ISC Vocabulary for Brainscape a-i testing

Question 1

Refers to sending a network packet that appears to come from a source other than its actual source.

Answer 1

IP Spoofing

Question 2

A boundary or connection point between two systems, components, or entities meet and interact with each other that works as per the expectation of the users to help new and seasonal staff learn even the most feature-rich system quickly.

Answer 2

Intuitive Interface

Question 3

These types of systems are configured to both detect and prevent potential attacks on the IT environment and assets. Some of these are also designed to reconfigure other security mechanisms such as a firewall. These types of systems effectively limit damage to affected systems and must be appropriately configured to accept or deny network traffic correctly.

Answer 3

Intrusion Prevention Systems (IPS)

Question 4

This is a type of software application that can be implemented on host operating systems or as a network device to monitor for signs of intruder activity and attacks. This software looks for suspicious activity and alerts administrators. A system that detects and identifies unauthorized or unusual activity on the hosts and networks; this is accomplished by the creation of audit records and checking the audit log against the intrusion thresholds. It detects break-ins or break-in attempts either manually or via software expert systems that operate on logs or other information available on the network.

Answer 4

Intrusion Detection System (IDS)

Question 5

An IEEE Standard, RFC 2411, protocol that provides security capabilities at the Internet Protocol (IP) layer of communications. IPsec’s key management protocol is used to negotiate the secret keys that protect VPN communications, and the level and type of security protections that will characterize the VPN. The most widely used key management protocol is the Internet key exchange (IKE) protocol. IPsec is a standard consisting of IPv6 security features ported over to the current version of IP, IPv4. IPsec security features provide confidentiality, data integrity, and non-repudiation.

Answer 5

Internet Protocol Security (IPsec)

Question 6

As stated on the IASB website(www.ifrs.org), the International Accounting Standards Board is an independent, not-for-profit, private-sector organization working in the public interest. Its principal objectives are:to develop a single set of high-quality, understandable, enforceable, and globally accepted International Financial Reporting Standards (IFRS) through its standard-setting body,to promote the use and rigorous application of those standards,to take account of the financial reporting needs of emerging economies and small and medium-sized entities (SMEs), andto bring about convergence of national accounting standards and IFRS to high-quality solutions.

Answer 6

International Accounting Standards Board (IASB)

Question 7

Internal control over financial reporting (ICFR) is a process effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance regarding the preparation of reliable financial statements in accordance with the applicable financial reporting framework and includes those policies and procedures that:pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the entity;provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with the applicable financial reporting framework, and that receipts and expenditures of the entity are being made only in accordance with authorizations of management and those charged with governance; andprovide reasonable assurance regarding prevention, or timely detection and correction of unauthorized acquisition, use, or disposition of the entity’s assets that could have a material effect on the financial statements.ICFR has inherent limitations. ICFR is a process that involves human diligence and compliance and is subject to lapses in judgment and breakdowns resulting from human failures. ICFR also can be circumvented by collusion or improper management override. Because of such limitations, there is a risk that material misstatements will not be prevented, or detected and corrected, on a timely basis by ICFR.AU-C 940

Answer 7

Internal Control Over Financial Reporting (ICFR)

Question 8

Internal controls are the policies and procedures established by management to provide reasonable assurance that its objectives will be achieved. These policies and procedures are categorized several ways:Accounting controlsAdministrative controls (management controls)Formal policies and directives such as board of director’s resolutions, office manuals, and written instructionsInformal policies and procedures such as oral directions from a supervisorImplicit policies and procedures such as unwritten and unspoken operating habits and standardsAccording to COSO (the Committee of Sponsoring Organizations of the Treadway Commission) in the research studyInternal Control—Integrated Framework:”Internal control is a process, effected by an entity’s board of directors, management and other personnel, which is designed to provide reasonable assurance regarding the achievement of objectives in one or more categories:”Effectiveness and efficiency of operations”Reliability of financial information”Compliance with applicable laws and regulations”Internal control consists of five interrelated components. These are derived from the way management runs a business, and are integrated into the management process. The components are:”Control Environment”Risk Assessment”Control Activities”Information and Communication”Monitoring Activities”

Answer 8

Internal Control

Question 9

An internal audit is an examination of accounting records and other evidence to establish compliance with the entity’s policies and procedures. An internal audit is performed by an employee of the entity. (See “audit” for the definition of an external audit.)

Answer 9

Internal Audit

Question 10

Interactive visualization tools allow the user to interact with data by drilling down into charts and graphics, changing the data, and observing the revised output.

Answer 10

Interactive Visualization

Question 11

Integrity is the protection of data from unauthorized tampering. The system accomplishes its objectives in an unimpaired manner: processing is complete, accurate, timely, and free from unauthorized or inadvertent system manipulation.

Answer 11

Integrity (IT)

Question 12

Inherent risk is the likelihood there are material misstatements before considering internal controls.

Answer 12

Integrity

Question 13

Inherent risk is the likelihood there are material misstatements before considering internal controls.

Answer 13

Inherent Risk

Question 14

Infrastructure as a service (IaaS) is a virtualized computer environment delivered as a service over the internet by a provider. Infrastructure can include servers, network equipment, and software. It is also called hardware as a service (HaaS).

Answer 14

Infrastructure as a Service (IaaS)

Question 15

Information technology (IT) is any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For the purpose of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which (1) requires the use of such equipment or (2) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The terminformation technologyincludes computers, ancillary equipment, software, firmware, and similar procedures, services (including support services), and related resources.

Answer 15

Information Technology (IT)

Question 16

An information system is a collection of methods, practices, algorithms, and methodologies that transform data into information and knowledge desired and useful for individual and group users in organizations and other entities. It can involve a combination of work practices, information, people, and technologies organized to accomplish goals in an organization.

Answer 16

Information System

Question 17

Aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.

Answer 17

Information Security Policy

Question 18

The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

Answer 18

Information Security

Question 19

The ability to associate positively the identity of a user with the method and degree of accesses to a system.

Answer 19

Information and Communication

Question 20

Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of internal control.Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously. External communication is twofold: It enables inbound communication of relevant external information and provides information to external parties in response to requirements and expectations.

Answer 20

Individual Accountability

Question 21

To be independent is to be free from conflicts of interest and bias, self-governing, impartial, not subject to control by others, not requiring or relying on something else, not contingent, and acting with integrity and objectivity (i.e., with judgment that is unimpaired and without bias or prejudice).Independence Rule(ET 1.200.001): “A member in public practice shall be independent in the performance of professional services as required by standards promulgated by bodies designated by Council.” (ET 1.200.001.01)Independence is the cornerstone on which the audit, or attest, function of the accounting profession is based. It is the independence of the auditor that assures the public of the fair presentation of the audited financial statements. The audit opinion is the “Independent Auditor’s Report” (AU-C 600.A98 requires that the word “independent” appear in the title of the report).The auditor’s independence recognizes the need for fairness—fairness to the owners and managers of the company and also to creditors and those who may rely wholly or in part on the auditor’s report.Independence is the ability to act with integrity and objectivity andnotto compromise one’s judgment or conceal or modify an honest opinion. Auditors (both external and internal) must be capable of acting in an honest, unbiased fashion, maintaining the ability to use judgment free from influence by or subordination to the will, opinion, and judgment of others.The CPA must be independent not only infactbut also inappearance.This means both that a true conflict must not exist (the fact of independence) and that the appearance, or impression, of conflict must not exist (the appearance of independence). Hence, there must not be a compromise to the perception of the independence of the CPA in the mind of a reasonable observer, no matter how innocent the questionable circumstances may truly be. Any appearance of the lack of independence would erode the public’s confidence in the profession as quickly as the fact of a lack of independence.The “reasonable person” concept is applicable, i.e., whether or not a reasonable person, having all the facts and the normal strength of character, concludes that a specific relationship is lacking in independence, represents a conflict of interest, or is a threat to a CPA’s integrity or objectivity.

Answer 21

Independence

Question 22

The income statement is a financial statement that shows an organization’s revenues and expenses for a defined period of time. The income statement is the financial statement used most often by investors as it provides information concerning the firm’s ability to sustain ongoing operations profitably. The income statement is also the statement that is most readily understood. The single-step income statement displays the net income from ordinary operations without intermediate calculations. The multi-step income statement uses intermediate steps such as gross profit in displaying the net income from ordinary operations.

Answer 22

Income Statement

Question 23

The mitigation of violations of security policies and recommended practices.

Answer 23

Incident Handling

Question 24

Implementation is the process of installing a computer. It includes selecting and installing the equipment, training personnel, establishing operating policies, and getting the software onto the system and functioning properly.

Answer 24

Implementation

Question 25

Information that is unique within a security domain and that is recognized as denoting a particular entity within that domain.

Answer 25

Identity

Question 26

Identification is the process that enables recognition of an entity by a system, generally by the use of unique machine-readable user names.

Answer 26

Identification

Question 27

The native protocol of the web, used to transfer hypertext documents.

Answer 27

Hypertext Transfer Protocol (HTTP)

Question 28

A hot site is a completely operational data processing facility configured to meet the user’s requirements that can be made available to a disaster-stricken organization on short notice.

Answer 28

Hot Site

Question 29

The term “host” can refer to almost any kind of computer, from a centralized mainframe that is a host to its terminals, to a server that is host to its clients, to a desktop personal computer that is host to its peripherals. In network architectures, a client station (user’s machine) is also considered a host because it is a source of information to the network in contrast to a device such as a router or switch that directs traffic.

Answer 29

Host

Question 30

Honeypots are computers that security administrators place as a trap for intruders. A honeynet is a combination of two or more networked honeypots. Honeypots are hosts that have no authorized users other than the honeypot administrators because they serve no business function; all activity directed at them is considered suspicious.

Answer 30

Honeypots

Question 31

A computationally efficient algorithm that maps a variable-sized amount of text (input) into a fixed-sized output (hash value of 128-bit string). This type of algorithm produces a secure checksum for each message, making it almost impossible to change the message if the checksum is unknown. Hash functions are used in creating digital signatures.A function that maps a bit string or arbitrary length to a fixed length bit string. Approved hash functions satisfy the following properties:One-way—It is computationally infeasible to find any input that maps to any pre-specified output.Collision resistant—It is computationally infeasible to find any two distinct inputs that map to the same output.

Answer 31

Hash Function

Question 32

Algorithm that creates a hash based on a message.

Answer 32

Hash Algorithm

Question 33

A condensed representation of the message, called a message digest.

Answer 33

Hash

Question 34

Hadoop is a free, open-source software framework that stores large amounts of data and rapidly runs applications on clusters of commodity hardware.

Answer 34

Hadoop

Question 35

Generally accepted auditing standards (GAAS) are the Statements on Auditing Standards issued by the Auditing Standards Board (ASB), the senior committee of the AICPA designated to issue pronouncements on auditing matter for nonissuers. The Compliance with Standards Rule (ET 1.310.001) of the AICPA Code of Professional Conduct requires any AICPA member who performs an audit of a nonissuer to comply with the standards promulgated by the ASB.

Answer 35

Generally Accepted Auditing Standards (GAAS)

Question 36

Generally accepted accounting principles (GAAP) are basic accounting principles and standards and specific conventions, rules, and regulations that define accepted accounting practice at a particular time by incorporation of consensus and substantial authoritative support.The Financial Accounting Standards Board (FASB)Accounting Standards Codification(Codification) is the source of authoritative generally accepted accounting principles (GAAP) recognized by the FASB to be applied by nongovernmental entities. Rules and interpretive releases of the Securities and Exchange Commission (SEC) under authority of federal securities laws are also sources of authoritative GAAP for SEC registrants. In addition to the SEC’s rules and interpretive releases, the SEC staff issues Staff Accounting Bulletins that represent practices followed by the staff in administering SEC disclosure requirements, and it utilizes SEC Staff Announcements and Observer comments made at Emerging Issues Task Force (EITF) meetings to publicly announce its views on certain accounting issues for SEC registrants. (FASB ASC 105-10-05-1)Accounting and financial reporting practices not included in the Codification are nonauthoritative. Sources of nonauthoritative accounting guidance and literature include, for example, the following:Practices that are widely recognized and prevalent either generally or in the industryFASB Concepts StatementsAmerican Institute of Certified Public Accountants (AICPA) Issues PapersInternational Financial Reporting Standards (IFRS) of the International Accounting Standards BoardPronouncements of professional associations or regulatory agenciesTechnical Information Service Inquiries and Replies included in AICPA Technical Practice AidsAccounting textbooks, handbooks, and articlesThe appropriateness of other sources of accounting guidance depends on its relevance to particular circumstances, the specificity of the guidance, the general recognition of the issuer or author as an authority, and the extent of its use in practice. (FASB ASC 105-10-05-3)

Answer 36

Generally Accepted Accounting Principles (GAAP)

Question 37

The means of communicating between networks. It is designed to reduce the problems of interfacing different networks or devices. The networks involved may be any combination of local networks which employ different level protocols or local and long-haul networks.

Answer 37

Gateway

Question 38

A functional item is one that performs the tasks or actions that it was created for. It is designed either to perform some task or action or to have a specific purpose. Functional is useful, practical, utilitarian, operative, serviceable, or working.

Answer 38

Functional

Question 39

A flowchart is a graphic depiction, using uniform symbols to show the control flow, primary actions, and interrelationships of a task or a set of tasks. A flowchart can be created by a computer program, a computer system, the systems staff, or accountants and auditors.

Answer 39

Flowchart

Question 40

Fixed assets are tangible (i.e., having physical substance), long-lived (more than one accounting period) assets held for and used in the operations of the enterprise which provide measurable future benefits. They represent a bundle of benefits acquired by the entity to be used over the life of the asset (which covers several accounting periods) and are recorded initially at acquisition cost, which is then allocated to the periods benefited through depreciation (except for land). There is a periodic charge to expense of that portion of the cost which was “consumed” in the form of benefits received from the use of the asset. Fixed assets areneverwritten up to reflect appraisal, market, or current values but are written down to reflect a permanent decline in usefulness to the net realizable value at that date (e.g., obsolete equipment). Fixed assets are also known as “capital assets,” and that term is customary for governmental accounting.The three general categories of capital assets are as follows:Nondepreciable (e.g., land)Depreciable (e.g., office buildings, factories, warehouses, equipment, machinery, tools, furniture, and fixtures)Depletable (e.g., timber, mineral, oil, and gas rights)For state and local governments, fixed assets are termed “general capital assets” and infrastructure assets such as sidewalks are also reportable as general capital assets. Capital assets are reported in government-wide financial statements but they are not reported in governmental funds.

Answer 40

Fixed Asset

Question 41

A mechanism to protect IS computing sites against Internet-borne threats. It can be thought of as a pair of mechanisms: one that exists to block traffic and the other to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic.A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

Answer 41

Firewall

Question 42

A financial statement is a structured representation of historical financial information, including related notes, intended to communicate an entity’s economic resources and obligations at a point in time or the changes therein for a period of time in accordance with a financial reporting framework.Financial statements ordinarily refer to a complete set of financial statements as determined by the requirements of the applicable financial reporting framework.

Answer 42

Financial Statements

Question 43

A means to exchange files across a network.

Answer 43

File Transfer Protocol (FTP)

Question 44

The aggregate of all processes and procedures in a system designed to inhibit unauthorized access, contamination, or elimination of a file.

Answer 44

File Protection

Question 45

A field check is an edit check in which the characters in a field are examined to ensure they are of the correct field type (e.g., numeric data in numeric fields).

Answer 45

Field Check

Question 46

Fault tolerant control is the ability of a processor to maintain effectiveness after some subsystems have failed. These are hardware devices or software products such as disk mirroring or server mirroring aimed at reducing loss of data due to system failures or human errors. This is a technical and preventive control and ensures availability control.

Answer 46

Fault Tolerant Control

Question 47

The fair value of an investment is the amount that the asset could reasonably expect to receive for it in a current sale between a willing buyer and a willing seller, that is, other than in a forced or liquidation sale. Fair value shall be measured by the market price if there is an active market for the investment. If there is no active market for the investment but there is a market for similar investments, selling prices in that market may be helpful in estimating fair value. If a market price is not available, a forecast of expected cash flows, discounted at a rate commensurate with the risk involved, may be used to estimate fair value. The fair value of an investment shall be reported net of the brokerage commissions and other costs normally incurred in a sale.For tax purposes, the fair market value is usually referred to as the sale price between a willing seller and a willing buyer when neither is compelled to buy or sell.

Answer 47

Fair Market Value (FMV)

Question 48

A fact table is a primary table in a dimensional model and contains measurements/facts and a foreign key to the dimension table.

Answer 48

Fact Table

Question 49

Any observable occurrence in a network or system.

Answer 49

Event

Question 50

The error log is the record of data input and data processing errors.

Answer 50

Error Log

Question 51

Any participant in an authentication exchange, such a participant may be human or nonhuman, and may take the role of a claimant and/or verifier. It can be either a subject (an active element that operates on information or the system state) or an object (a passive element that contains or receives information).A collection of information items that can conceptually be grouped together and distinguished from their surroundings. An entity is described by its attributes. Entities can be linked, or have relationships to other entities.Either a subject (an active element that operates on information or the system state) or an object (a passive element that contains or receives information).

Answer 51

Entity

Question 52

An enterprise resource planning (ERP) system integrates all aspects of an organization’s activities into one accounting information system.

Answer 52

Enterprise Resource Planning (ERP) System

Question 53

In encryption, data is processed through a formula that substitutes other characters for the original characters, such as a = m, p = z, or e = k; thus, the word “ape” would be changed to “mzk.” Whenever data is encrypted, it must be decrypted to be used. Data may be encrypted so that it can be transmitted between computers to prevent interception of the data. Encryption is also used to store data so that others cannot read it.

Answer 53

Encryption

Question 54

An emphasis-of-matter or other-matter paragraph is an additional paragraph(s) added to the standard auditor’s report to fulfill the need to add explanatory language to the report. The need for an emphasis-of-matter or other-matter paragraph may or may not affect the unmodified opinion.An “emphasis of matter” paragraph is included in the auditor’s report that is required by GAAS, or is included at the auditor’s discretion, and refers to a matter appropriately presented or disclosed in the financial statements that, in the auditor’s professional judgment, is of such importance that it is fundamental to the users’ understanding of the financial statements.An “other matter” paragraph is included in the auditor’s report that is required by GAAS, or is included at the auditor’s discretion, and refers to a matter other than those presented or disclosed in the financial statements that, in the auditor’s professional judgment, is relevant to the users’ understanding of the audit, the auditor’s responsibilities, or the auditor’s report.

Answer 54

Emphasis-of-Matter (and Other-Matter) Paragraph

Question 55

Electronic data processing (EDP) is the use of automated methods to process data. EDP uses simple, repetitive activities to process large volumes of similar information.

Answer 55

Electronic Data Processing (EDP)

Question 56

Efficiency is the relationship of inputs to outputs. It is performing in the least wasteful manner and is not necessarily accompanied by effectiveness. Efficient performance uses the appropriate (expected, standard, budgeted) quantity and cost of inputs (e.g., man-hours) to produce the output.

Answer 56

Efficiency

Question 57

Effectiveness is the degree to which objectives are achieved; producing the desired effect or result. Effectiveness is not necessarily accompanied by efficiency.

Answer 57

Effectiveness

Question 58

The unauthorized interception of information-bearing emanations through the use of methods other than wiretapping.

Answer 58

Eavesdropping

Question 59

Each entity in a network, such as a computer, requires a uniquely identifiable network address for proper delivery of message information. DNS is a protocol used to manage name lookups for converting between decimal and domain name versions of an address. It uses a name-server (DNS server), which contains a universe of names called name-space. Each name-server is identified by one or more IP addresses. One can intercept and forge traffic for arbitrary name-nodes, thus impersonating IP addresses. Secure DNS can be accomplished with cryptographic protocols for message exchanges between name-servers.

Answer 59

Domain Name System (DNS)

Question 60

In computing, documentation is the instructions for operators, descriptions of procedures, and other descriptive material about a program or a system. These instructions can be classified as administrative, systems, or operating.In systems analysis, documentation is the preparation and production of documents for system analysis, programming, and system operation. Good documentation is essential to system In auditing, documentation is the use of documentary evidence to support or substantiate a claim or opinion. Documentary evidence (in an accounting sense) includes checks, invoices, contracts, and minutes of meetings. Documentary evidence may also include third-party documents such as bank statements or escrow account balances held by banks. maintenance and modification.

Answer 60

Documentation

Question 61

Distributed data processing is a network of interdependent computers where certain functions are centralized, other functions are decentralized, and processing is shared among two or more computers. It is an alternative to both centralization and decentralization. Distributed data processing provides infrastructure services that facilitate the rapid development, deployment, and management of distributed applications in the telecommunications arena and integrate all telecommunications management and control functions into a unified logical software architecture supported by a single distributed control platform.

Answer 61

Distributed Data Processing

Question 62

The ongoing process of assessing the risk to mission/business as part of a risk-based approach used to determine adequate security for a system by analyzing the threats and vulnerabilities and selecting appropriate, cost-effective controls to achieve and maintain an acceptable level of risk.

Answer 62

Disk Management

Question 63

A disk drive is a device equipped with one or more heads that read and write data.

Answer 63

Disk Drive

Question 64

A means of restricting access to objects based on the identity and need-to-know of the user, process and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject. Compare to mandatory access control.

Answer 64

Discretionary Access Control (DAC)

Question 65

A disclaimer of opinion is an expression ofnoopinion. (AU-C 700.03)A disclaimer of opinion is warranted when restrictions on the scope of the audit are so severe, whether client imposed or due to other reasons, that the auditors are unable to obtain sufficient appropriate audit evidence to enable them to form an opinion.Example:Instances of limitations on scope include the client’s refusal to allow the confirmation of receivables or the lack of a beginning inventory physical count (i.e., when the auditor is hired after the beginning of the fiscal year).It is only when the auditors are unable to overcome these limitations by other audit procedures that a disclaimer of opinion is warranted.A disclaimer of opinion because of a scope limitation requires modification of the standard auditor’s responsibility paragraph and, in all cases, the substantive reasons for the disclaimer should be explained in a separate emphasis-of-matter or other-matter paragraph.

Answer 65

Disclaimer of Opinion

Question 66

A disaster recovery plan (or business continuity plan) is the process, policies, and procedures of restoring operations critical to the resumption of business, including gaining access to data (records, hardware, software, etc.), communications, workspace, and other business processes.

Answer 66

Disaster Recovery Plan

Question 67

The dimension table contains the descriptive information about the numerical values in the fact table; in other words, the table contains the dimensions of a fact. They are joined to the fact table through a foreign key. For example, dimension tables for a customer application might include attributes such as customer_name, customer_address, customer_contact, and customer_preference.

Answer 67

Dimension Table

Question 68

A cryptographic method, provided by public-key cryptography and used by a message’s recipient or any third party to verify the identity of the message’s sender and the integrity of the message. A sender creates a digital signature or a message by transforming the message with his private key. A recipient, using the sender’s public key, verifies the digital signature by applying a corresponding transformation to the message and the signature. Same as the electronic signature.The result of a cryptographic transformation of data that, when properly implemented, provides the services of origin authentication, data integrity, and signer nonrepudiation.A nonforgeable transformation of data that allows the proof of the source (with nonrepudiation) and the verification of the integrity of that data. Data that can be generated only by an agent that knows some secret key, and hence is evidence that such an agent must have generated it.An asymmetric key operation where the private key is used to digitally sign an electronic document and the public key is used to verify the signature. Digital signatures provide authentication and integrity protection.

Answer 68

Digital Signature

Question 69

A detective control is a control that provides an alert after an unwanted event. A detective control is designed to catch an error and provide the feedback necessary so corrective action may be taken.Examples:Detective controls in a manual system would include independent account reconciliations or independent transaction authorization.Detective controls in an automated system would include batch total or hash total.

Answer 69

Detective Control

Question 70

Detection risk is the risk that auditors fail to detect a material misstatement in financial statements.

Answer 70

Detection Risk

Question 71

A denial-of-service attack bombards the receiving server with so much information that it shuts down, preventing legitimate users from accessing the service or resources they need.

Answer 71

Denial of Service (DOS)

Question 72

In the decision-making process, a policy or course of action is selected from a set of possible or available alternatives. This process is the principal activity of management.

Answer 72

Decision-Making Process

Question 73

The process of choosing between or among alternative courses of action is decision making. Decision making is future-oriented and, in general, for short-run decisions only variable costs, but not all variable costs, are relevant. Fixed costs must be considered when they will be altered by the decision. Relevant factors in the decision-making process include the following:The objective or goal whose achievement is desired (Why is this decision necessary?)The alternative courses of action identifiedThe costs that are relevant to the decision (quantitative factors)Factors that cannot be expressed in dollars (qualitative factors, such as public or employee reaction to the decision)

Answer 73

Decision Making

Question 74

A DBMS (database management system) consists of computer program(s) for organizing, accessing, and modifying a database. It is a collection of programs that enables users to store, modify, or extract information from a database.

Answer 74

Database Management System (DBMS)

Question 75

A database is a collection of interrelated information that can be used for a variety of purposes. A database is managed by a computer program called a database management system (DBMS).

Answer 75

Database

Question 76

A data warehouse is a type of data management system that supports business intelligence activities, mainly analytics.

Answer 76

Data Warehouse

Question 77

Data visualization is a general term that describes any effort to help people understand the significance of data by placing it in a visual (pictorial or graphical) context, helping to understand and communicate complex concepts and ideas.

Answer 77

Data Visualization

Question 78

Data transformation increases the efficiency of analytic and business processes to enable better data-driven decision making. It can be performed during data extraction from the source systems.

Answer 78

Data Transformation

Question 79

Data stewards define and maintain data. They enforce data governance policies and procedures as well as train new data owners and employees in data governance.

Answer 79

Data Steward

Question 80

Data retention is storing data for a specific period, as determined by an organization’s policies, legal requirements, or business needs. It requires establishing guidelines to determine how long different data types should be kept before they are deleted or archived. Data retention policies are essential for managing data effectively and ensuring compliance with regulations.

Answer 80

Data Retention

Question 81

A data repository, also known as a data library or data archive, can be defined as a place that holds data, makes data available for use, and organizes data in a logical manner to be mined for data reporting, sharing, and analysis. It is a tool that helps in scientific research as well as managing business data. Examples of data repositories are data warehouses, data lakes, data marts, metadata repositories, and data cubes.

Answer 81

Data Repository

Question 82

Data redundancy refers to the storage of the same item of data in two or more places (files) within an entity’s information system.

Answer 82

Data Redundancy

Question 83

A data processing system is a system for assembling, recording, classifying, storing, analyzing, and reporting data. The system can be manual, mechanical, or computerized. Electronic data processing (EDP) is often used to mean performing these tasks with a computer.

Answer 83

Data Processing System

Question 84

Data processing is a sequence of steps to record, classify, and summarize data using a computer program.

Answer 84

Data Processing

Question 85

Data owners are individuals who have direct responsibility for data. They provide protection and ensure quality of data as a business asset.

Answer 85

Data Owner

Question 86

Data modeling is a process of mapping and creating visuals of the information system to illustrate the type of data used and stored in the information system, the relationship among the data types, and the ways and formats in which data can be organized. It enables the developers to understand the requirements of the users in order to build systems that can be used to meet those requirements.Data models can take various forms, including conceptual, logical, and physical models, each serving specific purposes in data management. Data modeling provides a structured approach to designing and managing data, which is essential for building effective databases, data warehouses, and information systems that support an organization’s operations and decision-making processes.

Answer 86

Data Modeling

Question 87

Data-mining technology helps examine large amounts of data to discover patterns. With data-mining software, companies can pinpoint what is relevant, use that information to assess likely outcomes, and then accelerate the pace of making informed decisions.

Answer 87

Data Mining

Question 88

A data mart is a subset of a data warehouse focused on a particular line of business or department. A data mart is more secure because it limits authorized users to isolated data sets and denies access to all data in the data repository.

Answer 88

Data Mart

Question 89

Data loading involves loading data into a target data warehouse database; it is the final step of the ETL (extract, transform, and load) process.

Answer 89

Data Load

Question 90

A data lake is a large data repository that stores unstructured data.

Answer 90

Data Lake

Question 91

The data governance committee sets policies and procedures for data governance. It works with the chief data officer (CDO) to establish the “who, what, when, where, and why” of data governance.

Answer 91

Data Governance Committee

Question 92

Data governance is used by organizations to manage, utilize, and protect their data. It is about the roles, responsibilities, and processes for ensuring accountability for and ownership of data assets. Data governance is a system that defines who within an organization has authority and control over data as well as how data may be used. It protects company data as well as customers’ private data by setting up a data governance framework.

Answer 92

Data Governance

Question 93

A data flow diagram (DFD) graphically describes the source of data, the flow of data in an organization, the processes performed on the data, where data is stored in the organization, and the destination of data. DFDs are used to document existing systems and to plan or design new ones.

Answer 93

Data Flow Diagram (DFD)

Question 94

Data extraction is the process of gathering and retrieving data captured within unstructured sources, such as email, social media, images, and barcodes.

Answer 94

Data Extraction

Question 95

A cryptographic key used for encrypting and decrypting data.

Answer 95

Data Encryption Key

Question 96

A data dictionary is a description of all data elements, stores, and flows in a system. Typically, a master copy of the data dictionary is maintained to ensure consistency and accuracy throughout the development process.

Answer 96

Data Dictionary

Question 97

Data cleansing involves checking data against predefined rules.

Answer 97

Data Cleansing

Question 98

Data analytics rapidly examine large amounts of data (i.e., big data) to identify hidden patterns and correlations.

Answer 98

Data Analytics

Question 99

In electronic data processing (EDP), data is characters processed in computer systems and stored in computer files. Data is raw; information is developed from data. For example, the balance in your checking account is data. When it is presented in reports such as your monthly statement or tellers’ display screens, it is information.Data is grouped into records. Records are made up of fields or elements. The fields are data. Thus, your checking account is a record with an account number (field), a balance (field), a name (field), etc.Volumes of data are measured in bytes. One byte can equal one character of information. Large amounts of data are measured in thousands of bytes (kilobytes (KB)), millions of bytes (megabytes (MB)), and billions of bytes (gigabytes (GB)).

Answer 99

Data

Question 100

Cybersecurity is the practice of protecting systems, networks, devices, programs, and data from digital attack, damage, or unauthorized access.

Answer 100

Cybersecurity

Question 101

Cyber resilience is the ability of an organization to manage cyberattacks while continuing to run its operations effectively.

Answer 101

Cyber Resilience

Question 102

Customer relationship management (CRM) is a technology for managing all of an entity’s relationships and interactions with current and potential customers to provide for more streamlined processes that result in increased profitability.

Answer 102

Customer Relationship Management (CRM)

Question 103

Cryptography is used by cryptocurrencies to secure and verify transactions as well as to control the creation of new units of cryptocurrency. Cryptography scrambles plaintext into ciphertext (i.e., unintelligible text) and vice versa.

Answer 103

Cryptography

Question 104

Cryptocurrency is a digital or virtual currency (such as Bitcoin) which functions as an online medium of exchange, allowing owners of the currency to buy goods and services. A cryptocurrency uses cryptography to secure and verify transactions as well as to control the creation of new units of cryptocurrency.

Answer 104

Cryptocurrency

Question 105

Any action, device, procedure, technique, or other measure that reduces the vulnerability of or threat to a system.Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards.

Answer 105

Countermeasures

Question 106

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of the five private-sector organizations listed below and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.

Answer 106

COSO

Question 107

Corrective controls remedy problems discovered through detective controls. They include procedures to identify the cause of a problem, correct errors arising from the problem, and modify the system so that future errors may be minimized or eliminated. One such procedure is the maintenance of backup copies of key transaction and master files, so that damaged or destroyed files can be restored. Also included are procedures for correcting any errors found during the data verification process and resubmitting the related transactions for subsequent processing. In addition, a log of such errors may be maintained to facilitate follow-up procedures and ensure that proper corrective action is taken.

Answer 107

Corrective Controls

Question 108

Relative to electronic data processing (EDP), conversion is the phase in the system development life cycle (SDLC) where old or manual files are transferred to the new system.The term may also be used to refer to the change from one processor or processing environment to another, as when the entity buys new computer equipment.This phase is particularly important to the internal auditor because care must be taken to ensure the integrity of the transferred information.

Answer 108

Conversion

Question 109

A control objective is the aim or purpose of specified controls. Control objectives address the risks that the controls are intended to mitigate.In the context of internal control over financial reporting (ICFR), a control objective generally relates to a relevant assertion for a significant class of transactions, account balance, or disclosure and addresses the risk that the controls in a specific area will not provide reasonable assurance that a misstatement or omission in that relevant assertion is prevented, or detected and corrected, on a timely basis. (AU-C 940)

Answer 109

Control Objective

Question 110

According to AU-C 315.A79, the control environment is as follows: “The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.”

Answer 110

Control Environment

Question 111

AU-C 315.21 and .A102–.A103 state that control activities are the policies and procedures that help ensure that management directives are carried out. They help ensure that necessary actions are taken to address risks that threaten the achievement of the entity’s objectives. Control activities have various objectives and are applied at various organizational and functional levels.

Answer 111

Control Activities

Question 112

Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization’s financial and operational environment.Continuous monitoring, as defined in the 2009 COSOGuidance on Monitoring Internal Control Systems,serves as both a preventive and a corrective control, and ensures:operational effectiveness and efficiency,reliability of financial reporting, andcompliance with applicable laws and regulations.

Answer 112

Continuous Monitoring

Question 113

A contingency plan is a plan for responding to the loss or failure of a system. The plan describes the necessary steps to take in order to ensure the continuity of core business processes. It includes emergency response, backup operations, and post-disaster recovery. It is synonymous with a disaster plan and emergency plan.

Answer 113

Contingency Plan

Question 114

Consolidation is a reporting procedure in which the financial statements of the parent and the subsidiary are combined. The financial statements are prepared by the parent, not by the subsidiary. Consolidation is a reporting procedure only. It does not affect the accounting records of either the parent or the subsidiary.All majority-owned subsidiaries must be consolidated with the parent unless control does not rest with the majority owner (e.g., if the subsidiary is in legal reorganization or bankruptcy).

Answer 114

Consolidation

Question 115

The quality of data can be measured using the criterion of consistency: The data should reflect the same information across all systems, and the systems should be in sync with each other across the enterprise.

Answer 115

Consistency (Data)

Question 116

Configuration management is a procedure for applying technical and administrative direction and surveillance to:identify and document the functional and physical characteristics of an item or system,control any changes to such characteristics, andrecord and report the change, process, and implementation status.The configuration management process must be carefully tailored to the capacity, size, scope, phase of the life cycle, maturity, and complexity of the system involved. Configuration management is the process of controlling the software and documentation so they remain consistent as they are developed or changed. It is the management of security features and assurances through control of changes made to a system’s hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the development and operational life of the system.

Answer 116

Configuration Management

Question 117

Configuration control is the process of controlling modifications to the system’s hardware, firmware, software, and documentation that provided sufficient assurance that the system is protected against the introduction of improper modifications prior to, during, and after system implementation.

Answer 117

Configuration Control

Question 118

The configuration is the relative or functional arrangement of components in a computer system.

Answer 118

Configuration

Question 119

Theconfidentialitycriterion of Trust Services assesses whether the service organization’s information that is designated “confidential” is protected as committed or agreed to in the contract. Data is considered confidential if its access and disclosure is restricted to a specified set of persons or organizations (e.g., company personnel, business plans, intellectual property, or internal price lists).

Answer 119

Confidentiality (Trust Services Criteria)

Question 120

A concept that applies to data that must be held in confidence and that describes the status and degree of protection that must be provided for such data about individuals as well as organizations.Ensuring that data is disclosed only to authorized subjects.The security goal that generates the requirement for protection from intentional or accidental attempts to perform unauthorized data reads. Confidentiality covers data in storage, during processing, and while in transit. It is assurance that information is not disclosed to unauthorized individuals, processes, or devices. It is preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Answer 120

Confidentiality

Question 121

Computing security methods are security safeguards implemented within the IS, using the networking, hardware, software, and firmware of the IS. This includes the following:the hardware, firmware, and software that implements security functionality andthe design, implementation, and verification techniques used to ensure that system assurance requirements are satisfied.

Answer 121

Computing Security Methods

Question 122

A computer virus is a segment of executable code that attaches itself to an executable system component. Viruses are contagious and are easily spread from one system to another when those systems share programs or files. Many viruses lie dormant for long periods of time, doing nothing other than copying themselves to other files and systems. Viruses do not usually leave any external signs of their presence, so when they trigger, they can cause unexpected and widespread damage. A virus may destroy or alter data or programs, take control of the computer, destroy the hard disk’s file allocation table (FAT), make it impossible to boot the system, intercept and change transmissions, or print messages to the screen. As the virus spreads, it takes up disk space, clogs communications, and hinders system performance.

Answer 122

Computer Virus

Question 123

Computer security is the protection of a computer system’s assets and its information from unauthorized use, disclosure, alteration, manipulation, and destruction.

Answer 123

Computer Security

Question 124

Misrepresentation, alteration, or disclosure of data in order to obtain something of value (usually for monetary gain). A computer system must have been involved in the perpetration or cover-up of the act or series of acts. A computer system might have been involved through improper manipulation of input data; output or results; applications programs; data files; computer operations; communications; or computer hardware, systems software, or firmware.

Answer 124

Computer Fraud

Question 125

Completeness is an audit internal control objective. Completeness controls are designed to ensure that all valid transactions are recorded and none omitted. Example: Completeness controls include periodic accounting for the number sequence of prenumbered forms to ascertain that all validly used forms have been recorded (e.g., shipping documents).

Answer 125

Completeness

Question 126

A cold site is a location that provides everything necessary to quickly install computer equipment in the event of a disaster striking an organization.

Answer 126

Cold Site

Question 127

Code is the instructions or statements of a computer program, a system of symbols to convert alphanumeric data into a transmittable form, or a set of rules for the manner in which data must be represented.

Answer 127

Code

Question 128

COBIT is issued by ISACA (the Information Systems Audit and Control Association) and stands for Control Objectives for Information and Related Technologies (COBIT). The COBIT framework focuses on information technology management and governance.

Answer 128

COBIT

Question 129

Cloud computing is the delivery of computing services including servers, databases, storage, networking, software, and analytics over the internet—in other words, “the cloud”—offering flexible resources, economies of scale, and faster innovation.

Answer 129

Cloud Computing

Question 130

“The cloud” is a metaphor for a global network, first used in reference to the telephone network and now commonly used to represent the internet. Clouds can be public, private, or hybrid.

Answer 130

Cloud

Question 131

The client/server model states that a client (user), whether a person or a computer program, may access authorized services from a server (host) connected anywhere on the distributed computer system. The services provided include database access, data transport, data processing, printing, graphics, electronic mail, word processing, or any other service available on the system. These services may be provided by a remote mainframe using long haul communications or within the user’s workstation in real-time or delayed (batch) transaction mode. Such an open access model is required to permit true horizontal and vertical integration.

Answer 131

Client-Server

Question 132

The result of transforming plaintext with an encryption algorithm. Also known as cryptotext. It is encrypted (enciphered) data.

Answer 132

Ciphertext

Question 133

A checkpoint is a place in a computer program where its status can be recorded or its information saved (dumped) and later execution can be resumed from that point rather than from the beginning of the program.

Answer 133

Checkpoint

Question 134

A check digit is a specific type of input control, consisting of a single digit at the end of an identification code that is computed from the other digits in a field. If the identification code is mis-keyed, a formula or algorithm will reveal that the check digit is not correct, and the field will not accept the entry.For example, the formula for a seven-digit account number could be the sum of double, add, double, add, double, add, and subtracted from the next multiple of 10. In this case, 123456 would have a check digit of 0 and the full account number would be 1234560 (2 + 2 + 6 + 4 + 10 + 6 = 30; the next multiple of 10 is 30, so 30 - 30 = 0). If 1233560 is keyed instead of 1234560, the formula will not produce the proper check digit and the account number will be rejected.There are many different formulas or algorithms for calculating check digits.

Answer 134

Check Digit

Question 135

Change management in IT uses standardized methods, processes, and procedures to efficiently and promptly handle changes to the control IT infrastructure. Change management maintains the balance between needed changes and the potential negative impact of such changes on service. Changes in the IT infrastructure may arise reactively (responding to problems or externally imposed requirements such as legislative changes), proactively (seeking greater efficiency and effectiveness or implementing new business initiatives), or from service improvement initiatives and other programs or projects.

Answer 135

Change Management

Question 136

The administrative act of approving a computer system for use in a particular application.A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Answer 136

Certification

Question 137

A business impact analysis (BIA) is an analysis of an IT system’s requirements, processes, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.

Answer 137

Business Impact Analysis (BIA)

Question 138

A business continuity plan (BCP) is the documentation of a predetermined set of instructions or procedures that describe how an organization’s business functions will be sustained during and after a significant disruption.

Answer 138

Business Continuity Plan (BCP)

Question 139

“Brute force” is a type of attack under which every possible combination of cryptographic keys, passwords, user IDs, and PINs is tried in an attempt to break into a computer system or network.

Answer 139

Brute-Force Attack

Question 140

Brouters are routers that can also bridge; they route one or more protocols and bridge all other network traffic.

Answer 140

Brouters

Question 141

A device that connects similar or dissimilar LANs together to form an extended LAN.

Answer 141

Bridges

Question 142

Blockchain is a digitized, decentralized, public ledger of all cryptocurrency transactions. Completed blocks are recorded and added to the chain in chronological order, allowing market participants to keep track of digital currency transactions without central recordkeeping.

Answer 142

Blockchain

Question 143

Biometric security systems measure physical traits that make each person unique. Such traits include speech patterns, eye and finger physiology, written signature dynamics, and other common physical traits. The ideal system must be reliable and yet flexible in handling minor changes in physical characteristics. Oftentimes, a lack of flexibility can create a problem for a person who cuts their finger or wakes up with a hoarse voice. The system also requires the user be physically present to gain access to the system.

Answer 143

Biometric Security Systems

Question 144

An image or template of a physiological attribute (e.g., a fingerprint) that may be used to identify an individual. Biometrics may be used to unlock authentication tokens and prevent repudiation of registration.

Answer 144

Biometric

Question 145

Big data describes the large volume of data available to business on a day-to-day basis which is analyzed for insights that lead to better decisions and strategic business moves. Big data is often defined by the three “V’s”: volume, velocity, and variety.

Answer 145

Big Data

Question 146

Batching is the grouping together of similar transactions or data so they can be processed by a computer system as a single unit or transmitted at a single point of time.

Answer 146

Batching

Question 147

Batch total is an input control, the sum of the number of items or total amount. Input is compared to processing; a mismatch of the number of items or sum of the totals (e.g., sum of invoice totals) between input and processing indicates that an item was lost or processed twice.

Answer 147

Batch Total

Question 148

In batch processing, items to be processed are collected in groups to permit fast and convenient processing (processed as a group). Records of all transactions affecting a particular master file (e.g., payroll) are accumulated over a period of time (e.g., one week) and are then arranged in sequence and processed against the master file.

Answer 148

Batch Processing

Question 149

A version of software used as a starting point for later versions.

Answer 149

Baseline

Question 150

Backup procedures are the provisions made for the recovery of data files and program libraries, and for restart or replacement of computer equipment after the occurrence of a system failure or of a disaster.

Answer 150

Backup Procedures

Question 151

Backup controls are a set of controls that provide a safeguard against loss of important parts of a database such as control files, redo logs, and data files by providing a representative copy of the data. The controls also provide safeguards against application errors.

Answer 151

Backup Controls

Question 152

A backup, or the process of backing up, refers to the copying and archiving of computer data so it may be used to restore the original after a data loss event (data deletion or corruption). A backup is a system, device, file, disk, or facility that can be used in the event of malfunction or when the original source of data is lost. Backups can be a simple form of disaster recovery and should be part of a disaster recovery plan; however, backups should not alone be considered disaster recovery.

Answer 152

Backup

Question 153

A hidden flaw in a system mechanism that can be triggered to circumvent the system’s security. Synonymous with trap door.

Answer 153

Back Door

Question 154

Theavailabilitycriterion of Trust Services assesses whether the service organization’s system, product, or service is available for operation and use as committed or agreed to by a contract or service level agreement (SLA). This principle pertains to security-related criteria that may affect availability, monitoring such items as network performance and availability, site failover, and security incident handling.

Answer 154

Availability (Trust Services Criteria)

Question 155

The probability that a given resource will be usable during a given time period.The security goal that generates the requirement for protection against intentional or accidental attempts to:perform unauthorized deletion of data orotherwise cause of denial of service or data.It also refers to timely and reliable access to and use of data and information services for authorized users.

Answer 155

Availability

Question 156

Automation is the technology which allows machines to perform tasks once performed by humans via programmed commands, combined with automatic feedback control, to ensure proper execution of the instructions without human intervention.

Answer 156

Automation

Question 157

1. Determining whether a subject is trusted to act for a given purpose, for example, allowed to read a particular file.
2. The granting or denying of access rights to a user, program, or process.

Answer 157

Authorization

Question 158

Providing assurance regarding the identity of a subject or object, for example, ensuring that a particular user is who he claims to be.Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in a system.The process of establishing confidence in user identities.

Answer 158

Authentication

Question 159

1. To verify the identity of a user, device, or other entity in a computer system, often as prerequisite to allowing access to resources in a system.
2. To verify the integrity of data that have been stored, transmitted or otherwise exposed to possible unauthorized modification.

Answer 159

Authenticate

Question 160

The audit trail (audit log) is the path left by a transaction when it is processed. The trail begins with the original source document or documents, proceeds through the transactions, entries, and posting of records, and is completed with the financial statements.Source document → Journal → Ledger → Financial statementsThe traditional audit trail is characterized by accessible records, observable activities, source documents, detailed chronological journals, and ledger summaries. For entities with highly complex information technology systems, the audit trail is partially or completely electronic.Information technology (IT) has impacted the audit trail in the following ways:Source documents may no longer be produced—access to documents is more difficult.Ledger summaries may be replaced by electronic master files.Printed data may not be available.Processing activities are difficult to observe—much of the processing is automated within the system.

Answer 160

Audit Trail (Audit Log)

Question 161

A party who is not the claimant or verifier but wishes to successfully execute the authentication protocol as a claimant.

Answer 161

Attacker

Question 162

The act of trying to bypass security controls on a system. An attack may be active, resulting in the alteration of data, or passive, resulting in the release of data.Note:The fact that an attack is made does not necessarily mean that it will succeed. The degree of success depends on the vulnerability of the system or activity and the effectiveness of existing countermeasures.An attempt to obtain a subscriber’s token or to fool a verifier into believing that an unauthorized individual possesses a claimant’s token.

Answer 162

Attack

Question 163

Two related keys, a public key and a private key that are used to perform complementary operations, such as encryption and decryption or signature generation and signature verification.

Answer 163

Asymmetric Keys

Question 164

Assets are information resources that support an organization’s mission.

Answer 164

Asset

Question 165

Programs that perform specific tasks, such as word processing, database management, or payroll. Software that interacts directly with some non-software system (e.g., human, robot, etc.).

Answer 165

Application Software

Question 166

Application programs are computer programs designed to perform a specific function directly for the user or for another application. Examples of application programs include word processors, database programs, and financial programs. The program processes specific files or performs specific functions such as receivables or payroll.

Answer 166

Application Program

Question 167

“Application controls” refers to the transactions and data relating to each computer-based application system and are, therefore, specific to each such application. The objectives of application controls, which may be manual or programmed, are to ensure the completeness and accuracy of the records and the validity of the entries made therein. Application controls consist of input controls, processing controls, and output controls.

Answer 167

Application Controls

Question 168

An application is a computer program for performing a specific function, such as a payroll program.

Answer 168

Application

Question 169

Because of the danger of computer viruses and their effects, many reliable companies have created antivirus programs. These programs usually have most or all of the following functions:Virus protection—monitors computer activities in order to detect unauthorized or suspicious functions which may indicate a virus in operation.Virus identification—matches the specific virus with known types to ascertain its effects and the best course of recovery. This may also lend a clue as to the origin of the virus and includes scanning disks to locate viruses.Vaccination—utilities used to remove detected viruses from your system. Note: different utilities will be required to recover damaged files if a virus has been activated.

Answer 169

Antivirus Software

Question 170

Any condition which departs from the expected. This expectation can come from documentation (e.g., requirements specifications, design documents, user documents) or from perceptions or experiences. An anomaly is not necessarily a problem in the software, but a deviation from the expected, so that errors, defects, faults, and failures are considered anomalies.

Answer 170

Anomaly

Question 171

An adverse opinion is an “overall” audit opinion which states that the financial statements donotpresent fairly the financial position or the results of operations or cash flows in conformity with an applicable financial reporting framework (AU-C 705.09). Auditors must have as much sufficient appropriate audit evidence to support an adverse opinion as for an unmodified opinion.An adverse opinion is warranted when the departure from an applicable financial reporting framework or the inconsistency is sufficiently material or sufficiently pervasive as to misrepresent the financial position or results of operations or cash flows or when the auditor believes the entity is not a going concern.An adverse opinion requires the disclosure of all the substantive reasons for the adverse opinion and the principal effects of the inconsistency on the financial statements, if known, or a statement in a separate emphasis-of-matter or other-matter paragraph preceding the opinion paragraph that the effects are not reasonably determinable.

Answer 171

Adverse Opinion

Question 172

The AES specifies a U.S. government-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called cipher text; decrypting the cipher text converts the data back into its original form, called plain text. The AES algorithm is capable of using cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits. AES is an encryption algorithm for securing sensitive but unclassified material.

Answer 172

Advanced Encryption Standard (AES)

Question 173

An administrator is a person appointed by the court to handle the affairs of a person who has died intestate (without a will) or a deceased person whose will did not establish a valid executor. The administrator is empowered by the court to administer an estate, to act for the estate, and to carry out the terms of the will. The administrator is empowered to marshal the assets and pay the debts of the estate, and distribute the remaining assets as specified in the will or, if intestate, to distribute the assets according to the laws of descent and distribution in that state. Administrators are empowered to sell assets to pay debts. It is a fiduciary relationship and has certain duties and liabilities; powers, duties, and liabilities are identical to those of executors.

Answer 173

Administrator

Question 174

An attack on the authentication protocol where the attacker transmits data to the claimant or verifier. Examples of active attacks include a man-in-the-middle, impersonation, and session hijacking.

Answer 174

Active Attack

Question 175

Accurate information is information that correctly and precisely represents a recorded event. Accurate calculations are prepared without errors and reprinted and copied as originally derived. Accuracy is an audit internal control objective. Accuracy controls are designed to ensure that dollar amounts are computed correctly. Examples of accuracy controls include use of a current approved price list, verification of multiplication and addition, matching of quantities ordered, received, and invoiced

Answer 175

Accuracy

Question 176

1. A management’s formal acceptance of the adequacy of a computer system’s security.
2. The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

Answer 176

Accreditation

Question 177

An accounting system is a set of processes, procedures, and software tools designed to capture, process, store, and analyze financial data. Accounting systems are crucial for maintaining accurate financial records, ensuring compliance with financial regulations, and producing financial statements and reports.

Answer 177

Accounting System

Question 178

Accountability is the obligation to explain one’s actions or to justify what one does. Accountability is one of the primary objectives of financial reporting. It is information about how management discharged its stewardship responsibility to owners or to the citizenry regarding the use of resources entrusted to it. “Accountability requires governments to answer to the citizenry—to justify the raising of public resources and the purposes for which they are used.”(GASBCS 1.56)

Answer 178

Accountability

Question 179

Hardware or software features, operating procedures, management procedures, and various combinations of these designed to prevent and detect unauthorized access and to permit authorized access in an automated system.

Answer 179

Access Control Mechanism

Question 180

A list of the subjects that are permitted to access an object and the access rights of each subject.

Answer 180

Access Control List

Question 181

1. The process of limiting access to the resources of a system only to authorized programs, processes or other systems (in a network). Synonymous with controlled access and limited access.
2. It enables authorized use of a resource while preventing unauthorized use or use in an unauthorized manner.

Answer 181

Access Control

Question 182

A specific type of interaction between a subject and an object that results in the flow of information from one to the other. A subject’s right to use an object.

Answer 182

Access