
of the entity, at various stages within business processes, and over the technology
environment. They may be preventive or detective in nature and may encompass a
range of manual and automated activities such as authorizations and approvals,
verifications, reconciliations, and business performance reviews. Segregation of duties is
typically built into the selection and development of control activities. Where
segregation of duties is not practical, management selects and develops alternative
control activities.

Control environment — sets the tone at the top and forms the culture regarding IT service
and management.

Types of application controls: input, processing, output.

4. Information and communication — supports all other control components by
communicating effectively to ensure information flows down, across, and up the firm, as
well as interacting with external parties such as customers, suppliers, regulators, and
shareholders and informing them about related policy positions. Relevant information
should be identified, captured, and communicated in a form and timeframe that enable
employees to carry out their duties.

5. Monitoring — the design and effectiveness of internal controls should be monitored
by management and other parties outside the process on a continuous basis. Findings
should be evaluated, and deficiencies must be communicated in a timely manner.
Necessary modifications should be made to improve the business process and the
internal control system.

COBIT (Control Objectives for Information and Related Technology) originated in the
IT audit community and has developed into a broad and comprehensive IT governance
and management framework. COBIT provides a supporting tool set that bridges the gap
among IT control requirements, technical issues, and business risks. The COBIT
framework provides a business focus to align business and IT objectives, and defines
the scope and ownership of IT processes and controls.

COBIT 2019 has five domains: EDM (Evaluate, Direct, and Monitor), APO (Align, Plan,
and Organize), BAI (Build, Acquire, and Implement), DSS (Deliver, Service, and Support),
and MEA (Monitor, Evaluate, and Assess). The first domain covers IT governance, and
the other four domains cover IT management. COBIT supports IT governance and
management by providing a framework to ensure that IT is aligned with the business.

Security week 8

According to the fraud triangle (incentive, opportunity, rationalization):

First, there is an incentive or pressure that provides a reason to commit fraud.
Second, there is an opportunity for fraud to be perpetrated (e.g., absence of controls,
ineffective controls, or the ability of management to override controls).
Third, the individuals committing the fraud possess an attitude that enables them to
rationalize the fraud.

Three main vulnerability areas: physical IT, IT information systems, and IT operations.

Vulnerability management (VM): determine the main objectives for vulnerability
management and assign roles and responsibilities for managing it across its four stages
(identification, risk assessment, remediation, maintenance).
