
Midterm Exam Quizlet

Uploaded by

kareema

data

facts that are collected, recorded, stored, and processed by an information system

information

data that have been organized and processed to provide meaning and improve the decision-making
process

system

a set of two or more interrelated components that interact to achieve a goal

transaction

an agreement between two entities to exchange goods or services or any other event that can be
measured in economic terms by an organization

business process

a set of related, coordinated, and structured activities and tasks that are performed by a person or by a
computer or a machine, and that help accomplish a specific organizational goal

revenue cycle

where goods and services are sold for cash or a future promise to receive cash

expenditure cycle

where companies purchase inventory for resale or raw materials to use in producing products in
exchange for cash or a future promise to pay cash

production cycle

where raw materials are transformed into finished goods

human resources/payroll cycle

where employees are hired, trained, compensated, evaluated, promoted, and terminated

financing cycle

where companies sell shares in the company to investors and borrow money and where investors are
paid dividends and interest is paid on loans

data processing cycle

the operations performed on data to generate meaningful and relevant information

source documents

paper that is used to collect data about business activities

turnaround documents

company output sent to an external party, who often adds data to the document, and then are returned
to the company as an input document

source data automation

capture transaction data in machine-readable form at the time and place of their origin

audit trail

a traceable path of a transaction through a data processing system from point of origin to final output

entity

something about which information is stored

attributes

characteristics of interest that are stored

field

what computers store data in

file

a group of related records

master file

stores cumulative information about an organization

transaction file

contains records of individual business transactions that occur during a specific time

database

a set of interrelated, centrally coordinated files

batch processing

updating done periodically

real time processing

updating each transaction as it occurs

threat

any potential adverse occurrence

exposure or impact

the potential dollar loss from a threat (2 terms)

internal control

the process implemented to provide reasonable assurance that the control objectives are achieved

Foreign Corrupt Practices Act (FCPA)

passed to prevent companies from bribing foreign officials to obtain business

Sarbanes-Oxley Act (SOX)

designed to prevent financial statement fraud, make financial reports more transparent, protect
investors, strengthen internal controls, and punish executives who perpetrate fraud

preventive controls

deter problems before they arise

detective controls

discover problems that are not prevented

corrective controls

identify and fix problems as well as fix and recover from the resulting errors

general controls

make sure an organization's control environment is stable and well managed

application controls

make sure transactions are processed correctly

authorization

approving transactions and decisions

recording

preparing source documents; entering data into online systems; maintaining journals, ledgers, files or
databases; and preparing reconciliations and performance reports

custody

handling cash, tools, inventory, or fixed assets; receiving incoming customer checks; and writing checks

authentication

the process of verifying the identity of the person or device attempting to access the system

authorization

the process of restricting access of authenticated users to specific portions of the system and limiting
what actions they are permitted to perform

biometric identifier

physical characteristics such as fingerprints or a voice

computer incident response team (CIRT)

a team that leads an organization through recognition of a problem, containment of that problem,
recovery, and follow-up

defense-in-depth

to employ multiple layers of controls in order to avoid having a single point of failure

firewall

either a special-purpose hardware device or software running on a general-purpose computer

hardening

process of modifying the default configuration of endpoints to eliminate unnecessary settings and
services

intrusion detection system

consists of a set of sensors and a central monitoring unit that create logs of network traffic that was
permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions

intrusion prevention system

monitors patterns in the traffic flow, rather than only inspecting individual packets, to identify and
automatically block attacks

multifactor authentication

the use of two or all three types of conjunction

multimodal authentication

using multiple credentials of the same type

penetration test

an authorized attempt by either an internal audit team or an external security consulting firm to break
into the organization's information system

router

connects an organization's information system to the Internet

Transmission Control Protocol (TCP)

specifies the procedures for dividing files and documents into packets to be sent over the Internet and
the methods for reassembly of the original document or file at the destination

Internet Protocol (IP)

specifies the structure of those packets and how to route them to the proper destination

asymmetric encryption

system that uses two keys to encrypt and decrypt

symmetric encryption

system that uses the same key to encrypt and decrypt

ciphertext

unreadable gibberish

plaintext

normal content

encryption

the process of transforming normal content into unreadable gibberish

decryption

transforms ciphertext back to plaintext

hashing

a process that takes plaintext of any length and transforms it into a short code

virtual private network

provides the functionality of a privately owned secure network without the associated costs of leased
telephone lines, satellites, and other communication equipment

backup

an exact copy of the most current version of a database, file, or software program that can be used in the
event that the original is no longer available

disaster recovery plan (DRP)

outlines the procedures to restore an organization's IT function in the event that its data center is
destroyed by a natural disaster or act of terrorism

business continuity plan

specifies how to resume not only IT operations, but all business processes, including relocating to new
offices and hiring temporary replacements, in the event that a major calamity destroys not only an
organization's data center but also its main headquarters

change control

the formal process used to ensure that modifications to hardware, software, or processes do not reduce
system reliability

hot site

a facility that is not only prewired for telephone and Internet access but also contains all the computing
and office equipment the organization needs to perform essential business activities

cold site

an empty building that is prewired for necessary equipment within a specified period of time

incremental backup

involves copying only the data items that have changed since the last partial backup

redundant arrays of independent drives (RAID)

data is written to multiple disk drives simultaneously

uninterruptible power supply

provides protection in the event of a prolonged power outage, using battery power to enable the system
to operate long enough to back up critical data and safely shut down

field check

determines whether the characters in a field are of the proper type

sign check

determines whether the data in a field have the appropriate arithmetic signals

limit check

tests a numerical amount against a fixed value

range check

tests whether a numerical amount falls between predetermined lower and upper limits

size check

ensures that the input data will fit into the assigned field

completeness check

determines whether all required data items have been entered

validity check

compares the ID code or account number in transaction data with similar data in the master file to verify
the account exists

reasonable test

determines the correctness of the logical relationship between two data items

sequence check

tests whether a batch of input data is in the proper numerical or alphabetical sequence

batch totals

summarize important values for a batch of input records

auditing

the systematic process of obtaining and evaluating evidence regarding assertions about economic
actions and events in order to determine how well they correspond with established criteria

computer-assisted audit techniques

refer to audit software that uses auditor-supplied specifications to generate a program that performs
audit functions, thereby automating or simplifying the audit process

control risk

the risk that a material misstatement will get through the internal control structure and into the financial
statements

detection risk

the risk that auditors and their audit procedures will fail to detect a material error or misstatement

inherent risk

the susceptibility to material risk in the absence of controls

integrated test facility

inserts fictitious records that represent a fictitious division department, customer, or supplier in
company master files

materiality

what is and is not important in an audit

reasonable assurance

that no material error exists in the information or process audited

financial audit

examines the reliability and integrity of financial transactions, accounting records, and financial
statements

information systems audit

reviews the controls of an AIS to assess its compliance with internal control policies and procedures and
its effectiveness in safeguarding assets

operational audit

concerned with the economical and efficient use of resources and the accomplishment of established
goals and objectives

compliance audit

determines whether entities are complying with applicable laws, regulations, policies, and procedures

investigative audit

examines incidents of possible fraud, misappropriation of assets, waste and abuse, or improper
governmental activities
