Sample Questions for IM341 Final.docx

Sample Questions for IM341 Final Module 5 What are the basic internal control concepts, and why are computer control and security important? Internal Control Concepts: Preventive Controls- deter problems before they arise Detective Controls- discover problems as soon as they arise Corrective Controls- remedy control problems that have been discovered General Controls- designed to make sure an organization?s control environment is stable and well managed Application Controls- prevent, detect and correct transaction error and fraud Computer control and Security are important because they: Safeguard assets Maintain records in sufficient detail Provide accurate and reliable information Provide reasonable assurance that financial reporting is prepared in accordance with GAAP Promote and improve operational efficiency Encouraging adherence to prescribed managerial policies Complying with applicable laws and regulations Difference between the COBIT, COSO, and ERM control frameworks? COBIT?allows (1) management to benchmark the security and control practices of IT environment,(2) users of IT services to be assured that adequate security and control exist, and(3) auditors to substantiate their opinions on internal control and advise on IT security and control matters COSO- defines internal controls and provides guidance for evaluating and enhancing internal control systems Five crucial components of COSO- 1. Control Environment 2. Control Activities 3. Risk assessment 4. Information and Communication 5. Monitoring Control based approach to organization ERM- expands on the elements of COSO and provides an all encompassing focus on the broader subject of Enterprise Risk Management Risk Based approach to the organization that is orient toward the future and constant change What are the major elements in the internal environment of a company? Management?s philosophy, operating style, and risk appetite The Board of Directors Commitment to integrity, ethical values, and competence Organizational structure Methods of assigning authority and responsibility Human Resource Standards External influences What are 4 types of control objectives that companies need to set? Strategic Objectives- high-level goals that are aligned with and support the company?s mission Operations Objectives- deal with the effectiveness and efficiency of company operations, such as performance and profitability goals and safeguarding assets Reporting objectives- ensure the accuracy, completeness, and reliability of internal and external company reports, of both financial and nonfinancial nature Compliance objectives- help the company comply with all applicable laws and regulations What events affect uncertainty, and how can they be identified? Threat- potential adverse occurrence or unwanted event that could be injurious to either the AIS or the organization Can be identified with any of the internal control frameworks (COSO, ERM, COBIT) How is Enterprise Risk Management model used to assess and respond to risk? Provide reasonable assurance that company objectives and goals are achieved and problems are surprises are minimized Achieve its financial and performance targets Assess risks continuously and identify the steps to take and the resources to allocate to overcome and mitigate risk Avoid adverse publicity and damage to the entity?s reputation What control activities are commonly used in companies? Control Activities- policies, procedures and rules that provide reasonable assurance that management?s control objectives are met and the risk responses are carries out Proper authorization of transactions and activities Segregation of duties Project development and acquisition controls Change management controls Design and use of documents and records Safeguarding assets, records and data Independent checks on performance How do organizations communicate information and monitor control processes? ERM model using AIS- to gather, record, process, store, summarize, and communicate information about an organization Identifies and records all valid transactions Properly classify transactions Record transactions at their proper monetary value Record transactions in the proper accounting period Properly present transactions and related disclosures in the financial statements Monitoring- done with a series of ongoing events or by separate evaluation Perform ERM evaluations Implement Effective Supervision Use Responsibility accounting Monitor system activities Track purchased software and mobile devices Conduct periodic audits Employ a computer Security officer, chief compliance officer, and computer consultants Engage forensic specialists Install fraud detection software Implement fraud hotline Module 6 Questions What is the difference between authentication and authorization? Authorization- restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform Authentication- verifying the identity of the person or device attempting to access the system, ensuring that only legitimate users can access the system What is the difference between general and specific authorization? General Authorization- authorization for employees to handle routine transactions without special approval Specific Authorization- certain activities or transactions may be of such consequence requiring special authorization What are two related functions required by preventive controls? Authentication and Authorization Difference between differential, incremental, and full backups? Differential- backup changes since last full backup Incremental- backup of all changes since last back up of any kind Full backup- total backup of all files What is an achieve and how does it differ from a backup? Achieve- indefinite backup Backup- record of saved files but is typically recorded over or deleted What is the difference between a hot and cold site? Hot Site- prewired for telephone and Internet access building that also contains computing and office equipment to ready to perform essential business activities Cold Site- prewired for telephone and Internet but building is empty and does not contain computing equipment that is ready to function What is a disaster Recovery Plan? Procedure for how to recover if a disaster happens to the company or systems What is a Continuity Plan? Ensure that no matter what happens you will be able to continue operations What is Encryption? Converts plain text into cyber text to secure it What is hashing and what makes it different from encryption? Hashing- nonreversible, process of converting a small sequence of encrypted code What is difference between cyber text and plain text? Cyber text- encrypted text Plain Text- ordinary text Difference between secret key and public key encryption systems? Secret(private) Key- secretly kept key used to encrypt and decrypt Asymmetric encryption systems Public key- other key used to decrypt asymmetric systems that is widely available What controls are necessary to guard against social engineering? Training What are the 4 Source data/document controls? Form design- to ensure errors and omissions are minimized Cancellation and Storage of documents- to prevent fraudulent reentry Authorization and Segregation of Duties Visual Scanning- before entry into system What are the Data entry controls? Field Check, sign check, limit check, range check, size check, completeness check, validity check, reasonableness test, check digit verification What are the 3 output controls? User review of output Reconciliation procedures External data reconciliation What is used to create a digital signature? Asymmetric Encryption (public Key encryption) and hashing What is a digital certificate? Electronic document, created and digitally signed by a trusted 3rd party that certifies the identity of the owner of a particular public key What is an e signature? Cursive-style imprint of a person?s name that is applied to an electronic document In the procurement/Revenue cycle, digital signatures or digital certificates can be used to guard against which type of threat? Use to determine the validity of website or vender and also used to determine the validity of orders received from customers What is a field check? Data entry control that determines if the character in the field is proper type What is a sign check? Checks to see what type of arithmetic sign i.e., positive or negative What is the purpose of data entry checks? As a control for data entry errors entered into the computer What is a limit check? Data entry control that has a limit as to the # of characters allowed to be entered What is a range check? Same as a limit check but has a limit on the upper and lower end What is a size check? Determines if entry will fit into the assigned field What is a completeness check? Checks to see if the form/record being submitted is completely filled out What is a validity check? Like referential integrity, it references a record in with a master data file to ensure that it is in fact a valid record What is a reasonableness check? Visual inspection as to whether the data being submitted looks alright What is packet switching? Technology that enables multiple users to send data over the internet concurrently by separating the data into chucks to be sent What is a computer emergency response team? Group in place that responds in the event of a disaster or system breach What kind of control is a computer emergency response team? Corrective Control What does it mean if a system is fault tolerant? System will continue to function in the event of failure of one of its components What information can you use to uniquely identify a computer on a network? MAC address What is a penetration test? Check to see how vulnerable your systems are to hackers What is one approach we could take to test the effectiveness of existing security procedures? Vulnerability Scan- test procedures, and determines malfunctions Then do penetration test to see how well your procedures are