Mansi Paun

Rightly said Annamarie & Yu Ming. In addition to the measures suggested by Yu Ming, we can also deploy other layered controls as a risk mitigation strategy like database encryption and log-monitoring which would greatly reduce the probability of a security incident occurring .

Prof Yao,
The relationship between tables could be any of the following 3 types –

1) One-to-One : In such a relationship, a row in table A can have can only have one matching row in table B, and vice versa. This type of relationship is not common as most data related this way could very well be in one table itself. A one-to-one relationship…[Read more]

Good examples, Abhay. I’d like to cite an example of Many-to-Many relationship here – that of our assignments – each one of us has written multiple answers to different questions and each different question has many different answers by different students.

A3 The most common risks associated with database management systems can be listed as :
• Abuse of excessive privileges
• Database injection attacks
• Malware
• Storage media exposure
• Vulnerability due to delayed patching
• Unmanaged sensitive data
• Security incidents due to human negligence

Source : https://www.s…[Read more]

What are key characters of relational database management systems?
Below are some of the key characteristics of RDBMS :
• Data must be organized in a table format. Even relations between tables are stored in the form of a table.
• Data in a column must be accessible by specifying the the table and column name along with the value of the pri…[Read more]

Some of the key benefits of relational databases vs traditional flat file system are as below :

• Traditional file systems are more prone to data corruption as its storage is unstructured. Relational databases on the other hand have data stored in tables which makes the data less prone to corruption
• Traditional file systems are not suf…[Read more]

2 As per ISACA’s Risk IT Framework, the Risk profile of the enterprise is the overall portfolio of identified risks to which the enterprise is exposed. The Risk profile is gives a picture of
• the key business processes, associated data and capabilities and the type of risk the process is exposed to
• accurate identification and evalu…[Read more]

That’s interesting, Paul. When I first started reading your post, I was expecting the practitioner to wrongfully treat patients longer than necessary, thereby eventually charging higher fees and making the “business” more profitable. However this seems to be a complete opposite- the patients were being treated for free after getting discharged .…[Read more]

Well put, Daniel – I agree with your view that processes which require human involvement, are more vulnerable to fraud, theft or failure as humans can purposely act against laid processes for a variety of reasons such as personal gain, partiality, favoritism etc. Apart from this, as you pointed out, humans are also prone to making wrong judgement…[Read more]

You’re right Annamarie. The steps where humans are involved are the most vulnerable to theft, fraud or error as humans have motives to perform fraud and theft. Even when there is no motive and no deliberate false information entered, humans are more prone to making mistakes – stayed up late the night before, missed having coffee, looming…[Read more]

Sean, you’ve rightly said that besides Accountants, assertions are important to business creditors and investors. I’d like to add that assertions would be important to even government bodies like the IRS. I’m not sure how common or feasible it is to evade paying tax, by reporting lower sales or huge business losses to IRS. If there is a…[Read more]

Q2 In class we discussed several dimensions of Management Assertions. Which do you believe is the most important? Why?
A2 Different dimensions of Management Assertions can be listed as below :
1) Occurrence
2) Existence
3) Timing (cutoff)
4) Completeness
5) Accuracy
6) Valuation
7) Rights (Ownership)
8) Summarization /…[Read more]

Well-put Yu Ming.
Layered controls implemented as a combination of preventive, detective and corrective controls, decrease the probability of failure exponentially. Systems that house sensitive information or are critical to business usually have layered controls for the same reason.

Q4 Why do we need control framework to guide IT auditing?
A4 Control framework is needed to guide IT Auditing as they provide
• Established best practices and control standards as a benchmark
• Clear guidelines about managing IT services, and
• Well defined guidelines for Risk Assessment, Issue and Risk tracking

Against which the Audit…[Read more]

Annamarie & Professor Yao,
I was curious to know if in your experience, you have encountered any Organization which has both COBIT and ITIL frameworks implemented as so far, I have only worked with clients that were following ITIL methodology. Would you be able share any insights from cost perspective in implementing both frameworks ?

Great read, Annamarie ! I’d like to grab this chance to ask you (since you have Audit Analyst experience) if you saw any major differences between the Theoretical Audit process flow and workings and real Audits at the ground level.

Deepali, I’d like to add here that besides negotiating SLAs, even measurement, reporting and analysis are an integral part of IT Service level Management.

Great comparison of ITIL & COBIT, Yu Ming. I really liked that you have summarized the key points of both the frameworks besides listing their similarities and differences.