-
What regulations require organizations to protect the privacy of customer information?
- Health Insurance Portability and Accountability Act (HIPAA)
- Financial Services Modernization Act (aka, Gramm-Leach-Bliley Act)
-
A reliable system produces information that is:
- Accurate
- Timely
- Reflects the results of only authorized transactions
-
Source Data Controls that regulate integrity of input are:
- Forms design
- Pre-numbered forms sequence test
- Turnaround documents
- Cancellation and storage of documents
- Segregation of duties
- Visual scanning
- Check digit verification
- RFID security
-
Data Entry Controls to validate input are:
- Field check
- Sign check
- Limit check
- Range check
- Size check
- Completeness check
- Validity check
- Reasonableness test
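Added example (not part of the original notes): check digit verification from the source data controls above and the data entry edit checks in this list, run against constructed time-card records. The field names, the department master list and the numeric limits are assumptions chosen for illustration.

```python
"""Added example (not part of the original notes): check digit verification
(a source data control) and the data entry edit checks listed above, run over
constructed time-card records.  Field names, the department master list and
the numeric limits are assumptions chosen for illustration."""

VALID_DEPARTMENTS = {"SALES", "OPS", "HR"}   # assumed master list for the validity check
MAX_HOURS_PER_WEEK = 80                      # assumed single upper bound for the limit check
PAY_RATE_RANGE = (7.25, 150.00)              # assumed lower and upper bound for the range check
EMPLOYEE_ID_SIZE = 8                         # assumed fixed field width for the size check


def luhn_check_digit_ok(number: str) -> bool:
    """Check digit verification with the mod-10 (Luhn) scheme: the last digit is
    computed from the others, so a single mis-keyed digit or an adjacent
    transposition changes the weighted sum and the ID is rejected.  Caveat: the
    scheme cannot detect the transposition 09 <-> 90 or two offsetting errors."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit, counting from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_timecard(rec: dict) -> list:
    """Apply the edit checks to one record.  Returns the list of failures; an
    empty list means the record passed every check."""
    errors = []

    # Completeness check: all required fields present and non-blank.
    for name in ("employee_id", "department", "hours", "pay_rate"):
        if rec.get(name) in (None, ""):
            errors.append(f"completeness: {name} missing")
    if errors:
        return errors            # the remaining checks need every field

    emp = str(rec["employee_id"])
    if len(emp) != EMPLOYEE_ID_SIZE:
        # Size check: the data must fit the field exactly.
        errors.append(f"size: employee_id must be {EMPLOYEE_ID_SIZE} characters")
    elif not emp.isdigit():
        # Field check: characters of the proper type (digits only here).
        errors.append("field: employee_id must be numeric")
    elif not luhn_check_digit_ok(emp):
        errors.append("check digit: employee_id fails mod-10 verification")

    hours = rec["hours"]
    if not isinstance(hours, (int, float)):
        errors.append("field: hours must be numeric")
    else:
        if hours < 0:
            # Sign check: hours worked can never be negative.
            errors.append("sign: hours cannot be negative")
        if hours > MAX_HOURS_PER_WEEK:
            # Limit check: one fixed upper bound.
            errors.append(f"limit: hours exceed {MAX_HOURS_PER_WEEK}")

    rate = rec["pay_rate"]
    if not isinstance(rate, (int, float)) or not (PAY_RATE_RANGE[0] <= rate <= PAY_RATE_RANGE[1]):
        # Range check: both a lower and an upper bound.
        errors.append(f"range: pay_rate outside {PAY_RATE_RANGE}")

    if rec["department"] not in VALID_DEPARTMENTS:
        # Validity check: the code must exist in the master data.
        errors.append("validity: unknown department code")

    # Reasonableness test: logical relationship between two fields; overtime
    # cannot be claimed by someone who did not work a full 40-hour week.
    if isinstance(hours, (int, float)) and rec.get("overtime_hours", 0) > 0 and hours < 40:
        errors.append("reasonableness: overtime claimed with fewer than 40 regular hours")

    return errors


if __name__ == "__main__":
    # Constructed records: one clean, one with a transposed ID and several bad fields.
    good = {"employee_id": "12345674", "department": "SALES", "hours": 40, "pay_rate": 25.0}
    bad = {"employee_id": "12345764", "department": "MKT", "hours": -3,
           "pay_rate": 500.0, "overtime_hours": 5}
    for rec in (good, bad):
        print(rec["employee_id"], validate_timecard(rec) or "accepted")
```

The checks are ordered so that a record missing a field is returned early; the others accumulate so the data entry clerk sees every problem at once rather than one per resubmission.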
-
When using batch processing, the following data entry controls should be used:
- Sequence check
- Error log
- Batch totals
-
Examples of online data entry controls:
- Automatic entry of data
- Prompting
- Pre-formatting
- Closed-loop verification
- Transaction logs
- Error messages
-
Processing controls to ensure data is processed correctly include:
- Data matching
- File labels
- Recalculation of batch totals
- Cross-footing balance test
- Write-protection mechanisms
- Database processing integrity procedures
- Data conversion controls
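Added example (not part of the original notes) covering the batch data entry controls (sequence check, error log, batch totals) and the processing controls above that re-check them (recalculation of batch totals, cross-footing balance test). The record layout, account numbers, amounts and the report structure are constructed for illustration.

```python
"""Added example (not part of the original notes): batch input controls
(sequence check, batch totals, error log) together with the processing
controls that re-check them (recalculation of batch totals, cross-footing
balance test).  The record layout, account numbers and amounts are
constructed for illustration."""

from dataclasses import dataclass
from typing import List


@dataclass
class Txn:
    doc_no: int      # pre-numbered source document
    account: int     # account number: no arithmetic meaning, used for the hash total
    amount: float


@dataclass
class BatchHeader:
    record_count: int        # how many documents the source department counted
    financial_total: float   # sum of the amount field
    hash_total: int          # sum of the account numbers


def compute_totals(batch: List[Txn]) -> BatchHeader:
    """The three batch totals, computed the same way by the sender and the processor."""
    return BatchHeader(
        record_count=len(batch),
        financial_total=round(sum(t.amount for t in batch), 2),
        hash_total=sum(t.account for t in batch),
    )


def sequence_check(batch: List[Txn], error_log: list) -> bool:
    """Pre-numbered documents must arrive in ascending order with no gaps.
    Duplicates, out-of-order and missing numbers go to the error log instead of
    being silently dropped."""
    ok = True
    for prev, cur in zip(batch, batch[1:]):
        if cur.doc_no == prev.doc_no:
            error_log.append(f"duplicate document {cur.doc_no}")
        elif cur.doc_no < prev.doc_no:
            error_log.append(f"document {cur.doc_no} out of sequence after {prev.doc_no}")
        elif cur.doc_no != prev.doc_no + 1:
            error_log.append(f"gap: documents {prev.doc_no + 1}..{cur.doc_no - 1} missing")
        else:
            continue
        ok = False
    return ok


def recalculate_batch_totals(batch: List[Txn], header: BatchHeader, error_log: list) -> bool:
    """Processing control: recompute the totals after processing and compare
    with the header.  The financial total catches a dropped or altered amount;
    the hash total catches a record posted to the wrong account even when the
    amounts still add up."""
    actual = compute_totals(batch)
    ok = True
    for name in ("record_count", "financial_total", "hash_total"):
        if getattr(actual, name) != getattr(header, name):
            error_log.append(f"{name} mismatch: header {getattr(header, name)}, actual {getattr(actual, name)}")
            ok = False
    return ok


def process_batch(batch: List[Txn], header: BatchHeader):
    """Run both controls on a batch; returns (accepted, error_log)."""
    error_log = []
    ok = sequence_check(batch, error_log)
    ok = recalculate_batch_totals(batch, header, error_log) and ok
    return ok, error_log


def cross_foot(report: dict, error_log: list) -> bool:
    """Cross-footing balance test on a report: every row must foot to its stated
    row total, every column to its stated column total, and the sum of row totals
    must equal the sum of column totals and the stated grand total."""
    ok = True
    rows = report["rows"]
    for i, row in enumerate(rows):
        if round(sum(row["cells"]), 2) != round(row["total"], 2):
            error_log.append(f"row {i} does not foot")
            ok = False
    for j, stated in enumerate(report["column_totals"]):
        if round(sum(r["cells"][j] for r in rows), 2) != round(stated, 2):
            error_log.append(f"column {j} does not foot")
            ok = False
    down = round(sum(r["total"] for r in rows), 2)
    across = round(sum(report["column_totals"]), 2)
    if not (down == across == round(report["grand_total"], 2)):
        error_log.append(f"grand total does not cross-foot: down {down}, across {across}")
        ok = False
    return ok


if __name__ == "__main__":
    batch = [Txn(1001, 4100, 100.00), Txn(1002, 4200, 250.50),
             Txn(1003, 4100, 75.25), Txn(1004, 5000, 10.00)]
    header = compute_totals(batch)
    # Same amounts, one record moved to another account: only the hash total notices.
    tampered = [Txn(1001, 4100, 100.00), Txn(1002, 4300, 250.50),
                Txn(1003, 4100, 75.25), Txn(1004, 5000, 10.00)]
    print(process_batch(batch, header))
    print(process_batch(tampered, header))
```

The hash total is the control a financial total cannot replace: a transaction re-pointed to a different account leaves the dollar sum intact, and only the meaningless sum of account numbers moves.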
-
Data transmission controls
controls to minimize the risk of data transmission errors
-
two basic types of data transmission controls
- Parity checking
- Message acknowledgment techniques
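Added example (not part of the original notes): both transmission controls simulated in memory, with an even parity bit per byte and an ACK/NAK acknowledgment loop that retransmits a frame whose parity fails. The framing, the channel models and the injected error are constructed for illustration; the two-bit case shows the limit of parity.

```python
"""Added example (not part of the original notes): the two transmission
controls named above, simulated in memory.  Even parity puts one extra bit on
each byte so an odd number of flipped bits is detected; a message
acknowledgment scheme (ACK/NAK with sequence numbers) lets the receiver ask
for a retransmission when parity fails.  Framing, the channel models and the
error injection are constructed for illustration."""


def add_parity(data: bytes) -> list:
    """Even parity: each unit is (byte, parity_bit) with an even total of 1-bits."""
    return [(b, bin(b).count("1") % 2) for b in data]


def parity_ok(unit) -> bool:
    b, p = unit
    return (bin(b).count("1") + p) % 2 == 0


def flip_bits(unit, *positions):
    """Inject a line error: flip the given bit positions (0..7) of the data byte."""
    b, p = unit
    for pos in positions:
        b ^= 1 << pos
    return (b, p)


def undetected_two_bit_error() -> bool:
    """Caveat: parity sees only odd numbers of flips.  Two flipped bits in one
    byte leave the parity even, so this returns True (the error passes unnoticed)."""
    return parity_ok(flip_bits(add_parity(b"A")[0], 0, 1))


class Receiver:
    def __init__(self):
        self.expected_seq = 0
        self.received = bytearray()
        self.log = []

    def accept(self, seq: int, units: list):
        """Return ("ACK", seq) or ("NAK", seq).  A frame already accepted (the
        sender missed our ACK) is re-acknowledged; a bad or out-of-order frame is NAKed."""
        if seq < self.expected_seq:
            return ("ACK", seq)
        if seq > self.expected_seq or not all(parity_ok(u) for u in units):
            self.log.append(f"seq {seq}: parity error or out of order, NAK")
            return ("NAK", seq)
        self.received.extend(b for b, _ in units)
        self.expected_seq += 1
        return ("ACK", seq)


def transmit(message: bytes, frame_size: int, channel, max_retries: int = 3):
    """Sender side: frame the message, add parity, send, wait for ACK, resend
    on NAK.  `channel(seq, attempt, units)` models the line and returns what the
    receiver sees.  Returns (delivered_bytes, retransmissions, receiver_log)."""
    rx = Receiver()
    frames = [message[i:i + frame_size] for i in range(0, len(message), frame_size)]
    retransmissions = 0
    for seq, chunk in enumerate(frames):
        units = add_parity(chunk)
        for attempt in range(max_retries + 1):
            reply, _ = rx.accept(seq, channel(seq, attempt, units))
            if reply == "ACK":
                break
            retransmissions += 1
        else:
            raise RuntimeError(f"frame {seq} not delivered after {max_retries} retries")
    return bytes(rx.received), retransmissions, rx.log


def clean_channel(seq, attempt, units):
    return units


def noisy_channel(seq, attempt, units):
    """Constructed fault: the first attempt of frame 1 arrives with bit 3 of its
    first byte flipped; the retransmission is clean."""
    if seq == 1 and attempt == 0:
        return [flip_bits(units[0], 3)] + units[1:]
    return units


if __name__ == "__main__":
    print(transmit(b"hello world", 4, noisy_channel))
    print("two-bit error detected:", not undetected_two_bit_error())
```

Parity only reports that a byte is damaged; the acknowledgment loop is what turns detection into correction, and the sequence number is what keeps a retransmitted frame from being posted twice.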
-
Output controls
- User review of output
- Reconciliation procedures
- External data reconciliation
-
Threats to availability
- Hardware and software failures
- Natural and man-made disasters
- Human error
- Worms and viruses
- Denial-of-service attacks and other sabotage
-
effective disaster recovery and business continuity plans include:
- Data backup procedures
- Provisions for access to replacement infrastructure (equipment, facilities, phone lines, etc)
- Thorough documentation
- Periodic testing
- Adequate insurance
-
What is the purpose of audit planning?
Determine why, how, when, and by whom the audit will be performed
-
The purpose of an information system audit is:
to review and evaluate the internal controls that protect the system.
-
Types of security errors and fraud faced by companies:
- Accidental or intentional damage to system assets
- Unauthorized access, disclosure, or modification of data and programs
- Theft
- Interruption of crucial business activities
-
Auditors test security controls by:
- Observing procedures
- Verifying that controls are in place and work as intended
- Investigating errors or problems to ensure they were handled correctly
- Examining any tests previously performed
-
Two things can go wrong in program development:
- Inadvertent errors due to careless programming or misunderstanding specifications
- Deliberate insertion of unauthorized instructions into the programs
-
What is an auditor's role in system development?
- Should not be involved in system development
- Should gain an understanding of development procedures by discussing them with management, users, and IS personnel
- Should review policies, procedures
-
To test system development controls, auditors should:
- Interview managers and system users
- Examine development approvals
- Examine test specifications, review test data, and evaluate the results
-
During systems review, auditors should:
- Examine the policies, procedures, and standards for the changes
- Review a complete set of final documentation materials for recent program changes
- Review the procedures used to restrict logical access
-
Techniques to detect unauthorized program changes:
- Reprocessing
- Parallel simulation
-
Processing test data involves:
testing a program by processing a hypothetical series of valid and invalid transactions
-
embedded audit modules
- segments of program code that:
- perform audit functions
- report test results to the auditor
- store collected evidence for auditor review
-
Auditors commonly use five concurrent audit techniques:
- An integrated test facility (ITF) technique
- A snapshot technique
- A system control audit review file (SCARF)
- Audit hooks
- Continuous and intermittent simulation (CIS)
-
ITF technique
Places a small set of fictitious records in the master files
-
Snapshot technique
examines the way transactions are processed
-
System control audit review file (SCARF)
uses embedded audit modules to continuously monitor transaction activity and collect data on transactions with special audit significance
-
A SCARF file or audit log includes transactions that:
- Exceed a certain dollar amount
- Involve inactive accounts
- Deviate from company policy
- Contain write-downs of asset values
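Added example (not part of the original notes): an embedded audit module of the SCARF kind, hooked into a posting loop. It applies the four selection criteria above to every transaction, never blocks processing, and appends the matches with their reasons to a SCARF file for the auditor. The thresholds, account names, inactivity rule and sample transactions are constructed assumptions.

```python
"""Added example (not part of the original notes): an embedded audit module
of the SCARF kind, hooked into a posting loop.  It applies the four selection
criteria listed above to every transaction, never blocks processing, and
appends the matches with their reasons to a SCARF file for later auditor
review.  The thresholds, account names, inactivity rule and sample
transactions are constructed assumptions."""

import json
from datetime import date

DOLLAR_THRESHOLD = 10_000.00            # assumed: transactions above this are always captured
INACTIVE_AFTER_DAYS = 365               # assumed: no posting for a year makes an account inactive
APPROVAL_REQUIRED_ABOVE = 5_000.00      # assumed company policy: approval code needed above this
ASSET_ACCOUNTS = {"1500-INVENTORY", "1600-PPE"}   # assumed accounts where a credit is a write-down


class ScarfModule:
    def __init__(self, last_activity: dict, today: date):
        self.last_activity = last_activity   # account -> date of last posting (master data)
        self.today = today
        self.scarf_file = []                 # evidence collected for the auditor

    def criteria(self, txn: dict) -> list:
        """Return the reasons a transaction has special audit significance."""
        reasons = []
        if abs(txn["amount"]) > DOLLAR_THRESHOLD:
            reasons.append("exceeds dollar threshold")
        last = self.last_activity.get(txn["account"])
        if last is not None and (self.today - last).days > INACTIVE_AFTER_DAYS:
            reasons.append("posts to inactive account")
        if txn["amount"] > APPROVAL_REQUIRED_ABOVE and not txn.get("approval_code"):
            reasons.append("deviates from policy: no approval code")
        if txn["account"] in ASSET_ACCOUNTS and txn["amount"] < 0:
            reasons.append("write-down of asset value")
        return reasons

    def audit_hook(self, txn: dict) -> list:
        """Called for every transaction.  Records, does not reject: the auditor
        decides later and the application keeps processing."""
        reasons = self.criteria(txn)
        if reasons:
            self.scarf_file.append({"txn": txn, "reasons": reasons,
                                    "captured": self.today.isoformat()})
        return reasons

    def scarf_lines(self) -> list:
        """The SCARF file as JSON lines, one per captured transaction."""
        return [json.dumps(entry, default=str) for entry in self.scarf_file]


def process(transactions: list, module: ScarfModule) -> int:
    """Stand-in for the application's posting loop with the module embedded."""
    posted = 0
    for txn in transactions:
        module.audit_hook(txn)               # inspect before the master file changes
        module.last_activity[txn["account"]] = module.today   # the posting itself
        posted += 1
    return posted


def sample_run() -> ScarfModule:
    """Constructed master data and transactions exercising each criterion once."""
    today = date(2024, 3, 1)
    last_activity = {"2000-AP": date(2024, 2, 20),
                     "1100-AR-OLD": date(2022, 1, 5),
                     "1500-INVENTORY": date(2024, 2, 28)}
    module = ScarfModule(last_activity, today)
    transactions = [
        {"id": 1, "account": "2000-AP", "amount": 1200.00},
        {"id": 2, "account": "2000-AP", "amount": 12500.00, "approval_code": "A17"},
        {"id": 3, "account": "1100-AR-OLD", "amount": 300.00},
        {"id": 4, "account": "2000-AP", "amount": 6000.00},
        {"id": 5, "account": "1500-INVENTORY", "amount": -2500.00},
    ]
    process(transactions, module)
    return module


if __name__ == "__main__":
    for line in sample_run().scarf_lines():
        print(line)
```

The hook runs before the master file is updated so the inactivity test sees the account's prior state; transaction 3 would look active if the check ran after its own posting.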
-
Audit hooks
audit routines that flag suspicious transactions
-
Continuous and Intermittent Simulation (CIS)
embeds an audit module in a database management system