Test 2 Flashcards

1
Q

Threats to AIS

A
  • Natural and political disasters
  • Software errors and equipment malfunctions
  • Unintentional acts
  • Intentional Acts
2
Q

An intentional act where the intent is to destroy a system or some of its components

A

Sabotage

3
Q

Gaining an unfair advantage over another person

A

Fraud

4
Q

Legally, for an act to be fraudulent there must be:

A
  1. False statement, representation, disclosure
  2. Material facts
  3. An intent to deceive
  4. Justifiable reliance
  5. Injury or loss
5
Q

Typically, business people who commit fraud. Criminals usually resort to trickery or cunning, and their crimes usually involve a violation of trust or confidence

A

white-collar criminals

6
Q

Dishonest conduct by those in power and it often involves actions that are illegitimate, immoral, or incompatible with ethical standards

A

Corruption

7
Q

Misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little or no risk

A

Investment fraud

8
Q

The theft of company assets by employees

A

Misappropriation of assets

9
Q

Fraudulent financial reporting

A

Intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements

10
Q

4 actions to reduce fraudulent financial reporting

A
  1. Establish an environment that contributes to integrity
  2. Identify and understand factors that lead to fraudulent financial reporting
  3. Assess the risk of fraudulent reporting within the company
  4. Design and implement internal controls
11
Q

SAS requires auditors to:

A
  • Understand fraud
  • Discuss the risks of material fraudulent misstatements
  • Obtain information
  • Identify, assess, and respond to risks
  • Evaluate the results of their audit tests
  • Document and communicate findings
  • Incorporate a technology focus
12
Q

Fraud Triangle

A
  • Opportunity
  • Rationalization
  • Pressure
13
Q

A person’s incentive or motivation for committing fraud

A

Pressure

14
Q

The condition or situation that allows a person or organization to commit and conceal a dishonest act and convert it to a personal gain

A

Opportunity

15
Q

Concealing the theft of cash by means of a series of delays in posting collections to accounts receivable

A

Lapping

Customer A, B, C…

16
Q

Cash is created using the lag between the time a check is deposited and the time it clears the bank

A

Check kiting

17
Q

Allows perpetrators to justify their illegal behavior
- justification, attitude, lack of personal integrity

A

Rationalization

18
Q

Any type of fraud that requires computer technology to perpetrate it

A

Computer fraud

19
Q

Computer fraud classifications

A
  • Input fraud
  • Processor fraud
  • Data fraud
  • Output fraud
  • Computer instructions fraud
20
Q

Input fraud

A

Simplest and most common way to commit a computer fraud is to alter or falsify computer input

21
Q

Processor fraud

A

Includes unauthorized system use, including the theft of computer time and services

22
Q

Computer instructions fraud

A

Includes tampering with company software, copying software illegally, using software in an unauthorized manner, and developing software to carry out an unauthorized activity

23
Q

Data fraud

A

illegally using, copying, browsing, searching, or harming company data

24
Q

Output fraud

A

Output can be stolen, copied, or misused
- television like signals

25
A probability distribution for the likelihood of a digit in a large set of naturally occurring numbers
Benford's Law
26
6 steps criminals use to attack information systems
1. Conduct reconnaissance 2. Attempt social engineering 3. Scan and map the target 4. Research 5. Execute the attack 6. Cover tracks
27
The unauthorized access, modification, or use of an electronic device or some element of a computer system
Hacking
28
Gaining control of a computer to carry out illicit activities without the user's knowledge
Hijacking
29
Short for robot network, is a powerful network of hijacked computers, called zombies, that are used to attack systems or spread malware
Botnet
30
Hijacked computers, typically part of a botnet, that are used to launch a variety of internet attacks
Zombies
31
Installs software that responds to the hacker's electronic instructions on unwitting PCs
Bot herder
32
The attacker sends so many e-mail bombs or web page requests, often from randomly generated false addresses, that the internet service provider's e-mail server or the web page server is overloaded and shuts down
Denial-of-service attack (DoS)
33
A trial-and-error method that uses software to guess information, such as the user ID and the password, needed to gain access to a system
Brute force attack (1) the computing power used and (2) enough time to generate the number of combinations needed
34
Passwords stored in or transmitted by a computer system are recovered by trying every possible combination of upper- and lower-case letters, numbers, and special characters and comparing them to a cryptographic hash of the password
Password cracking
35
Software generates user IDs and password guesses using a dictionary of possible user IDs and passwords to reduce the number of guesses required
Dictionary attack
36
Simultaneously sending the same unsolicited message to many people at the same time, often in an attempt to sell something
Spamming
37
Making an e-mail appear as though it originated from a different source
E-mail spoofing
38
Making an electronic communication look as if someone else sent it to gain the trust of the recipient
Spoofing
39
Displaying an incorrect number on a caller ID display to hide the caller's identity
Caller ID spoofing
40
Creating Internet protocol (IP) packets with a forged source IP address to conceal the identity of the sender or to impersonate another computer system
IP address spoofing
41
Using the short message service (SMS) to change the name or number a text message appears to come from
SMS spoofing
42
software program flaws that a hacker can exploit to either crash a system or take control of it
Vulnerabilities
43
an attack between the time a new software vulnerability is discovered and the time a software developer releases a patch that fixes the problem
zero-day attack
44
code released by software developers that fixes a particular vulnerability
patch
45
a vulnerability in dynamic web pages that allows an attacker to bypass a browser's security mechanisms and instruct the victim's browser to execute code, thinking it came from a desired website
Cross-site scripting (XSS)
46
Happens when the amount of data entered into a program is greater than the amount of memory (the input buffer) set aside to receive it
buffer overflow attack
47
Malicious code in the form of an SQL query is inserted into input so it can be passed to and executed by an application program
SQL injection attack
48
Places a hacker between a client and a host and intercepts network traffic between them
man-in-the-middle attack
49
Pretending to be an authorized user to access a system
masquerading/impersonation
50
an unauthorized party gains access to some system in connection with an authorized party
piggybacking
51
programming a computer to dial thousands of phone lines searching for dial-up modem lines
War dialing
52
driving around looking for unprotected wireless networks
war driving
53
attacking phone systems to obtain free phone line access; use phone lines to transmit malware; and access, steal, and destroy data
Phreaking
54
Using a small device with storage capacity, such as an iPod or flash drive, to download unauthorized data
Podslurping
55
Stealing tiny slices of money from many different accounts
Salami technique
56
All interest calculations are truncated at two decimal places and the excess decimals put into an account the perpetrator controls
round-down fraud
57
Theft of information, trade secrets, and intellectual property
Economic espionage
58
Using an internet auction site to defraud another person
Internet auction fraud
59
Using the internet to pump up the price of a stock and then selling it
Internet pump-and-dump fraud
60
Investors are defrauded in a variety of cryptocurrency-related fraud schemes
cryptocurrency fraud
61
Manipulating click numbers to inflate advertising bills
Click fraud
62
The unauthorized copying or distribution of copyrighted software
software piracy
63
Techniques or psychological tricks used to get people to comply with the perpetrator's wishes in order to gain physical or logical access to a building, computer, server, or network - usually to get the information needed to access a system and obtain confidential information
Social engineering
64
Assuming someone's identity, usually for economic gain, by illegally obtaining and using confidential information, such as a social security number or a bank account or credit card number
Identity theft
65
Using an invented scenario to increase the likelihood that a victim will divulge information or do something
Pretexting
66
Creating a seemingly legitimate business, collecting personal info while making a sale, and never delivering the product
Posing
67
Sending an electronic message pretending to be a legitimate company, usually a financial institution, and requesting information or verification and often warning of a negative consequence if it is not provided
Phishing
68
Voice phishing, is like phishing except the victim enters confidential data by phone
Vishing
69
Activities performed on stolen credit cards, including making online purchases
Carding
70
Redirecting website traffic to a spoofed website
Pharming
71
Wireless network with the same name as a legitimate wireless access point
Evil twin
72
setting up similarly named websites so that users making typographical errors when entering a website name are sent to an invalid site
Typosquatting/URL hijacking
73
Searching documents and records to gain access to confidential information
Scavenging/dumpster diving
74
Perpetrators look over a person's shoulders in a public place to get information such as ATM PIN numbers or user IDs and passwords
Shoulder surfing
75
The perpetrator inserts a sleeve into an ATM that prevents the ATM from ejecting the card
Lebanese looping
76
Double-swiping a credit card in a legitimate terminal or covertly swiping a credit card in a small, hidden, handheld card reader that records credit card data for later use
Skimming
76
Planting a small chip that records transaction data in a legitimate credit card reader
chipping
77
Any software that is used to do harm
Malware
78
Software secretly monitors and collects personal information about users and sends it to someone else - gathered by logging keystrokes, monitoring websites visited, and scanning documents on the computer's hard drive
Spyware
79
Spyware that can pop banner ads on a monitor, collect information about the user's web-surfing and spending habits, and forward it to the adware creator
Adware
80
Software records computer activity, such as user's keystrokes, e-mails sent and received, websites visited, and chat session participation
Keylogger
81
Set of malicious computer instructions in an unauthorized and otherwise properly functioning program
Trojan horse
82
Processes implemented to provide reasonable assurance
Internal Controls
83
Deter problems before they arise. Examples include hiring qualified personnel, segregating employee duties, and controlling physical access to assets and information
Preventative controls
84
Discover problems that are not prevented. Examples include duplicate checking of calculations and preparing bank reconciliations and monthly trial balances
Detective controls
85
Identify and correct problems as well as correct and recover from the resulting errors. Examples include maintaining backup copies of files, correcting data entry errors, and resubmitting transactions for subsequent processing
Corrective controls
86
Make sure an organization's control environment is stable and well managed. Examples include security; IT infrastructure; and software acquisition, development, and maintenance controls
General controls
87
Prevent, detect, and correct transaction errors and fraud in application programs. They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted to other systems, and reported
Application controls
88
Describes how a company creates value, helps employees understand management's vision, communicates company core values, and inspires employees to live by those values
Belief system
89
Helps employees act ethically by setting boundaries on employee behavior
Boundary system
90
Measures, monitors, and compares actual company progress to budgets and performance goals. Feedback helps management adjust and fine-tune inputs and processes so future outputs more closely match goals
Diagnostic control system
91
Helps managers to focus subordinates' attention to key strategic issues and to be more involved in their decisions.
Interactive control system
92
Passed to prevent companies from bribing foreign officials to obtain business
Foreign Corrupt Practices Act (FCPA)
93
Designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud
Sarbanes-Oxley Act (SOX) of 2002
94
Control the auditing profession. Sets and enforces auditing, quality control, ethics, independence, and other auditing standards - created by SOX - 5 people
Public Company Accounting Oversight Board (PCAOB)
95
After SOX was passed, the SEC mandated that management must:
1. Base its evaluation on a recognized framework 2. Disclose all material internal control weaknesses 3. Conclude that a company does not have effective financial reporting internal controls if there are material weaknesses
96
Consolidates control standards from many different sources into a single framework that allows (1) management to benchmark security and control practices of IT environments, (2) users to be assured that adequate IT security and controls exist, and (3) auditors to substantiate their internal control operations and to advise IT security and control matters
Control Objectives for Information and Related Technology (COBIT) - developed by ISACA
96
A private sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute
Committee of Sponsoring Organizations (COSO)
97
A COSO framework that defines internal controls and provides guidance for evaluating and enhancing internal control systems; widely accepted as the authority on internal controls and incorporated into policies, rules, and regulations used to control business activities.
Internal Control - Integrated Framework (IC)
98
5 Components of COSO
1. Control Environment 2. Risk assessment 3. Control activities 4. Information and communication 5. Monitoring
99
AKA company culture, influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk
Control environment
100
Developed in 2004 by COSO. The process the board of directors and management use to set strategy, identify events that may affect the entity, assess and manage risk, and provide reasonable assurance that the company achieves its objectives and goals.
Enterprise Risk Management (ERM)
101
The amount of risk they are willing to accept to achieve their goals
Risk appetite
102
Outside independent directors responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors, who report all critical accounting policies and practices to them
Audit Committee - Required by SOX
103
Explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties
Policy and procedures manual
104
The susceptibility of a set of accounts or transactions to significant control problems in the absence of internal controls
Inherent Risk
105
The risk that remains after management implements internal controls or some other response to risk
Residual Risk
106
Respond to risk in one of 4 ways:
- Reduce - Accept - Share - Avoid
107
The mathematical product of impact and likelihood
Expected loss Expected loss = impact X likelihood
108
The benefits of an internal control procedure must___ its costs
exceed
109
Policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out
Control activities
110
Approving transactions and decisions
Authorization
111
Preparing source documents; entering data into computer systems; and maintaining journals, ledgers, and files, or databases
Recording
112
Handling cash, tools, inventory, or fixed assets; receiving incoming customer checks; writing checks
Custody
113
Implementing control procedures to clearly divide authority and responsibility within the information system function
Segregation of systems duties
114
Help users to determine their information needs
Systems analysts
115
People who use the analysts' design to create and test computer programs
Programmers
116
People who operate the company's computers. They ensure that data are properly entered, processed correctly, properly stored, and that needed output is produced.
Computer operators
117
People who record transactions, authorize data to be processed, have logical access to company data, and produce system output. Responsible for safekeeping any data they may access or distribute as system output.
Users
118
Make sure all information system components operate smoothly and efficiently
System administrators
119
Ensure that devices are linked to the organization's internal and external networks and that those networks operate properly
Network managers
120
Make sure that systems are secure and protected from internal and external threats
Security management
121
Make sure changes are made smoothly and efficiently and do not negatively affect systems reliability, security, confidentiality, integrity, availability
Change management
122
Ensures that source data have been properly approved, monitors the flow of work through the computer, reconciles input and output, maintains a record of input errors to ensure their correction and resubmission, and distributes systems output
Data control
123
Guides and oversees systems development and acquisition
Steering committee
124
Developed and updated yearly to align an organization's information system with its business strategies. Shows the projects that must be completed, addresses company's hardware, software, personnel, and infrastructure
Strategic master plan
125
Shows the tasks to be performed, who will perform them, project costs, completion dates, and project milestones
Project development plans
126
Significant points when progress is reviewed and actual and estimated completion times are compared
Project milestones
127
Shows when each task should be performed
Data processing schedule
128
Established to evaluate the system. Common measurements include throughput, utilization, and response time
System performance measurement
129
Performed after a development project is completed to determine whether the anticipated benefits were achieved
Post-implementation review
130
Manage a systems development effort involving its own personnel, its client, and other vendors
Systems integrator
131
Independent checks on performance
- Top-level reviews - Analytical reviews - Reconciliation of independently maintained records - Comparison of actual quantities with recorded amounts - Double-entry accounting - Independent reviews
132
In charge of system security, independent of the information system function, and reports to the chief operating officer (COO) or the CEO
Computer security officer
133
An employee responsible for all the compliance tasks associated with SOX and other laws and regulatory rulings
Chief compliance officer
134
Specialize in fraud; a fast-growing group in the accounting profession
Forensic investigators
135
Discover, extract, safeguard, and document computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges
computer forensics specialists
136
(Programs with learning capabilities) can accurately identify fraud
Neural networks
137
A phone number employees can call to anonymously report fraud and abuse
Fraud hotline
138
Employ a combination of preventative, detective, and corrective controls to protect information assets long enough for an organization to detect that an attack is occurring and to take timely steps to thwart the attack before any information is lost or compromised
Time-based model of information security
139
Using multiple layers of controls in order to avoid having a single point of failure
defense-in-depth
140
The process of verifying the identity of the person or device attempting to access the system
Authentication
141
Three types of credentials can be used to verify a person's identity
1) passwords or PINs 2) something a person has, such as smart cards or ID badges 3) behavioral or physical characteristic (biometric identifier) of the person, such as fingerprints or typing patterns
142
The use of two or more types of authentication credentials in conjunction to achieve a greater level of security
Multi-factor authentication
143
The use of multiple authentication credentials of the same type to achieve a greater level of security
multimodal authentication
144
Connects an organization's information system to the internet
border router
145
a special-purpose hardware device or software running on a general-purpose computer, that controls both inbound and outbound communication between the system behind the firewall and other networks
firewall
146
A separate network located outside the organization's internal information system that permits controlled access from the internet to selected resources, such as the organization’s e-commerce web server
Demilitarized zone
147
special-purpose devices designed to read the source and destination address fields in IP packet headers to decide where to send (route) the packet next
Routers
148
A process that uses various fields in a packet's IP and TCP headers to decide what to do with the packet
Packet filtering
149
A process that examines the data in the body of a TCP packet to control traffic, rather than looking only at the information in the IP and TCP headers
Deep packet inspection
150
software or hardware that monitors patterns in the traffic flow to identify and automatically block attacks
Intrusion prevention systems (IPS)
151
Used to identify unused and, therefore, unnecessary programs that represent potential security threats
Vulnerability scanners
152
A program designed to take advantage of a known vulnerability
Exploit
153
Is the process for regularly applying patches and updates to all software used by the organization
Patch management
154
The process of modifying the default configuration of endpoints to eliminate unnecessary settings and services
Hardening
155
The process of examining logs to identify evidence of possible attacks
Log analysis
156
Systems that create logs of all network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions
Intrusion detection systems
157
A system that looks like a legitimate part of the organization's internal network but is just a decoy system
honeypot
158
A team responsible for dealing with major security incidents
Computer incident response team (CIRT)
159
CIRT incident response team 4 steps:
1. Recognition 2. Containment 3. Recovery 4. Follow-up
160
An authorized attempt by either an internal audit team or an external security consulting firm to break into the organization's information system
Penetration Testing
161
Software that provides an additional layer of protection to sensitive information stored in digital format, offering the capability not only to limit access to specific files or documents but also to specify the actions that individuals granted access to that resource can perform
Information rights management
162
software that works like antivirus programs in reverse, blocking outgoing messages that contain key words or phrases associated with the intellectual property or other sensitive data the organization wants to protect
Data loss prevention (DLP)
163
A detective control that enables an organization to identify confidential information that has been disclosed
Digital watermark
164
Protecting privacy by replacing sensitive personal information with fake data
Data masking aka tokenization
165
One of the strictest and most far-reaching privacy regulations is the
European Union's General Data Privacy Regulations (GDPR)
166
The process of transforming normal content, called plaintext, into unreadable gibberish, called cipher-text
Encryption
167
Transforming cipher-text back into plaintext
Decryption
168
Uses the same key both to encrypt and decrypt. Ex. AES
Symmetric encryption system
169
Uses two keys that are created as a matched pair
Asymmetric encryption systems
170
key that is widely distributed and made available to everyone - asymmetric encryption
Public key
171
Key that is kept secret and known only to the owner of that pair of keys
Private key
172
The process of storing a copy of an encryption key in a secure location
Key escrow
173
Using encryption and authentication to securely transfer information over the internet, thereby creating a "virtual" private network
Private network
173
The process that takes plaintext of any length and creates a short code called a message digest, popularly referred to as a hash
Hashing
174
Creating legally binding agreements that cannot be unilaterally repudiated by either party
nonrepudiation
175
Protecting Confidentiality and Privacy
1) identify and classify the information to be protected 2) encrypt the information 3) control access to the information 4) train employees to properly handle the information
176
Factors that influence encryption strength
1) Key length 2) encryption algorithm 3) policies for managing the cryptographic keys
177
Longer keys provide ___ encryption
stronger
178
Process of creating a digital signature
step 1: the document creator uses a hashing algorithm to generate a hash of the original document step 2: The document creator uses his/her private key to encrypt the hash created in step 1 Result: The encrypted hash is a legally-binding digital signature
179
An electronic document that contains an entity’s public key and certifies the identity of the owner of that particular key
digital certificate
180
An organization that issues public and private keys and records the public key in a digital certificate
Certificate authority
181
The system for issuing pairs of public and private keys and corresponding digital certificates is called a
public key infrastructure (PKI)
182
A distributed ledger of hashed documents with copies stored on multiple computers
blockchain
183
A random number; used in the process of mining to validate a new block in a blockchain
nonce
184
determines whether the characters in a field are of the proper type. Ex. only numeric or alphabetic numbers
field check
185
Determines whether the data in a field have the appropriate arithmetic sign. Ex. the quantity ordered field should never be negative
Sign check
186
Tests a numerical amount against a fixed value. Ex. the regular hours worked field in weekly payroll input must be less than or equal to 40 hours
Limit check
187
Ensures that the input data will fit into the assigned field. For example, 9 digits must be in a social security number
Size check
188
Verifies that all required data items have been entered. Ex. inputting all customer data before shipping
Completeness check
189
Compares the ID code or account number in transaction data with similar data in the master file to verify that the account exists. Ex. product number 65432 entered on sales order must match product 65432 in inventory database
Validity check
190
Determines the correctness of the logical relationship between two data items
Reasonableness check
191
ID codes can contain a ____ that is computed from the other digits. The purpose is to verify that the information on the barcode has been entered correctly.
check digit
192
recalculating the check digit to identify data entry errors
Check digit verification
193
Tests whether a transaction file is in the proper numerical or alphabetical sequence
Sequence check
194
Calculate numeric values for a batch of input records. Used to ensure that all records in a batch are processed correctly
Batch totals
195
sums a field that contains monetary values, such as the total dollar amount of all sales for a batch of sales transactions
Financial totals
196
Sums a non-financial numeric field, such as the total of the quantity-ordered field in a batch of sales transactions. No inherent meaning
Hash total
197
Number of records in a batch
Record count
198
The system requests each input data item and waits for an acceptable response, ensures that all necessary data are entered
Prompting
199
Checks the accuracy of input data by using it to retrieve and display other related information. Ex. if a clerk enters an account number, the system could retrieve and display the account name so that the clerk could verify that the correct account number has been entered
Closed-loop verification
200
Two or more items of data must be matched before an action can take place
Data matching
201
Located at the beginning of each file and contains the file name, expiration date, and other identification data
Header record
202
Located at the end of the file; in transaction files it contains the batch totals calculated during input
trailer record
203
two adjacent digits were inadvertently reversed. Ex 46 instead of 64
Transportation error
204
A processing control that verifies accuracy by comparing two alternative ways of calculating the same total
cross-footing balance total
205
A processing control that verifies that the balance of a control equals zero after all entries to it have been made
zero-balance test
206
Protect against overwriting or erasing of data files stored on magnetic media
write-protection mechanisms
207
Prevent errors by locking out one user when two or more users attempt to update the same record simultaneously
Concurrent update controls
208
A data transmission control that uses a hash of a file to verify accuracy
checksum
209
an extra digit added to the beginning of every character that can be used to check transmission accuracy
Parity bit
210
The capability of a system to continue performing when there is a hardware malfunction
Fault tolerance
211
A fault tolerance technique that records data on multiple disk drives instead of just one to reduce the risk of data loss
Redundant arrays of independent drives RAID
212
Provides protection in the event of a prolonged power outage, using battery power to enable the system to operate long enough to back up critical data and safely shut down
Uninterruptible power supply (UPS)
213
The maximum amount of data that the organization is willing to have to reenter or potentially lose
Recovery point objective (RPO)
214
The maximum tolerable time to restore an information system after a disaster
Recovery time objective (RTO)
215
Exact copy of the entire backup
full backup
216
Copying only the data items that have changed since the last partial backup
Incremental backup
217
Copies all changes made since the last full backup. Each new backup file contains the cumulative effects of all activity since the last full backup
Differential backup
218
Uses hashing to identify and back up only those portions of a file or database that have been updated since the last backup
Deduplication
218
A copy of a database, master file, or software retained indefinitely as a historical record, usually to satisfy legal and regulatory requirements
Archive
219
Outlines the procedures to restore an organization's IT function in the event that its data center is destroyed
Disaster recovery plan (DRP)
220
A disaster recovery option that relies on access to an alternative facility prewired for necessary telephone and internet access, but does not contain any computing equipment
Cold site
221
a facility not only prewired for telephone and internet access but also contains all the computing and office equipment the organization needs to perform its essential business activities
hot site
222
Maintaining two copies of the database at two separate data centers at all times and updating both databases in real time as each transaction occurs
real-time mirroring