IS 414 CH. 7 Flashcards
(32 cards)
Threat/event
Any potential adverse occurrence
Exposure/impact
the potential dollar loss from a threat
Likelihood
the probability that a threat will come to pass
Internal controls
the processes and procedures implemented to provide reasonable assurance that control objectives are met
Control Concepts/Objectives
SMPPPEC
+ Safeguard assets - prevent or detect their unauthorized acquisition, use, or disposition
+ Maintain records in sufficient detail to report company assets accurately and fairly
+ Provide accurate and reliable information
+ Prepare financial reports in accordance with established criteria
+ Promote and improve operational efficiency
+ Encourage adherence to prescribed managerial policies
+ Comply with applicable laws and regulations
Preventive controls
controls that deter problems before they arise
EX: hiring qualified personnel, segregating duties, and controlling physical access to assets and info
Detective controls
controls designed to discover control problems that were not prevented
EX: duplicate checking of calculations, preparing bank reconciliations, and monthly trial balances
Corrective controls
Controls that identify and correct problems as well as correct and recover from the resulting errors
EX: maintaining backup copies of files, correcting data entry errors, and resubmitting transactions for subsequent processing
general controls
Controls designed to make sure an organization’s information system and control environment are stable and well managed
examples include: security, software acquisition, development, IT infrastructure
application controls
controls that prevent, detect, and correct transaction errors and fraud in application programs
concerned with validity, accuracy, completeness, and authorization
Internal controls perform 3 functions and are segregated into 2 categories
preventive, detective, corrective
general, application
new rules for auditors
- auditors must report specific info to the company’s audit committee (crucial accounting practices/policies)
- prohibited from certain nonaudit services such as designing and implementing IS
- audit firms cannot perform services for a company where a member of top management was employed by the firm and worked on the company’s audit within the last 12 months
new rules for audit committee
- part of the board of directors
- independent from company
- 1 person has to be a financial expert
- hire, compensate, oversee auditors who report directly to them
new rules for management
- CEO and CFO must certify that
(1) financial statements and disclosures are
(a) fairly presented
(b) reviewed by management
(c) not misleading
(2) tell auditors about internal control weaknesses and fraud - disclose changes in financial conditions on timely basis
- can be fined if rules violated
new rules for internal controls
a report must be given with the financial statements that states
(1) management is responsible for establishing and maintaining adequate internal control system
(2) attest to their accuracy
(3) report significant weaknesses or material noncompliance
COBIT Framework (MCASE)
COBIT - Control Objectives for Information and Related Technology
- Meeting stakeholder needs
- Covering the enterprise end to end
- Applying a single, integrated framework
- Separating governance from management
- Enabling a holistic approach
GOVERNANCE vs. Management
Governance: create value by optimizing use of organizational resources to produce desired benefits in a manner that effectively addresses risk
Responsibility of the board of directors:
(1) evaluate stakeholders’ needs to justify objectives
(2) provide management with direction by prioritizing objectives
(3) monitor management’s performance
Governance vs. MANAGEMENT
responsible for planning, building, running, and monitoring the activities and processes used by the organization to pursue the objectives established by the board of directors
periodically provide the board of directors with feedback to modify existing plans and procedures or develop new strategies to respond to changes in business objectives and new developments in IT
Figure 7-2 Governance (EDM -> FmBROS)
Evaluate, Direct, Monitor
- Ensure governance framework setting and maintenance
- Ensure benefits delivery
- Ensure risk optimization
- Ensure resource optimization
- Ensure stakeholder transparency
Figure 7-2 Governance (APO -> FSAI, PBHR, ASQRS)
Align, Plan, and Organize
- Manage IT management framework
- Manage strategy
- Manage enterprise architecture
- Manage innovation
- Manage portfolio
- Manage budget/costs
- Manage human resources
- Manage relationships
- Manage service agreements
- Manage suppliers
- Manage quality
- Manage risk
- Manage security
Figure 7-2 Governance (BAI -> PRICE, CAtKAC)
Build, Acquire, Implement
- Manage programs/projects
- Manage requirement definitions
- Manage solution identification and build
- Manage availability and capacity
- Manage organizational change enablement
- Manage changes
- Manage change acceptance and transitioning
- Manage knowledge
- Manage assets
- Manage configuration
Figure 7-2 Governance (DSS -> OSiP, CSB)
Design, Service, Support
- Manage operations
- Manage service requests and incidents
- Manage problems
- Manage continuity
- Manage security service
- Manage business processes and controls
Figure 7-2 Governance (MEA -> PC, SIC, CER)
Monitor, evaluate, assess
- Monitor, evaluate, assess performance and conformance
- Monitor, evaluate, assess systems of internal control
- Monitor, evaluate, assess compliance with external requirements
COSO - IC
Committee of Sponsoring Organizations - Internal Control