What does ISACA stand for?
Information Systems Audit and Control Association
What COBIT stand for?
Control Objectives for Information and Related Technology
What is COBIT?
COBIT is a framework developed by the ISACA for IT and IT governance. COBIT provides a systematic way of inter-grating IT with business strategy and business risk.
To satisfy business objectives, COBIT information needs to conform to the following criteria:
a.. Effectiveness - relevant, timely, accurate, consistent, usable
b. Efficiency - developed through the optimal use of resources
c. Confidentiality - protect from unauthorized disclosure
d. Integrity - accurate, complete, consistent with values
e. Availability - available when required
f. Compliance - comply with applicable laws, regs, and contractual arrangements
Reliability - available to management to exercise fiduciary and governance responsibilities.
Implementing COBIT involves establishing processes and employing the following resources:
a. applications - systems and procedures to process info
b. information - The data
c. infrastructure - the technology and facilities
d. People - the personnel
COBIT defines IT activities in a process model within the following 4 domains:
a. plan
b. Acquire and Implement
C. Deliver and support
d. Monitor and evaluate
For COBIT, I T systems should be measurement driven. COBIT deals with measurement issues by providing the following:
a. Maturity Models
b. Performance goals and metrics
c. Activity goals
For COBIT, what are Maturity Models?
Maturity Models are models used to evaluate the sophistication of I T processes rated for a maturity level of nonexistent 0, to optimized 5.
For COBIT, what are performance goals and metrics?
Performance goals and metrics are used to demonstrate how processes meet business and I T goals by using outcome measurements, key goal indicators, and key performance indicators, KPIS.
For COBIT, what are activity goals?
Activity goals are used to establish what needs to happen inside a process to achieve the required performance and how to measure it.
What are the Principles of Reliable Systems?
A reliable system is one that is capable of operating without material error, fault, or failure during a specified period in a specified environment.
What are the 5 principles of reliable systems?
1. Security
2. Availability
3. Processing Integrity
4. Online Privacy
5. Confidentiality
What is the Principle of Reliability for Security?
The system is protected against unauthorized access, both physical and logical.
What are examples of the principle of reliability for security , physical and logical?
Physical Access - Weather, acts of war and disgruntled employees or others.
Logical Access - Malicious or accidental alteration of, or damage to, files and/or the system; computer based fraud; unauthorized access to confidential data
What is the Principle of Reliability for Availability?
The system is available for operation and use as committed or agreed. The system is available for operation and use in conformity with the entity's availability policy
What are examples of the principle of reliability for availability?
Examples of Risk: System failure results in interruption of business operations and Loss of data.
What is the Principle of Reliability for Processing Integrity?
System processing is complete, accurate, timely and authorized.
What are examples of the principle of reliability for processing integrity?
Invalid, incomplete, or inaccurate
1. Input data
2. Data processing
3. Updating of master files and
4. creation of output
What is the Principle of Reliability for Online Privacy?
Personal information obtained as a result of e-commerce is collected, used, disclosed and, retained as committed or agreed.
What are examples of the principle of reliability for online privacy?
Disclosure of customer information or that of others such as:
1. social security numbers
2. Credit card numbers
3. credit rating and
4. Medical conditions
What is the Principle of Reliability for Confidentiality?
Information designated as confidential is protected as committed and agreed.
What are examples of the principle of reliability for confidentiality?
Examples of confidential data that might be disclosed are: 1. 1. Transaction details
2. Engineering details of product
3. Business plans
4. Banking information
5. Legal Documents
6. Inventory or other account information
7. Customer lists and
8. Confidential details of operations
What are the 7 factors of the control environment?
I - Integrity and ethical values
C - Commitment to competence
H - Human resource policies and practices
A - Assignment of authority and responsibility
M - Management's philosophy and operating style
B - BOD and audit committee participation
O - Organizational structure
What 2 functions are the Information systems department involved with?
1. Systems development and
2. data processing
What are the 5 steps in the system development life-cycle?
1. Software concept - identify the need of the new system
2. Requirements analysis - determine the needs of the users
3. Architectural design - determining the hardware, software, people, etc. needed
4. Coding and debugging - acquiring and testing the software
5. System testing - testing and evaluating the functionality of the system.
What does segregation of controls entail?
1. segregate functions between info syst department and user department.
2. don not allow the information systems dept to initiate or authorize transactions.
3. Segregate programming, data entry, operations, and the library
4. Separation of key functions
What key functions should be segregated?
1. system analysis
2. systems programming
3. application s programming
4. database administration
5. data preparation
6. operations
7. library and
8. data control
What does a systems analyst do?
A systems analyst analyzes of present user environment and may 1. recommend specific changes, 2. recommend the purchase of a new system or 3. design an new information system.
What is a flow chart used for in system analysis?
A flow chart is a tool used by the analyst to define the systems requirements.
What does a systems programmer do?
A systems programmer is responsible for implementing, modifying, and debugging the software necessary for making the hardware work.
What does an applications programmer do?
The applications programmer is responsible for writing, testing and debugging the application programs from the sepcifications provided by the systems analyst.
What does a database administrator do?
The database administrator is responsible for maintaining the database and restricting access to the database to authorized personnel.
What is data reparation?
Data may be prepared by user departments and input by key to storage devices.
What does the operator do?
The operator is responsible for the daily computer operations of both the hardware and the software. The operator should have a run manual.
What does the help desk do?
The Help desks assist users with systems problems and obtaining technical support/vendor assistance.
At a minimum, what duties should be segregated?
A a minimum, an attempt should be made to segregate programming, operations, and the library functions,
What does the Web administrator do?
The web administrator is responsible of overseeing the development, planning, and the implementation of a website.
What does the web master do?
The webmaster is responsible for providing expertise and leadership in the development of a website, including the design, analysis, security, maintenance, content development, and updates.
What does a web designer do?
A web designer is responsible for creating the visual content of the website.
What does the web coordinator do?
The web coordinator is responsible for the daily operations of the website.
What does an internet developer do?
An internet developer is responsible for writing programs for commercial sue.
What do intranet/extranet developers do?
Intranet and Extranet developers are responsible for writing programs based on the needs of the company.
What impact do changes in computerized information systems and operations have on financial reporting?
The impact do changes in computerized information systems and operations may increase the risk of improper financial reporting?
What are computerized accounting systems affected by?
They are affected by whether the company sues small computers and or a complex mainframe.
What does proper monitoring of a computerized system require?
Proper monitoring of a computerized system requires adequate computer skills to evaluate the propriety of processing of computerized applications.
What is a common method of monitoring for inappropriate access?
Review system access log.
How can IT facilitate monitoring?
1. IT can constantly evaluate data and transactions based on established criteria and highlight items that appear to be inconsistent or unusual and
2. IT can capture samples of items for audit by internal auditors.
How are control activities divided when a compute is involved?
Control activities in which a computer is involved may be divided into the following categories: 1. general control, 2. application control (programmed or manual), and 3. User
List the 4 types of general controls?
1. Developing new programs and systems,
2. changing existing programs and systems,
3. controlling access to programs and data, and
4. controlling computer operations.
What do general controls do?
General controls increase the assurance that programmed control activities operate effectively during the period.
List 2 computer application control activities.
1. Programmed control activities, and
2. manual follow up of computer exception reports.
What are programmed Control Activities?
Programmed Control Activities relate to specific computer applications and are embedded in the computer program used in the financial reporting system.
What are manual follow up of computer exception reports?
manual follow up of computer exception reports involves employee follow up if items listed on computer exception reports.
What do user control activities to test the completeness and accuracy of computer processed transactions represent?
They represent manual checks of computer output against source documents or other input, and thus provide assurance that programmed aspects of the accounting system and control activities have operated effectively.
What is a parity check?
A special bit is added to each character that can detect if the hardware loses a bit during the internal movement of a character.
What is Echo Check?
It is primarily used in telecommunications transmissions. During the sending and receiving of characters, the receiving hardware repeats back to the sending hardware what is received to the sending hardware automatically resents any characters that were received incorrectly?
What are diagnostic routines?
Hardware and software supplied by the manufacturer to check the internal operations and devices within the computer system.
What is boundary protection?
To ensure that simultaneous jobs running on CUPs cannot destroy or change the allocated memory of another job, the systems software contains boundary protections controls.
What should system specification documents detail?
They should detail such matters as performance levels, reliability, security and privacy, constraints and limitations, functional capabilities, and data structure and elements.
Where are suggestions for system changes from users and information system personnel documented?
They should be documented in a change request log.
What do proper change control procedures entail?
1. the IS manager should review all changes.
2. The modified program should be appropriately tested
3. Details of all changes should be documented and
4. A code comparison program may be sued to compare source and /or object codes of a controlled copy of a program with the program currently being used to process data.
What types of controls might be used to limit access to physical access to computer facilities?
Possible controls include using a guard, automated key cards, and manual key locks, as well as the new access devices that permit access through fingerprints or palm prints. Also use a visitor entry log to documents those how have had access to the area.
What is the most used control to limit access to software?
The most used control is a combination of a unique identification code and a confidential password.
What are key characteristics of a good password?
1. passwords should be made up of a combination of alpha, numeric, and symbol elements.
2. Passwords should be changed periodically, and
3. Passwords should be disabled promptly when an employee leaves the company.
What is call back?
Call back is a specialized form of user identification in which the user dials the system, identifies himself and and is disconnected from the system. Then either 1. the individual manually finds the authorization number, or 2. the system automatically finds the authorized telephone number of the individual and calls back.
What is contingency processing?
Plans developed to prepare for system failure.
What should contingency plans detail?
The plans should detail the responsibilities of individuals, as well as the alternate processing sites that should be utilized.
What are internal and external labels?
The use of lables allows the computer operator to determine whether the correct file has been selected for processing.
List 3 input controls?
1. inputs should be properly authorized and approved,
2. They system should verify all significant data fields used to record information, and
3. Conversion of data into matching readable form should be controlled and verified for accuracy.
What are input validation controls?
1. preprinted forms,
2. check digits,
3. control, batch or proof totals,
4. has total,
5. record count,
6. limit test,
7. menu driven input,
8. field check,
9. validity check,
10. missing data check,
11. field size check,
12. logic check,
13. redundant data check and closed loop verification.
How do pre-printed forms assist with input validation?
Information is preassigned a place and a format on the input form.
What is a check digit and what does it do?
A check digit is an extra digit added to an identification number to detect certain types of data transmission errors.
What are batch or proof totals?
A total of one numerical field for all the records of a batch that normally would be added
What is a hash total?
A control total where the total is meaningless for financial purposes
What is record count?
The control total of the total records processed.
What is limits test?
A test of the reasonableness of a field of data, given a predetermined upper and or lower limit.
What is mine driven input?
As input is entered, the operator responds to a menu prompting the proper response.
What is field check?
A control that limits the types of characters accepted into a specific data field.
What is validity check?
A control that allows only "valid" transactions or data to be entered into the system.
What is missing data check?
A control that searches for blanks inappropriately existing in input data.
What is field size check?
A control of an exact number of characters to be input.
What is logic check?
Ensures the illogical combinations of input are not accepted.
What is redundant data check?
Redundant data check uses two identifiers in each transaction record to confirm that the correct master file record is being updated.
What is closed loop verification?
It is a control that allows data entry personnel to check the accuracy of input data. This may be used instead of a redundant data check.
What are processing controls essential?
Processing controls are essential to ensure the integrity of data.
What do application controls, manual follow up of computer exception reports involve?
These controls involve employee follow up of items listed on computer exception reports. Their effectiveness depends on the effectiveness of both the programmed control activities that produce the reports and the manual follow up activities.
What do user control activities to test the completeness and accuracy of computer processed controls entail?
These manual controls, previously referred to as output controls include: 1. checks of computer output against source documents, 2. reviewing computer processing logs and 3. maintaining proper procedures and communications specifying authorized recipients of output.
What should a disaster recovery and business continuity plan allow a firm to do?
1. minimize the extent of disruptions, damage, and loss,
2. establish an alternate method for processing information,
3. resume normal operations as quickly as possible and
4. train and familiarize personnel to perform emergency operations.
What should a disaster recovery and business continuity plan include?
A plan should include priorities, insurance, backup approaches, specific assignments, period testing and updating, and documentation
List two backup approaches?
1. Batch systems and 2. online databases and master files systems.
What is a batch system?
The most common batch system is the Grandfather-Father-Son method.
How does the Grandfather-Father-Son batch system operate?.
A master file is updated with the day' transaction files. After the update, the new file master file is the son. The file from which the father was developed with the transaction files of the appropriate day is the grandfather? The grandfather and son files are stored in different locations.If the son were destroyed, it could be reconstructed by rerunning the father file and the related transaction files.
What is a checkpoint?
Similar to G-F-S, at certain points the system makes a copy of the database and this checkpoint is stored on a separate disk or tape. If a problem occurs the system is restarted at the last checkpoint and updated with subsequent transactions.
What is a rollback?
A rollback undoes changes made to a database to a point at which it was functioning properly.
List 4 different types of backup facilities?
1. Reciprocal agreement,
2. Hot site,
3. Cold site and
4. Internal site, and Mirrored web server.
What is a reciprocal agreement?
An agreement between tow or more organizations to aid each other with their data processing needs in the event of a disaster. "Mutual Aid Pact"
What is a Hot Site?
A commercial disaster recovery service that allows a business to continue computer operations in the event of computer disaster. "Recovery Operations Center" ROC
What is a cold Site?
Similar to a hot site but the customer provides and installs the equipment needed to continue operations. It is less expensive to get in full operation after a disaster. "Empty Shell"
What is an internal site?
Large organizations with multiple data processing centers sometimes rely upon their own sites for backup in the event of a disaster.
What is a mirrored web server?
An exact copy of a website which is the best way to back up the website.
List the specific assignments that should be included in a disaster recovery plan?
a. arrange for new facilities,
b. computer operations,
c. installing software,
d. establishing data communications facilities,
e. recovering vital records and
f. arranging for forms and supplies.
