ACC444 Ch. 8, 9

  1. What regulations require organizations to protect the privacy of customer information?
    • Health Insurance Portability and Accountability Act (HIPAA)
    • Financial Services Modernization Act (a.k.a. Gramm-Leach-Bliley Act)
  2. A reliable system produces information that is:
    • Accurate
    • Timely
    • Reflects the results of only authorized transactions
  3. Source Data Controls that regulate integrity of input are:
    • Forms design
    • Pre-numbered forms sequence test
    • Turnaround documents
    • Cancellation and storage of documents
    • Segregation of duties
    • Visual scanning
    • Check digit verification
    • RFID security
  4. Data Entry Controls to validate input are:
    • Field check
    • Sign check
    • Limit check
    • Range check
    • Size check
    • Completeness check
    • Validity check
    • Reasonableness test
  5. When using batch processing, the following data entry controls should be used:
    • Sequence check
    • Error log
    • Batch totals
  6. Examples of online data entry controls:
    • Automatic entry of data
    • Prompting
    • Pre-formatting
    • Closed-loop verification
    • Transaction logs
    • Error messages
  7. Processing controls to ensure data is processed correctly include:
    • Data matching
    • File labels
    • Recalculation of batch totals
    • Cross-footing balance test
    • Write-protection mechanisms
    • Database processing integrity procedures
    • Data conversion controls
  8. Data transmission controls
    Controls to minimize the risk of data transmission errors
  9. Two basic types of data transmission controls:
    • Parity checking
    • Message acknowledgment techniques
  10. Output controls
    • User review of output
    • Reconciliation procedures
    • External data reconciliation
  11. Threats to availability
    • Hardware and software failures
    • Natural and man-made disasters
    • Human error
    • Worms and viruses
    • Denial-of-service attacks and other sabotage
  12. Effective disaster recovery and business continuity plans include:
    • Data backup procedures
    • Provisions for access to replacement infrastructure (equipment, facilities, phone lines, etc.)
    • Thorough documentation
    • Periodic testing
    • Adequate insurance
  13. What is the purpose of audit planning?
    Determine why, how, when, and by whom the audit will be performed
  14. The purpose of an information system audit is:
    to review and evaluate the internal controls that protect the system.
  15. Types of security errors and fraud faced by companies:
    • Accidental or intentional damage to system assets
    • Unauthorized access, disclosure, or modification of data and programs
    • Theft
    • Interruption of crucial business activities
  16. Auditors test security controls by:
    • Observing procedures
    • Verifying that controls are in place and work as intended
    • Investigating errors or problems to ensure they were handled correctly
    • Examining any tests previously performed
  17. Two things can go wrong in program development:
    • Inadvertent errors due to careless programming or misunderstanding specifications
    • Deliberate insertion of unauthorized instructions into the programs
  18. What is an auditor's role in system development?
    • Should not be involved in system development
    • Should gain an understanding of development procedures by discussing them with management, users, and IS personnel
    • Should review policies, procedures
  19. To test system development controls, auditors should:
    • Interview managers and system users
    • Examine development approvals
    • Examine test specifications, review test data, and evaluate the results
  20. During systems review, auditors should:
    • Examine the policies, procedures, and standards for the changes
    • Review a complete set of final documentation materials for recent program changes
    • Review the procedures used to restrict logical access
  21. Techniques to detect unauthorized program changes:
    • Reprocessing
    • Parallel simulation
  22. Processing test data involves:
    testing a program by processing a hypothetical series of valid and invalid transactions
  23. Embedded audit modules
    • Segments of program code that:
      • perform audit functions
      • report test results to the auditor
      • store collected evidence for auditor review
  24. Auditors commonly use five concurrent audit techniques:
    • An integrated test facility (ITF) technique
    • A snapshot technique
    • A system control audit review file (SCARF)
    • Audit hooks
    • Continuous and intermittent simulation (CIS)
  25. ITF technique
    Places a small set of fictitious records in the master files
  26. Snapshot technique
    Examines the way transactions are processed
  27. System control audit review file (SCARF)
    Uses embedded audit modules to continuously monitor transaction activity and collect data on transactions with special audit significance
  28. A SCARF file or audit log includes transactions that:
    • Exceed a certain dollar amount
    • Involve inactive accounts
    • Deviate from company policy
    • Contain write-downs of asset values
  29. Audit hooks
    Audit routines that flag suspicious transactions
  30. Continuous and Intermittent Simulation (CIS)
    Embeds an audit module in a database management system