maps a bit string or arbitrary length to a fixed length bit string. Approved hash functions satisfy the following properties: One-way—It is computationally infeasible to find any input that maps to any pre-specified output. Collision resistant—It is computationally infeasible to find any two distinct inputs that map to the same output.
Hash Function
32
Algorithm that creates a hash based on a message.
Hash Algorithm
33
A condensed representation of the message, called a message digest.
Hash
34
Hadoop is a free, open-source software framework that stores large amounts of data and rapidly runs applications on clusters of commodity hardware.
Hadoop
35
Generally accepted auditing standards (GAAS) are the Statements on Auditing Standards issued by the Auditing Standards Board (ASB), the senior committee of the AICPA designated to issue pronouncements on auditing matter for nonissuers. The Compliance with Standards Rule (ET 1.310.001) of the AICPA Code of Professional Conduct requires any AICPA member who performs an audit of a nonissuer to comply with the standards promulgated by the ASB.
Generally Accepted Auditing Standards (GAAS)
36
Generally accepted accounting principles (GAAP) are basic accounting principles and standards and specific conventions, rules, and regulations that define accepted accounting practice at a particular time by incorporation of consensus and substantial authoritative support. The Financial Accounting Standards Board (FASB) Accounting Standards Codification (Codification) is the source of authoritative generally accepted accounting principles (GAAP) recognized by the FASB to be applied by nongovernmental entities. Rules and interpretive releases of the Securities and Exchange Commission (SEC) under authority of federal securities laws are also sources of authoritative GAAP for SEC registrants. In addition to the SEC's rules and interpretive releases, the SEC staff issues Staff Accounting Bulletins that represent practices followed by the staff in administering SEC disclosure requirements, and it utilizes SEC Staff Announcements and Observer comments made at Emerging Issues Task Force (EITF) meetings to publicly announce its views on certain accounting issues for SEC registrants. (FASB ASC 105-10-05-1) Accounting and financial reporting practices not included in the Codification are nonauthoritative. Sources of nonauthoritative accounting guidance and literature include, for example, the following: Practices that are widely recognized and prevalent either generally or in the industry FASB Concepts Statements American Institute of Certified Public Accountants (AICPA) Issues Papers International Financial Reporting Standards (IFRS) of the International Accounting Standards Board Pronouncements of professional associations or regulatory agencies Technical Information Service Inquiries and Replies included in AICPA Technical Practice Aids Accounting textbooks, handbooks, and articles The appropriateness of other sources of accounting guidance depends on its relevance to particular circumstances, the specificity of the guidance, the general recognition of the issuer or author as an authority, and the extent of its use in practice. (FASB ASC 105-10-05-3)
Generally Accepted Accounting Principles (GAAP)
37
The means of communicating between networks. It is designed to reduce the problems of interfacing different networks or devices. The networks involved may be any combination of local networks which employ different level protocols or local and long-haul networks.
Gateway
38
A functional item is one that performs the tasks or actions that it was created for. It is designed either to perform some task or action or to have a specific purpose. Functional is useful, practical, utilitarian, operative, serviceable, or working.
Functional
39
A flowchart is a graphic depiction, using uniform symbols to show the control flow, primary actions, and interrelationships of a task or a set of tasks. A flowchart can be created by a computer program, a computer system, the systems staff, or accountants and auditors.
Flowchart
40
Fixed assets are tangible (i.e., having physical substance), long-lived (more than one accounting period) assets held for and used in the operations of the enterprise which provide measurable future benefits. They represent a bundle of benefits acquired by the entity to be used over the life of the asset (which covers several accounting periods) and are recorded initially at acquisition cost, which is then allocated to the periods benefited through depreciation (except for land). There is a periodic charge to expense of that portion of the cost which was “consumed” in the form of benefits received from the use of the asset. Fixed assets are never written up to reflect appraisal, market, or current values but are written down to reflect a permanent decline in usefulness to the net realizable value at that date (e.g., obsolete equipment). Fixed assets are also known as “capital assets,” and that term is customary for governmental accounting. The three general categories of capital assets are as follows: Nondepreciable (e.g., land) Depreciable (e.g., office buildings, factories, warehouses, equipment, machinery, tools, furniture, and fixtures) Depletable (e.g., timber, mineral, oil, and gas rights) For state and local governments, fixed assets are termed “general capital assets” and infrastructure assets such as sidewalks are also reportable as general capital assets. Capital assets are reported in government-wide financial statements but they are not reported in governmental funds.
Fixed Asset
41
A mechanism to protect IS computing sites against Internet-borne threats. It can be thought of as a pair of mechanisms: one that exists to block traffic and the other to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic.A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
Firewall
42
A financial statement is a structured representation of historical financial information, including related notes, intended to communicate an entity’s economic resources and obligations at a point in time or the changes therein for a period of time in accordance with a financial reporting framework.Financial statements ordinarily refer to a complete set of financial statements as determined by the requirements of the applicable financial reporting framework.
Financial Statements
43
A means to exchange files across a network.
File Transfer Protocol (FTP)
44
The aggregate of all processes and procedures in a system designed to inhibit unauthorized access, contamination, or elimination of a file.
File Protection
45
A field check is an edit check in which the characters in a field are examined to ensure they are of the correct field type (e.g., numeric data in numeric fields).
Field Check
46
Fault tolerant control is the ability of a processor to maintain effectiveness after some subsystems have failed. These are hardware devices or software products such as disk mirroring or server mirroring aimed at reducing loss of data due to system failures or human errors. This is a technical and preventive control and ensures availability control.
Fault Tolerant Control
47
The fair value of an investment is the amount that the asset could reasonably expect to receive for it in a current sale between a willing buyer and a willing seller, that is, other than in a forced or liquidation sale. Fair value shall be measured by the market price if there is an active market for the investment. If there is no active market for the investment but there is a market for similar investments, selling prices in that market may be helpful in estimating fair value. If a market price is not available, a forecast of expected cash flows, discounted at a rate commensurate with the risk involved, may be used to estimate fair value. The fair value of an investment shall be reported net of the brokerage commissions and other costs normally incurred in a sale.For tax purposes, the fair market value is usually referred to as the sale price between a willing seller and a willing buyer when neither is compelled to buy or sell.
Fair Market Value (FMV)
48
A fact table is a primary table in a dimensional model and contains measurements/facts and a foreign key to the dimension table.
Fact Table
49
Any observable occurrence in a network or system.
Event
50
The error log is the record of data input and data processing errors.
Error Log
51
Any participant in an authentication exchange, such a participant may be human or nonhuman, and may take the role of a claimant and/or verifier. It can be either a subject (an active element that operates on information or the system state) or an object (a passive element that contains or receives information). A collection of information items that can conceptually be grouped together and distinguished from their surroundings. An entity is described by its attributes. Entities can be linked, or have relationships to other entities. Either a subject (an active element that operates on information or the system state) or an object (a passive element that contains or receives information).
Entity
52
An enterprise resource planning (ERP) system integrates all aspects of an organization's activities into one accounting information system.
Enterprise Resource Planning (ERP) System
53
In encryption, data is processed through a formula that substitutes other characters for the original characters, such as a = m, p = z, or e = k; thus, the word “ape” would be changed to “mzk.” Whenever data is encrypted, it must be decrypted to be used. Data may be encrypted so that it can be transmitted between computers to prevent interception of the data. Encryption is also used to store data so that others cannot read it.
Encryption
54
An emphasis-of-matter or other-matter paragraph is an additional paragraph(s) added to the standard auditor's report to fulfill the need to add explanatory language to the report. The need for an emphasis-of-matter or other-matter paragraph may or may not affect the unmodified opinion. An “emphasis of matter” paragraph is included in the auditor's report that is required by GAAS, or is included at the auditor's discretion, and refers to a matter appropriately presented or disclosed in the financial statements that, in the auditor's professional judgment, is of such importance that it is fundamental to the users' understanding of the financial statements. An “other matter” paragraph is included in the auditor's report that is required by GAAS, or is included at the auditor's discretion, and refers to a matter other than those presented or disclosed in the financial statements that, in the auditor's professional judgment, is relevant to the users' understanding of the audit, the auditor's responsibilities, or the auditor's report.
Emphasis-of-Matter (and Other-Matter) Paragraph
55
Electronic data processing (EDP) is the use of automated methods to process data. EDP uses simple, repetitive activities to process large volumes of similar information.
Electronic Data Processing (EDP)
56
Efficiency is the relationship of inputs to outputs. It is performing in the least wasteful manner and is not necessarily accompanied by effectiveness. Efficient performance uses the appropriate (expected, standard, budgeted) quantity and cost of inputs (e.g., man-hours) to produce the output.
Efficiency
57
Effectiveness is the degree to which objectives are achieved; producing the desired effect or result. Effectiveness is not necessarily accompanied by efficiency.
Effectiveness
58
The unauthorized interception of information-bearing emanations through the use of methods other than wiretapping.
Eavesdropping
59
Each entity in a network, such as a computer, requires a uniquely identifiable network address for proper delivery of message information. DNS is a protocol used to manage name lookups for converting between decimal and domain name versions of an address. It uses a name-server (DNS server), which contains a universe of names called name-space. Each name-server is identified by one or more IP addresses. One can intercept and forge traffic for arbitrary name-nodes, thus impersonating IP addresses. Secure DNS can be accomplished with cryptographic protocols for message exchanges between name-servers.
Domain Name System (DNS)
60
In computing, documentation is the instructions for operators, descriptions of procedures, and other descriptive material about a program or a system. These instructions can be classified as administrative, systems, or operating.In systems analysis, documentation is the preparation and production of documents for system analysis, programming, and system operation. Good documentation is essential to system In auditing, documentation is the use of documentary evidence to support or substantiate a claim or opinion. Documentary evidence (in an accounting sense) includes checks, invoices, contracts, and minutes of meetings. Documentary evidence may also include third-party documents such as bank statements or escrow account balances held by banks. maintenance and modification.
Documentation
61
Distributed data processing is a network of interdependent computers where certain functions are centralized, other functions are decentralized, and processing is shared among two or more computers. It is an alternative to both centralization and decentralization. Distributed data processing provides infrastructure services that facilitate the rapid development, deployment, and management of distributed applications in the telecommunications arena and integrate all telecommunications management and control functions into a unified logical software architecture supported by a single distributed control platform.
Distributed Data Processing
62
The ongoing process of assessing the risk to mission/business as part of a risk-based approach used to determine adequate security for a system by analyzing the threats and vulnerabilities and selecting appropriate, cost-effective controls to achieve and maintain an acceptable level of risk.
Disk Management
63
A disk drive is a device equipped with one or more heads that read and write data.
Disk Drive
64
A means of restricting access to objects based on the identity and need-to-know of the user, process and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject. Compare to mandatory access control.
Discretionary Access Control (DAC)
65
A disclaimer of opinion is an expression of no opinion. (AU-C 700.03) A disclaimer of opinion is warranted when restrictions on the scope of the audit are so severe, whether client imposed or due to other reasons, that the auditors are unable to obtain sufficient appropriate audit evidence to enable them to form an opinion. Example: Instances of limitations on scope include the client's refusal to allow the confirmation of receivables or the lack of a beginning inventory physical count (i.e., when the auditor is hired after the beginning of the fiscal year). It is only when the auditors are unable to overcome these limitations by other audit procedures that a disclaimer of opinion is warranted. A disclaimer of opinion because of a scope limitation requires modification of the standard auditor's responsibility paragraph and, in all cases, the substantive reasons for the disclaimer should be explained in a separate emphasis-of-matter or other-matter paragraph.
Disclaimer of Opinion
66
A disaster recovery plan (or business continuity plan) is the process, policies, and procedures of restoring operations critical to the resumption of business, including gaining access to data (records, hardware, software, etc.), communications, workspace, and other business processes.
Disaster Recovery Plan
67
The dimension table contains the descriptive information about the numerical values in the fact table; in other words, the table contains the dimensions of a fact. They are joined to the fact table through a foreign key. For example, dimension tables for a customer application might include attributes such as customer_name, customer_address, customer_contact, and customer_preference.
Dimension Table
68
A cryptographic method, provided by public-key cryptography and used by a message's recipient or any third party to verify the identity of the message's sender and the integrity of the message. A sender creates a digital signature or a message by transforming the message with his private key. A recipient, using the sender's public key, verifies the digital signature by applying a corresponding transformation to the message and the signature. Same as the electronic signature. The result of a cryptographic transformation of data that, when properly implemented, provides the services of origin authentication, data integrity, and signer nonrepudiation. A nonforgeable transformation of data that allows the proof of the source (with nonrepudiation) and the verification of the integrity of that data. Data that can be generated only by an agent that knows some secret key, and hence is evidence that such an agent must have generated it. An asymmetric key operation where the private key is used to digitally sign an electronic document and the public key is used to verify the signature. Digital signatures provide authentication and integrity protection.
Digital Signature
69
A detective control is a control that provides an alert after an unwanted event. A detective control is designed to catch an error and provide the feedback necessary so corrective action may be taken. Examples: Detective controls in a manual system would include independent account reconciliations or independent transaction authorization. Detective controls in an automated system would include batch total or hash total.
Detective Control
70
Detection risk is the risk that auditors fail to detect a material misstatement in financial statements.
Detection Risk
71
A denial-of-service attack bombards the receiving server with so much information that it shuts down, preventing legitimate users from accessing the service or resources they need.
Denial of Service (DOS)
72
In the decision-making process, a policy or course of action is selected from a set of possible or available alternatives. This process is the principal activity of management.
Decision-Making Process
73
The process of choosing between or among alternative courses of action is decision making. Decision making is future-oriented and, in general, for short-run decisions only variable costs, but not all variable costs, are relevant. Fixed costs must be considered when they will be altered by the decision. Relevant factors in the decision-making process include the following: The objective or goal whose achievement is desired (Why is this decision necessary?) The alternative courses of action identified The costs that are relevant to the decision (quantitative factors) Factors that cannot be expressed in dollars (qualitative factors, such as public or employee reaction to the decision)
Decision Making
74
A DBMS (database management system) consists of computer program(s) for organizing, accessing, and modifying a database. It is a collection of programs that enables users to store, modify, or extract information from a database.
Database Management System (DBMS)
75
A database is a collection of interrelated information that can be used for a variety of purposes. A database is managed by a computer program called a database management system (DBMS).
Database
76
A data warehouse is a type of data management system that supports business intelligence activities, mainly analytics.
Data Warehouse
77
Data visualization is a general term that describes any effort to help people understand the significance of data by placing it in a visual (pictorial or graphical) context, helping to understand and communicate complex concepts and ideas.
Data Visualization
78
Data transformation increases the efficiency of analytic and business processes to enable better data-driven decision making. It can be performed during data extraction from the source systems.
Data Transformation
79
Data stewards define and maintain data. They enforce data governance policies and procedures as well as train new data owners and employees in data governance.
Data Steward
80
Data retention is storing data for a specific period, as determined by an organization's policies, legal requirements, or business needs. It requires establishing guidelines to determine how long different data types should be kept before they are deleted or archived. Data retention policies are essential for managing data effectively and ensuring compliance with regulations.
Data Retention
81
A data repository, also known as a data library or data archive, can be defined as a place that holds data, makes data available for use, and organizes data in a logical manner to be mined for data reporting, sharing, and analysis. It is a tool that helps in scientific research as well as managing business data. Examples of data repositories are data warehouses, data lakes, data marts, metadata repositories, and data cubes.
Data Repository
82
Data redundancy refers to the storage of the same item of data in two or more places (files) within an entity's information system.
Data Redundancy
83
A data processing system is a system for assembling, recording, classifying, storing, analyzing, and reporting data. The system can be manual, mechanical, or computerized. Electronic data processing (EDP) is often used to mean performing these tasks with a computer.
Data Processing System
84
Data processing is a sequence of steps to record, classify, and summarize data using a computer program.
Data Processing
85
Data owners are individuals who have direct responsibility for data. They provide protection and ensure quality of data as a business asset.
Data Owner
86
Data modeling is a process of mapping and creating visuals of the information system to illustrate the type of data used and stored in the information system, the relationship among the data types, and the ways and formats in which data can be organized. It enables the developers to understand the requirements of the users in order to build systems that can be used to meet those requirements.Data models can take various forms, including conceptual, logical, and physical models, each serving specific purposes in data management. Data modeling provides a structured approach to designing and managing data, which is essential for building effective databases, data warehouses, and information systems that support an organization's operations and decision-making processes.
Data Modeling
87
Data-mining technology helps examine large amounts of data to discover patterns. With data-mining software, companies can pinpoint what is relevant, use that information to assess likely outcomes, and then accelerate the pace of making informed decisions.
Data Mining
88
A data mart is a subset of a data warehouse focused on a particular line of business or department. A data mart is more secure because it limits authorized users to isolated data sets and denies access to all data in the data repository.
Data Mart
89
Data loading involves loading data into a target data warehouse database; it is the final step of the ETL (extract, transform, and load) process.
Data Load
90
A data lake is a large data repository that stores unstructured data.
Data Lake
91
The data governance committee sets policies and procedures for data governance. It works with the chief data officer (CDO) to establish the “who, what, when, where, and why” of data governance.
Data Governance Committee
92
Data governance is used by organizations to manage, utilize, and protect their data. It is about the roles, responsibilities, and processes for ensuring accountability for and ownership of data assets. Data governance is a system that defines who within an organization has authority and control over data as well as how data may be used. It protects company data as well as customers’ private data by setting up a data governance framework.
Data Governance
93
A data flow diagram (DFD) graphically describes the source of data, the flow of data in an organization, the processes performed on the data, where data is stored in the organization, and the destination of data. DFDs are used to document existing systems and to plan or design new ones.
Data Flow Diagram (DFD)
94
Data extraction is the process of gathering and retrieving data captured within unstructured sources, such as email, social media, images, and barcodes.
Data Extraction
95
A cryptographic key used for encrypting and decrypting data.
Data Encryption Key
96
A data dictionary is a description of all data elements, stores, and flows in a system. Typically, a master copy of the data dictionary is maintained to ensure consistency and accuracy throughout the development process.
Data Dictionary
97
Data cleansing involves checking data against predefined rules.
Data Cleansing
98
Data analytics rapidly examine large amounts of data (i.e., big data) to identify hidden patterns and correlations.
Data Analytics
99
In electronic data processing (EDP), data is characters processed in computer systems and stored in computer files. Data is raw; information is developed from data. For example, the balance in your checking account is data. When it is presented in reports such as your monthly statement or tellers' display screens, it is information. Data is grouped into records. Records are made up of fields or elements. The fields are data. Thus, your checking account is a record with an account number (field), a balance (field), a name (field), etc. Volumes of data are measured in bytes. One byte can equal one character of information. Large amounts of data are measured in thousands of bytes (kilobytes (KB)), millions of bytes (megabytes (MB)), and billions of bytes (gigabytes (GB)).
Data
100
Cybersecurity is the practice of protecting systems, networks, devices, programs, and data from digital attack, damage, or unauthorized access.
Cybersecurity
101
Cyber resilience is the ability of an organization to manage cyberattacks while continuing to run its operations effectively.
Cyber Resilience
102
Customer relationship management (CRM) is a technology for managing all of an entity’s relationships and interactions with current and potential customers to provide for more streamlined processes that result in increased profitability.
Customer Relationship Management (CRM)
103
Cryptography is used by cryptocurrencies to secure and verify transactions as well as to control the creation of new units of cryptocurrency. Cryptography scrambles plaintext into ciphertext (i.e., unintelligible text) and vice versa.
Cryptography
104
Cryptocurrency is a digital or virtual currency (such as Bitcoin) which functions as an online medium of exchange, allowing owners of the currency to buy goods and services. A cryptocurrency uses cryptography to secure and verify transactions as well as to control the creation of new units of cryptocurrency.
Cryptocurrency
105
Any action, device, procedure, technique, or other measure that reduces the vulnerability of or threat to a system. Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards.
Countermeasures
106
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of the five private-sector organizations listed below and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.
COSO
107
Corrective controls remedy problems discovered through detective controls. They include procedures to identify the cause of a problem, correct errors arising from the problem, and modify the system so that future errors may be minimized or eliminated. One such procedure is the maintenance of backup copies of key transaction and master files, so that damaged or destroyed files can be restored. Also included are procedures for correcting any errors found during the data verification process and resubmitting the related transactions for subsequent processing. In addition, a log of such errors may be maintained to facilitate follow-up procedures and ensure that proper corrective action is taken.
Corrective Controls
108
Relative to electronic data processing (EDP), conversion is the phase in the system development life cycle (SDLC) where old or manual files are transferred to the new system. The term may also be used to refer to the change from one processor or processing environment to another, as when the entity buys new computer equipment. This phase is particularly important to the internal auditor because care must be taken to ensure the integrity of the transferred information.
Conversion
109
A control objective is the aim or purpose of specified controls. Control objectives address the risks that the controls are intended to mitigate.In the context of internal control over financial reporting (ICFR), a control objective generally relates to a relevant assertion for a significant class of transactions, account balance, or disclosure and addresses the risk that the controls in a specific area will not provide reasonable assurance that a misstatement or omission in that relevant assertion is prevented, or detected and corrected, on a timely basis. (AU-C 940)
Control Objective
110
According to AU-C 315.A79, the control environment is as follows: "The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure."
Control Environment
111
AU-C 315.21 and .A102–.A103 state that control activities are the policies and procedures that help ensure that management directives are carried out. They help ensure that necessary actions are taken to address risks that threaten the achievement of the entity's objectives. Control activities have various objectives and are applied at various organizational and functional levels.
Control Activities
112
Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization's financial and operational environment. Continuous monitoring, as defined in the 2009 COSO Guidance on Monitoring Internal Control Systems, serves as both a preventive and a corrective control, and ensures: operational effectiveness and efficiency, reliability of financial reporting, and compliance with applicable laws and regulations.
Continuous Monitoring
113
A contingency plan is a plan for responding to the loss or failure of a system. The plan describes the necessary steps to take in order to ensure the continuity of core business processes. It includes emergency response, backup operations, and post-disaster recovery. It is synonymous with a disaster plan and emergency plan.
Contingency Plan
114
Consolidation is a reporting procedure in which the financial statements of the parent and the subsidiary are combined. The financial statements are prepared by the parent, not by the subsidiary. Consolidation is a reporting procedure only. It does not affect the accounting records of either the parent or the subsidiary.All majority-owned subsidiaries must be consolidated with the parent unless control does not rest with the majority owner (e.g., if the subsidiary is in legal reorganization or bankruptcy).
Consolidation
115
The quality of data can be measured using the criterion of consistency: The data should reflect the same information across all systems, and the systems should be in sync with each other across the enterprise.
Consistency (Data)
116
Configuration management is a procedure for applying technical and administrative direction and surveillance to: identify and document the functional and physical characteristics of an item or system, control any changes to such characteristics, and record and report the change, process, and implementation status. The configuration management process must be carefully tailored to the capacity, size, scope, phase of the life cycle, maturity, and complexity of the system involved. Configuration management is the process of controlling the software and documentation so they remain consistent as they are developed or changed. It is the management of security features and assurances through control of changes made to a system's hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the development and operational life of the system.
Configuration Management
117
Configuration control is the process of controlling modifications to the system's hardware, firmware, software, and documentation that provided sufficient assurance that the system is protected against the introduction of improper modifications prior to, during, and after system implementation.
Configuration Control
118
The configuration is the relative or functional arrangement of components in a computer system.
Configuration
119
The confidentiality criterion of Trust Services assesses whether the service organization’s information that is designated “confidential” is protected as committed or agreed to in the contract. Data is considered confidential if its access and disclosure is restricted to a specified set of persons or organizations (e.g., company personnel, business plans, intellectual property, or internal price lists).
Confidentiality (Trust Services Criteria)
120
A concept that applies to data that must be held in confidence and that describes the status and degree of protection that must be provided for such data about individuals as well as organizations. Ensuring that data is disclosed only to authorized subjects. The security goal that generates the requirement for protection from intentional or accidental attempts to perform unauthorized data reads. Confidentiality covers data in storage, during processing, and while in transit. It is assurance that information is not disclosed to unauthorized individuals, processes, or devices. It is preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Confidentiality
121
Computing security methods are security safeguards implemented within the IS, using the networking, hardware, software, and firmware of the IS. This includes the following: the hardware, firmware, and software that implements security functionality and the design, implementation, and verification techniques used to ensure that system assurance requirements are satisfied.
Computing Security Methods
122
A computer virus is a segment of executable code that attaches itself to an executable system component. Viruses are contagious and are easily spread from one system to another when those systems share programs or files. Many viruses lie dormant for long periods of time, doing nothing other than copying themselves to other files and systems. Viruses do not usually leave any external signs of their presence, so when they trigger, they can cause unexpected and widespread damage. A virus may destroy or alter data or programs, take control of the computer, destroy the hard disk's file allocation table (FAT), make it impossible to boot the system, intercept and change transmissions, or print messages to the screen. As the virus spreads, it takes up disk space, clogs communications, and hinders system performance.
Computer Virus
123
Computer security is the protection of a computer system's assets and its information from unauthorized use, disclosure, alteration, manipulation, and destruction.
Computer Security
124
Misrepresentation, alteration, or disclosure of data in order to obtain something of value (usually for monetary gain). A computer system must have been involved in the perpetration or cover-up of the act or series of acts. A computer system might have been involved through improper manipulation of input data; output or results; applications programs; data files; computer operations; communications; or computer hardware, systems software, or firmware.
Computer Fraud
125
Completeness is an audit internal control objective. Completeness controls are designed to ensure that all valid transactions are recorded and none omitted. Example: Completeness controls include periodic accounting for the number sequence of prenumbered forms to ascertain that all validly used forms have been recorded (e.g., shipping documents).
Completeness
126
A cold site is a location that provides everything necessary to quickly install computer equipment in the event of a disaster striking an organization.
Cold Site
127
Code is the instructions or statements of a computer program, a system of symbols to convert alphanumeric data into a transmittable form, or a set of rules for the manner in which data must be represented.
Code
128
COBIT is issued by ISACA (the Information Systems Audit and Control Association) and stands for Control Objectives for Information and Related Technologies (COBIT). The COBIT framework focuses on information technology management and governance.
COBIT
129
Cloud computing is the delivery of computing services including servers, databases, storage, networking, software, and analytics over the internet—in other words, “the cloud”—offering flexible resources, economies of scale, and faster innovation.
Cloud Computing
130
"The cloud" is a metaphor for a global network, first used in reference to the telephone network and now commonly used to represent the internet. Clouds can be public, private, or hybrid.
Cloud
131
The client/server model states that a client (user), whether a person or a computer program, may access authorized services from a server (host) connected anywhere on the distributed computer system. The services provided include database access, data transport, data processing, printing, graphics, electronic mail, word processing, or any other service available on the system. These services may be provided by a remote mainframe using long haul communications or within the user's workstation in real-time or delayed (batch) transaction mode. Such an open access model is required to permit true horizontal and vertical integration.
Client-Server
132
The result of transforming plaintext with an encryption algorithm. Also known as cryptotext. It is encrypted (enciphered) data.
Ciphertext
133
A checkpoint is a place in a computer program where its status can be recorded or its information saved (dumped) and later execution can be resumed from that point rather than from the beginning of the program.
Checkpoint
134
A check digit is a specific type of input control, consisting of a single digit at the end of an identification code that is computed from the other digits in a field. If the identification code is mis-keyed, a formula or algorithm will reveal that the check digit is not correct, and the field will not accept the entry. For example, the formula for a seven-digit account number could be the sum of double, add, double, add, double, add, and subtracted from the next multiple of 10. In this case, 123456 would have a check digit of 0 and the full account number would be 1234560 (2 + 2 + 6 + 4 + 10 + 6 = 30; the next multiple of 10 is 30, so 30 - 30 = 0). If 1233560 is keyed instead of 1234560, the formula will not produce the proper check digit and the account number will be rejected. There are many different formulas or algorithms for calculating check digits.
Check Digit
135
Change management in IT uses standardized methods, processes, and procedures to efficiently and promptly handle changes to the control IT infrastructure. Change management maintains the balance between needed changes and the potential negative impact of such changes on service. Changes in the IT infrastructure may arise reactively (responding to problems or externally imposed requirements such as legislative changes), proactively (seeking greater efficiency and effectiveness or implementing new business initiatives), or from service improvement initiatives and other programs or projects.
Change Management
136
The administrative act of approving a computer system for use in a particular application. A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Certification
137
A business impact analysis (BIA) is an analysis of an IT system's requirements, processes, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.
Business Impact Analysis (BIA)
138
A business continuity plan (BCP) is the documentation of a predetermined set of instructions or procedures that describe how an organization's business functions will be sustained during and after a significant disruption.
Business Continuity Plan (BCP)
139
“Brute force” is a type of attack under which every possible combination of cryptographic keys, passwords, user IDs, and PINs is tried in an attempt to break into a computer system or network.
Brute-Force Attack
140
Brouters are routers that can also bridge; they route one or more protocols and bridge all other network traffic.
Brouters
141
A device that connects similar or dissimilar LANs together to form an extended LAN.
Bridges
142
Blockchain is a digitized, decentralized, public ledger of all cryptocurrency transactions. Completed blocks are recorded and added to the chain in chronological order, allowing market participants to keep track of digital currency transactions without central recordkeeping.
Blockchain
143
Biometric security systems measure physical traits that make each person unique. Such traits include speech patterns, eye and finger physiology, written signature dynamics, and other common physical traits. The ideal system must be reliable and yet flexible in handling minor changes in physical characteristics. Oftentimes, a lack of flexibility can create a problem for a person who cuts their finger or wakes up with a hoarse voice. The system also requires the user be physically present to gain access to the system.
Biometric Security Systems
144
An image or template of a physiological attribute (e.g., a fingerprint) that may be used to identify an individual. Biometrics may be used to unlock authentication tokens and prevent repudiation of registration.
Biometric
145
Big data describes the large volume of data available to business on a day-to-day basis which is analyzed for insights that lead to better decisions and strategic business moves. Big data is often defined by the three "V's": volume, velocity, and variety.
Big Data
146
Batching is the grouping together of similar transactions or data so they can be processed by a computer system as a single unit or transmitted at a single point of time.
Batching
147
Batch total is an input control, the sum of the number of items or total amount. Input is compared to processing; a mismatch of the number of items or sum of the totals (e.g., sum of invoice totals) between input and processing indicates that an item was lost or processed twice.
Batch Total
148
In batch processing, items to be processed are collected in groups to permit fast and convenient processing (processed as a group). Records of all transactions affecting a particular master file (e.g., payroll) are accumulated over a period of time (e.g., one week) and are then arranged in sequence and processed against the master file.
Batch Processing
149
A version of software used as a starting point for later versions.
Baseline
150
Backup procedures are the provisions made for the recovery of data files and program libraries, and for restart or replacement of computer equipment after the occurrence of a system failure or of a disaster.
Backup Procedures
151
Backup controls are a set of controls that provide a safeguard against loss of important parts of a database such as control files, redo logs, and data files by providing a representative copy of the data. The controls also provide safeguards against application errors.
Backup Controls
152
A backup, or the process of backing up, refers to the copying and archiving of computer data so it may be used to restore the original after a data loss event (data deletion or corruption). A backup is a system, device, file, disk, or facility that can be used in the event of malfunction or when the original source of data is lost. Backups can be a simple form of disaster recovery and should be part of a disaster recovery plan; however, backups should not alone be considered disaster recovery.
Backup
153
A hidden flaw in a system mechanism that can be triggered to circumvent the system's security. Synonymous with trap door.
Back Door
154
The availability criterion of Trust Services assesses whether the service organization’s system, product, or service is available for operation and use as committed or agreed to by a contract or service level agreement (SLA). This principle pertains to security-related criteria that may affect availability, monitoring such items as network performance and availability, site failover, and security incident handling.
Availability (Trust Services Criteria)
155
The probability that a given resource will be usable during a given time period. The security goal that generates the requirement for protection against intentional or accidental attempts to: perform unauthorized deletion of data or otherwise cause of denial of service or data. It also refers to timely and reliable access to and use of data and information services for authorized users.
Availability
156
Automation is the technology which allows machines to perform tasks once performed by humans via programmed commands, combined with automatic feedback control, to ensure proper execution of the instructions without human intervention.
Automation
157
1. Determining whether a subject is trusted to act for a given purpose, for example, allowed to read a particular file.
2. The granting or denying of access rights to a user, program, or process.
Authorization
158
Providing assurance regarding the identity of a subject or object, for example, ensuring that a particular user is who he claims to be. Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in a system. The process of establishing confidence in user identities.
Authentication
159
1. To verify the identity of a user, device, or other entity in a computer system, often as prerequisite to allowing access to resources in a system.
2. To verify the integrity of data that have been stored, transmitted or otherwise exposed to possible unauthorized modification.
Authenticate
160
The audit trail (audit log) is the path left by a transaction when it is processed. The trail begins with the original source document or documents, proceeds through the transactions, entries, and posting of records, and is completed with the financial statements. Source document → Journal → Ledger → Financial statements The traditional audit trail is characterized by accessible records, observable activities, source documents, detailed chronological journals, and ledger summaries. For entities with highly complex information technology systems, the audit trail is partially or completely electronic. Information technology (IT) has impacted the audit trail in the following ways: Source documents may no longer be produced—access to documents is more difficult. Ledger summaries may be replaced by electronic master files. Printed data may not be available. Processing activities are difficult to observe—much of the processing is automated within the system.
Audit Trail (Audit Log)
161
A party who is not the claimant or verifier but wishes to successfully execute the authentication protocol as a claimant.
Attacker
162
The act of trying to bypass security controls on a system. An attack may be active, resulting in the alteration of data, or passive, resulting in the release of data.Note: The fact that an attack is made does not necessarily mean that it will succeed. The degree of success depends on the vulnerability of the system or activity and the effectiveness of existing countermeasures. An attempt to obtain a subscriber's token or to fool a verifier into believing that an unauthorized individual possesses a claimant's token.
Attack
163
Two related keys, a public key and a private key that are used to perform complementary operations, such as encryption and decryption or signature generation and signature verification.
Asymmetric Keys
164
Assets are information resources that support an organization's mission.
Asset
165
Programs that perform specific tasks, such as word processing, database management, or payroll. Software that interacts directly with some non-software system (e.g., human, robot, etc.).
Application Software
166
Application programs are computer programs designed to perform a specific function directly for the user or for another application. Examples of application programs include word processors, database programs, and financial programs. The program processes specific files or performs specific functions such as receivables or payroll.
Application Program
167
“Application controls” refers to the transactions and data relating to each computer-based application system and are, therefore, specific to each such application. The objectives of application controls, which may be manual or programmed, are to ensure the completeness and accuracy of the records and the validity of the entries made therein. Application controls consist of input controls, processing controls, and output controls.
Application Controls
168
An application is a computer program for performing a specific function, such as a payroll program.
Application
169
Because of the danger of computer viruses and their effects, many reliable companies have created antivirus programs. These programs usually have most or all of the following functions: Virus protection—monitors computer activities in order to detect unauthorized or suspicious functions which may indicate a virus in operation. Virus identification—matches the specific virus with known types to ascertain its effects and the best course of recovery. This may also lend a clue as to the origin of the virus and includes scanning disks to locate viruses. Vaccination—utilities used to remove detected viruses from your system. Note: different utilities will be required to recover damaged files if a virus has been activated.
Antivirus Software
170
Any condition which departs from the expected. This expectation can come from documentation (e.g., requirements specifications, design documents, user documents) or from perceptions or experiences. An anomaly is not necessarily a problem in the software, but a deviation from the expected, so that errors, defects, faults, and failures are considered anomalies.
Anomaly
171
An adverse opinion is an “overall” audit opinion which states that the financial statements do not present fairly the financial position or the results of operations or cash flows in conformity with an applicable financial reporting framework (AU-C 705.09). Auditors must have as much sufficient appropriate audit evidence to support an adverse opinion as for an unmodified opinion.An adverse opinion is warranted when the departure from an applicable financial reporting framework or the inconsistency is sufficiently material or sufficiently pervasive as to misrepresent the financial position or results of operations or cash flows or when the auditor believes the entity is not a going concern.An adverse opinion requires the disclosure of all the substantive reasons for the adverse opinion and the principal effects of the inconsistency on the financial statements, if known, or a statement in a separate emphasis-of-matter or other-matter paragraph preceding the opinion paragraph that the effects are not reasonably determinable.
Adverse Opinion
172
The AES specifies a U.S. government-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called cipher text; decrypting the cipher text converts the data back into its original form, called plain text. The AES algorithm is capable of using cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits. AES is an encryption algorithm for securing sensitive but unclassified material.
Advanced Encryption Standard (AES)
173
An administrator is a person appointed by the court to handle the affairs of a person who has died intestate (without a will) or a deceased person whose will did not establish a valid executor. The administrator is empowered by the court to administer an estate, to act for the estate, and to carry out the terms of the will. The administrator is empowered to marshal the assets and pay the debts of the estate, and distribute the remaining assets as specified in the will or, if intestate, to distribute the assets according to the laws of descent and distribution in that state. Administrators are empowered to sell assets to pay debts. It is a fiduciary relationship and has certain duties and liabilities; powers, duties, and liabilities are identical to those of executors.
Administrator
174
An attack on the authentication protocol where the attacker transmits data to the claimant or verifier. Examples of active attacks include a man-in-the-middle, impersonation, and session hijacking.
Active Attack
175
Accurate information is information that correctly and precisely represents a recorded event. Accurate calculations are prepared without errors and reprinted and copied as originally derived. Accuracy is an audit internal control objective. Accuracy controls are designed to ensure that dollar amounts are computed correctly. Examples of accuracy controls include use of a current approved price list, verification of multiplication and addition, matching of quantities ordered, received, and invoiced
Accuracy
176
1. A management's formal acceptance of the adequacy of a computer system's security.
2. The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.
Accreditation
177
An accounting system is a set of processes, procedures, and software tools designed to capture, process, store, and analyze financial data. Accounting systems are crucial for maintaining accurate financial records, ensuring compliance with financial regulations, and producing financial statements and reports.
Accounting System
178
Accountability is the obligation to explain one's actions or to justify what one does. Accountability is one of the primary objectives of financial reporting. It is information about how management discharged its stewardship responsibility to owners or to the citizenry regarding the use of resources entrusted to it. “Accountability requires governments to answer to the citizenry—to justify the raising of public resources and the purposes for which they are used.” (GASBCS 1.56)
Accountability
179
Hardware or software features, operating procedures, management procedures, and various combinations of these designed to prevent and detect unauthorized access and to permit authorized access in an automated system.
Access Control Mechanism
180
A list of the subjects that are permitted to access an object and the access rights of each subject.
Access Control List
181
1. The process of limiting access to the resources of a system only to authorized programs, processes or other systems (in a network). Synonymous with controlled access and limited access.
2. It enables authorized use of a resource while preventing unauthorized use or use in an unauthorized manner.
Access Control
182
A specific type of interaction between a subject and an object that results in the flow of information from one to the other. A subject's right to use an object.
Access
