Chapter 10

Enterprise controls are those controls that affect the entire organization and
influence the effectiveness of other controls.
Security policy a comprehensive plan that helps protect an enterprise from both
internal and external threats.
Physical security refers to any measures that an organization uses to protect its
facilities, resources, or its proprietary data that are stored on physical media.
Logical Security uses technology to limit access to only authorized individuals to
the organizations systems and information, such as password controls.
Integrated security system supported by a comprehensive security policy, can
significantly reduce the risk of attack because it increases the costs and resources
needed by an intruder.
IT general controls affect the integrity of the entire information system.
Biometric identification devices identify distinctive user physical characteristics
such as voice patterns, fingerprints, facial patterns and features, retina prints, body
odor, signature dynamics and keyboarding methods.
Virtual private network a security appliance that runs behind a university or
companys firewall and allows remote users to access entity resources by using
wireless, handheld devices.
Data encryption minimizes the risk of unauthorized access to data through
electronic eavesdropping. It can be used to prevent a companys competitors from
electronically monitoring confidential data transmissions.
Electronic eavesdropping unauthorized access to the computer system and its
data which allows computer users to observe transmissions intended for someone
else.
Checkpoint control procedure that helps to recover from hardware failure. Under a
checkpoint control procedure, which is performed at periodic intervals during
processing, a companys computer network system temporarily does not accept
new transactions.
Routing verification procedures help to ensure that no transactions or messages
are routed to the wrong computer network system address.
Message acknowledgement procedures are useful for preventing the loss of part
or all of a transaction or message on a computer network system.
Red flags certain behaviors that employees display when they are defrauding
Business continuity planning is a more comprehensive approach to making sure
organizational activities continue normally.
Disaster recovery involves the processes and procedures that organizations follow
to resume business after a disruptive event such as an earthquake, a terrorist
attack, or a serious computer virus.
Hot site has a computer system with capabilities similar to the system it will
replace.
Flying-start site a hot site that also includes up-to-date backup data because it can
assume full data processing operations within a matter of seconds or minutes.
Cold site is a location where power and environmentally controlled space are
available to install processing equipment on short notice.
Fault tolerant systems organizations use these to deal with computer errors and
keep functioning so that data is accurate and complete. They are often based on the
concept of redundancy.
Disk mirroring or disk shadowing this process involves writing all data in parallel to
multiple disks.
Rollback processing transactions are never written to disk until they are complete.
Hot backup is a backup performed while the database is online and available for
read/write.
Cold backup is performed while the database is offline and unavailable to its users.
Electronic vaulting the data on backup media can be electronically transmitted to
a remote site.
Uninterruptible power system is an auxiliary power supply that can smooth the
flow of power to the computer thereby preventing the loss of data to momentary
surges or dips in power.
Application controls purpose is to prevent, detect, and correct errors and
irregularities in processing transactions.
Input controls help ensure the validity, accuracy, and completeness of the data
entered into an AIS.
Validation routines or edit programs are programs or subroutines that check the
validity and accuracy of input data after the data have been entered and recorded
on a machine-readable file.
Edit tests- examine selected fields of input data and reject those transactions whose
data fields do not meet the pre-established standards of data quality.
Processing controls focus on the manipulation of accounting data after they are
input to the computer system.
Output controls objective is to ensure the outputs validity, accuracy, and
completeness.
Two major types of output application controls validating processing results, and
regulating the distribution and use of printed output.

Chapter 11

ACFE- an international professional organization committed to detecting, deterring,

and preventing fraud and white collar crime.
Computer crime means that someone manipulates a computer or computer data,
by whatever method, to dishonestly obtain money, property, or some other
advantage, or cause significant loss
Computer abuse means that someone, who does not have permission, uses or
accesses someone elses computer.
Logic bomb a computer program that remains dormant until some specified
circumstance or data triggers the program to action.
Financial fraud type of computer crime with which most professional accountants
are familiar.
Fraudulent financial reporting happens when corporate officials such as senior-
ranking executives intentionally falsify accounting records to mislead analysts,
creditors, or investors.
Data diddling means changing data before, during, or after they are entered into a
computer system.
Ethical hackers these are network and computer experts who purposefully attack a
secured system to help its owners find any vulnerabilities that could be exploited by
a malicious hacker.
Computer virus is an attachment to other files or programs that destroys
computer files, disrupts operating system activities, or damages program software.
Computer worms do not actually destroy data, but merely replicate themselves
repeatedly until the user runs out of internal memory or disk space.
Firewalls limit external access to company computers.
Antivirus software are computer programs that scan inputs for virus-like coding,
identify active viruses already lodged in computer systems, clean infected system.
Social engineering tactic used by hackers to gain access to passwords. This means
posing as bonda fide employees and convincing network administration to give
them passwords over the phone.
Identity theft refers to an act in which someone wrongfully obtains and uses
another persons personal data for fraud or deception.
Dumpster diving stealing personal information from garbage cans.
Phishing scams use emails or web sites that claim to be legitimate but that ask
you to provide or update your personal information such as account number, credit
card number, or password.
Smishing is a similar scam using text messages on cellphones.

Chapter 12

Audit to examine and ensure

Auditing with the computer using the computer itself as an audit tool
Generalized audit software packages enable auditors to review computer files
without continually rewriting processing programs.
Automated workpapers allow internal and external auditors to automate and
standardize specific audit tests and audit documentation.
Auditing around the computer basic auditing approach, to follow the audit trail up
to the point at which accounting data entered and computer and to pick these data
up again when they reappeared in processed form as compute output. It assumes
that the presence of accurate output verifies proper processing operations.
Auditing through the computer auditor should follow the audit trail through the
internal computer operations phase of automated data processing, attempts to
verify that the processing controls involved in the AIS programs are functioning
properly.
Test data set of transactions that tests, as completely as possible, the range of
exception situations that might occur.
Parallel stimulation the auditor creates a second system that duplicates a portion
of the clients system.
Program change controls these are internal control procedures developed to
protect against unauthorized program changes.
Information technology governance is the process of using IT resources effectively
to meet organizational objectives.
Fraud triangle triangle that includes there elements that indicate potential fraud.