Flashcards in IT Auditing Deck (23):
What does a program taking longer than usual to load or execute indicates? What's the remedy? What can cause the problem to be worse?
It is a symptom of a virus.
Best remedy is stop and run the antivirus program to identify and eliminate or quarantine the virus.
(Think: Stop, Drop what you are doing, and Roll the Antivirus program)
Testing the system by running a different application program; rebooting the system; and even backing up hard disk files to floppies can cause the virus to spread.
Risk analysis in IT (disaster management)
Process to determine what the organization defines as a disaster and evaluates the effects of that potential disaster. High-level analysis.
Foundation for contingency planning strategies (the how-to-handle plans)
In disaster management, what do system back up analysis, vendor supply agreement analysis, and contingent facility contract analysis represent?
They represent contingency planning strategies to react to a disaster. They are the result of Risk Analysis.
Batch Processing from accounting standpoint
Updating master files periodically to capture all transactions that occurred during a period of time.
Transactions are grouped in batches and processed as a batch.
Input control that works as an edit test by determining whether a batch of input data is following the proper numerical or alphabetical sequence
Input control that works as an edit test by comparing identification numbers or transactions codes to a table of valid identification numbers or codes maintained in the system
EX - In CostPoint, we had to enter G/L account code that mataches one of the account codes in the systems or the J/E did not go through
Input control that works as an edit test where the computer checks to see if all the data needed for a specific transaction has been entered by the user.
If there is still information missing, e.g. no matching debit or credit amount or description, the system will prompt the user to re-check and enter the info needed to complete the entry.
Input control that works as an edit test to ensure that a numerical amount of a record does not go over the predetermined amount (limit)
Advantages and Disadvantages of Encryption
Advantage - more secured even though it is not absolute secrecy
Disadvantage - slows down the system; increases the system's overhead
Remember - there is no such thing as absolute security in encryption. Absolutes only exists in theoretical math.
Batch and hash totals
Input controls to detect errors
hash totals add up to nonsense number to use as a control number, e.g. adding up all the last 4 digits of everyone's SSN
Records recount of each run
Input control that detects errors
Examples of preventative controls
Proper segregation of duties,
and user codes
Examples of recovery methods
Back up copies of activity and master files
What does a compiler do?
Translates program code (human language) into machine language that the CPU can understand and execute
Distributed data processing network
Network of computers that are connected, but each computer can process its own data.
It is a hybrid of centralization and decentralization.
What is COBIT?
Control Objectives for Information and Related Technology
Developed by Information Systems Audit and Control Association (ISACA)
Framework of generally applicable IT security and control practices
What does COBIT provide more specifically?
1) Help companies find a Balance between risk and controls in their information systems
2) Find practices that give Assurance that security and IT controls are adequate
3) Guidance to Auditors on forming opinion and how to advise management on internal control
How does COBIT framework look at controls? Sum up how COBIT looks at these controls?
Looks at controls in three different ways:
1) Business requirements
2) IT resources
3) IT processes
COBIT's approach is that every control activity in a company's information system satisfies a Business Requirement by using its IT Resources and applying them to an IT Process to meet that business requirement.
Each control activity utilizes IT resources, applies to a process, and satisfies a business requirement.
What are the usual risks with clients who use a LAN and PC's as its information system?
This is an example of End-User Computing.
Typical risks are:
-lack of documentation of the procedures to ensure complete capture of data. End users are notorious for not documenting. They tend to go off on their own.
-poor security controls over sensitive data sitting on the PC's. Remember the LAN does not store the data, all it does is connect the PC's, so they can "talk" to each other.
-Incomplete data communications, meaning the LAN could go off-line without any warning before you have any chance to back up the data
What is End-User Computing (EUC)? What is an example? What's the downside?
The end users create, control, and implement their own information systems. They don't use a mainframe or anything central to backup the data they are using.
An example is using a PC.
The downside is the end users are left to their own devices and they can simply choose to not document any procedures that they developed. They don't bother to think that someone else might have to take over their work. They don't plan ahead.
Also, what the end-users are doing might not be compatible with the organization's overall system. Like using a sales report that is only a Word document and the company-wide system must have the data in Excel format. It can cause a problem.
What is so great about a mainframe?
It can store the data in one central place unlike end-user computing (LAN plus a bunch of PC's).
What is risky about PC's compared to a mainframe?
1) Easy to hack into a PC since it is usually linked to a network. Leaves the network more exposed.
2) Easy to steak a PC (physical access is harder to control)
3) Difficult to segregate duties in a PC and network area because one person could be in charge of both developing and operating the the IT system through a PC
4) End users can do whatever they want and can be lazy with documentation. They are left to their own devices and could come up with their own IT system that isn't compatible with the company-wide's system.