Definition of internal control – the process implemented to provide reasonable assurance that the following control objectives are achieved: safeguard assets; maintain detailed records; provide accurate and reliable information; prepare financial reports in accordance with established criteria; promote operational efficiency; encourage adherence to prescribed managerial policies; comply with applicable laws and regulations.
Preventive controls – deter problems before they arise. Examples: hiring qualified personnel, segregating employee duties, and controlling physical access to assets and information.
General controls – make sure an organization's control environment is stable and well managed. Examples: security; IT infrastructure; software acquisition, development, and maintenance controls.
Application controls – make sure transactions are processed correctly. They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted to other systems, and reported.
SOX – Sarbanes-Oxley Act – applies to publicly held companies and their auditors and was designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud.
PCAOB – Public Company Accounting Oversight Board – SOX created this to control the auditing profession. It sets and enforces auditing, quality control, ethics, independence, and other auditing standards.
Roles of the audit committee – members must be on the company's board of directors and be independent of the company. At least one member of the committee must be a financial expert. The committee hires, compensates, and oversees the external auditors, who report directly to it.
Who is responsible for establishing internal controls? – senior management.
COBIT – Control Objectives for Information and related Technology – a framework that consolidates control standards from 36 different sources into one. It allows management to benchmark security and control practices, users to be assured that adequate IT security and control exist, and auditors to substantiate their internal control opinions. Consists of three vantage points:
Business objectives – information must conform to seven categories of criteria that map into the objectives established by COSO to satisfy business objectives.
IT resources – include people, application systems, technology, facilities, and data.
IT processes – broken into four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring and evaluation.
5 elements of the COSO Integrated Framework (Committee of Sponsoring Organizations) – control environment, control activities, risk assessment, information and communication, and monitoring.
Elements of the ERM model – internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring (eight components; the notes above listed seven and omitted objective setting, which is where the four kinds of objectives below are defined).
Strategic objectives – high-level goals that are aligned with the company's mission, support it, and create shareholder value. They are set first.
Operations objectives – deal with the effectiveness and efficiency of company operations and determine how to allocate resources.
Reporting objectives – help ensure the accuracy, completeness, and reliability of company reports; improve decision making; and monitor company activities and performance.
Compliance objectives – help the company comply with all applicable laws and regulations.
Residual risk – what remains after management implements internal controls or some other response to risk.
ERM risk responses:
Reduce – reduce the likelihood and impact of the risk by implementing an effective system of internal controls.
Accept – accept the likelihood and impact of the risk.
Share – share the risk or transfer it to someone else by buying insurance, outsourcing an activity, or entering into hedging transactions.
Avoid – avoid the risk by not engaging in the activity that produces it. This may require the company to sell a division, exit a product line, or not expand as anticipated.
Chapter 8
Trust Services Framework – organizes IT controls into five principles: security, confidentiality, privacy, processing integrity, and availability.
Availability – the system and its information must be available whenever needed.
Confidentiality – sensitive organizational information is protected from unauthorized disclosure. (The original card here read "Integrity – the info must be produced in a cost-effective manner"; that is not a Trust Services principle, and processing integrity is defined separately below.)
Privacy – personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.
Processing integrity – data are processed accurately, completely, in a timely manner, and only with proper authorization.
Security – access to the system and its data is controlled and restricted to legitimate users.
P > D + C (time-based model of security) – P = the time it takes an attacker to break through the organization's preventive controls; D = the time it takes to detect that an attack is in progress; C = the time it takes to respond to the attack. The controls are effective only while P exceeds D + C, i.e., the attack is detected and contained before the preventive controls are breached; if not, strengthen prevention, speed up detection, or shorten the response.
Preventive controls – physical access controls plus the logical controls that follow.
Hardening – the process of turning off unnecessary features in the system.
Authentication – the process of verifying the identity of the person or device attempting to access the system.
Authorization – restricting access of users to specific portions of the system as well as to specific tasks.
Firewall – a special-purpose hardware device, or software running on a general-purpose computer, that controls which traffic is allowed to pass between networks.
DMZ – demilitarized zone – a separate network that permits controlled access from the internet to selected resources, such as the organization's e-commerce web server.
IPS – intrusion prevention system – monitors patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks.
Log analysis – the process of examining logs to identify evidence of possible attacks.
IDS – intrusion detection system – consists of a set of sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions.
CIRT – computer incident response team – responsible for dealing with major incidents. Includes technical specialists and senior operations management.
Patch management – the process for regularly applying patches and updates to all software used by the organization.
Chapter 9
IP – Internet Protocol – specifies the structure of packets sent over the internet and the route to get them to the proper destination.
SPAM – unsolicited email that contains either advertising or offensive content.
HIPAA – Health Insurance Portability and Accountability Act – regulates the privacy and security of individually identifiable health information. (It does not regulate spam or identity theft; those are covered by separate laws.)
Ciphertext – plaintext that has been transformed by encryption into unreadable form.
3 factors that affect encryption strength – key length, the encryption algorithm, and policies for managing cryptographic keys.
Difference between hashing and encrypting – hashing takes plaintext of any length and transforms it into a short, fixed-length code called a hash; it uses no key and cannot be reversed. Encryption transforms normal content, called plaintext, into unreadable gibberish, called ciphertext; decryption with the proper key reverses it.
Digital signature – a hash of a document that is encrypted using the document creator's private key. Anyone holding the creator's public key can decrypt it, recompute the hash of the document they received, and compare the two: a match shows the document is unaltered and came from the holder of the private key.
Digital certificate – an electronic document, issued by a certificate authority, that contains an entity's public key and certifies the identity of the owner of that public key.
VPN – virtual private network – provides the functionality of a privately owned secure network without the associated costs of leased telephone lines, satellites, and other communication equipment.
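The hashing / encryption / digital-signature distinction above, as an added example that is not part of the original notes. It uses SHA-256 for the hash and a textbook RSA keypair for the public-key operations; the modulus is built from two published Mersenne primes (2^127-1 and 2^521-1) purely so the example runs offline with no third-party library. That construction, the sample invoice, and the function names are assumptions for illustration only: real systems use randomly generated primes and a padding scheme (PSS for signatures, OAEP for encryption), and raw RSA on a bare hash as shown here must never be used for real data.

```python
import hashlib

# ASSUMPTION: toy RSA key from two known Mersenne primes so the example is
# self-contained. Never use this key construction or raw (unpadded) RSA in practice.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q                      # public modulus, about 648 bits (> 256-bit hash)
PHI = (P - 1) * (Q - 1)
E = 65537                      # public exponent
D = pow(E, -1, PHI)            # private exponent (modular inverse; Python 3.8+)

PUBLIC_KEY = (N, E)            # what a digital certificate would carry
PRIVATE_KEY = (N, D)           # kept secret by the document creator


def hash_document(document: bytes) -> bytes:
    """Hashing: input of any length -> fixed 32-byte code. One-way, no key."""
    return hashlib.sha256(document).digest()


def sign(document: bytes, private_key=PRIVATE_KEY) -> int:
    """Digital signature: the document's hash transformed with the private key."""
    n, d = private_key
    h = int.from_bytes(hash_document(document), "big")
    return pow(h, d, n)


def verify(document: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Verifier recovers the signed hash with the public key and compares it
    with a freshly computed hash of the document actually received."""
    n, e = public_key
    recovered = pow(signature, e, n)
    return recovered == int.from_bytes(hash_document(document), "big")


def encrypt(plaintext: bytes, public_key=PUBLIC_KEY) -> int:
    """Encryption: unlike a hash, this is reversible with the matching key."""
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if not 0 < m < n:
        raise ValueError("message must be non-empty and shorter than the modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int, private_key=PRIVATE_KEY) -> bytes:
    """Leading 0x00 bytes of the original message are not preserved (toy limitation)."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    doc = b"Invoice 1042: pay $9,500 to Acme Supply"      # constructed sample
    sig = sign(doc)
    print(len(hash_document(doc)), len(hash_document(b"x" * 100_000)))  # 32 32
    print(verify(doc, sig))                                # True
    print(verify(doc.replace(b"9,500", b"95,000"), sig))   # False: hash changed
    print(decrypt(encrypt(b"wire-transfer key")))          # b'wire-transfer key'
```

Note that the signature is computed over the hash, not the document: that is why a hash must be collision-resistant, and why the receiver must recompute the hash from the bytes they actually received rather than trust one sent alongside.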
Chapter 10
Hot site – a facility that is not only prewired for telephone and internet access but also contains all the computing and office equipment the organization needs to perform its essential business activities.
Cold site – an empty building that is prewired for necessary telephone and internet access, plus a contract with one or more vendors to provide all necessary equipment within a specified period of time.
Chapter 11
Types of internal audits:
Financial audit – examines the reliability and integrity of financial transactions, accounting records, and financial statements.
Information systems audit – reviews the controls of an AIS to assess its compliance with internal control policies and procedures and its effectiveness in safeguarding assets.
Operational audit – concerned with the economical and efficient use of resources and the accomplishment of established goals and objectives.
Compliance audit – determines whether entities are complying with applicable laws, regulations, policies, and procedures.
Investigative audit – examines incidents of possible fraud, misappropriation of assets, waste and abuse, or improper government activities.
During what phase do you consider risk? – evaluation of audit evidence.
Collection of audit evidence:
Observation – of the activities being audited; e.g., watching how data control personnel handle data processing.
Discussions – with employees about their jobs and about how they carry out certain procedures.
Confirmations – of the accuracy of information, such as customer account balances, through communication with a third party.
Re-performance – of calculations to verify quantitative information.
Vouching – for the validity of a transaction by examining supporting documents.
Analytical review – of relationships and trends among information to detect items that should be further investigated.
What is the first step in the risk-based audit approach? – 1. Determine the threats facing the company.
Purpose of an information systems audit – to review and evaluate the internal controls that protect the system.
Inadvertent programming errors and unauthorized instructions can be controlled by? – program development and acquisition controls.
Source code comparison – a program used to compare the current version of a program with the original source code, so that unauthorized changes show up as differences.
Concurrent audit techniques:
Integrated test facility (ITF) – inserts fictitious records that represent a fictitious division, department, customer, or supplier into company master files. Test transactions are processed against them alongside real transactions, and the fictitious records are excluded from real reports.
Snapshot technique – selected transactions are marked with a special code; the system records the marked transactions and their master-file records before and after processing.
SCARF – system control audit review file – uses embedded audit modules to continuously monitor transaction activity and collect data on transactions with special audit significance.
Audit hooks – audit routines that notify auditors of questionable transactions, often as they occur.
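The four concurrent audit techniques above, embedded in a small receivables posting routine, as an added example that is not from the original notes or any real AIS. The ledger, the fictitious "ITF-" customer prefix, the SCARF amount limit, the snapshot tag, the authorized-user list and the sample transactions are all constructed assumptions; the point is to show where each technique sits in the processing path.

```python
from dataclasses import dataclass, field
from typing import Callable

# ASSUMPTIONS for this illustration (none of these come from the notes):
ITF_PREFIX = "ITF-"            # integrated-test-facility entities carry this prefix
SCARF_AMOUNT_LIMIT = 10_000.0  # amounts at/above this are of audit significance
SNAPSHOT_TAG = "AUDIT"         # the special code that marks a snapshot transaction
AUTHORIZED_CREDIT_USERS = {"ar_supervisor"}  # only these may post credit memos


@dataclass
class Transaction:
    txn_id: str
    customer: str
    amount: float      # positive = invoice, negative = credit memo
    user: str
    tag: str = ""      # set to SNAPSHOT_TAG to request before/after images


@dataclass
class AuditState:
    scarf_file: list = field(default_factory=list)   # SCARF: collected transactions
    snapshots: list = field(default_factory=list)    # snapshot: (id, before, after)
    hook_alerts: list = field(default_factory=list)  # audit hooks: real-time notices


class ReceivablesLedger:
    def __init__(self, balances: dict, hook: Callable[[str], None]):
        self.balances = dict(balances)
        self.audit = AuditState()
        self._hook = hook  # audit hook callback, e.g. page or e-mail the auditor

    def post(self, txn: Transaction) -> None:
        before = self.balances.get(txn.customer, 0.0)

        # Audit hook: questionable transactions are reported as they occur,
        # here a credit memo posted by someone not authorized to issue one.
        if txn.amount < 0 and txn.user not in AUTHORIZED_CREDIT_USERS:
            msg = f"{txn.txn_id}: credit memo posted by unauthorized user {txn.user}"
            self.audit.hook_alerts.append(msg)
            self._hook(msg)

        # Normal application processing (the transaction is still posted; the
        # hook notifies, it does not block).
        self.balances[txn.customer] = before + txn.amount
        after = self.balances[txn.customer]

        # SCARF: the embedded audit module copies transactions of special audit
        # significance (large amounts, any credit memo) into the audit file.
        if abs(txn.amount) >= SCARF_AMOUNT_LIMIT or txn.amount < 0:
            self.audit.scarf_file.append(txn)

        # Snapshot technique: transactions marked with the special code are kept
        # together with the master-file balance before and after processing.
        if txn.tag == SNAPSHOT_TAG:
            self.audit.snapshots.append((txn.txn_id, before, after))

    def aging_report(self) -> dict:
        # Integrated test facility: the fictitious customer lives in the master
        # file so test transactions run through real code, but it is filtered
        # out of real outputs so it never reaches the financial statements.
        return {c: b for c, b in self.balances.items() if not c.startswith(ITF_PREFIX)}


# Constructed sample run: one real customer with an opening balance, one ITF customer.
SAMPLE_TRANSACTIONS = [
    Transaction("T1", "C100", 1_200.0, "clerk1"),
    Transaction("T2", "C100", 25_000.0, "clerk1", tag=SNAPSHOT_TAG),
    Transaction("T3", "C100", -800.0, "clerk1"),          # unauthorized credit memo
    Transaction("T4", "ITF-TEST", 25_000.0, "auditor"),   # auditor's test transaction
    Transaction("T5", "C200", 300.0, "clerk2"),
]


def run_demo(hook: Callable[[str], None] = print) -> ReceivablesLedger:
    ledger = ReceivablesLedger({"C100": 2_500.0, "ITF-TEST": 0.0}, hook)
    for txn in SAMPLE_TRANSACTIONS:
        ledger.post(txn)
    return ledger


if __name__ == "__main__":
    ledger = run_demo()
    print("SCARF:", [t.txn_id for t in ledger.audit.scarf_file])
    print("Snapshots:", ledger.audit.snapshots)
    print("Report:", ledger.aging_report())
```

The hook fires before the balance is updated so the auditor sees the transaction as it happens, while SCARF and the snapshot record run after posting, which is why the snapshot captures both the before and after images of the master record.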