Information Systems: Characteristics and Security

Questions and Answers

What is a characteristic of a centralized system?

  • All processing occurs at one location. (correct)
  • It is harder to set up.
  • Data is stored in diverse locations.
  • Processing occurs at multiple locations.

Which of the following is a benefit of a centralized system?

  • Difficult security setup
  • Lower costs (correct)
  • Complex setup
  • High risk of disruption

What is a common challenge for growing businesses regarding information systems?

  • Overlapping and redundant systems. (correct)
  • Simple accounting practices
  • Excessive system integration.
  • Lack of any information systems.

What is a recommended compensating control for small businesses with limited segregation of duties?

Manager supervision (B)

What should physical access controls focus on in smaller companies, where employees often share resources?

Bring-your-own-device security. (C)

Where do logical access controls operate?

Company's security system on a network (B)

What type of usernames and passwords should companies require employees to use to ensure safety?

Strong usernames and passwords (D)

What is an example of a common inexpensive information system used in early-stage enterprises?

Excel (A)

What type of system is the Accounting Information System (AIS) primarily considered to be?

Transaction processing system (A)

Which level of users typically makes strategic decisions?

Executive Leadership (A)

What is the primary focus of an Accounting Information System (AIS)?

Capturing data from accounting business events (D)

Which user level is primarily involved in capturing data within an organization's information system?

Workers (B)

What is a critical requirement for an effective Transaction Processing System (TPS)?

High availability and data integrity (D)

What is the term for the level of risk before any responses are implemented?

Inherent risk (D)

Which risk response involves taking action to decrease the likelihood or impact of a risk?

Mitigate (B)

What does it mean to 'accept' a risk?

Choosing to take no action and accept the inherent risk. (B)

Which risk response strategy involves shifting the burden of a risk to another party?

Transfer (B)

What is the term for the level of risk remaining after responses have been implemented?

Residual risk (B)

What is a primary benefit of using an Enterprise Resource Planning (ERP) system?

Automating routine business processes (A)

Which of the following is a characteristic of ERP systems?

Single, cohesive system across all areas of a company (C)

What is one disadvantage of information systems for large organizations?

Expensive to maintain (B)

In a distributed system, where is data processing and storage primarily handled?

Multiple locations (C)

What is a potential drawback of using a distributed system?

Increased security risk (A)

What is a defining characteristic of a decentralized system?

Distributed processing and databases among several locations (C)

What is an advantage of a decentralized system?

Quicker transaction details with faster processing speed (B)

Which of these represents a potential negative aspect of a decentralized system?

Increased costs of multiple systems (B)

What are the three objectives of internal control according to the content?

Operations, Reporting, and Compliance (D)

Which of the following is NOT a dimension of the COSO Cube?

Financial Performance (A)

Which of the following is an example of a manual control?

A manager reviewing and initialing an employee's travel expenses. (A)

Which group has the primary responsibility to establish and maintain an adequate system of internal controls?

Management (C)

In the Three Lines of Defense model, who is independent of management and assesses the effectiveness of controls?

Internal Auditors (C)

What is the purpose of an internal control framework?

To provide guidance for establishing and maintaining internal control systems. (D)

Which law codifies the requirement that companies use an internal control framework?

The Sarbanes-Oxley Act of 2002 (D)

Which internal control framework is widely used by large organizations?

The COSO framework (D)

Which of the following is an example of application software?

Excel (C)

What type of processing involves collecting data and processing it later at a scheduled time?

Batch Processing (B)

Which of the following is a potential risk associated with purchasing third-party software?

Copyright Infringement (B)

Which of the following is a type of system software?

Operating Systems (C)

Which programming language is commonly used for database management?

Structured Query Language (SQL) (D)

What is a characteristic of real-time processing?

Transactions are processed as they occur. (A)

If a third-party vendor closes down, what is a potential risk for businesses using their software?

Disruptions due to lack of support. (D)

What is a key difference between batch processing and real-time processing?

Real-time processing requires more processing capacity. (A)

Which type of risk originates from within a company's operations?

Internal (B)

What is the definition of operational risk?

Risks that occur in a company's day-to-day activities. (D)

Which of the following is an example of financial risk?

Customers not paying on credit. (A)

Damage to a company's reputation is known as what type of risk?

Reputational risk (A)

Which of these risks is most likely to be significantly amplified via social media?

Reputational risk (B)

What is compliance risk?

The risk associated with complying with laws and regulations. (D)

What is strategic risk?

The risk associated with a company's current and new strategies. (A)

Which of the following is an example of physical risk?

A natural disaster damaging a company's facilities. (A)

What are the two factors that combine to make risk severity?

Risk likelihood and risk impact. (C)

In risk prioritization, what does 'risk impact' refer to?

The estimated damage resulting from a risk event. (D)

What is the initial step in the risk management process?

Risk identification (B)

What is the main goal of data security?

Protect data confidentiality, integrity, and availability (A)

Which of the following is a fundamental concept in information systems?

Data integration (B)

Which of these is a key characteristic of effective information?

Relevance (B)

What is the purpose of a disaster recovery plan?

Ensure business continuity after a disruptive event. (D)

What does risk refer to in the context of business?

The likelihood of an unfavorable event occurring. (D)

What happens to the expected enterprise value when there is insufficient risk-taking?

The expected enterprise value is low. (A)

What is the sweet spot on the Risk Level vs. Expected Enterprise Value curve?

Where there is optimal risk-taking. (C)

What does a portfolio view of risk examine?

Risk at the entity (organizational) level. (C)

What is the focus of the risk categorization step in Enterprise Risk Management (ERM)?

Grouping risks based on their types. (B)

Which of the following is the correct order of steps in Enterprise Risk Management (ERM)?

Risk Identification, Risk Categorization, Risk Prioritization, Risk Response (A)

What are the two parts of a risk statement?

The issue and the possible outcome. (C)

Which of the following phrases correctly represents the format of a risk statement?

"This issue may result in this outcome". (A)

What is a primary advantage of using a cloud system?

Pay-as-you-go model reducing upfront software costs (D)

Which of the following is a risk associated with in-house developed software related to budgeting?

The expense of hiring talent to write and maintain the system code. (A)

What is a potential scheduling risk associated with developing software in-house?

The development process might extend beyond the anticipated timeline (D)

Which of the following represents a 'Technical Specifications' risk associated with in-house software development?

The delivered software may be defectively developed. (A)

What external market risk is associated with in-house developed software?

Industry changes may require extensive software updates post-implementation. (B)

From a fraud perspective, what risk is associated with in-house software development?

Code can be written to circumvent existing fraud controls. (B)

Which of the following is a reliability risk associated with using cloud systems?

System inaccessibility due to loss of internet connectivity (D)

What is a key privacy risk when using a cloud service provider?

Potential for litigation and loss of reputation if provider fails to secure data privacy. (A)

What security risk is associated with using a cloud service?

Potential unauthorized access and malicious use of data, leading to financial loss (D)

What does SaaS stand for regarding cloud computing?

Software as a Service (A)

Flashcards

Centralized System

A setup where all data processing and storage happens in a single place.

Centralized System - Positives

Easier setup, better security, and lower costs are benefits of this system.

Centralized System - Negatives

Greater risk of disruption, bottlenecks, lag time, and remote access issues.

Segregation of Duties (Small Business)

Combining duties due to limited staff; requires compensating controls.

Physical Access Controls

Prevents unauthorized access to physical resources.

Physical Access (Small Business)

Focus shifts to securing employee-owned devices.

Logical Access Controls

Security system controls access to a network, not personal drives.

Logical Access (Small Business)

Strong passwords tied to allowed job functions.

Inherent Risk

The level of risk before any risk responses are applied.

Residual Risk

The level of risk remaining after risk responses have been implemented.

Accepting Risk

Choosing to live with the risk. No actions are taken.

Mitigating Risk

Reducing the likelihood and/or impact of a risk event.

Transferring Risk

Shifting the burden of risk to another party, usually for a fee.

Three Objectives of Internal Control

Operations, Reporting, and Compliance: the goals an organization strives to achieve.

COSO Cube

A visual representation of the COSO framework's three dimensions.

Three Dimensions of the COSO Cube

Control Objectives, Control Components, and Organizational Structure

Manual Controls

Controls requiring human judgment and interaction.

Automated Controls

Controls performed automatically by a system.

First Line of Defense

Management establishes and maintains internal controls.

Second Line of Defense

Risk management and control experts assist management.

Third Line of Defense

Internal Auditors assess the effectiveness of controls.

ERP System

A software solution that integrates all business functions into a single system.

Benefits of ERP

Automating tasks, improving quality, increasing efficiency, saving costs, and increasing data transparency.

Large Org. IS

Commonly used by large enterprises; expensive to maintain but offer scalability.

Distributed System

Uses multiple locations connected to a central site for data processing and storage.

Advantages of Distributed Systems

Reduced central processing load & improved responsiveness

Disadvantages of Distributed Systems

Increased security risks due to multiple locations and potential bottlenecks.

Advantages of Decentralized Systems

Faster transaction processing speed due to workload distribution.

Accounting Information System (AIS)

Part of information systems focused on accounting data generated by business events.

Transaction Processing System (TPS)

Systems that execute and capture data generated by accounting business events.

Effective TPS

High availability and data integrity are requirements for a TPS.

Levels of Users

Corporate, Upper-level management, Middle Management, Workers

Information Systems Types

Transaction processing systems, Management information systems, Decision support systems, Executive information Systems

Copyright Infringement Risk

Violating software license terms can lead to lawsuits and damage to a company's image.

Data Breach Risk (Third-Party)

Relying on third-party software introduces the risk of vulnerabilities that can be exploited.

Third-Party Vendor Disruption

If a third-party vendor shuts down, support for their software may disappear, creating problems.

Software Update Risk

Vendors may push unnecessary updates to generate extra billable hours.

Software Sourcing

Acquiring software from an external source or creating it within the organization.

Application Software

Programs designed for specific user tasks, like spreadsheets or accounting.

System Software

Software that manages computer hardware and other software.

Batch Processing

Collecting data and processing it later, usually on a schedule.

Decentralized Systems

A system with processing and storage spread across multiple interconnected locations.

Disadvantages of Decentralized Systems

Slower processing speeds, potential for errors, and inconsistent application of controls.

Decentralized Systems - Security Concerns

The risk that remains after management implements its risk response.

Definition of Preventative Controls

Controls performed by people using their knowledge, skills, and judgment.

Detective Controls

Internal auditing function provides independent assessment of control effectiveness.

Internal Risks

Risks that originate within the company's own activities and systems.

External Risks

Risks that arise from factors outside of the company's direct control.

Operational Risk

Risks that affect day-to-day activities and processes.

Financial Risk

Risks that impact the flow of money in and out of a business, possibly leading to financial losses.

Reputational Risk

Risks that can damage the company's image, brand, or reputation.

Compliance Risk

Risks related to compliance with laws and regulations.

Strategic Risk

Risks arising from the company's strategic decisions and plans.

Physical Risk

Risks stemming from natural disasters, theft, or other physical threats.

Risk Severity

A combination of how likely a risk is to occur and the potential damage if it does occur.

Risk Likelihood

The chance or probability that a risk event will happen.

What is Risk?

The chance of an unfavorable event happening.

ERM (Enterprise Risk Management)

A process to identify, categorize, prioritize, and respond to risks.

What is a Risk Statement?

A statement with two parts: the issue and the possible outcome.

Portfolio View of Risk

Looking at risk across the entire organization.

Profile View of Risk

Concentrating on risk at the level of a specific business event.

What is Risk Identification?

Figuring out what risks exist and what might result from them.

What is Risk Categorization?

Sorting risks into groups based on their kind.

What is Risk Prioritization?

Deciding which risks matter most and addressing those first.

Software as a Service (SaaS)

Software delivery model where applications are hosted by a service provider and made available to customers over the Internet.

Cloud Computing

Using a network of remote servers hosted on the internet to store, manage, and process data, rather than a local server.

Cloud System Flexibility

Potential for increased flexibility and ability to scale resources as needed when utilizing a cloud system.

Cloud Cost Savings

Reduced upfront expenses and ongoing software costs by paying only for the resources you use.

Reduced Maintenance in Cloud

Elimination of the need to manage and maintain hardware and software, shifting the responsibility to the cloud provider.

In-House Software Budgeting Risk

The expense of hiring code writers and people to maintain the system.

In-House Software Scheduling Risk

The possibility of the software taking longer to create than expected.

In-House Software Technical Risk

The potential for software to be improperly developed, not meeting requirements.

In-House Software External Market Risk

Risk that the organization might experience industry and market changes that cause the software to require extensive updates.

Cloud Reliability Risks

The risk of the cloud failing because of unreliable internet or an unreliable host of the software and secure environment.

Study Notes

Internal Controls

  • Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations (per PCAOB AU Section 319.06).

  • Internal controls are essential for dealing with risks, and understanding controls will be reviewed in the chapter.

Categorization of Internal Controls

  • Preventative controls are designed to prevent an event from occurring.
  • Detective controls are designed to provide notice to the company that an event has occurred.
  • Corrective controls are designed to minimize or eliminate undesired outcomes when an event occurs.

Quick Class Exercise:

  • A fire insurance policy for a company warehouse is a transfer, so the code is "T".
  • Before any new employee is hired, a company runs a criminal background check; this is preventative (P).
  • Every month the company reconciles the cash account balance in the general ledger to the cash balance shown on their bank statement. This is detective (D).

Preventative Control

  • Segregation of duties involves separating and assigning the three components of a transaction to separate employees.
  • One component of a transaction is custody of assets.
  • Another component of a transaction is authorization.
  • The third component of a transaction is record keeping.
  • An employee, such as the Inventory Manager or Clerk, is the only one authorized to have access to the inventory (custody).
  • Another employee, such as the Purchasing Manager or Purchasing Agents, is the only person authorized to order inventory (authorization).
  • A third employee, such as the Accounts Payable Manager or Clerk, is the person authorized to record increases to the inventory and accounts payable accounts for ordered and received inventory (record keeping).

Threats that can defeat internal control

  • One threat is management override: when someone in a supervisory role directs one of the people who report to them not to follow policy, a well-designed control can be defeated.
  • Another threat is collusion: when two or more employees work together (especially across segregated duties), a well-designed control can be defeated.

Classification of Controls

  • Physical controls are outside of the IT environment and govern human activities; for example, the ability to work from home if an office is closed.
  • IT general controls apply to the full set of systems used by the company; for example, requiring a password to access your office computer.
  • IT application controls apply to a specific application; for example, an accounts payable clerk is allowed to enter AP transactions, but a payroll clerk is not.

What is Risk

  • Risk is the likelihood of an unfavorable event occurring and is essential in business.
  • Risk is not always a bad thing.
  • Focus is on unfavorable outcomes.
  • The key is choosing the right level of risk.

Identifying Risks

  • Risks can be related to a single business event, a business process, a business function, or the entire organization, including the business model and strategy. Be as specific as possible to identify all risks.
  • Enterprise Risk Management (ERM) is a thorough process to identify, categorize, prioritize, and respond to an entity’s risks.

Risk Identification and Statements

  • Identify existing risks and their outcomes.
  • Categorize the risks based on their types; this helps fine-tune risks from entity-level to business-process-related risks.
  • Prioritize risks that are most likely to occur or will have the largest impact on the organization and prioritize responding to those.
  • Risk statements have two parts: the issue and the possible outcome, and are in the form of, "This issue may result in this outcome.”

Risk Categories

  • Internal risks occur within the normal operations of a company and are preventable.
  • External risks come from outside of a company. Some appear to be both internal and external.
  • Internal risks include operational, technology and financial.
  • External risks include compliance, reputational, and strategic.

Risk Prioritization

  • Risk severity is a combination of risk likelihood and risk impact.
  • Risk likelihood estimates the probability of occurrence.
  • Risk impact estimates the damage.
  • Risks are prioritized based on both factors.

Responding to Risk

  • Before any response, the level of risk the entity faces is inherent risk.

  • After a response, the remaining level of risk the entity faces is residual risk.

  • There are four general types of responses to deal with each risk:

    • Accept the risk: no risk response is chosen, and the entity accepts the inherent risk.
    • Mitigate the risk: take action to reduce the likelihood or impact of the risk event occurring.
    • Transfer the risk: shift the risk to another entity (often in exchange for a payment).
    • Avoid the risk: avoid the events that cause the risk; this is not possible in many cases.

Example of Risk Response with Car

  • You buy a new car that has a leather interior and sometimes your friends eat inside.
  • Accept: Don't worry about it. If someone spills, clean it up and hope the stain isn't noticeable.
  • Mitigate: Treat your seats with a chemical that makes the likelihood of a food stain much less.
  • Transfer: Buy a specific insurance policy that covers damage to your seats.
  • Avoid: Do not allow anyone to eat in your car.

Types of Software

  • Batch processing is when data is collected and processed later at a scheduled time.

  • Real-time processing is when transactions are processed as they occur, requiring more processing capacity and more complex systems and controls; for example, order entry and shipping systems.

  • Programming languages provide the coded instructions that create the software; for example, Structured Query Language (SQL).

  • Application software consists of end-user programs that perform specific functions.

  • System Software includes operating systems, communications software, and utility programs.

Software Sourcing

  • Software can be purchased from a third-party vendor or developed in-house, each with its own benefits and risks.
  • If the business does not adhere to the software's licensing terms, it could face legal allegations and reputational loss.
  • If third-party software is not properly secured, it is vulnerable to attackers.
  • The vendor may require unnecessary updates, which cannot be refused, in order to bill additional hours to its customers.

Cloud Computing

  • Cloud computing is the newer model for software deployment, connecting you to software via the internet; the advantages of Software as a Service (SaaS) include increased flexibility and scalability to meet changing conditions.
  • There are various budgeting, scheduling, technical specification, external market, fraud, reliability, privacy, and security risk areas of cloud computing.

Organizational Information Systems

  • Alternative system configurations are available; the most common is a centralized system, which connects all users to one central location.
  • As businesses grow and acquire other businesses, their systems can be integrated into a single system.
  • For small businesses, use proper segregation of duties and physical and logical access controls.
  • Businesses need to use policies and procedures for bring-your-own-device.
  • The most important thing is to tie functions to employees with usernames and passwords.

Benefits of ERP System

  • Future cost savings
  • Improved data transparency and quality
  • Increased business efficiencies
  • Quality improvement
  • Automating routine business processes
  • SAP is one of the most popular ERP systems.

Manual vs. Automated Controls

  • Manual controls are useful when human judgment and interaction are needed; for example, employee travel expenses are reviewed and initialed by a manager before being reimbursed.
  • Automated controls are often more reliable and consistent; for example, an accounting system rejecting an entered transaction whose debits do not equal its credits.

Establishment and Assessment of Internal Controls

  • Management has the primary responsibility to establish and maintain an adequate system of internal controls.
  • Internal auditors are independent of management and are tasked with assessing the effectiveness and efficiency of controls.
  • Internal control frameworks are essential; an internal control framework is a set of concepts and questions that management can use to establish and maintain the internal control system.
  • The COSO framework is one of the most widely adopted.
  • The COSO Cube displays the three dimensions of the framework: control objectives, control components, and organizational structure.
