IT Flashcards
Elements of Accounting Systems
- People
- Procedures
- Hardware
- Software
- Data
Risks in Computer-Based Systems
Systems, programs and people (mnemonic FUNI):
•Reliance on FAULTY systems or programs
•UNAUTHORIZED changes in master files, systems, or programs
•Failure to make NEEDED changes
•Inappropriate INTERVENTION (by people)
COBIT purpose
Align IT and business goals/strategies
Link business risks, control needs and IT
Common language for users, auditors, management, and business process owners in identifying risks and structuring controls.
Determine how much to invest in IT control
COBIT Framework Defined
To provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.
Process orientation to exercise responsibilities, achieve goals and manage risks.
CIRCLE (a) IT processes (b) Business requirements (c) IT resources
COBIT Information Attributes
- Effective
- Efficient
- Confidential
- Integrity
- Available
- Compliant
- Reliable
COBIT and COSO
Both concerned with monitoring of organizational processes
FOCUS:
•COSO: organizational control and processes
•COBIT: IT controls and processes
According to the COBIT model, identify 5 physical resources that, together, comprise an IT system
- People
- Applications
- Technology
- Facilities
- Data
According to the COBIT model, what are the four IT domains?
- Planning and organization
- Acquisition and implementation
•the process of identifying automated solutions.
- Delivery and support
•the process of ensuring security and continuous service.
- Monitoring
What are the three major components of the COBIT model?
- Domains and processes
- Information criteria
- IT resources
ERP Goals
- Integration (goal: visibility): integrate all data into one database with user-defined views
- Cost Savings: decrease system maintenance costs (only one system to maintain)
- Employee Empowerment: Improves Communication and decision making by increasing information availability
- “Best Practices”: include most successful business processes of an industry.
Enterprise Architecture Defined
An organization's enterprise architecture is its effort to understand, manage, and plan for IT assets. An organization's IT security governance plan must articulate with, and be informed by, the organization's enterprise architecture plan.
Enterprise-Wide or Enterprise Resource Planning (ERP) Systems Defined
ERPS provide transaction processing, management support, and decision-making support in a single, integrated, organization-wide package. By integrating all data and processes of an organization into a unified system, ERPs attempt to manage and eliminate the organizational problem of consolidating information across departments, regions, or divisions.
Online Transaction Processing (OLTP) System
The modules comprising the core business functions: sales, production, purchasing, payroll, financial reporting, etc. These functions collect the operational data for the organization and provide the fundamental motivation for the purchase of an ERP.
Online analytical Processing (OLAP) System
Incorporates data warehouse and data mining capabilities within the ERP.
*provides an integrated view of transactions in all parts of the system.
•primarily concerned with analyzing data across the organization (the OLTP modules are the ones that collect it).
PaaS Defined
The use of the cloud to CREATE (not access) software.
SaaS Defined
The use of the cloud to ACCESS software.
Three important IT department roles (functions that must be segregated)
- Application Development: SAFEGUARD ASSETS (applications in development)
- Systems Administration and Programming: Grant AUTHORIZATION (access)
- Computer Operations: EXECUTE events, safeguard archived IP
Segregation of Duties: Data Control (Clerk)
Control document flows, schedule batches for data entry and editing, reconcile control totals (reconciling + authorizing function)
Segregation of Duties: Computer Operators
Operate the (mainframe) computer, load program and data files, run programs (execute transactions)
Segregation of Duties: File Librarian
Maintain files and data that are not online in file library, check files in and out to support scheduled jobs. Should not have access to operating equipment or data outside of library.
Inadequate Scope and Agility
IT investments in business units, inadequately scaled to meet changing business needs
Digitization Defined
Moving data to electronic form.
Governance Defined
The processes and structures, to oversee the activities of the organization in pursuit of organizational objectives.
Oversight Defined
Process of managing and monitoring an organization's operations to achieve internal control and effectively manage risk.
Product Differentiation Defined
Setting your product apart from your competitors’
Common Problems with IT Investments
- Lack of IT strategic focus - many IT investments are “bottom up”.
- Lack of strategic investment - over-investment in existing businesses and inadequate investment in “transformative” technologies.
- Inadequate scope and agility - IT investments in business units, inadequately scaled to meet changing business needs.
Governance is primarily the responsibility of
THE BOARD
Operational (Transaction Processing) Systems (TPS)
Support large volume, day-to-day activities of business.
•purchasing of goods/svcs, mfg activities, sales to customers, cash collections, payroll.
Transaction types
•Non-financial (placing orders for goods, accepting orders from customers)
•Financial (billing a customer, receiving pmt, paying employees)
GENERATE DEBIT AND CREDIT ENTRIES INTO ACCOUNTS.
Knowledge Management Systems (KM)
Components:
Knowledge base, knowledge database, provides means to collect, organize, and develop relations among information.
Management Information System (MIS)
Support routine, lower to mid level management.
- Primarily synthesize (analyze) data from TPSs (internal data)
- Tasks: structured problems
Ex: compare planning information (budgets, forecasts) with actual outcomes; A/R aging.
Accounting Information System (AIS) is a subset of:
Management Information Systems (MIS)
•AIS generates debits and credits (ex: A/R transactions, aging)
Decision Support Systems (DSS)
Support mid and upper level management.
Tasks: manage non-routine problems and long-range planning.
Often integrate external (market-level) with TPS data.
Include significant analytical and statistical capabilities.
Two types of DSS (decision support systems)
DATA DRIVEN: process large amounts of data to find relations and patterns. Ex: data warehousing and data mining.
MODEL DRIVEN: use models to forecast outcomes, model-driven analytics.
DSS Examples Used by Audit Firms
Client risk Assessment
Client acceptance and retention
Internal control documentation and testing
Compute audit sample sizes
Group Support Systems (GSS)
Facilitate group collaboration
May include functions such as calendars, meeting scheduling, and document sharing.
Executive Support Systems (ESS) or Strategic Support Systems (SSS)
Similar to DSS
•Support forecasting and long-range, strategic decisions
•Greater use of external data
•primarily to support top management
•"DSS for dummies"
•can be for a specific purpose (monitoring competitive price)
Flat File Systems
Early IT Systems
Separate programs and data files
Each application has separate data and programs (think going into multiple places to change the same thing)
•Data sharing across applications through separate programs
•Select data records from one application and reformat for other application.
•data redundancies.
Database Systems
Pool data into logically related files (the database).
MIS are almost always implemented in a database environment.
Data Warehouses and Mining
System to collect, organize, integrate, and store entity-wide data.
Easy access to large quantities of varied data from across the organization.
Data Mining
Exploration, aggregation, and analysis of data in the data warehouse using analytical tools and exploratory techniques.
Data Warehousing
Relational data of archived operational transactions and other data.
Often incorporated in a data-driven DSS
May include external data.
Drill Down
Move from summary to detailed information.
Associated with data warehouses
Ability to move from summary to granular information.
Slicing and Dicing
View data in multiple ways.
A specialized version of a data warehouse
A data mart
Bit
Binary digit
Zero or one
Byte
Logical grouping of bits
Conventionally 8 bits; a grouping of n bits can represent 2^n values (one byte: 2^8 = 256 values)
Field (attribute)
- logical group of bytes
- identify a characteristic or attribute of an entity (invoice, customer, product, etc)
- in databases, fields are also known as “attributes”
Record
- a group of related fields (attributes)
* describes one instance of an entity (a specific invoice, a particular customer)
File (Table)
•collection of related records for one specific entity ( an invoice file, a customer file, a product file)
Database
A set of logically related files.
Systems Software
Programs that run the computer and support system management (the operating system is the most important)
Programming Languages
- Used to create applications.
- Now, most are “third” or “fourth generation” languages, many are object-oriented programming languages (OOPL) (Ex: Java)
- All must be converted to "first generation" language (machine code: 0s and 1s), i.e. from source code to object code
Application Software
End-user programs that you know and love.
Categories:
General (word processors, spreadsheets, databases)
Specific (a marketing IS for a clothing designer)
Runs on a specific operating system and hardware environment.
Operating System
- Interface between user and hardware.
- Defines what commands can be issued and how (typing in a command, pointing and clicking) Ex: Microsoft Windows, macOS.
- Controls all input and output in computer systems.
Database Management System (DBMS)
"Middleware" program (sits between the application software and the operating system)
Manages the database.
Data Definition Language (DDL)
- User can define tables and fields and relations among the tables
- Uses meta-data (data about data) to define the database elements
- Example commands: create, drop, alter (of fields and tables)
Data Manipulation Language (DML)
- User can add, delete or update records
* Example commands: update, insert, delete (of records)
Data Query Language (DQL)
- User can extract information.
- Most relational databases use structured query language (SQL) to extract data (text approach)
- Query-By-Example (QBE): graphic interface with “drag and drop” fields to create query (graphic approach)
Database Controls - DBMS includes:
- No collisions - concurrent access management (locking so that only one user can update a given record at a time; others wait or are rejected)
- No hackers or creepers - Access controls
- Data definition standards, data element standards
- Backup and recovery procedures
- Update privileges
- Data elements and relationship controls
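The three sub-languages above, and two of the DBMS controls listed, exercised against SQLite. This is an added example written for this page, not code from the flashcards; the schema, table names, rows and the queries are all constructed for the demonstration. It shows DDL (CREATE/ALTER), DML (INSERT/UPDATE/DELETE), DQL (a SELECT with GROUP BY), the difference between a query built by string concatenation and a parameterized one when the input is hostile, and a write collision between two concurrent connections.

```python
import os
import sqlite3
import tempfile

# Constructed sample schema and rows (not from the flashcards): a customer
# master and an invoice file, as an AIS would hold them.
DDL = """
CREATE TABLE customer (
    cust_id      INTEGER PRIMARY KEY,
    name         TEXT    NOT NULL,
    credit_limit REAL    NOT NULL CHECK (credit_limit >= 0)
);
CREATE TABLE invoice (
    inv_id  INTEGER PRIMARY KEY,
    cust_id INTEGER NOT NULL REFERENCES customer(cust_id),
    amount  REAL    NOT NULL
);
"""
CUSTOMERS = [(1, "Acme Ltd", 5000.0), (2, "Birch & Co", 1500.0), (3, "Cedar Inc", 0.0)]
INVOICES = [(101, 1, 1200.0), (102, 1, 800.0), (103, 2, 1600.0)]


def build_db(path):
    """DDL then DML: create and alter the schema, then load, update and delete rows."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(DDL)                                                 # DDL: CREATE
    conn.execute("ALTER TABLE customer ADD COLUMN region TEXT")              # DDL: ALTER
    conn.executemany(
        "INSERT INTO customer (cust_id, name, credit_limit) VALUES (?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO invoice VALUES (?, ?, ?)", INVOICES)      # DML: INSERT
    conn.execute("UPDATE customer SET region = 'EU' WHERE cust_id IN (1, 2)")  # DML: UPDATE
    conn.execute("DELETE FROM customer WHERE cust_id = 3")                   # DML: DELETE
    conn.commit()
    return conn


def over_limit(conn):
    """DQL: customers whose open invoices exceed their credit limit."""
    return conn.execute("""
        SELECT c.name, SUM(i.amount) AS owed, c.credit_limit
        FROM customer c JOIN invoice i ON i.cust_id = c.cust_id
        GROUP BY c.cust_id
        HAVING owed > c.credit_limit
        ORDER BY c.name""").fetchall()


def find_customer_unsafe(conn, name):
    """Query text built from user input: the input is parsed as SQL (do not do this)."""
    return [r[0] for r in conn.execute(f"SELECT name FROM customer WHERE name = '{name}'")]


def find_customer(conn, name):
    """Parameterized query: the input is bound as a value and never parsed as SQL."""
    return [r[0] for r in conn.execute("SELECT name FROM customer WHERE name = ?", (name,))]


def write_collision(path):
    """Concurrent access control: a second writer cannot start an update while the
    first holds the write lock; it succeeds once the first commits."""
    w1 = sqlite3.connect(path)
    w2 = sqlite3.connect(path, timeout=0)       # report the collision at once instead of waiting
    w1.execute("BEGIN IMMEDIATE")               # w1 takes the write lock
    w1.execute("INSERT INTO invoice VALUES (104, 2, 10.0)")
    try:
        w2.execute("BEGIN IMMEDIATE")
        blocked = False
    except sqlite3.OperationalError:            # "database is locked"
        blocked = True
    w1.commit()                                 # lock released
    w2.execute("BEGIN IMMEDIATE")
    w2.execute("INSERT INTO invoice VALUES (105, 2, 10.0)")
    w2.commit()
    w1.close()
    w2.close()
    return blocked


def demo():
    """Run every step against a temporary database file and return the results."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ais.db")
        conn = build_db(path)
        result = {
            "over_limit": over_limit(conn),
            "unsafe": find_customer_unsafe(conn, "' OR '1'='1"),
            "safe": find_customer(conn, "' OR '1'='1"),
        }
        conn.close()
        result["blocked"] = write_collision(path)
    return result


if __name__ == "__main__":
    print(demo())
```

The string-built query returns every remaining customer for the input `' OR '1'='1`, because the quote closes the literal and the rest becomes SQL; the parameterized version returns nothing because no customer is literally named that. The access control a DBMS provides only holds if application code routes user input through bound parameters rather than into the statement text.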
Inputs and Output terminology
Peripherals = input and output devices = I/O devices
Input devices
Input devices instruct the CPU and supply data to be processed.
Ex: keyboard, mouse, trackball, touch-screen technology, microphones and voice recognition technology, point of sale (POS) scanners.
Output devices
Transfer data from the processing unit to other formats.
- printers,plotters–paper output
- monitors, flat panel displays, CRT (cathode ray tube) displays–visual output
- speakers, voice output communication aids (VOCAs)–auditory output
Central Processing Unit (CPU)
CONTROL UNIT: interprets program instructions
ARITHMETIC LOGIC UNIT (ALU): performs arithmetic calculations
Primary storage (main memory)
Stores programs and data when in use.
- Random Access Memory (RAM)– stores data temporarily (information in process in computer system)
- Read-Only Memory (ROM)– permanently stores data needed by computer
Solid State Drives (SSDs)
Form of secondary storage.
Flash drives (USB, jump, thumb drives)
No moving parts. Similar to RAM (solid-state memory chips), but non-volatile: contents survive power loss.
Server
A computer that provides resource on a computer network.
Computer hardware
Physical equipment of the computer system.
How does system capture data and update master file? Two primary methods.
- Batch: group transactions for processing (the batch is sorted into key sequence, e.g. item number, before the update run)
- On-line, real-time (OLRT): continuous, immediate processing.
Batch Processing
Transaction and master files must be sorted on a common key
•Suited to periodic processing of transactions that are independent of each other and not time-critical.
•Called "sequential-access files" because the records are processed in key sequence.
•Alternative is "random-access (direct-access) files" (stored on direct-access devices such as disks)
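The sequential update described on this card, worked as code. This is an added example, not from the flashcards: the master and transaction files, the key (cust_id) and the transaction types "S" (sale) and "P" (payment) are constructed for the demonstration. Both files are merged in one pass on the sorted key (the classic balance-line algorithm); a transaction with no matching master record is rejected rather than silently dropped, and the control totals a data control clerk would reconcile are computed after the run.

```python
# Constructed sample files (not from the flashcards), both sorted on cust_id.
MASTER = [(100, 250.00), (102, 0.00), (105, 1200.00)]          # (cust_id, balance)
TRANSACTIONS = [                                               # (cust_id, type, amount)
    (100, "S", 75.00),   # S = sale on account, increases the balance
    (102, "P", 25.00),   # P = payment received, decreases the balance
    (103, "S", 40.00),   # no master record 103: must be rejected, not silently dropped
    (105, "P", 200.00),
    (105, "S", 50.00),
]


def _signed(ttype, amount):
    """Sign a transaction amount by its type."""
    if ttype == "S":
        return amount
    if ttype == "P":
        return -amount
    raise ValueError(f"unknown transaction type {ttype!r}")


def batch_update(master, transactions):
    """One sequential pass over both sorted files (the balance-line algorithm).
    Returns (new_master, rejected_transactions)."""
    if master != sorted(master, key=lambda m: m[0]) or \
            transactions != sorted(transactions, key=lambda t: t[0]):
        raise ValueError("both files must be sorted on the common key")
    new_master, rejected = [], []
    i = j = 0
    while i < len(master) or j < len(transactions):
        if j == len(transactions) or (i < len(master) and master[i][0] < transactions[j][0]):
            new_master.append(master[i])          # no activity: copy the master record unchanged
            i += 1
        elif i == len(master) or transactions[j][0] < master[i][0]:
            rejected.append(transactions[j])      # orphan transaction: no master record for key
            j += 1
        else:
            key, balance = master[i]
            while j < len(transactions) and transactions[j][0] == key:
                balance += _signed(transactions[j][1], transactions[j][2])
                j += 1
            new_master.append((key, round(balance, 2)))
            i += 1
    return new_master, rejected


def control_totals(master, transactions, new_master, rejected):
    """Batch control totals reconciled after the run: record counts and the net
    change in the master file must agree with the transactions applied."""
    applied = [t for t in transactions if t not in rejected]
    totals = {
        "input_count": len(transactions),
        "applied_count": len(applied),
        "rejected_count": len(rejected),
        "net_applied": round(sum(_signed(t, a) for _, t, a in applied), 2),
        "master_change": round(sum(b for _, b in new_master) - sum(b for _, b in master), 2),
    }
    totals["reconciles"] = (
        totals["applied_count"] + totals["rejected_count"] == totals["input_count"]
        and totals["net_applied"] == totals["master_change"]
    )
    return totals


if __name__ == "__main__":
    new_master, rejected = batch_update(MASTER, TRANSACTIONS)
    print(new_master, rejected)
    print(control_totals(MASTER, TRANSACTIONS, new_master, rejected))
```

The sort check at the top is the practical caveat: a merge over an unsorted file does not fail loudly, it quietly rejects or misapplies transactions, so the check belongs in the run and the rejected list belongs on the exception report.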
On-Line, Real-Time (OLRT) Processing
Continuous, immediate transaction processing.
Near simultaneous transaction entry and master files updating.
Requirements: random access storage devices, networked computer system or internet.
•single transaction, random processing technology, immediate update.
Point-of-Sale (POS) System Technology
Scanners capture data from product bar codes (fast, accurate, cheap)
Computer system connected to, or integrated with, electronic cash register.
POS Systems or terminals networked to central computer.
Big Data
Creation, analysis, storage and dissemination of extremely large data sets.
•Feasible due to advances in computer storage technologies (ex: the cloud), advanced data analytics, and massive computing power.
Gartner definition: “high volume, velocity, and/or variety Information assets that demand new, innovative forms of processing for enhanced decision making, business insights or process optimization.”
Dark Data
Data from business activities that may be reused in analytics, business relationships, or directly monetized (sold).
Activity, operational or social media data that is unused or underused.
Sometimes a synonym for “meta-data” (data about data)
IaaS
Use of the cloud to access HARDWARE
Role of the systems analyst in an IT environment
Designing systems, prepares specifications for programmers, and serves as intermediary between users and programmers.
•should not have access to an entity’s data in a large firm. (Violation of segregation of duties)
Database administrator
Responsible for establishing user names and authorizing access to specific data files and fields
IT security principles: 5 trust services principles
- Security
- Availability (is the system operational and useable as specified in commitments and agreements? Do I/Cs support system availability?)
- Processing integrity (concerns the completeness, validity, accuracy timeliness and authorization of system processing)
- Confidentiality (is the information protected consistent with the orgs commitment in agreements?)
- Privacy (are the system's collection, use, retention and disclosure of personal information consistent with the entity's privacy commitments?)
10 GAPP (Generally Accepted Privacy Principles)
- Management (accountability)
- Notice (tell others of policies and procedures)
- Choice and consent (US= users can opt out of collection of personal info)
- Collection (only for identified purposes)
- Use and retention (consistent with statements about use - retain only as long as needed or by law)
- Access (people can access, review and update their info)
- Disclosure to third parties (according to policy)
- Security for privacy (protect against unauthorized access)
- Quality (personal info is accurate, complete and relevant)
- Monitoring and enforcement (monitors the entity's compliance)
IT security is not just The responsibility of the IT department but also
A top management issue.
Categories of Criteria for assessing achievement of IT security principles
- Organization and management
- Communications
- Risk management and design implementation of controls
- Monitoring of controls
- Logical and physical access controls
- System operations
- Change management
Time-Based Model of Controls
Given enough time and resources, preventive control can be circumvented.
Accordingly, detection and correction must be timely.
P=time it takes an intruder to break through the organizations preventive controls
D=time it takes to detect that an attack is in progress
C=time to respond to the attack
If P > (D+C), then security procedures are effective
Defense-in-depth Strategy
The strategy of implementing multiple, overlapping layers of controls so that the failure or circumvention of any single control does not compromise the system.
Cyber-Risk Assessment: COSO Principle 6
Organization specifies objectives with sufficient clarity to enable identification and assessment of risks relating to objectives.
Assessing cyber risks begins with understanding the value of information systems to an organization.
Risk identification and Fraud: COSO Principles 7 & 8
Principle 7: Organization identifies, analyzes and manages risks.
Principle 8: Organization considers fraud risks.
Assess likelihood and severity of cyber risk impact.
Consider industry-specific attack.
*initiative should be led by senior management.
COSO principle 9
Organization identifies and assesses changes that could impact internal control.
Risks: rapidly changing technologies and cyber criminals' quick adaptation to those changes yield new methods of exploiting vulnerabilities.
Control Activities to address cyber risks: COSO principles 10, 11, 12
10: Organization selects and develops control activities that contribute to mitigate risks.
11: Organization selects and develops general control activities over technology to support the achievement of objectives.
12: Organization deploys control activities through policies that establish expectations and procedures that implement policies.
* control activities related to cyber risks should relate to the organizations’ objectives and cyber risk profile. (Ex: defense-in-depth Approach. Manage cyber risks through careful design and implementation of controls)
Communicating about cyber risks and controls: principle 13
Organization obtains or generates and uses relevant, quality information to support internal control.
•Information needs follow from cyber risk Assessment and control design processes.
•Formally document information requirements to support processes and controls.
•Availability of “big data” can create information overload problems.
•Transform control system data into actionable, high-quality information to support cyber-related controls.
Communicating about cyber risks and controls: principle 14
Organization internally communicates information, including objectives and responsibilities for internal control, necessary to support internal control functioning.
•Communication about cyber risks should include all personnel, personnel responsible for managing and monitoring cyber risks and controls, and the Board of Directors.
Communicating about cyber risks and controls: principle 15
Organization communicates with external parties regarding internal control.
Define Cybercrime
Illegal activity that uses a computer as its means of communication, or in which a computer is the target of the crime.
Define cyber risk
The likelihood of a financial loss, disruption or damage to an organization from failure of, or an attack on, its IT systems.
All policies, including IT policies, should….
Link to entity’s strategy and objectives.
Need a process for evolving with change.
IT Policies: according to COSO
- Policies central to internal control
- Reflect management's intentions regarding actions
- Procedures are actions to implement policies
Important IT Policies
- Values and Service Culture: what is expected of IT function personnel in interactions with clients and others?
- Contractors, Employees and Sourcing: why, when and how entity selects IT Human Resources from employees vs. outside contractors.
- Electronic Communications Use: policy related to employee use of the internet, intranet, email, blogs, chat rooms and telephones.
- Use and Connection Policy: Entity’s position on the use of personal devices and applications in workplace and connection to the entity’s systems.
- Procurement: policy on procurement processes for obtaining IT services.
- Quality: statement of IT performance standards
- Regulatory Compliance: statement of regulatory requirements for IT systems.
- Security: policy related to guarding against physical or electronic threats to IT. May include disaster recovery preparation policies.
- Service management and operational service problem solving: policies for ensuring quality of live IT services.
E-Commerce
Marketing, buying, and selling of products and services via the internet
- Narrower -> Transactions between organization and trading partners.
- Business-to-business (B2B) ecommerce: the electronic processing of transactions between businesses. (ex: Processing of business transactions, electronic data interchange (EDI), supply chain management (SCM) and EFT
•Business-to-consumer (B2C) ecommerce: selling goods and services to consumers, usually on Internet and web-based technology.
•Relies on intermediaries or brokers to facilitate the sales transaction (eBay)
E-Business
Uses the internet to improve business performance through connectivity.
- Business process that relies on electronic dissemination of information or automated transaction processing.
- can be within or between organizations.
- Most via the Internet using web-based technologies
E-commerce example (B2E)
Business-to-employee e-commerce: sharing information and interacting with employees.
E-commerce example: B2G
Business-to-government e-commerce: contract bidding, property disposal, audit procurement.
E-Commerce Risks
- availability/downtime
- privacy, security and confidentiality
- authentication and nonrepudiation (after the fact, can’t claim that transaction never occurred)
- integrity
Risks of Failing to Implement EC
- Customers go elsewhere
- Limited growth
- Limited markets
E-Commerce Business Models
- E-marketplaces and exchanges
- Viral marketing
- Online direct marketing
- E-tendering systems (soliciting bids for products or services the entity needs)
- Social networking
E-Commerce depends on trust in two parties.
1. The trading partner
2. The trading site or service provider
Identify five risks of e-commerce
- Risk of system unavailability (availability/downtime)
- Privacy, security and confidentiality risks
- Authentication risks
- Nonrepudiation risks
- System integrity risks
E-Procurement
Where a company seeks bids to provide a product or service.
Customer Relationship Management (CRM)
Technologies for managing client e-relationships.
Ex: customer data, profitability, personalized marketing
Database of customer data
•sales force automation: tracking contacts and follow-ups
•marketing automation: "triggered" marketing (ex: Kroger promoting grocery products only to interested customers)
•customer service automation: automating common customer interactions
•analytics: sales history and projections, marketing campaign success, trends, and performance indicators
Electronic Data interchange (EDI)
- computer-to-computer exchange of business data.
- structured data and processing protocols to reduce costs and speed processing (purchase orders, confirmations, invoices, etc.)
- facilitates JIT (just-in-time) inventory
- ex: Walmart and suppliers (direct EDI connections)
- often, direct links between trading partners, or links through intermediaries (called "service bureaus" or VANs)
- Most EDI transactions on Value Added Networks (VANs)
Value Added Networks (VANs) provide…
Audit trails, controls, and security
Often used in conjunction with EDI
EDI translation software
Converts between the standardized EDI format and the company's internal data format.
EDI Benefits
- paperless (saves storage, filing, process costs
- zero data entry
- reduce errors in information exchange
- required by customers (ex: Walmart can force suppliers to adopt a system compatible with theirs)
- real time data, no delays (faster invoicing and payments)
E-Banking
•demanded by customers
•management of e-banking requires:
- Senior management and BoD oversight
- Technology under senior IT leadership
- Operational management monitoring and measuring risk
Electronic Funds Transfer (EFT)
Technology for electronically transferring money.
Increase speed and reduce cost
Electronic Wallets
Not payment systems
Programs for managing credit cards, user names, passwords and address information in easy-to-use, centralized location.
Supply Chain Management (SCM)
Process of transforming raw materials into finished product and delivering goods.
Process of planning, implementing, and controlling supply chain operations
SCM OFTEN INCLUDES EDI (ex: Walmart)
Risk: Unauthorized Cloud Activity
Response = ?
Preventive and detective controls to prevent unauthorized procurement of cloud services.
•a cloud use policy that articulates how, when, and for what uses, cloud computing is allowed.
•a list of approved cloud vendors
Policy: who can contract for cloud services and under what conditions.
Risk: Lack of Cloud Service Provider (CSP) Transparency
Response = ?
Vendor selection & assessment of CSP controls
- approved list of cloud vendors includes only vendors who provide sufficient info to enable informed risk assessments of the integrity of CSP operations.
* list of required info from CSP may depend on type of service provided (IAAS, SAAS, PAAS)
Risk: CSP Reliability and Performance
Response = ?
Effective incident management plan and procedure.
Contract with backup CSPs in case of system failure with primary CSP.
Implement CSP availability monitoring.
Risk: Cyber-Attack
Response = ?
Incident management plan that considers increased likelihood of attack on CSP.
Define Cloud Computing
Using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or in-house network.
What is a CSP?
Cloud service providers offer network services, infrastructure, or business applications in the cloud.
Hosted in a data center that can be accessed by companies or individuals using network connectivity.
End-User Systems Development Risks
- No knowledge or application of SDLC (systems development life cycle).
- Poor integration with existing systems.
- Inadequate system testing and documentation.
- Poor data controls and system design.
- Management may rely on these systems without knowing their risks.
Small Business Environment (SBE) Characteristics
- Exclusively microcomputers
- No centralized IT department (outsourced IT?)
- Poor segregation of Duties (incompatible functions often combined)
Controlling SBE Computing Risks
Physical access: unprotected Computing site(s)?
•Give > attention to locked doors & secure storage
Logical (electronic) access: require UNs and strong PWs, automatic log outs
Data backup: outsource, or establish in-house backup procedures
How to consolidate data from multiple locations? (3 approaches)
- Centralized system
•data and processing at central location.
- Decentralized system
•individual location processing and data
- Distributed (hybrid) database system
•distribute to locations according to need
Centralized System
All data processing at one location. Users access via telecommunications channel
ADVANTAGES: enables better data security, consistency in processing.
DISADVANTAGES: high transmission costs, input/output bottlenecks at high traffic times (end of period), slow response to info requests.
Decentralized System
Each location maintains separate system and data. Summarized data sent to central office.
Use of this system is declining. Can be customized Systems.
ADVANTAGES: low transmission cost, low processing power and storage needs at central site, lower input/output bottlenecks, higher response to local needs.
DISADVANTAGES: higher data redundancy and poor information integration, higher security issues and hardware costs.
Distributed Database System Characteristics
Compromise: Seek the best of centralized and decentralized.
Database distributed across locations according to needs.
Increasingly common
ADVANTAGES: better communications between locations (all connected to distributed database), more current and complete information, reduce or eliminate need for expensive central processing center.
DISADVANTAGES: similar to centralized systems: cost of communications among locations; access and update conflicts among locations.
Define computer network
Two or more computing devices connected by a communications channel.
Define Node
Network access point.
•controlling node access is critical to security. (Who is on the network and why?)
A connected device (computers, printers, headphones, etc.) identified by type (linked to device protocols)
The node count is a measure of network complexity.
Each node is assigned a DNS name and an IP address.
Network monitor displays nodes.
Define DNS
Domain Name System: translates a node's domain (host) name into its IP (Internet Protocol) address
Computer Network Components: Switch and/or router
Route traffic and may include security features (identifying nodes engaged in activity you don't want on your network).
A switch forwards traffic between nodes within one network; a router forwards traffic between networks. Routers are smarter, more complex and cost more than switches.
Computer Network Components: Network Interface Card (NIC) or Network Adapter Card (NAC)
•Circuit board and software on each Node.
•Matched to transmission media.
Ex: in each computer (to translate between the network language and the computer language)
Computer Network Components: transmission media
- Communication link between nodes (here a cable).
* May be wired or wireless.
Types of Nodes
CLIENT: usually an end user’s microcomputer, uses but does not provide network resources
SERVER: provides services or resources to the network; end users access server resources through clients but generally do not use the server directly.
LOCAL AREA NETWORK (LANs): use dedicated communication lines, cover limited area.
WIDE AREA NETWORK (WANs): uses public or shared communication lines.
STORAGE AREA NETWORK (SANs): type of LAN, dedicated to connecting storage devices to servers and other devices, centralized data storage, increased use in cloud computing.
PERSONAL AREA NETWORK (PANs): created by individual person, wireless or wired.
Wired/wireless communication media (from slowest, cheapest and least secure to fastest, most expensive and most secure)
WIRED
Twisted pair
Coaxial cable
Fiber optic cable
WIRELESS
Microwave transmission (primarily used in WANs)
Wi-Fi or spread-spectrum radio transmission
Bluetooth (used in PANs)
Wired and wireless advantages
WIRELESS: Scalable, flexible, often lower cost, mobility.
WIRED: reliable, security, speed, occasionally lower cost.
large LANs and WANs often include both.
Network Management Tools (Controls)
A. Response time reports
B. Downtime reports
C. Online monitors
D. Network monitors
E. Protocol analyzers
F. Simple Network Management Protocol (SNMP): a way of monitoring network devices and traffic
G. Help desk reports
Internet Defined
A “network of networks”
•worlds largest client/server network.
Common protocol = 2 parts:
TCP (Transmission Control Protocol) •breaks up sent messages into packets (carried in IP datagrams) and reassembles them in order at the receiver
IP (Internet Protocol) •all nodes assigned an IP address for delivery of information.
Protocol Defined
Rules by which a network operates and controls flow and priority of messages.
Packet (or block) Defined
A means by which information is transmitted.
Sent files are broken down into packets which contains:
Header: routing information (addresses), length, protocol (in some systems), originating information.
Data: main message
Trailer: used in some Systems, error detection bits, end of message identifier
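The two cards above (TCP breaking a message into packets, and the header / data / trailer layout) worked as code. This is an added example, not from the flashcards; the packet layout is a toy one invented for the demonstration, not a real protocol: a fixed header of five 16-bit fields (destination, source, sequence number, packet count, data length), up to 16 bytes of data, and a trailer holding a CRC-32 over header plus data as the error-detection bits. The sample message and addresses are constructed.

```python
import struct
import zlib

# Toy packet layout, an assumption for this example (not a real protocol):
# header = dst, src, seq, total, length (five 16-bit fields, network byte order);
# data   = up to MAX_DATA bytes;
# trailer = CRC-32 of header + data (the error-detection bits).
HEADER = struct.Struct("!HHHHH")
TRAILER = struct.Struct("!I")
MAX_DATA = 16


def make_packets(src, dst, message):
    """Break a message into numbered packets, each with header, data and trailer."""
    chunks = [message[i:i + MAX_DATA] for i in range(0, len(message), MAX_DATA)] or [b""]
    packets = []
    for seq, data in enumerate(chunks):
        body = HEADER.pack(dst, src, seq, len(chunks), len(data)) + data
        packets.append(body + TRAILER.pack(zlib.crc32(body)))
    return packets


def parse_packet(raw):
    """Split one packet into its parts; raise ValueError if any check fails."""
    if len(raw) < HEADER.size + TRAILER.size:
        raise ValueError("packet too short")
    body, (crc,) = raw[:-TRAILER.size], TRAILER.unpack(raw[-TRAILER.size:])
    if zlib.crc32(body) != crc:
        raise ValueError("CRC mismatch: packet damaged in transit")
    dst, src, seq, total, length = HEADER.unpack(body[:HEADER.size])
    data = body[HEADER.size:]
    if len(data) != length:
        raise ValueError("length field disagrees with data")
    return {"dst": dst, "src": src, "seq": seq, "total": total, "data": data}


def reassemble(raw_packets):
    """Rebuild the message from packets that may arrive in any order."""
    parts = [parse_packet(p) for p in raw_packets]
    total = parts[0]["total"]
    by_seq = {p["seq"]: p["data"] for p in parts}
    if set(by_seq) != set(range(total)):
        raise ValueError("missing or duplicate sequence numbers")
    return b"".join(by_seq[i] for i in range(total))


def flip_bit(raw, byte_index, bit=0):
    """Simulate line noise: flip one bit of a packet."""
    b = bytearray(raw)
    b[byte_index] ^= 1 << bit
    return bytes(b)


def survives(raw_packets):
    """True if the packets reassemble cleanly, False if any check fails."""
    try:
        reassemble(raw_packets)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    msg = b"PAY 1250.00 TO ACCT 4471 REF INV-2031"     # constructed sample message
    pkts = make_packets(7, 9, msg)
    print(len(pkts), "packets;", reassemble(reversed(pkts)) == msg)
    print("damaged packet detected:", not survives([flip_bit(pkts[1], HEADER.size + 2)] + pkts[:1]))
```

The CRC in the trailer detects accidental corruption only; it is not a security control. Anyone who can alter the data can recompute the CRC, which is why integrity against an attacker needs a keyed MAC or a signature rather than a checksum.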
Email - two components
- Mail servers – hosts that deliver, forward and store mail
- Clients – link users to servers. Allow you to read, compose, send, and store email.
Uniform resource locator (URL)
Web address of a resource
Browser Defined
Resolves the host name in the URL to an IP address (by querying DNS)
Sends a request for the URL via HTTP (hypertext transfer protocol)
Simple Mail Transfer Protocol (SMTP)
For email services.
Internet Message Access Protocol (IMAP)
Permits access to remote mailboxes (e.g. on a server) as if they were local (e.g. on a client system)
File transfer protocol (FTP)
For uploading and downloading files.
Instant messaging (IM)
Common for informal, internal corporate communications.
Voice over IP (VoIP)
For internet-based phone communications.
Markup (or tagging) languages
Codes that indicate how parts of a file are to be processed or displayed.
HTML (Hypertext markup language)
Core markup language (Way of tagging text for display) for web pages.
XML (extensible markup language)
For encoding (tagging) documents in machine-readable form.
XBRL (extensible business reporting language)
XML-based. For encoding and tagging financial information.
*This is the future.
•used in filings with the SEC on EDGAR
•some companies now report their F/S in both paper and XBRL formats.
Monitoring Employee Internet Use
Detect and/or prevent unauthorized uses.
•non-work tasks, legal issues
National security/political control
Packet sniffers (view and capture sent information)
Desktop surveillance (keystroke + website logging)
Internet Service Providers (ISPs)
Provide access through: direct connections to Internet backbone (high speed, high capacity communication lines)
Intranets and Extranets
Private (limited access) networks built using Internet protocols.
•allows access to network resources through web browsers rather than a proprietary interface.
•reduces training and system development time.
•rapidly replacing traditional proprietary LANs and WANs.
•easier to use, greater security.
•intranet portal–the entry site (URL) for an intranet.
Intranets
Available only within an organization (school, business, association)
•intranets are often used to connect geographically separate LANs within a company.
Extranets
Extend intranet to associates
•extend to suppliers, customers, business partners.
Could have security issues that are not found with an intranet.
VPN (Virtual private network)
Technology to secure communications.
•extending an intranet to an extranet.
Web 2.0
Web based, collaboration and community-generated content using tools such as blogs and wiki.
RSS (really simple syndication)/ATOM feeds
Feed: an information source by (free) subscription.
Security Token
One-time password (device displays; user inputs device password, user ID, and account password)
New password ~30-60 seconds
Biometric
Physical characteristic for access (thumbprint, retina patterns)
Firewalls
All firewalls are hardware and/or software to review and filter network traffic (e.g. block non-compliant data packets based on set parameters)
TYPES/LEVELS
Network, application and personal.
Network firewall
On a network (e.g. Server)
Filters data packets based on header information (source and destination IP addresses and Communication port)
Blocks non-compliant transmissions based on rules in an access control list.
Very fast (examine headers only)
Application firewall
Inspect data packet content
Can perform deep packet inspection (detailed packet examination)
Personal firewalls
Software enabling end-users to block unwanted network traffic.
Usually on a home network or computer.
Intrusion Detection Systems
IDS: monitors network for anomalies.
What is unusual–3 identification methods
- Signature-based (site patterns/sources)
- Statistical-based (unusual activity-modeling)
- Neural Networks (learns from created database)
Intrusion Prevention System
IPS e.g. Honeypot/honeynet – allow hackers access to a decoy system.
Piggybacking Defined
Unauthorized user follows and uses authorized user credentials
Electrical System Risks
- Failure (outage)
- Reduced voltage (brownout)
- Sags, spikes, and surges
- electromagnetic interference (EMI)
What purpose does setting file Attributes serve
This logically restricts the ability of the user to read, write, Update, and/or delete records in a file.
Define social engineering
A set of techniques used by attackers to fool employees into giving them access to information resources.
Encryption Defined
Process of converting a plaintext message into a secure-coded form (ciphertext).
Decryption - reverse encryption (to read a message).
Encryption key(s)
Device or code that makes the message unique. Needed to encrypt or decrypt.
•an input or parameter
•device encryption e.g. on a laptop, smart phone
Key length – longer keys are slower but harder to crack
Single-key or private key encryption
One algorithm to encrypt and decrypt
Sender creates and sends ciphertext, tells which algorithm (key)
Receiver reverses process
Old = Data Encryption Standard (DES)
New and better = Advanced Encryption Standard (AES)
Public/private-key encryption
Paired algorithms
•one to encrypt, one to decrypt
•if public encrypts, private decrypts
•if private encrypts, public decrypts
Safer but more complicated (slower)
Common in sending of message (data in transit)
“Honey” encryption
Wrong guesses about encrypting key yield falsified data that looks correct but isn’t.
Quantum encryption
Quantum encryption where data are encrypted using the Alice-in-Wonderland-like qualities of quantum computers.
Digital certificate
Electronic document that contains information
Purpose: provide identity and create secure communication.
Certificate or certification authority (CA)
Created by Microsoft to acquire key pair; user applies to CA.
CA registers public key on server and sends private key to user. (i.e. additional layer of approval to get key)
Digital certificates
Legally recognized identification.
Uses public/private key technology.
Digital Signatures
Facilitate secure exchanges (e.g. E-commerce)
- uses public/private key pair to authenticate sender.
- provides authentication and nonrepudiation.
- weakness: public/private key pair can be acquired without verification. (Does not provide confidentiality)
Forms of asymmetric encryption
- SSL (secure socket layer)
- S-HTTP (secure hypertext transport protocol)
- SET (secure electronic transactions protocol) - used for consumer purchases
Types of Disasters
- Natural: i.e. Earthquakes, floods
- Unintentional Human: i.e. Loss of power, gas leak
- Intentional Human: i.e. Terrorist attacks, hackers, vengeful employees
Recovery Point Objective
Acceptable data loss. Recovery Time Objective: acceptable downtime.
Determining: criticality of application, cost, time to recovery, security.
Backup Facility Types
Cold site: no computers ($)
Warm site: computers, no data ($$)
Hot site: everything ($$$)
Mirrored site: fully redundant ($$$$)
Reciprocal Agreement: $?
Disaster Recovery: Cold Site
Off-site location with electrical and other physical requirements for processing.
No equipment or files (added when needed)
1-3 day start-up typically
Cheaper
Disaster Recovery: Warm Site
Off-site location with similar computer hardware.
Does not include backed-up data (delivered when needed)
More expensive than cold-site
Disaster Recovery: Hot Site
Completely equipped including data
Near-immediate (within hours) operation
Big money (e.g. Medical, credit card systems)
Disaster Recovery: Mirrored Site
Fully redundant, fully staffed, fully equipped.
Real-time replication of mission critical systems
E.g. Credit card processing
Reciprocal Agreement (aka mutual aid pact)
Agreement between two or more organizations to aid each other with data processing if disaster strikes.
May be cold, warm, or hot
Organizational Continuity Planning
- identify and plan for disruptions
- integrate into business culture
- recall risk management lesson / risk appetite and management.
BRM stands for
Business risk management or organizational risk management.
BCP stands for
Business continuity planning
OCP stands for
Organizational continuity plan
•process of risk Assessment, contingency planning, and long-term continuity maintenance.
BIA stands for
Business impact analysis
•risk analysis portion of BCP (business continuity planning)
Identifies maximum tolerable interruption periods of an organization by function and activity to assess risk importance and consequences.
OCP and BCP steps
- Create an OCP policy and program
- Determine critical functions / business risks
- Determine continuity strategies
- Develop and implement BCM response
- Exercise, maintain, and update plan
- Embed BCM plan into the culture
Incident Management
Map level of incidents to events to responses
E.g. 0 = negligible event (e.g. power strike)
7 = crisis (pandemic virus or terrorist)
•responses mapped to level of incidents.
Plan for data back-up
- recover from equipment failures, power failures and errors
- maintain at least one remote archive off-site
- use redundant (multiple) backups.
Types of data backup procedures
- full: all data
- incremental: data changed since a certain time (the last backup of any kind)
- differential: data changed since the last full backup
Backup & Recovery Control Principles
- At least one off-site archive
- Controls over storage libraries mirror those for data processing sites
- Many organizations outsource - choosing a vendor, consider availability, standardization, capacity, speed, and price
- Backup procedures may be full, incremental, or differential
- Maintain inventory of backups that identifies data set name, volume serial number, date created, accounting period, and storage location
- Consider privacy, security and confidentiality of data (e.g. HIPAA)
- Restoration procedures integrated into the organization's continuity plan (OCP)
- Backup and restoration procedures regularly tested and reviewed.
“Grandfather, father, son” system
Dates from when all systems were batch processing and is mostly associated with batch processing.
Son = newest; Father = 1 generation back; Grandfather = 2 generations back
Checkpoint and restart backup procedure
Common in batch processing.
Checkpoint
•point where processing accuracy is verified
•periodic backups
•if problem, return to most recent checkpoint and restart
Rollback and recovery backup procedure
Common to online, real-time processing
Record processing transactions log
Periodically record master file contents
If problem, return to good master file and reprocess subsequent transactions
Fault tolerant systems
Operate despite component failure (include redundancy and corrections for component failure)
E.g. Space flight, ecommerce, bank credit card processing
*don't want outages or downtime
Network-enabled backup procedure.
High-availability clusters (HACs)
Computer clusters designed to improve service availability: common in e-commerce.
If a part of the system goes down, the other components will pick up the slack.
Network-enabled backup procedure.
Remote (online) backup by managed provider
Advantages: automated, outsource to experts, off-site, can be continuous.
Network-enabled backup procedure.
Storage Area Networks (SANs)
Replicate data from multiple sites
Data immediately available
Efficient storage for servers
Network-enabled backup procedure.
Mirroring
Maintain EXACT COPY of data set
Files are stored in same format as System (e.g. Not zipped)
Advantage: very fast
Disadvantage: storage, expensive
Used for mission critical systems
Network-enabled backup procedure.
No responsible financial services organization can operate without ______ and _____
Backup and recovery
Who commits cyber-crimes?
Nation-states and spies: foreign nations
Industrial spies: seek intellectual property and trade secrets for competitive advantage
Organized crime: e.g. blackmailers who threaten to harm data resources
Hacktivists: social or political statements e.g. Anonymous
Hackers/crackers: for fun and challenge
Categories of Computer Crime
Computer or system as target–e.g. Denial of service (DoS) attacks and hacking
Computer as subject–unlawful access to attack others. e.g. DoS infections.
Computer as tool–access data or resources. E.g. Unauthorized access breaches, phishing, key loggers
Computer as symbol/user as target–variation in computer as tool. Deceive user to obtain access e.g. Social engineering
Preventing and Detecting Computer Crimes
- Make crime harder (less likely)
- Increase the costs (difficulty) of crime
- Improve detection methods
- Reduce losses
Computer Attack Methods: back door
- software allowing unauthorized entry to a system by bypassing login
- once common among programmers to facilitate development
Computer Attack Methods: denial of service (DoS)
Prevent legitimate users accessing system.
Flood server with incomplete access requests
Often use botnets (zombie computers)
Computer Attack Methods: eavesdropping
Unauthorized interception of private communication.
Computer Attack Methods: email bombing or spamming
Sending thousands or millions of emails to an address.
Computer Attack Methods: logic bomb
Program planted in System dormant until event or time (e.g. Date, employer deleted from active status)
Computer Attack Methods: Malicious Software (Malware)
Exploit system and user vulnerabilities to gain access to or damage a computer.
Examples:
VIRUS: unauthorized program that copies itself; may damage data.
WORM: virus that replicates across Systems; e.g. By sending email floods
TROJAN HORSE: Program hidden inside benign file; can insert back door into system
Packet Sniffing
Packet analyzers, network analyzers, and sniffers.
•have network control (legitimate) and data capture (nefarious) uses.
Packet=formatted block of data carried by a computer network
Packet sniffing=capture packets of data as they move across a network
Password Crackers
Software used to generate potential passwords and test to gain access.
Finds weak passwords easily.
Session Hijacking and Masquerading
Internet Protocol (IP) address–unique identifying number for each device on a networked system.
Hacker can identify IP address (e.g. Packet sniffing) and use to access network
Masquerade=hacker mimics legitimate user.
Social Engineering
Seek access by tricking employees
PHISHING: fooling recipients into divulging personal financial data
Spam
Irrelevant or inappropriate email (or text or whatever messaging system comes next) messages sent to either:
•a large number of recipients.
•the same recipient many times (email bombing)
War Chalking, Driving and Walking
War Chalking: draw symbols in public places to indicate available Wi-Fi network access.
War Driving: seeking access to Wi-Fi while driving
War Walking: seeking access to Wi-Fi while walking, may lead to war Chalking.
Cyber Incident Response Process
- Planning for and testing protocol
- Event detection procedures
- Event logging procedures
- Triage and incident analysis
- Containment and removal of threats
- Decision and action regarding event announcement or secrecy
- Incident recovery
- Closure
- Event reporting
- Monitoring and system revisions
Source Program Library Management System (SPLMS)
- an essential change control (COSO - importance in managing changes within a system of I/C)
- software and instructions for people
- for new or changed programs, SPLMS manages migration from application development test environment to production library (live status)
- SPLMS controls and validates program changes by comparing new to old code
Four Functions of SPLMS
- Store programs in the SPL (source program library)
- Retrieve programs for updating and maintenance
- Delete obsolete programs
- Audit trail; document program changes
*may be part of database system, operating system or purchased separately
What is the value (the why) of documenting accounting systems
- Required by law (e.g. the Foreign Corrupt Practices Act, SOX, SEC regulations, HIPAA)
- To build and evaluate complex systems
- For training (for new employees)
- For creating sustainable/surviving systems
- For auditing (internal and external)
- For Process (re)engineering
System documentation
Overview of program, data files, processing logic, interactions with other programs and systems
- big picture of entire system
- may include requirements, architecture and design of the system
Program Documentation
Detailed description of inputs, logic, and outputs for software
•includes program flow charts, source code listings, record layouts
Operator Documentation
Also called “run manual”
How to load and execute programs and data.
Includes needed equipment, files, supplies, commands, error messages
What type of control is Documentation
General and primarily preventive
Input and origination controls
Ensure reliability of application program data and processes.
Understanding enables auditor to assess risks if absent or weak.
Some may function as input or processing controls (e.g. control totals)
Best “input” control is often to automate data entry i.e. To not have manual (human) input
Origination: scanning instead of human entry
Goals: accuracy, completeness, efficiency
OLRT Systems Control: Closed Loop Verification
Use entered data to display additional (confirming data)
Helps ensure valid and correct entry
E.g. after the customer's account code is entered, the system displays additional information about the selected customer.
Goals: C (all data entered), A (entered data accurate), E
Batch control total methods
- Financial total - add invoice amounts
- Hash total - add invoice #s
- Record count-count # of invoices
Record count goal = A & C
Sequence check Defined
Confirm numerical sequence (of check or invoice numbers)
•usually automated but may be manual
Goal: C (all valid are included), V (no invalid are included)
Key Verification
Re-key (re-enter) and compare critical data
•ex: require password entry twice
Goal: Validity
Completeness or missing data check
Can’t continue until data is entered
Goal: completeness
Field check (data type/data format check)
Is data of correct type? Ex: alphabetic, numeric, characters
E.g. A zip code can only have numbers.
Goal: Accuracy
Limit tests
Numeric field with specified value(s). E.g. Need to enter a number for age that can’t be past 120
Goals: validity and accuracy
Range test
Validate upper and lower limit.
Ex: price per gallon of gas $2 < x < $10
Sign test
has correct sign (+ or -)
Ex: # purchased > 0
Valid code test (validity test)
Does entered account # exist?
In database, called referential integrity
Goals: validity and accuracy
Reasonableness check (logic test)
Do two or more fields agree?
Ex: don’t allow pay rate = “$3,500” and pay period = “hourly”
Goals: validity and accuracy
Preprinted forms and pre formatted screens
Decrease data entry errors, speed data entry
Goals: accuracy, completeness and efficiency
Default values
Pre-supplied data values for fields
Ex: sales order date = current date
Goals: accuracy and efficiency
Automated data capture
- automated equipment to reduce manual data entry
- ex: bar code scanners
- reducing human involvement reduces errors
4 types of application controls
- Processing
- File
- Output
- Input
Application Controls: Processing
Efficiency
•accurate and complete master file update
•detect unauthorized transactions
•maintain data integrity
Application Controls: Processing (and Input)
Run-to-run Controls: use batch totals (input controls) to agree the batch from one procedure (run) to another.
*used in batch processing.
Application Controls: Processing
Audit trail control
•used mostly in OLRT processing
•transaction log = electronic audit trail
Transaction Logs (processing and output)
May include data values, time, terminal number, IP address, user name
Importance:
•GOALS: accuracy, completeness and validity
•BACKUP AND RECOVERY: essential to checkpoint and restart, and rollback and recovery systems
File Types
Master files (ex: payables, receivables, updated regularly with transactions)
Standing files (rarely changed master files)
Transaction files (events that are used to update master files)
System control parameter files
Examples of Hardware Controls
- Check digit (parity bit)
•0 or 1 included in byte to indicate if sum of bits = odd or even
- Read after write check
•verifies that data was correctly written to disk
•mostly used in local file operations
- Echo check
•verify transmission by "echo back" of received transmission to sender
•primary use = telecommunications systems
- Boundary protection
•with multiple programs and/or simultaneous users
•prevents one program from overwriting data and instructions of another program
Additional file controls
Internal labels–Read by system (or removable storage)
External labels–Read by humans
Version controls–Protocols for ensuring use of the correct file version
File access and updating controls–procedure to restrict file updates and access to authorized users
Application Controls: Output
Transaction logs of printed output (built into most systems)
Access to sensitive reports through permissions and access controls (e.g. Authorization matrix)
Access Control (Outputs): Spooling printed files
Send files to queue for printing, in order sent
Control issue: sensitive output
Ex: sensitive product sales data, require printer password entry before file is printed, printed files are held by data control clerk for pickup
Hardware controls
Controls built into the computer equipment to ensure that data are transmitted and processed accurately.
The Accounting Cycle as a Set of Accounting Procedures
Competent, timely execution of the following:
- Analyze transactions and business documents.
- Journalize transactions.
- Post journal entries to accounts.
- Determine account balances and prepare a trial balance.
- Journalize and post adjusting entries.
- Prepare financial statements and reports.
- Journalize and post closing entries.
- Balance the accounts and prepare a post-closing trial balance.
- Repeat.
Accounting Cycles as Categories of Activity // basic exchanges typically grouped into five major transaction cycles:
Revenue cycle–interactions with customers (give goods; get cash)
Expenditure cycle–interactions with suppliers (give cash; get goods)
Production cycle–give labor and raw materials; get finished product
Human Resources/Payroll Cycle–hire, utilize, and develop labor; give cash and benefits
General ledger, reporting, financing cycle–give cash; get cash; report financial outcomes
Common Risks Across Cycles
Loss, alteration, or unauthorized disclosure of data.
Accounting system is not functioning as required by law, regulation, or organizational policy.
Control Goals Across Cycles
Completeness - all:
- transactions are properly authorized.
- recorded transactions are valid.
- valid and authorized transactions are recorded.
- transactions are recorded accurately.
Safeguarding - assets are safeguarded from loss or theft.
Efficiency - business activities are performed efficiently and effectively.
Compliance - the organization complies with all applicable laws and regulations.
Reporting - all financial disclosures are full/fair.
Data integrity - accurate data is available when needed.
Accounting Cycle Defined
Systematic process of recording and processing financial transactions and events.
A way of categorizing similar business and accounting activities.
Define The Human Resources/payroll cycle
- records activity related to employees and payroll.
- gets funds from the financing cycle, provides labor to the production cycle, and provides data to the GL and reporting system.
Define The Financing Cycle
•gets funds from the revenue cycle, provides funds to the expenditure and HR/payroll Cycles, and provides data to the GL and reporting system.
Define The Production Cycle
•gets labor from HR/Payroll, gets money from financing, gets raw materials from expenditure, provides data to GL and reporting, provides finished goods to revenue.
Define The Revenue Cycle
- Gets finished goods from production
- provides data to GL and reporting
- provides funds to the financing.
Core Activities:
Sales: receive customer orders, approve customer credit/sales authorization.
Physical (or virtual) custody of products/services: fill the order and prepare for shipping, ship
AR: bill as needed, manage receivables
Cash: collection and receipt of payments, reconciliation/control activities
Define The Expenditure Cycle
Gets money from financing, provides data to the GL and reporting, provides raw materials to production.
Core activities:
Request and authorize purchase, acquiring goods, taking custody and paying for goods.
Remittance Advice
Purpose: helps match payments to invoices.
Comments and Controls: Sent by customers to selling company to indicate payment.
Risks of Systems Development
- It doesn’t work the way it was designed to.
- Cost over-runs: cost more than it should have.
- Time: it falls behind schedule.
Reasons for Systems Development Failure
- Lack of senior management knowledge of, and support and involvement in, major IT projects.
- Difficulty in specifying requirements.
- Emerging technologies (hardware and software) may not work.
- Lack of standardized project management and methods.
- Resistance to change; lack of proper “change management”.
- Scope and Project creep. (Ex. Going over budget)
- Lack of user participation and support.
- Inadequate testing and training.
- Poor project management–underestimating of time, resources, and scope.
Who is involved with Systems Development Life Cycle (SDLC)
- IT Steering Committee
•Concerned with the strategic plan for IT within the organization.
•Review, approve and prioritize Systems Development proposals.
•Include IT department and functional user areas
- Lead Systems Analyst
•Manages development team and project.
•Direct contact with end users. Usually responsible for developing overall programming logic and functionality.
- Systems Analysts and Application Programmers
•Design, create and test system, programs, and controls in partnership with users
- End users
•Identify problems and often suggest first-pass solutions.
Stages in the SDLC
*need to know the order of steps
SYSTEM PLANNING AND BUILDING
1. Planning and feasibility
2. Analysis / Requirements
3. Design
4. Development
IMPLEMENTING, TESTING AND MAINTENANCE
5. Testing
6. Implementation
7. Maintenance
SDLC: Planning and Feasibility
3 dimensions of feasibility:
- Technical: Can it be built?
- Economic: Is it cost effective?
- Operational: Will it meet user needs?
If feasible, create a project plan:
•Critical success factors: What must happen to succeed?
•Scope: Project purpose and most important goals.
•Major risks: $?, delivery date? Technology?
•Milestones and responsibilities: Who will do what, when?
SDLC: Analysis / Requirements
Systems analysts partner with end users to:
•Understand business processes and purposes.
•Document system requirements
Requirements Defined:
- Document that identifies system functionality
- Framework for system design and development
- Parties sign to signify agreement on requirements (contract).
Joint Application Development (JAD)
Collaboration of IT personnel and end users to define system.
Part of analysis/requirements in SDLC
Accountants/internal auditors role in Analysis/Requirements (SDLC)
- Prepare or evaluate RFPs (request for proposals) for hardware or software.
- Vendor evaluations: Reliability (financial and product), service commitment, training, tech support + documentation.
SDLC: Design
Design: Define systems’ technical specifications. Two components:
- Technical architecture specification: Define hardware, systems software and networking technology of systems.
- Systems model specifications: (a) Graphical models (flowcharts, etc.) describing system components and processes. (b) Create system menus and screen formats.
SDLC: Development
- Programmer uses design specifications to develop the program and data files.
- Purchases hardware and IT infrastructure specified in design.
SDLC: Testing
Does system meet the design specifications in the requirements definition?
TEST:
•With both correct and erroneous data
•At expected operational loads
TYPES OF TESTING:
•Individual processing unit: Each component works
•System testing: Modules work together
•Inter-system testing: System works with other systems
•User acceptance: System meets business needs
SDLC: Implementation
Includes:
•Data conversion (old data into new format)
•User training
SDLC: Maintenance
Monitor and update programs and/or procedures
•Remember Y2K?
System updates return to start of SDLC process. (Size will determine if you go through the whole process or just Components)
What is the pilot implementation method for new systems?
Similar to phased implementation, except divide users into smaller groups and train by groups (vs. by modules)
What is the “cold turkey” (AKA the “plunge” or “Big Bang”) implementation method for new systems?
Old system is dropped and the new system is put in place all at once. RISKY!