BEC NINJA I Flashcards Preview

Flashcards in BEC NINJA I Deck (100):
1

According to the COSO Report, the control environment in a business entity:

A. makes integrity a basic operating principle.

B. is the entity's identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how the risks should be managed.

C. indicates goals for both operational and financial activities.

D. is the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.

A. makes integrity a basic operating principle.

The control environment in a business entity sets the tone of an organization (often called "tone at the top"), influencing the control consciousness, attitude, and awareness of management and its employees.

The identification and exchange of information is "information and communication"; identification and analysis of risks falls under "risk assessment"; and policies and procedures are the "control activities" component.

2

According to COSO, the use of ongoing and separate evaluations to identify and address changes in internal control effectiveness can best be accomplished in which of the following stages of the monitoring-for-change continuum?

A. Control baseline

B. Change identification

C. Change management

D. Control revalidation/update

B. Change identification

The baseline understanding of internal control effectiveness is the starting point. Monitoring identifies changes in the environment or internal control system and the entity's ability to manage those changes. To “identify and address changes” is part of change identification.

The control baseline is limited to the controls in effect before the change is identified. Change management is the process of implementing needed changes, not identifying them. Control revalidation is a later part of the process after the need for control changes has been identified.

3

If controls add to the efficiency of operations, management must:

A. implement the controls immediately.

B. ask the internal auditor for recommendations.

C. weigh the benefit of reducing loss or inefficiency against the cost of the control.

D. consider only the cost of the control.

C. weigh the benefit of reducing loss or inefficiency against the cost of the control.

Managers must weigh the benefit of reducing loss or inefficiency against the cost of the controls. They should not implement controls without first understanding whether any benefits of implementing these controls outweigh the costs. Although management can solicit recommendations from the internal auditor, it is not a requirement.

4

Which of the following actions is required to ensure the validity of a contract between a corporation and a director of the corporation?

A. An independent appraiser must render to the board of directors a fairness opinion on the contract.

B. The director must disclose the interest to the independent members of the board and refrain from voting.

C. The shareholders must review and ratify the contract.

D. The director must resign from the board of directors.

B. The director must disclose the interest to the independent members of the board and refrain from voting.

A corporation is permitted to enter into a contract for services or goods with a board member (director). This type of transaction is called a “related-party transaction.” Shareholders could see this action as preferential treatment of the director who receives the contract, and it could be interpreted as a lack of due care on the part of the directors in carrying out the corporation's business.

In order to invoke the business judgment rule, where the directors are protected from shareholder lawsuits alleging a lack of due care, the board must:

make an informed decision,
eliminate conflict of interest, and
have a rational basis for the decision.

A rational basis for the decision could be that these services or products are not available elsewhere, or the director is offering the best quality for the lowest price (which would be in the shareholders' favor). In order to make an informed decision, the board must review all of its options and then come to the conclusion that the best decision is to contract with the director. Finally, to eliminate conflict of interest, the director must disclose his or her interest in the contract to the board and refrain from voting.

It is not necessary that the contract be reviewed by an independent appraiser, that the shareholders approve the contract, or that the director resign.

5

Company management completes event identification and analyzes the risks. The company wishes to assess its risk after management's response to the risk. According to COSO, which of the following types of risk does this situation represent?

A. Inherent risk
B. Residual risk
C. Event risk
D. Detection risk

B. Residual risk

Answer A is incorrect because inherent risk is the risk that exists before management takes any steps to control the likelihood or impact of a risk.

Answer B is correct because residual risk is the risk that remains after management reacts to the risk, such as by instituting appropriate internal controls.

Answer C is incorrect because event risk is the risk of unforeseen events associated with a particular entity, not after management responds to the risk.

Answer D is incorrect because detection risk is the risk that auditors fail to detect a material misstatement in the financial statements.

6

A member of the board of directors of Central Communications Co. is offered a license by a third party to operate a cellular phone system. The director does not present this offer to the board of directors for approval but informally mentions it to a fellow board member, who does not think it will be a problem. The director buys the license. Which of the following statements is correct regarding the director's actions?

A. The director breached a duty of care by failing to use prudent business judgment.

B. The director breached the duty of due diligence.

C. The director breached a duty of loyalty by usurping a corporate opportunity.

D. The director acted properly in purchasing the license.

C. The director breached a duty of loyalty by usurping a corporate opportunity.

Answer A is incorrect because a failure of business judgment relates to making a bad decision.

Answer B is incorrect because a lack of due diligence refers to making a decision without seeking appropriate information.

Answer C is correct because the director put personal interests ahead of corporate interest.

Answer D is incorrect because the director should have presented the opportunity to the corporation instead of acting on it personally.

7

What does enterprise risk management do for an organization?

A. It manages risks and seizes opportunities to achieve the goals of the organization.

B. It creates policies and procedures.

C. It creates risks to achieve the goals of the organization.

D. It creates progress.

A. It manages risks and seizes opportunities to achieve the goals of the organization.

Enterprise risk management (ERM) is the process used by organizations to manage risk and seize opportunities to achieve the goals of the organization. It provides a framework for risk management, determines response strategy, and monitors the progress.

There are eight components of COSO's ERM framework:

1. Internal environment. The people in a business and the environment in which they operate are the foundation for all other ERM components.
2. Objective setting. Management must put into place a process to formulate objectives in order to help the company assess and respond to risks.
3. Event identification. Certain events can affect the company's ability to implement its strategy and achieve its objectives. Management must identify these events and determine whether they represent risks or opportunities.
4. Risk assessment. Identified risks are evaluated to determine how they affect the company's ability to achieve its objectives and how to manage them. Both qualitative and quantitative methods are used to assess risks.
5. Risk response. Management can choose to avoid, reduce, share, or accept risks after careful analysis.
6. Control activities. To ensure that management's risk responses are effectively carried out, policies and procedures should be implemented.
7. Information and communication. Information about ERM components needs to be communicated through all levels of the company and with external parties.
8. Monitoring. ERM processes must be monitored, deficiencies reported to management, and modifications performed when required.


8

The one component of internal control that sets the tone of an organization, influencing the control consciousness of its people and serving as the foundation for all other components of internal control is:

A. the control environment.

B. risk assessment.

C. control activities.

D. information and communication.

A. the control environment.

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.

Risk assessment is the entity's identification and analysis of relevant risks and the determination of how these risks should be managed. Control activities are the policies and procedures that help ensure that management directives are carried out. Information and communication systems support the identification, capture, and exchange of information.

In evaluating the design of the entity's control environment, the auditor should consider the following elements and how they have been incorporated into the entity's processes:

a. Communication and enforcement of integrity and ethical values
b. Commitment to competence
c. Participation by those charged with governance
d. Management's philosophy and operating style
e. Organizational structure
f. Assignment of authority and responsibility
g. Human resource policies and practices

9

According to COSO, which of the following is a compliance objective?

A. To maintain adequate staffing to keep overtime expense within budget

B. To maintain a safe level of carbon dioxide emissions during production

C. To maintain material price variances within published guidelines

D. To maintain accounting principles that conform to GAAP

B. To maintain a safe level of carbon dioxide emissions during production

According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the internal control structure provides reasonable assurance that business objectives are achieved in three areas: operations, financial reporting, and compliance with applicable laws and regulations, which fits the answer choice “to maintain a safe level of carbon dioxide emissions during production.” OSHA regulations requiring a safe workplace cover the maintenance of a safe level of emissions to protect workers. The other answer choices refer to the COSO objectives of operating effectiveness/efficiency and financial statement reliability.

10

The Sarbanes-Oxley Act requires financial issuers to publish what kind of information?

A. The immaterial condition of the company

B. Internal control performance relative to industry best practice benchmarks

C. Only positive impacts on internal controls

D. The scope and capabilities of the internal control structure

D. The scope and capabilities of the internal control structure

Section 404 of the Sarbanes-Oxley Act requires issuers of annual reports to use an internal control framework that meets all of the SEC’s requirements (such as COSO). This section was created to provide investors with reasonable assurance that material unauthorized transactions or the improper use of assets will be prevented or detected in a timely manner. Issuers must include the scope and capabilities of the internal control system and include procedures for financial reporting in their annual reports.

11

Which of the following is the primary reason that many auditors hesitate to use embedded audit modules?

A. Embedded audit modules cannot be protected from computer viruses.

B. Auditors are required to monitor embedded audit modules continuously to obtain valid results.

C. Embedded audit modules can easily be modified through management tampering.

D. Auditors are required to be involved in the system design of the application to be monitored.

D. Auditors are required to be involved in the system design of the application to be monitored.


An embedded audit module is coded into the information processing software, allowing the auditor to access real data. Often the routines search for unusual items as transactions are processed and report those items to the auditor. There is some danger of data contamination since the routines are working with real data. Also, the auditors must work closely with management in the design of the embedded audit module, which may affect their independence.

"Embedded audit modules cannot be protected from computer viruses" is incorrect because embedded audit modules can be protected from viruses in the same ways as other software, such as with effective firewalls. "Auditors are required to monitor embedded audit modules continuously to obtain valid results" is incorrect because embedded audit modules can accumulate information to be reviewed by the auditor periodically. "Embedded audit modules can easily be modified through management tampering" is incorrect because embedded audit modules can be protected with passwords and biometric controls in the same manner as other software components.

12

Within the COSO Internal Control—Integrated Framework, which of the following components is designed to ensure that internal controls continue to operate effectively?

A. Control environment

B. Risk assessment

C. Information and communication

D. Monitoring activities

D. Monitoring activities

Monitoring of controls assesses the quality of internal control performance over time, including assessing the design and operation of controls on a timely basis and taking necessary corrective actions.

The control environment includes items such as a corporate code of conduct and ethical attitude of those charged with governance. Risk assessment refers to the identification, analysis, and management of risks relevant to the preparation of financial statements. The information and communication system refers to processing the data, including the source documents through the final reports.

13

What does the audit committee of the board of directors oversee?

A. Formal job descriptions for employees in an organization

B. The financial reporting process in an organization

C. The responsibilities assigned to employees

D. The creation of standards

B. The financial reporting process in an organization

The audit committee of the board of directors oversees the following:

Financial reporting
Financial disclosure
Compliance with standards

14

Under human resources policies and procedures, what is an appropriate policy or procedure for managing employees?

A. Hire employees based only on the cover page of their resume.

B. Do not promote employees on merit.

C. Train top management to enforce sanctions against employees violating policies.

D. Hire employees based on passing only the background check.

C. Train top management to enforce sanctions against employees violating policies.


Human resources policies and procedures should include the following:

-Hire employees based on the written job requirements
-Verify resumes and perform background checks
-Promote on both merit and performance
-Train members of the organization on many aspects

15

According to COSO, which of the following components of enterprise risk management addresses an entity’s integrity and ethical values?

A. Information and communication
B. Internal environment
C. Risk assessment
D. Control activities

B. Internal environment

The internal environment encompasses the tone of an organization, influencing the risk consciousness of its people, and is the basis for all other components of enterprise risk management, providing discipline and structure.

Internal environment factors include an entity’s risk management philosophy; its risk appetite; oversight by the board of directors; the integrity, ethical values, and competence of the entity’s people; and the way management assigns authority and responsibility, and organizes and develops its people.

The answer choice "information and communication" refers to the control activities that capture, record, and communicate information to the users. "Risk assessment" refers to management’s responsibility to assess both internal and external risk to determine when control systems should be modified. "Control activities" are implemented to ensure that the information and communication activities function properly.

16

All of the following are procedures of a change control process, except:

A. the change control board approves the change.

B. once the work is done, the process is released without testing.

C. schedules are set up.

D. the project manager keeps things running smoothly.

B. once the work is done, the process is released without testing.

Changes should never be released without testing. The procedures for a well-defined change control process would include the following:

The change control board approves the change and assigns a project manager.
The project manager makes sure all paperwork has been received and approved.
The project manager sets up schedules for all personnel involved.
The projects are completed.
Changes are tested and approved before release.

17

The control environment in a business entity:

A. is the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.

B. sets the tone of an organization, influencing the control consciousness of its people.

C. is the entity's identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how the risks should be managed.

D. refers to the policies and procedures that help ensure that management directives are carried out.

B. sets the tone of an organization, influencing the control consciousness of its people.

According to the COSO Report, the control environment in a business entity sets the tone of an organization, influencing the control consciousness of its people.

18

The Sarbanes-Oxley Act requires financial issuers to publish what kind of information?

A. The immaterial condition of the company

B. Internal control performance relative to industry best practice benchmarks

C. Only positive impacts on internal controls

D. The scope and capabilities of the internal control structure

D. The scope and capabilities of the internal control structure

Section 404 of the Sarbanes-Oxley Act requires issuers of annual reports to use an internal control framework that meets all of the SEC’s requirements (such as COSO). This section was created to provide investors with reasonable assurance that material unauthorized transactions or the improper use of assets will be prevented or detected in a timely manner. Issuers must include the scope and capabilities of the internal control system and include procedures for financial reporting in their annual reports.

19

An online database management system for sales and receivables was recently expanded to include credit approval transactions. An evaluation of controls was not performed prior to implementation.

If certain data elements were not defined in the expansion, the following problem could result:

A. Unlimited access to data and transactions

B. Incomplete transaction processing

C. Unauthorized program execution

D. Manipulation of the database contents by an application program

B. Incomplete transaction processing

Failure to completely define the program specification blocks (PSB) prevents the application program from accessing or changing data, resulting in incomplete processing.

Data element definition allows application programs to access or change data; therefore, if they are not defined, no access takes place.
Without the program specification blocks, the application program cannot access data and cannot execute.
The desired manipulation of the database contents by an application program cannot take place if program specification blocks are not defined.

20

Which of the following is most useful when risk is being prioritized?

A. Low- and high-probability exposures

B. Low- and high-degree loss exposures

C. Expected value

D. Uncontrollable risks

C. Expected value

Expected value is the sum of the outcomes (payoff) of each event multiplied by the probability of each event occurring. It combines the likelihood of each outcome with the payoff of that outcome, and so is a way of prioritizing alternatives while considering risk. None of the other answer choices consider both the likelihood and payoff of each alternative course of action.

21

Which of the following areas of responsibility are normally assigned to a systems programmer in a computer system environment?

A. Systems analysis and applications programming

B. Data communications hardware and software

C. Operating systems and compilers

D. Computer operations

C. Operating systems and compilers

Systems programmers use the design developed by the analysts to develop an information system and write the computer programs. It follows, therefore, that the programmers would be concerned with the operating system and how it will handle various applications, as well as with compilers (computer programs that convert a source program into an object program, reducing the programming effort).

Systems analysis is assigned to systems analysts, who help users analyze their information needs and design information systems that meet those needs.
Data communications hardware and software would be outside the duties of the programmer, since these items control how the system transmits data and communicates with other systems.
Computer operations are assigned to computer operators. Programmers should never have access to computer operations so that a proper segregation of duties for internal control can be maintained.

22

Which of the following cycles does not have accounting information that is recorded into the general ledger system?

A. Expenditure

B. Production

C. Planning

D. Revenue

C. Planning

Planning is the selection of goals or objectives and the means of obtaining them. While management may use financial data from the general ledger to create a budget, planning does not involve entries in the general ledger.

The revenue cycle is where goods or services are sold in exchange for payment. A sample entry into the general ledger would be a credit to sales and a debit to cash.
The expenditure cycle is where goods or services are purchased in exchange for payment. An example of this activity would be an entry into the general ledger as a debit to office supplies expense and a credit to cash.
The production cycle is where raw materials are turned into products that can be sold. As part of the production cycle, a company may make an entry into the general ledger that records a credit to materials and a debit to work-in-process.

23

A bank implemented an expert system to help account representatives consolidate the bank's relationships with each customer. The expert system has:

A. a sequential control structure.

B. distinct input/output variables.

C. a knowledge base.

D. passive data elements.

C. a knowledge base.

Expert systems have knowledge bases that represent the facts and inferences they know, which were “taught” to them by human experts.

Traditional programs (e.g., COBOL) have sequential control structures, distinct input/output variables, and passive data elements; expert systems do not.

24

Credit Card International developed a management reporting software package that enables members interactively to query a data warehouse and drill down into transaction and trend information via various network set-ups. What type of management reporting system has Credit Card International developed?

A. Online analytical processing system

B. Online transaction-processing system

C. Online executive information system

D. Online information storage system

A. Online analytical processing system

This system is intended to allow users to analyze stored data, so it is an analytical system.

An online transaction-processing system does not process transactions. An online executive information system does not provide high-level (summary) information. An online information storage system does not store data; instead, it accesses data already stored.

25

All the staff of a merger and acquisitions department in an investment banking firm use spreadsheet programs on personal computers (PCs) to analyze potential client matches. The data is highly confidential. An appropriate control over the department's use of PCs is:

A. prohibit departmental staff from programming their own applications.

B. keep the program and data diskettes in a secure location when they are not in use by departmental staff.

C. require departmental staff to use the spreadsheet applications only through custom-designed menus.

D. divide duties among the departmental staff so that some only prepare the application templates and others only run the applications.

B. keep the program and data diskettes in a secure location when they are not in use by departmental staff.

The greatest threat to the department is that an unauthorized person might obtain the application templates and data and make unauthorized use of them.

Prohibiting department staff from programming their spreadsheet applications defeats the purpose of using PCs, namely, to make it possible for users to be more productive with their own computers.
Custom-designed menus are unnecessary for skilled users, and they do not impose any real control on skilled users.
Dividing the duties of application preparation and execution impedes the intended use of the application models. It is ineffective as a control measure since all the department's staff are skilled spreadsheet users.

26

According to COSO, the use of ongoing and separate evaluations to identify and address changes in internal control effectiveness can best be accomplished in which of the following stages of the monitoring-for-change continuum?

A. Control baseline

B. Change identification

C. Change management

D. Control revalidation/update


B. Change identification

The baseline understanding of internal control effectiveness is the starting point. Monitoring identifies changes in the environment or internal control system and the entity's ability to manage those changes. To “identify and address changes” is part of change identification.

The control baseline is limited to the controls in effect before the change is identified. Change management is the process of implementing needed changes, not identifying them. Control revalidation is a later part of the process after the need for control changes has been identified.

27

A validation check used to determine if a quantity ordered field contains only numbers is an example of:

A. an input control.

B. an audit trail control.

C. a processing control.

D. a data security control.

A. an input control.

A validation used to assure that a quantity ordered field allows input of only numerical data is an example of an input control.

Audit trail controls seek to make sure that a record of all relevant events and transactions has been recorded chronologically.
Processing controls relate to completeness and accuracy of data during processing (i.e., updating).
Data security controls restrict unauthorized individuals from access to and use of systems.

28

Which of the following is a key difference in controls when changing from a manual system to a computer system?

A. Internal control principles change.

B. Internal control objectives differ.

C. Control objectives are more difficult to achieve.

D. Methodologies for implementing controls change.

D. Methodologies for implementing controls change.

According to COSO in the research study Internal Control—Integrated Framework:

Internal control is a process, effected by an entity's board of directors, management and other personnel, which is designed to provide reasonable assurance regarding the achievement of objectives in one or more categories:

Effectiveness and efficiency of operations
Reliability of financial information
Compliance with applicable laws and regulations

Internal control consists of five interrelated components. These are derived from the way management runs a business, and are integrated into the management process. The components are:

Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring Activities

29

Processing data through the use of simulated files provides an auditor with information about the operating effectiveness of control policies and procedures. One of the techniques involved in this approach makes use of:

A. controlled reprocessing.

B. an integrated test facility.

C. input validation.

D. program code checking.

B. an integrated test facility.

An integrated test facility allows an auditor to introduce test data (simulated files) into an actual processing run to test the processing of that data. This provides evidence about operating effectiveness of the software.

"Controlled reprocessing" is incorrect because reprocessing the same data again with the same software provides no new information. "Input validation" is incorrect because input validation is a control that improves the accuracy of data entry, but does not provide information about control effectiveness. "Program code checking" is incorrect because manual program code checking in a complex system is a difficult task, sometimes impossible, which is more efficiently done by using test data in an integrated test facility.

A company may process most of its business transactions through an electronic data processing (EDP) system. In such case, the controls over the processing must be adequate to safeguard assets and provide reliability in the output produced. One of the methods of testing the controls over the processing is with an integrated test facility.

In an integrated test facility, test data is developed and integrated into the live processing of actual data resulting from business transactions. By assessing the results of the test data at the same time this data is processed with actual data, the auditor can help ensure that the data processed was reliable.

30

Which of the following areas of responsibility are normally assigned to a systems programmer in a computer system environment?

A. Systems analysis and applications programming

B. Data communications hardware and software

C. Operating systems and compilers

D. Computer operations

C. Operating systems and compilers

Systems programmers use the design developed by the analysts to develop an information system and write the computer programs. It follows, therefore, that the programmers would be concerned with the operating system and how it will handle various applications, as well as with compilers (computer programs that convert a source program into an object program, reducing the programming effort).

Systems analysis is assigned to systems analysts, who help users analyze their information needs and design information systems that meet those needs.
Data communications hardware and software would be outside the duties of the programmer, since these items control how the system transmits data and communicates with other systems.
Computer operations are assigned to computer operators. Programmers should never have access to computer operations so that a proper segregation of duties for internal control can be maintained.

31

Which of the following lists comprise all of the components of the data processing cycle?

A. Batching, processing, output

B. Collection, refinement, processing, maintenance, output

C. Input, classifying, batching, verification, transmission

D. Collection, refinement, storing, output

C. Input, classifying, batching, verification, transmission

The usual definition of the data processing cycle (DPC) is “input-processing-output.” A listing of components of the DPC should include, as a minimum, these three components. The correct answer substitutes the term “collection” for “input.” Refinement refers to classifying and/or batching. Maintenance refers to processing-related operations such as calculation and storage.

The data processing cycle describes the operations performed on data in computer-based systems to generate meaningful and relevant information. The data processing cycle has four stages: data input, data processing, data storage, and information output.

32

Which of the following items is one of the eight components of COSO's enterprise risk management framework?

A. Operations

B. Reporting

C. Monitoring

D. Compliance

C. Monitoring

The eight components of COSO's ERM framework are internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. ERM processes must be monitored, deficiencies reported to management, and modifications performed when required.

33

Access time in relation to computer processing is the amount of time it takes to:

A. transmit data from a remote terminal to a central computer.

B. complete a transaction from initial input to output.

C. perform a computer instruction.

D. retrieve data from memory.

D. retrieve data from memory.

Access time in relation to computer processing specifically refers to the amount of time it takes for a computer to seek out and find data or, as stated in the problem, “to retrieve data from memory.” The speed of transmission of data from a remote terminal to a central computer is transmission rate and is often measured in baud. Completing a transaction from initial input to output and performing computer instructions are processing operations and the time it takes to perform them is called processing time.

Relational Databases

a. Most new database systems are relational databases that store data as tables. Each row in a relational table contains data about a separate entity. For example:
(1) Each inventory table row contains data about a particular inventory item.
(2) Each customer table row contains data about a specific customer.
Each column in a table contains information about entity attributes. For example, in a sales table, the columns represent specific sales transaction characteristics (date, amount, customer number).
b. Relational database tables have three types of attributes:
(1) A primary key uniquely identifies a specific row in a table. For example, the primary key in an inventory table is item number. In some tables, the primary key is two or more attributes.
(2) A foreign key is an attribute in one table that is a primary key in another table. A foreign key is used to link tables.

Customer number can be a foreign key in a sales table that links a particular sales transaction with information about the customer who participated in the transaction.
(3) Other non-key attributes in each table store important information about that entity.

An inventory table contains information about the description, quantity on hand, and list price of each inventory item the company sells.
c. Normalization is the process of following the guidelines for properly designing a relational database that is free from delete, insert, and update anomalies. It involves breaking the database into logical tables that can then be joined to create new tables with the information of interest. Properly designed relational databases are flexible and useful for unplanned, ad hoc queries due to their reduced access time (time to retrieve data from memory).

34

Client/server architecture may potentially involve a variety of hardware, systems software, and application software from many vendors. The best way to protect a client/server system from unauthorized access is through:

A. a combination of application and general access control techniques.

B. use of a commercially available authentication system.

C. encryption of all network traffic.

D. thorough testing and evaluation of remote procedure calls.

A. a combination of application and general access control techniques.

Since there is no “perfect solution,” a combination of application and general access control techniques is the best way to protect a client/server system from unauthorized access.

Authentication systems, such as Kerberos, are only a part of the solution.
Encryption of all network traffic only affects general access control techniques.
Testing and evaluation of remote procedure calls (RPCs) may be a small part of an overall security review.

Application controls:

a. are designed to prevent, detect, and correct transaction errors;
b. ensure the integrity of a specific application's inputs, stored data, programs, data transmissions, and outputs; and
c. are much more effective when there are good general controls.

When application controls are weak, the information system is more likely to produce information that contains errors and leads to poor management decisions. This can negatively affect relationships with customers, suppliers, and other external parties.

The following six categories of controls can improve system integrity:

1. Source data controls
2. Input validation routines
3. Online data entry controls
4. Data processing and storage controls
5. Output controls
6. Data transmission controls

35

Which of the following controls is least likely to be closely associated with assuring the accuracy and completeness of data in computer-processed master files?

A. Source data controls

B. File maintenance controls

C. Online data entry controls

D. Logical access controls

D. Logical access controls

Access controls such as passwords and access logs serve to prevent improper access to and use of programs and files. They do not relate specifically to accuracy and completeness of data.

36

A company's labor distribution report requires extensive corrections each month because of labor hours charged to inactive jobs. Which of the following data processing input controls appears to be missing?

A. Completeness test

B. Validity test

C. Limit test

D. Control total

B. Validity test

Validity tests are used to ensure that recorded transactions contain valid transaction codes, valid characters, and valid field size. Inactive jobs should have transaction codes that register as invalid.

Completeness tests are used to ensure that the input has the prescribed amount of data in all data fields.
Limit tests are used to determine whether the data exceed certain predetermined limits.
Control totals are used to reconcile EDP input to the source document totals.

Input Validation Routines

Input validation routines, called edit programs, test input data as it is entered into a system to make sure it is accurate and valid. These tests are called edit checks. In online processing, edit checks are performed during the source data entry process, and incorrect data is not accepted until corrected. In batch processing, a separate program performs the edit checks on the input data before it is processed.

a. The following edit checks are used in input validation routines.
(1) Capacity checks, to test whether data will fit into a field.
(2) Field checks, to test whether characters are the proper type. A field check on a numerical field would indicate an error if it contains blanks or alphabetic characters.
(3) Limit checks, to make sure a numerical amount does not exceed an upper or lower limit.
(4) Range checks, to test for both an upper and a lower limit.
(5) Reasonableness test, to make sure data makes sense when compared to other data.
(6) Redundant data checks, to determine whether two identifiers in a transaction record match.
(7) Sequence checks, to test whether input data is in the proper numerical or alphabetical sequence.
(8) Sign checks, to test data for the appropriate arithmetic sign. (An inventory balance should never possess a negative sign.)
(9) Validity checks, or existence checks, to compare ID numbers or transaction codes to those stored in the system. When vendor 12612 is entered, the computer locates that vendor in its database to confirm that vendor is valid.
(10) Hash total: a set of nonfinancial numbers not normally totaled (e.g., invoice numbers) are totaled by the system after input and are compared to the total generated by the documents themselves.
b. Companies also need to establish procedures to record, correct, and report all input validation errors.
(1) Enter all error data (date occurred, cause, date corrected, date resubmitted) in an error log.
(2) Investigate, correct, and resubmit errors on a timely basis.
(3) Use the normal input validation routine to reedit the corrected transactions.
(4) Review the log periodically to make sure all errors were corrected.
(5) Summarize errors by record type, error type, cause, date, and disposition in an error report sent to management.

37

To ensure the completeness of update in an online system, separate totals are accumulated for all transactions processed throughout the day. The computer then agrees these totals to the total of items accepted for processing. This is an example of:

A. run-to-run controls.

B. computer matching.

C. computer sequence check.

D. one-for-one checking.

A. run-to-run controls.

Run-to-run controls for an online system are able to accumulate separate totals for all transactions processed during the day and then agree the totals to the total of items accepted for processing.

Computer matching compares transaction data to referenced fields or records.
Computer sequence checks identify changes or breaks in a numerical sequence.
One-for-one checking generally requires manual comparisons of input data elements to processing results.

Threats and Controls in General Ledger and Reporting System, Part 1

1. Threat: An error in updating the General Ledger produces incorrect information, which can result in:
a. misleading reports and
b. poor decisions.
2. Controls
a. Input controls, such as:
(1) Making sure summary journal entries represent actual reporting period activity
(2) Validity checks to make sure a general ledger account exists for each journal entry account number
(3) Field checks to make sure amount fields in a journal entry contain only numeric data
(4) Zero-balance checks in journal entries to make sure total debits in each journal entry equal total credits
(5) Completeness tests to make sure all pertinent journal entry data is entered
(6) Closed-loop verification tests to make sure account numbers match account descriptions, so that the correct general ledger account is accessed
(7) Adjusting entry files for standard recurring adjusting entries, such as depreciation expense
(a) Because the entries are not keyed in each time, this improves input accuracy.
(b) Because the entries are not forgotten, this improves input completeness.
(8) Sign checks on general ledger account balances to make sure the balance is of the appropriate nature (debit or credit)
(9) Run-to-run totals to verify batch processing accuracy
(a) Calculate new general ledger account balances, based on beginning balances and total debits and credits applied to the account.
(b) Compare that total with the actual account balance in the updated general ledger.
(c) Investigate any discrepancies, as they indicate a processing error that must be corrected.
b. Reconciliations and controls that help detect general ledger updating errors.
(1) Compare total debit balances to total credit balances in a trial balance to determine if a posting error has occurred.
(2) Determine if clearing and suspense accounts have end-of-period zero balances.
(3) Determine if general ledger control account balances agree to corresponding subsidiary ledger totals.
(4) Examine end-of-period transactions to make sure they are recorded in the proper time period.
c. An audit trail provides the information needed to:
(1) trace transactions from source documents to the general ledger and any report or document using that data,
(2) trace items on reports back through the general ledger to the original source document, and
(3) trace general ledger account changes from their beginning to their ending balance.

38

A systems program:

A. manipulates application programs.

B. employs complex mathematical algorithms.

C. is used in systems analysis and design activities.

D. manipulates transaction data in one of many applications.

A. manipulates application programs.

By definition, systems software consists of programs that act on the instructions provided in application programs. Stated another way, a systems program manipulates application programs.

39

Which of the following is the primary advantage of using a value-added network (VAN)?

A. It provides confidentiality for data transmitted over the Internet.

B. It provides increased security for data transmissions.

C. It is more cost effective for the company than transmitting data over the Internet.

D. It enables the company to obtain trend information on data transmissions.

B. It provides increased security for data transmissions.

Value-added networks (VANs) are telecommunication networks providing communication facilities, enhancing basic telecommunication services by passing, storing, and converting messages using enhanced security techniques.

"It provides confidentiality for data transmitted over the Internet" is incorrect because many VANs use private networks instead of the public Internet. "It is more cost effective for the company than transmitting data over the Internet" is false because the use of a VAN comes at additional cost above that for using the Internet. "It enables the company to obtain trend information on data transmissions" is false because, although a VAN may supply trend information on data transmissions, that is not a primary advantage of using a VAN.

A financial value-added network (FVAN) is an independent organization that provides hardware and software that allow the various EDI networks to communicate with the ACH network.

a. The buyer's IS sends the remittance data and funds transfer instructions together to the FVAN.
b. The FVAN translates the payment instructions from EDI format into ACH format and sends that information to the buyer's bank.
c. The buyer's bank makes a traditional EFT payment to the seller's bank, and the FVAN sends the remittance data to the seller in EDI format.
d. As the seller receives the EFT and EDI portions separately, both must contain a common reference number to facilitate proper matching.
e. Although the buyer realizes the full advantage of FEDI, the seller does not.

40

Controls in the information technology area are classified into the preventive, detective, and corrective categories. Which of the following is a preventive control?

A. Contingency planning

B. Hash total

C. Echo check

D. Access control software

D. Access control software

A preventive control is one that is designed to discover and eliminate problems before they occur. Examples of preventive controls include:

hiring well-qualified personnel and training them well,
segregating employee duties, and
controlling physical access to facilities and information.

Hash totals are an input control. They are a nonsense total; for example, the sum of the digits of an invoice number. A hash total is similar to a control total and is used to verify processing (or output) compared to input.
An echo check is a control feature that calculates a summary statistic, such as the number of bits in the message, before sending data. The receiving unit calculates the same summary statistic and sends it to the sending device (hence the name “echo check”). If the counts do not agree, an error has occurred.
A detective control is a control that provides an alert after an unwanted event. A detective control is designed to catch an error and provide the feedback necessary so corrective action may be taken.

41

Employee numbers have all numeric characters. To prevent the input of alphabetic characters, what technique should be used?

A. Check digit

B. Existence check

C. Dependency check

D. Field check

D. Field check

With a field check, the computer checks that the characters entered are the proper type (e.g., alpha or numeric).

42

Data input validation routines include:

A. terminal logs.

B. hash totals.

C. backup controls.

D. access logs.

B. hash totals.

Data input validation is the verification of accurate input of data, which is an input control (a type of application control). A hash total is a kind of input control where a set of nonfinancial numbers not normally totaled (such as invoice numbers or employee identification numbers) is totaled by the system after input and compared to the total generated by the documents themselves. Terminal logs and access logs are both examples of access controls. A backup control is a kind of corrective control.

Input Validation Routines

Input validation routines, called edit programs, test input data as it is entered into a system to make sure it is accurate and valid. These tests are called edit checks. In online processing, edit checks are performed during the source data entry process, and incorrect data is not accepted until corrected. In batch processing, a separate program performs the edit checks on the input data before it is processed.

a. The following edit checks are used in input validation routines.
(1) Capacity checks, to test whether data will fit into a field.
(2) Field checks, to test whether characters are the proper type. A field check on a numerical field would indicate an error if it contains blanks or alphabetic characters.
(3) Limit checks, to make sure a numerical amount does not exceed an upper or lower limit.
(4) Range checks, to test for both an upper and a lower limit.
(5) Reasonableness test, to make sure data makes sense when compared to other data.
(6) Redundant data checks, to determine whether two identifiers in a transaction record match.
(7) Sequence checks, to test whether input data is in the proper numerical or alphabetical sequence.
(8) Sign checks, to test data for the appropriate arithmetic sign. (An inventory balance should never possess a negative sign.)
(9) Validity checks, or existence checks, to compare ID numbers or transaction codes to those stored in the system. When vendor 12612 is entered, the computer locates that vendor in its database to confirm that vendor is valid.
(10) Hash total: a set of nonfinancial numbers not normally totaled (e.g., invoice numbers) are totaled by the system after input and are compared to the total generated by the documents themselves.
b. Companies also need to establish procedures to record, correct, and report all input validation errors.
(1) Enter all error data (date occurred, cause, date corrected, date resubmitted) in an error log.
(2) Investigate, correct, and resubmit errors on a timely basis.
(3) Use the normal input validation routine to reedit the corrected transactions.
(4) Review the log periodically to make sure all errors were corrected.
(5) Summarize errors by record type, error type, cause, date, and disposition in an error report sent to management.

43

A digital signature is used primarily to determine that a message is:

A. unaltered in transmission.

B. not intercepted en route.

C. received by the intended recipient.

D. sent to the correct address.

A. unaltered in transmission.

A digital signature allows the creator of a message to digitally “sign” the data and provides proof of authorization. Because a digital signature cannot be altered, it allows the recipient to determine that a message has been unaltered in transmission.

A digital signature uniquely identifies the sender of an electronic message, similar to how a handwritten signature identifies the signer of a paper document.

a. In a PKI system, a digital signature is created when the sender's private key encrypts the sender's message. The message can only be decoded by using the corresponding public key.
b. A valid digital signature does not verify the identity of the private key's owner. It only proves that the message was sent by the owner of the private key that corresponds to the public key used to decode the message.

44

A department store company with stores in 11 cities is planning to install a network so that stores can transmit daily sales by item to headquarters and store salespeople can fill customer orders from merchandise held at the nearest store. Management believes that having daily sales statistics will permit better inventory management than is the case now with weekly deliveries of sales reports on paper. Salespeople have been asking about online inventory availability as a way to retain the customers that now go to another company's stores when merchandise is not available. The planning committee anticipates many more applications so that in a short time the network would be used at or near its capacity.

The planning committee was concerned that unauthorized people might attempt to gain access to the network. If the company installs a network using leased lines, then it should ensure that:

A. phone numbers for the network are kept confidential.

B. tone suppression devices are installed on all ports.

C. transmission facilities on its premises are secure.

D. network availability is limited to certain times of the day.

C. transmission facilities on its premises are secure.

If the company installs a leased-line network, it should ensure that transmission facilities on its premises are secure.

In a leased-line network, there are no phone numbers and hence no ports with tone devices for incoming calls. Limiting network availability to certain times of the day is often associated with public switched lines, not leased lines, to reduce the time during which unauthorized people could potentially gain access to the system.

45

A manufacturing firm identified that it would have difficulty sourcing raw materials locally, so it decided to relocate its production facilities. According to COSO, this decision represents which of the following responses to the risk?

A. Risk reduction

B. Prospect theory

C. Risk sharing

D. Risk acceptance

A. Risk reduction

Risk reduction helps to lower costs and correct issues within a corporation. If the manufacturing firm relocates to an area closer to a firm that can provide the raw materials, the firm will reduce the risk of higher costs. Risk sharing involves working with another organization to spread the risk between the two entities. Risk acceptance is the assumption of all risk because it is determined to be acceptable. Prospect theory is a behavioral economic theory that describes the way people choose between alternatives that involve risk and where the probabilities of the outcomes are known.

Management should always be in the process of identifying risks in order to assess and respond accordingly.

There are eight components of COSO's ERM framework:

1. Internal environment. The people in a business and the environment in which they operate are the foundation for all other ERM components.
2. Objective setting. Management must put into place a process to formulate objectives in order to help the company assess and respond to risks.
3. Event identification. Certain events can affect the company's ability to implement its strategy and achieve its objectives. Management must identify these events and determine whether they represent risks or opportunities.
4. Risk assessment. Identified risks are evaluated to determine how they affect the company's ability to achieve its objectives and how to manage them. Both qualitative and quantitative methods are used to assess risks.
5. Risk response. Management can choose to avoid, reduce, share, or accept risks after careful analysis.
6. Control activities. To ensure that management's risk responses are effectively carried out, policies and procedures should be implemented.
7. Information and communication. Information about ERM components needs to be communicated through all levels of the company and with external parties.
8. Monitoring. ERM processes must be monitored, deficiencies reported to management, and modifications performed when required.
Nine years after COSO released the internal control framework, it began investigating how organizations could improve the risk management process by effectively identifying, assessing, and managing risk. The result was an enhanced corporate governance document, called Enterprise Risk Management—Integrated Framework (ERM).

The ERM framework takes a risk-based, rather than a controls-based, approach. It expands on the elements of the internal control integrated framework and is much more comprehensive. The objective is to achieve all the goals of the control framework and help the organization to:

a. attain reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized,
b. continuously assess risks and identify the appropriate action to take and the resources to allocate to overcome or mitigate risk,
c. achieve its financial and performance targets, and
d. avoid adverse publicity and damage to the entity's reputation.

46

Which of the following configurations of elements represents the most complete disaster recovery plan?

A. Vendor contract for alternate processing site, backup procedures, and names of persons on the disaster recovery team

B. Alternate processing site, backup and off-site storage procedures, identification of critical applications, and test of the plan

C. Off-site storage procedures, identification of critical applications, and test of the plan

D. Vendor contract for alternate processing site, names of persons on the disaster recovery team, and off-site storage procedures

B. Alternate processing site, backup and off-site storage procedures, identification of critical applications, and test of the plan

Disaster plans must include all of the following factors:

A backup for programs and data
An alternative processing site
Off-site storage of backup
Identification of critical applications
A method for testing the plan

47

Which of the following is a primary function of a database management system?

A. Report customization

B. Capability to create and modify the database

C. Financial transactions input

D. Database access authorizations

B. Capability to create and modify the database

A database management system (DBMS) is a specialized computer program that manages and controls data and the interface between data and the application programs. Such a system is designed to make it easier to develop new applications and allows users to change the way they view data without changing how the data are stored physically.

The other answer choices (report customization, financial transactions input, and database access authorizations) are all performed by the system user rather than the DBMS.

Historically, new files and programs were created each time an information need arose. This resulted in a proliferation of master files and the same data stored in two or more separate master files. When data was updated on one file and not on the other, data inconsistencies arose. This led to the creation of databases that are an organizational resource managed for the entire organization, not just a department or function.

A database is a set of interrelated, centrally coordinated files.

a. Their use minimizes or eliminates the proliferation of master files and data redundancies.
b. Data integration and data sharing are accomplished by combining master files into larger databases accessed by many application programs.
c. A database management system (DBMS) is a complex software package that permits users to access information from the database. In addition to basic data movement (utility) services, the DBMS provides for access and identification security, concurrent use of data, and backup and recovery. The DBMS is “application independent” and does not actually run application programs.
d. A database system consists of the database, the DBMS, and application programs that access the database through the DBMS.
e. The data dictionary contains a description of all data elements, stores, and flows in a system. Typically, a master copy of the data dictionary is maintained to ensure consistency and accuracy throughout the development process. The data dictionary is created using a data definition language (DDL).
f. The data query language (DQL) is used to interrogate the database.
g. The data manipulation language (DML) provides programmers with a facility to update the database.
h. Data control language (DCL) is used to specify privileges and security rules.

48

Data input validation routines include:

A. terminal logs.

B. hash totals.

C. backup controls.

D. access logs.

B. hash totals.

Data input validation is the verification of accurate input of data, which is an input control (a type of application control). A hash total is a kind of input control where a set of nonfinancial numbers not normally totaled (such as invoice numbers or employee identification numbers) is totaled by the system after input and compared to the total generated by the documents themselves. Terminal logs and access logs are both examples of access controls. A backup control is a kind of corrective control.

49

A system where several minicomputers are connected for communication and data transmission purposes, but where each computer can also process its own data, is known as a:

A. distributed data processing network.

B. centralized network.

C. decentralized network.

D. multidrop network.

A. distributed data processing network.

Distributed data processing is a network of interdependent computers where certain functions are centralized and other functions are decentralized and processing is shared among two or more computers. In a distributed data processing network, each computer can also process its own data. Distributed data processing is an alternative to both centralization and decentralization.

A wide area network (WAN) covers a wide geographic area. There are three ways to configure a WAN:

a. Centralized, where all devices are linked to a mainframe.
(1) Advantages: better control, more experienced IT staff, economies of scale.
(2) Disadvantages: greater complexity, higher communications costs, less flexibility in meeting department and user needs.
b. Decentralized, where each department has its own computer and LAN.
(1) Advantages: meets department and user needs better, lower communication costs, and locally stored data.
(2) Disadvantages: coordinating data stored at many locations, higher hardware costs, implementing effective controls.
c. Distributed data processing (DDP) system, where computers at each location handle local processing and are also linked to the corporate mainframe.
(1) Advantages: local computers back each other up, risk of catastrophic loss is reduced, there is quick local access to large amounts of processed data, and local systems can easily be added, upgraded, or deleted.
(2) Disadvantages: coordinating the system, maintaining hardware and software, difficulty standardizing documentation and control, more difficult to achieve adequate security controls and separation of duties, data duplication and inconsistencies.
d. Downsizing is a procedure of shifting data processing and problem solving from mainframes to smaller computer systems. Downsizing saves money and allows the end user to be more involved in the processing of the data.
e. A metro-area network (MAN) connects multiple sites with multiple workstations for shared use of common resources.


50

At a remote computer center, management installed an automated scheduling system to load data files and execute programs at specific times during the day. The best approach for verifying that the scheduling system performs as intended is to:

A. analyze job activity with a queuing model to determine workload characteristics.

B. simulate the resource usage and compare the results with actual results of operations.

C. use library management software to track changes to successive versions of application programs.

D. audit job accounting data for file accesses and job initiation/termination messages.

D. audit job accounting data for file accesses and job initiation/termination messages.

Auditing job accounting data for file accesses and job initiation/termination messages will reveal whether the right data files were loaded/dismounted at the right times and the right programs were initiated/terminated at the right times, and thus verify whether the scheduling system performs as intended.

Analyzing job activity with a queuing model to determine workload characteristics gives information about resource usage but does not verify whether the right data files were loaded/dismounted at the right times and the right programs were initiated/terminated at the right times.
Simulating the resource usage and comparing the results with actual results of operations helps management characterize the workload but does not verify whether the right data files were loaded/dismounted at the right times and the right programs were initiated/terminated at the right times.
Using library management software to track changes to successive versions of application programs permits control of production and test versions but does not verify whether the scheduling system performs as intended.

51

Which of the following is not true? Relational databases:

A. are flexible and useful for unplanned, ad hoc queries.

B. store data in table form.

C. use trees to store data in a hierarchical structure.

D. are maintained on direct access devices.

C. use trees to store data in a hierarchical structure.

Hierarchical databases use tree structures to organize data; relational databases use tables.

Relational databases are flexible and useful for unplanned, ad hoc queries, do store data in table form, and are maintained on direct access devices.

Relational Databases

a. Most new database systems are relational databases that store data as tables. Each row in a relational table contains data about a separate entity. For example:
(1) Each inventory table row contains data about a particular inventory item.
(2) Each customer table row contains data about a specific customer.


Each column in a table contains information about entity attributes. For example, in a sales table, the columns represent specific sales transaction characteristics (date, amount, customer number).
b. Relational database tables have three types of attributes:
(1) A primary key uniquely identifies a specific row in a table. For example, the primary key in an inventory table is item number. In some tables, the primary key is two or more attributes.
(2) A foreign key is an attribute in one table that is a primary key in another table. A foreign key is used to link tables.

Customer number can be a foreign key in a sales table that links a particular sales transaction with information about the customer who participated in the transaction.
(3) Other non-key attributes in each table store important information about that entity.

An inventory table contains information about the description, quantity on hand, and list price of each inventory item the company sells.
c. Normalization is the process of following the guidelines for properly designing a relational database that is free from delete, insert, and update anomalies. It involves breaking the database into logical tables that can then be joined to create new tables with the information of interest. Properly designed relational databases are flexible and useful for unplanned, ad hoc queries due to their reduced access time (time to retrieve data from memory).

52

Which of the following is one purpose of an embedded audit module?

A. Enable continuous monitoring of transaction processing.

B. Identify program code that may have been inserted for unauthorized purposes.

C. Verify the correctness of account balances on a master file.

D. Review the contents of a specific portion of computer memory.

A. Enable continuous monitoring of transaction processing.

An embedded audit module enables continuous monitoring and analysis of transaction processing, including the functioning of processing controls.

Mapping is a technique for determining whether a computer program contains any unexecuted code that should be examined.
Retrieval and analysis programs such as generalized audit software offer the features and flexibility suitable for verifying the correctness of information on a computer file.
The snapshot method is a technique utilized to capture and print all data pertinent to the analysis of a specific moment in the processing cycle.

53

According to COSO, which of the following components of enterprise risk management addresses an entity’s integrity and ethical values?

A. Information and communication

B. Internal environment

C. Risk assessment

D. Control activities

B. Internal environment

The internal environment encompasses the tone of an organization, influencing the risk consciousness of its people, and is the basis for all other components of enterprise risk management, providing discipline and structure.

Internal environment factors include an entity’s risk management philosophy; its risk appetite; oversight by the board of directors; the integrity, ethical values, and competence of the entity’s people; and the way management assigns authority and responsibility, and organizes and develops its people.

The answer choice "information and communication" refers to the control activities that capture, record, and communicate information to the users. "Risk assessment" refers to management’s responsibility to assess both internal and external risk to determine when control systems should be modified. "Control activities" are implemented to ensure that the information and communication activities function properly.

There are eight components of COSO's ERM framework:

1. Internal environment. The people in a business and the environment in which they operate are the foundation for all other ERM components.
2. Objective setting. Management must put into place a process to formulate objectives in order to help the company assess and respond to risks.
3. Event identification. Certain events can affect the company's ability to implement its strategy and achieve its objectives. Management must identify these events and determine whether they represent risks or opportunities.
4. Risk assessment. Identified risks are evaluated to determine how they affect the company's ability to achieve its objectives and how to manage them. Both qualitative and quantitative methods are used to assess risks.
5. Risk response. Management can choose to avoid, reduce, share, or accept risks after careful analysis.
6. Control activities. To ensure that management's risk responses are effectively carried out, policies and procedures should be implemented.
7. Information and communication. Information about ERM components needs to be communicated through all levels of the company and with external parties.
8. Monitoring. ERM processes must be monitored, deficiencies reported to management, and modifications performed when required.

54

Which of the following control activities should be taken to reduce the risk of incorrect processing in a newly installed computerized accounting system?

A. Segregation of duties

B. Ensure proper authorization of transactions

C. Adequately safeguard assets

D. Independently verify the transactions

D. Independently verify the transactions

Key verification is having another employee independently re-enter transactions, then programming the software to compare the inputs, looking for errors. Check digit verification uses an extra character in numbers such as account numbers and part numbers. The software recomputes the extra character and flags incorrect numbers. Either type of verification will reduce the risk of incorrect processing.

The other answer choices are incorrect because they are general controls that regulate the computer activity rather than the application processing. Segregation of duties, proper authorization of transactions, and safeguarding assets will not prevent errors in processing by the software.

55

A data and program backup procedure in which files are electronically transferred to a remote location is called:

A. grandfather-father-son.

B. a remote backup facility.

C. an off-site backup and recovery procedure.

D. electronic vaulting.

D. electronic vaulting.

Electronic vaulting is the process of electronically transmitting and storing backups of programs and data at a remote data storage facility.

Data and Program File Backups

a. All program and data files should be backed up regularly and frequently.
b. A copy should be stored on-site and another at a secure site some distance away.
c. Backup files can be transported to the remote site in two ways:
(1) Physically, by mailing, shipping, or delivering them
(2) Electronically, by way of electronic vaulting. There are two main electronic vaulting approaches: (1) the push approach, where a company electronically sends the items to be backed up, and (2) the pull approach, where the electronic vaulting service installs its software on company computers and uses Internet connections to periodically contact company computers and automatically back up data. If data is lost or needs to be accessed, the Internet connection provides prompt online access to the backup data.
d. To protect data privacy, all data should be encrypted before being transmitted.

56

A type of flowchart representing areas of responsibility (such as departments) as columns is called horizontal or ________ flowcharts.

A. data flow

B. level

C. program

D. document

D. document

Document flowcharts, also called horizontal flowcharts, depict areas of responsibility such as departments arranged horizontally across the chart. For example, purchasing, receiving, and storage might be used in a flowchart representing materials acquisition.

Information systems are documented using the following methods:

a. Narrative documentation is a written, step-by-step explanation of system components and interactions.
b. A flowchart graphically describes an information system in a clear, concise, and logical manner. Flowcharts use a standard set of input/output, processing, storage, and data flow symbols to pictorially describe the system.
(1) A document flowchart graphically describes the flow of documents and information among areas of responsibility (or departments) within an organization. Document flowcharts trace a document from its cradle to its grave. They show where each document originates, its distribution, the purposes for which it is used, its ultimate disposition, and everything that happens as it flows through the system.
(2) An internal control flowchart is particularly useful in analyzing the adequacy of control procedures in a system, such as internal checks and segregation of duties. It can reveal weaknesses or inefficiencies in a system, such as inadequate communication flows, unnecessary complexity in document flows, or procedures responsible for causing wasteful delays.
(3) A system flowchart graphically describes the relationship among the input, processing, and output functions of an AIS. A system flowchart begins by identifying both the inputs that enter the system and their origins. The input is followed by the processing portion of the flowchart; that is, the steps performed on the data. The logic the computer uses to perform the processing task is shown on a program flowchart. The resulting new information is the output component, which can be stored for later use, displayed on a screen, or printed on paper. In many instances, the output from one process is an input to another.
c. Diagrams. A data flow diagram (DFD) graphically describes the source of data, the flow of data in an organization, the processes performed on the data, where data is stored in the organization, and the destination of data. It is used to document existing systems and to plan and design new ones.
d. Dictionaries. A data dictionary contains a description of all data elements, stores, and flows in a system. Typically, a master copy of the data dictionary is maintained to ensure consistency and accuracy throughout the development process.
e. Other written material that explains how a system works
f. Operating documentation is all information required by a computer operator to run a program, including the equipment configuration used, variable data to be entered on the computer console, and descriptions of conditions leading to program halts and related corrective actions.


57

Using standard procedures developed by information center personnel, staff members download specific subsets of financial and operating data as they need it. The staff members analyze the data on their own personal computers (PCs) and share results with each other. Over time, the staff members learn to modify the standard procedures to get subsets of financial and operating data that were not accessible through the original procedures. The greatest risk associated with this situation is that:

A. the data obtained might be incomplete or lack currency.

B. the data definition might become outdated.

C. the mainframe data might be corrected by staff members' updates.

D. repeated downloading might fill up staff members' PCs.

A. the data obtained might be incomplete or lack currency.

Information output is presented in three forms:

1. Documents are records of transactions or other company data.
a. They can be printed out or stored as electronic images in a computer.
b. Some are meant for external parties, such as checks and invoices. Others are used internally, such as receiving reports and purchase requisitions.
c. Source documents are used at the beginning of a process.
d. Operational documents are generated at the end of a transaction processing activity.
2. Reports are prepared for both internal and external users.
a. Many different people use reports. For example:
(1) Employees use reports to control operational activities.
(2) Managers use reports to make decisions and develop business strategies.
(3) External parties use reports to comply with regulatory requirements, make decisions (such as judging creditworthiness), and evaluate company operations (profitability, etc.).
b. Reports are produced on a regular basis, on an exception basis to call attention to unusual conditions, and on demand.
c. Companies should periodically reassess the need for each report produced. All too often, reports are prepared long after their need disappears, wasting time, money, and computer resources.
3. Queries are requests for a specific piece of information.
a. Queries arise from problems and questions that need rapid action or answers and information needs that are not satisfied by documents or periodic reports.
b. When a query is made, the system finds the information, retrieves it, and displays or analyzes it as requested.
c. Since many queries are repetitive, users can have a predetermined set of queries available to them that are developed by information system (IS) specialists. Unusual or one-time ad hoc queries are usually developed by the users themselves using a query utility program.

Some companies allow suppliers to query their databases so the suppliers can better meet their needs. This allows the supplier to gauge how well a product is selling and maximize sales by stocking and promoting the items that are selling well.

58

A software tool used to infrequently select or access items in the database would most likely be:

A. a report generator.

B. a program generator.

C. an application generator.

D. a query utility program.

D. a query utility program.

Report, program, and applications generators are fourth-generation languages that are used to create reports, programs, and applications on a routine basis.

Query utility programs enable a user to query or interrogate a database. Typically this is done on an as-needed basis.

59

Which of the following best defines electronic data interchange (EDI) transactions?

A. Electronic business information is exchanged between two or more businesses.

B. Customers' funds-related transactions are electronically transmitted and processed.

C. Entered sales data are electronically transmitted via a centralized network to a central processor.

D. Products sold on central web servers can be accessed by users at any time.

A. Electronic business information is exchanged between two or more businesses.

Languages and Technologies Used for Information Exchange

a. eXtensible Markup Language (XML) is a set of standards for defining the content of data on web pages.
b. ebXML is a variation of XML that sets standards for coding common business documents. Because it eliminates the need for proprietary software to translate documents created by different companies, it is easier to use and less expensive than EDI.
c. Electronic funds transfer (EFT) is disbursing cash electronically, rather than by check. EFT is made possible by the Automated Clearing House (ACH) network created by the banking system.
d. Electronic data interchange (EDI) is used to electronically transfer information between and within organization computers.
(1) This eliminates the need to manually reenter data, improves accuracy, and cuts costs associated with mailing, processing, and storing paper documents.
(2) With the advent of the Internet, third-party networks are no longer needed to transmit EDI messages.
e. Financial electronic data interchange (FEDI) integrates EFT with EDI.
(1) The buyer's IS sends orders and delivery instructions to the seller's IS.
(2) The seller delivers the goods.
(3) The buyer's IS sends a message, containing both the remittance data and EFT instructions, to its bank.
(4) The buyer's bank forwards that message to the seller's bank.
(5) The seller's bank deposits money electronically into the seller's account.
(6) The seller's bank sends the remittance data and the notification of the funds transfer to the seller.

60

In which of the following locations should a copy of the accounting system data backup of year-end information be stored?

A. Secure off-site location

B. Data backup server in the network room

C. Fireproof cabinet in the data network room

D. Locked file cabinet in the accounting department

A. Secure off-site location

A backup, or duplicate copy, of the accounting system data is a control used to help safeguard the data. While considerations for the backup should include physical security (locking up), protection from conditions that could harm it (such as storing it in a fireproof cabinet), and storage at a different location from the server (data backup server), the key to a backup is storage off-site. A disaster that strikes the main processing location may also affect the backup if it is not stored at another location.

Data and Program File Backups

a. All program and data files should be backed up regularly and frequently.
b. A copy should be stored on-site and another at a secure site some distance away.
c. Backup files can be transported to the remote site in two ways:
(1) Physically, by mailing, shipping, or delivering them
(2) Electronically, by way of electronic vaulting. There are two main electronic vaulting approaches: (1) the push approach, where a company electronically sends the items to be backed up, and (2) the pull approach, where the electronic vaulting service installs its software on company computers and uses Internet connections to periodically contact company computers and automatically back up data. If data is lost or needs to be accessed, the Internet connection provides prompt online access to the backup data.
d. To protect data privacy, all data should be encrypted before being transmitted.

61

An integrated group of programs that supervises and supports the operations of a computer system as it executes users' application programs is called:

A. an operating system.

B. a database management system.

C. a utility program.

D. an object program.

A. an operating system.

62

A total interruption of processing throughout a distributed information technology system can be minimized through the use of:

A. exception reporting.

B. fail-soft protection.

C. backup and recovery.

D. data file security.

B. fail-soft protection.

The capability to continue processing at all sites except a nonfunctioning one is called fail-soft protection, an advantage of distributed systems.

Exception reporting can be used to control correctness and timeliness of updates but cannot minimize the impact of an interruption.
Backup procedures are intended to prevent the recovery process from introducing any erroneous changes into the system after computer failure.
Data file security is intended to prevent unauthorized changes to data files.

63

Because an organization makes heavy use of client/server architecture, end users have much of its critical and sensitive information on their personal computers (PCs) and departmental file servers. The chief financial officer has asked the auditors for input for developing an end-user computing policy. The policy requires a long-range, end-user computing plan. Which of the following documents should most strongly influence the development of this plan?

A. The multi-year audit plan

B. The information security policy

C. The systems development methodology

D. The organization's strategic operational plan

D. The organization's strategic operational plan

Strategic goals outline how the organization will use information systems to create a competitive advantage, and the strategic operational plan is, therefore, one of the most important influences on the development of the end-user computing strategic plan.

The audit plan flows from the strategic plan, not vice versa.
Changing technology could influence the organization's approach to security, so the security policy also flows from the strategic plan.
Changing technology could influence the organization's approach to systems development, so the systems development methodology also flows from the strategic plan.

64

The processing in knowledge-based systems is characterized by:

A. algorithms.

B. deterministic procedures.

C. heuristics.

D. simulations.

C. heuristics.

Knowledge-based systems use symbolic processing based on heuristics, or rules of thumb.

Algorithms are defined procedures, characteristic of typical computer programs.
Deterministic procedures are procedures, implemented in computer programs, that permit no uncertainty in outcomes.
Simulations are computer programs that prepare results as if a set of assumptions were true.

65

To properly control access to accounting database files, the database administrator should ensure that database system features are in place to permit:

A. access only to authorized users.

B. read-only access to the database files.

C. user updates of their access profiles.

D. updating from privileged utilities.

A. access only to authorized users.

A database is a structured set of interrelated files combined to eliminate redundancy of data items within the files and to establish logical connections between data items. Many of these files contain sensitive data. Proper control requires that the database administrator permit access only to authorized users of this data.

Permitting read-only access to accounting database files would, unfortunately, preclude any updating of those files. Updating from privileged utilities would produce a security breach. Allowing users to update their own access profiles is a security issue.

66

Decision tables differ from program flowcharts in that decision tables emphasize:

A. ease of manageability for complex programs.

B. logical relationships among conditions and actions.

C. cost benefit factors justifying the program.

D. the sequence in which operations are performed.

B. logical relationships among conditions and actions.

A decision table is a chart used to document actions in response to specific conditions. A flowchart is a graphic depiction, using uniform symbols to show the control flow, primary actions, and interrelationships of a task or a set of tasks. A decision table shows the logic between conditions and resulting actions.

"Ease of manageability for complex programs" is incorrect because flowcharts make it easier to visualize complex systems. "Cost benefit factors justifying the program" is incorrect because the decision table shows the relationship between the condition and the action, not the cost or benefit justifying a program. "The sequence in which operations are performed" is incorrect because the flowchart, not the decision table, shows the sequence in which operations occur.

67

A company with several hundred stores has a network for the stores to transmit sales data to headquarters. The network is also used for:

-vendors to submit reorders,
-stores to transmit special orders to headquarters,
-regional distribution centers to communicate delivery and out-of-stock information to the stores,
-the national office to distribute training materials, and
-store, regional, and national personnel to share any information they think helpful.

In order to accommodate the large volume of transmissions, large stores have their own satellite receiving/transmitting stations. Small stores use leased lines.

The information systems director is concerned that someone might be able to enter fictitious orders from store terminals. Of the following, the best control for minimizing the likelihood of such an occurrence is to:

A. encrypt outward bound transmissions from the stores.

B. require change control procedures for programs.

C. enforce password control procedures for users.

D. encourage employees to report suspicious activity.

C. enforce password control procedures for users.

Enforcing password control procedures would make it more difficult for an unauthorized person, such as a competitor intending to disrupt the distribution patterns, to gain prolonged entry.

-Encrypting transmissions from the stores would increase the difficulty of eavesdropping on the transmissions but would not deter someone from entering bogus transactions.
-Requiring change control for programs ensures that program changes are authorized, tested, and documented.
-Encouraging store employees to report suspicious activity is a good practice, but such activity might go undetected.

68

Which of the following would an auditor ordinarily consider the greatest risk regarding an entity’s use of electronic data interchange (EDI)?

A. Authorization of EDI transactions

B. Duplication of EDI transmissions

C. Improper distribution of EDI transactions

D. Elimination of paper documents

C. Improper distribution of EDI transactions

Electronic data interchange (EDI) transmits confidential information to business partners. There is always a risk in data transmission of it being received by unintended recipients, and this would concern an auditor.

"Authorization of EDI transactions" is incorrect because proper authorization is required for transactions whether or not EDI is involved. "Duplication of EDI transmissions" is incorrect because duplication of transmissions to ensure receipt is not a risk. The risks associated with these answer choices are controlled at the originating entity and do not result from improper transmission of the data.

"Elimination of paper documents" is incorrect because elimination of paper documents reduces the chance that the information will be acquired by unintended recipients.

69

An organization relied heavily on e-commerce for its transactions. Evidence of the organization's security awareness manual would be an example of which of the following types of controls?

A. Preventive

B. Detective

C. Corrective

D. Compliance

A. Preventive

Preventive controls aim to eliminate problems before they occur. A security awareness manual would show that management has thought about and planned for security risks before those risks were encountered.

Detective controls occur after the fact. The goal of a detective control is to catch problems that cannot be eliminated by preventive controls.
Corrective controls help identify why a problem occurred and then help fix it or make sure that it does not happen again.
Compliance is not a type of control.

Corrective controls remedy problems discovered through detective controls. They include procedures to identify the cause of a problem, correct errors arising from the problem, and modify the system so that future errors may be minimized or eliminated. One such procedure is the maintenance of backup copies of key transaction and master files, so that damaged or destroyed files can be restored. Also included are procedures for correcting any errors found during the data verification process and resubmitting the related transactions for subsequent processing. In addition, a log of such errors may be maintained to facilitate follow-up procedures and ensure that proper corrective action is taken.

A detective control is a control that provides an alert after an unwanted event. A detective control is designed to catch an error and provide the feedback necessary so corrective action may be taken.

Preventive controls are internal controls designed to prevent or minimize the chance of errors and fraud.

70

Which of the following statements is true regarding Transmission Control Protocol and Internet Protocol (TCP/IP)?

A. Every TCP/IP-supported transmission is an exchange of funds.

B. TCP/IP networks are limited to large mainframe computers.

C. Every site connected to a TCP/IP network has a unique address.

D. The actual physical connections among the various networks are limited to TCP/IP ports.

C. Every site connected to a TCP/IP network has a unique address.

Transmission Control Protocol/Internet Protocol (TCP/IP) is the basic communication language, or protocol, of the Internet; it may also be used as a communications protocol in private networks such as intranets. A message or file is broken into smaller packets that are sent over the Internet and received by the TCP layer, which reassembles the packets into the original message.

"Every TCP/IP-supported transmission is an exchange of funds" is incorrect; every web page access uses TCP/IP and most do not involve the exchange of funds. "TCP/IP networks are limited to large mainframe computers" is incorrect because personal computers (PCs) and smartphones use the Internet, a TCP/IP network. "The actual physical connections among the various networks are limited to TCP/IP ports" is incorrect because there are often no physical connections in Internet communications; transmissions can use radio waves or light with no physical connection.

Routers control the flow of information sent over the Internet or an internal local network.

a. Data to be sent is divided into packets and transmitted, and the device receiving the packets reassembles the packets to recreate the original message or data.
b. Two important protocols, referred to as TCP/IP, govern the process for transmitting information over the Internet.
(1) The Transmission Control Protocol (TCP) specifies the procedures for dividing data into packets and reassembling them.
(2) The Internet Protocol (IP) specifies the structure of the packets and how to route them to the proper destination.
c. Every IP packet consists of two parts: a header and a body.

The header contains the packet's origin and destination addresses, as well as information about the type of data contained in the body of the packet.
d. A router reads the destination address field in an IP packet header to determine where it is to be sent.

Rules, referred to as an access control list (ACL), determine which packets are allowed into a system.
e. A border router connects an organization's information system to the Internet.
(1) It checks the contents of the destination address field of every packet it receives. If the address is not that of the organization, the packet is forwarded on to another router on the Internet.
(2) If the destination address matches that of the organization, the source and destination fields in the IP packet header undergo a number of tests before being allowed in.
(3) Packets that fail a test are not allowed into the system. Those that do not fail the tests are passed on to the firewall, where they will be subjected to more detailed testing before being allowed to enter the organization's internal network.

71

Your firm has recently converted its purchasing cycle from a manual process to an online computer system. Which of the following is a probable result associated with conversion to the new automated system?

A. Processing errors are increased.
B. The nature of the firm's risk exposure is reduced.
C. Processing time is increased.
D. Traditional duties are less segregated.

D. Traditional duties are less segregated.

Conversion to automated data processing usually reduces the existing segregation of duties because the computer combines many functions which previously could have been performed by separate persons. Thus, an individual with access to the various computer functions could perform incompatible duties.

Conversion to automated data processing usually reduces processing errors, has little or no effect on the types of risk to which the firm is exposed, and usually reduces processing time.

Relative to electronic data processing (EDP), conversion is the phase in the system development life cycle (SDLC) where old or manual files are transferred to the new system.

The term may also be used to refer to the change from one processor or processing environment to another, as when the entity buys new computer equipment.

This phase is particularly important to the internal auditor because care must be taken to ensure the integrity of the transferred information.

72

If the Federal Reserve Board wanted to implement an expansionary monetary policy, which one of the following set of actions would the Federal Reserve Board take?

A. Raise the reserve requirement and the discount rate.

B. Purchase additional U.S. government securities and lower the discount rate.

C. Reduce the reserve requirement and raise the discount rate.

D. Lower the discount rate and raise the reserve requirement.

B. Purchase additional U.S. government securities and lower the discount rate.

The money supply (M1) consists of all coin and currency in the hands of the public and all checkable deposits. The Federal Reserve has the responsibility of controlling the money supply. It has three basic tools it uses to achieve its goals: open market operations (purchase and sale of government securities), the discount rate (the rate the Fed charges when it makes loans to member institutions), and the reserve requirement (the percentage that member institutions must hold on deposit with the Fed or as vault cash). An expansionary monetary policy is one where the Fed desires to increase the money supply. Purchasing government securities would provide additional reserves to member institutions that they could then lend to customers. Reducing the discount rate would make borrowing from the Fed to lend to customers more attractive.

73

A key rationale or cause for the changing pattern of investment in agriculture by sovereign wealth funds would be:

A. to create markets for the output of their farmers in the countries where they are investing by attaching conditions to the loans that require those nations to make specific commodity purchases.

B. to ensure food security in the event that crop shortages would cause export bans that might curtail their ability to import crops.

C. to ensure getting the products at lower prices in the event that crop shortages caused price spikes in commodity markets.

D. to support the countries in which they are investing to produce cash crops that can be used for domestic consumption to provide for a better level of food security for the emerging market economy in which the investment took place as part of United Nations efforts to improve world food security.

B. to ensure food security in the event that crop shortages would cause export bans that might curtail their ability to import crops.

A key driver of SWF (sovereign wealth fund) investment in agriculture is to ensure food security for their country in the event worldwide food shortages would curtail the availability of foodstuffs in traditional agricultural markets. Also, many emerging market economies are not well-suited for adequate agricultural production as they lack sufficient arable land and have an inadequate water supply. Thus, they outsource food production by purchasing and/or leasing land and growing the crops elsewhere in the world and having the output exported to the homeland.

Traditional investment in agriculture involved investment to support shifting production from staple crops to those that could be exported to world agricultural markets to earn a profit for the investing coun

74

Which of the following is not a primary use to which funds invested by sovereign wealth funds (SWFs) would be put?

A. Investing in land in another country to produce staple crops for export to their country in a way designed to circumvent the workings of world commodity markets

B. Diversifying the use of foreign exchange reserves and attempting to improve food and energy security

C. Attempting to make investments that would allow their citizens to increase their savings rate to ensure that the citizens provide their own social safety net

D. Acquiring technologies, brands, and resources designed to improve productivity and improve management techniques

C. Attempting to make investments that would allow their citizens to increase their savings rate to ensure that the citizens provide their own social safety net

A key agricultural goal would be to invest in staple crops with a protectionist impulse designed to circumvent world commodity markets. Many emerging market economies find investing in their own domestic agriculture to be problematic due to a scarcity of arable land and, more importantly, a shortage of water. They outsource food production, growing crops abroad and shipping them back to the home country.

Other investments by SWFs are designed to acquire technologies, brands, resources, and better access to international markets and to use technology to enhance productivity. A country like China is taking advantage of the low valuations of increasingly desperate foreign operations (particularly in strategically important sectors such as energy and raw materials) and is making investments in an attempt to achieve energy security and access to strategic materials at a known contract price.

Many SWFs are attempting to learn how U.S. companies operate and transfer those skills to improve the operation of their domestic firms.

75

Mutual interdependence means that:

A. each firm in an oligopolistic industry produces a product that is a close substitute for those produced by rival firms.

B. when a monopolist chooses a price for its product, the quantity it will produce is dependent on the demand curve the firm faces.

C. each firm in an oligopolistic industry must consider the reactions of its rivals when it makes decisions concerning how to price its product.

D. when a monopolistic competitive firm chooses the type of product differentiation to pursue, it is dependent on the desires and whims of the consumer.

C. each firm in an oligopolistic industry must consider the reactions of its rivals when it makes decisions concerning how to price its product.

76

Information related to the financial transactions for a country is given as follows with values stated in billions of dollars.


-- Gross domestic product (GDP) $4,000
-- Transfer payments 500
-- Corporate income taxes 50
-- Social Security contributions 200
-- Indirect business taxes 210
-- Personal income taxes 250
-- Undistributed corporate profits 25
-- Depreciation 500
-- Net income earned abroad for the country 0

Disposable income is:

A. $3,500.

B. $3,290.

C. $4,500.

D. $3,265.

D. $3,265.

Disposable income is that income received by individuals which is available for consumption and saving (i.e., personal income minus personal income taxes). The example below demonstrates the calculation of disposable income:


Gross domestic product (GDP) $4,000
- Depreciation (500)
-------
= Net domestic product (NDP)(at mkt cost) $3,500
- Indirect business taxes (210)
-------
= Net national income (NNI) (at factor cost) $3,290
- Corporate income taxes ( 50)
- Undistributed corporate profits ( 25)
- Social Security contributions (200)
+ Transfer payments 500
-------
= PERSONAL INCOME $3,515
- Personal income taxes (250)
-------
= DISPOSABLE INCOME $3,265
=======

77

A company has a policy of frequently cutting prices to increase sales. Product demand is significantly elastic. What impact would this have on the company's situation?

A. Quantity increases proportionally more than the price declines.

B. Quantity increases proportionally less than the price declines.

C. Price increases proportionally more than the quantity declines.

D. Price increases proportionally less than the quantity declines.

A. Quantity increases proportionally more than the price declines.

Elasticity of demand is calculated as the percentage change in quantity divided by the percentage change in price. If the fraction is greater than 1.0, the demand is elastic.

If demand is elastic, then reducing the price will increase the total revenue because the quantity sold increases proportionally more than the price decreases (the percentage increase in quantity exceeds the percentage decrease in unit price).

78

A banking system with a reserve ratio of 20% and a change in reserves of $1 million can increase its total demand deposits by:

A. $200,000.

B. $5 million.

C. $1 million.

D. $800,000.

B. $5 million.

The banking system can increase its total demand deposits by $5 million, computed as follows:

If reserves increase by $1 million and the reserve ratio is 20%, and
Reserve ratio = Reserves / Total Demand Deposits, then
0.20 = 1,000,000 / increase in deposits.
Thus, the increase in deposits = $1,000,000 / 0.20, or $5,000,000.

The Money Multiplier

a. Using the money multiplier, we can determine the degree to which the banking system can expand the money supply when new deposits or an infusion of reserves are received.
b. Illustration: There are limits to money supply growth when a bank gets a new deposit. Assume that ABC Bank is loaned up (that is, it has no excess reserves) and receives a deposit of $100,000. Also, assume that the reserve requirement is 10% (0.10). The bank must hold $10,000 in required reserves and would have $90,000 in excess reserves ($100,000 - $10,000 = $90,000). Thus, the bank can lend up to $90,000.
c. Illustration: Assume that the proceeds of this new loan ($90,000) are deposited in XYZ Bank. XYZ Bank must hold $9,000 in required reserves and would have $81,000 in excess reserves, which it can lend. The maximum amount the money supply can be expanded can be determined by the following formulas:

Money multiplier = 1 ÷ Required reserve ratio

Potential money creation = Excess reserves × Money multiplier

In our example, the money multiplier = 1 ÷ 0.10 = 10. Thus, since the original increase in the banking system's excess reserves as a result of the deposit was $90,000, the potential growth in the money supply would equal $900,000 (10 × $90,000).
d. Illustration: Assume that the Federal Reserve wishes to expand the money supply and purchases $10 million in government securities from Bank XYZ. These funds are deposited in Bank XYZ's reserve account.

Bank XYZ now has $10 million in excess reserves with the potential to increase loans by $10, and if the reserve requirement is 8%, then the potential increase in the money supply for the banking system is:
Potential money creation = Excess reserves × Money multiplier
= $10M × (1 / 0.08)
= $10M × 12.5
= $125M

79

Which of the following is not part of the control cycle approach to risk management?

A. Doing a profit test to determine whether a product provides a positive contribution margin

B. Developing the hedges necessary to mitigate interest rate risk

C. Determining, in both quantitative and qualitative terms, an understandable explanation of the differences between expected and actual results

D. Using the feedback loops in the modeling of expected results to update the assumptions and determine what adjustments in reserves might be necessary

B. Developing the hedges necessary to mitigate interest rate risk


Key elements of the control cycle approach to risk management include the following:

Modeling the expected results using a set of initial assumptions
Doing a profit test to determine if the product provides a contribution margin
Measuring the actual results
Determining, both in quantitative and qualitative terms, an understandable explanation of the differences between expected and actual results
Determining what actions need to be taken with respect to the product, including possible adjustments to reserves
Using the findings to strengthen the model and update the assumptions as needed with feedback from the process

80

Which of the following is correct in stating a similarity between firms in a perfectly competitive industry and a monopolistically competitive industry?

A. Firms in either industry structure produce standardized products.

B. Firms operating in either industry structure engage in non-price competition.

C. There are no significant barriers to entry in either market structure.

D. Firms in either market structure face a perfectly elastic demand curve.

C. There are no significant barriers to entry in either market structure.

Firms in a monopolistically competitive industry produce differentiated products, engage in non-price competition, and face a downward sloping demand curve. Firms in a perfectly competitive industry produce a standardized product, find non-price competition ineffective, and face a perfectly elastic demand curve. There are no significant barriers to entry in either market structure.

81

Which of the following describes the hedging approach to financing?

A. Maturity dates of financing instruments are staggered so that they mature in a steady, predictable fashion when it is expected that funds will be needed.

B. The firm takes out insurance to protect itself against uneven cash flows.

C. Each asset is offset with a financing instrument of the same approximate maturity or duration.

D. Each asset is offset with either a put or a call.

C. Each asset is offset with a financing instrument of the same approximate maturity or duration.

Under the hedging approach the length of the financing term is matched to the maturity or duration of assets financed. Long-term debt is used to finance long-term assets and short-term debt is used to finance short-term assets.

Thus, each asset is offset with a financing instrument of the same approximate maturity.

Hedge
A hedge is a transaction that reduces the risk in an investment. It insulates a corporation from exposure to foreign exchange or interest rate fluctuations. Another way to think of the definition of a hedge is an investment used in an attempt to reduce the risk of adverse price fluctuations in an asset.

82

If an institution is developing a capital position that is designed to cover risk beyond what is considered necessary for its best estimate reserves, the institution would be creating what would be called:

A. value at risk.

B. covered interest arbitrage.

C. interest rate parity.

D. risk margin.

D. risk margin.

Risk margin is generally defined as the level of reserves established in addition to the best estimate level of reserves. These additional reserves tend to create a cushion to cover unexpected fluctuations and/or errors in estimations. Required capital is designed to cover the risk of fluctuation under normal situations. Risk margin covers modeling uncertainty, parameter risk (a quantity numerically characteristic of the entire model), and structural uncertainty, as well as providing a buffer for unanticipated events.

83

Which of the following characteristics would indicate that an item sold would have a high price elasticity of demand?


A. The item has many similar substitutes.

B. The cost of the item is low compared to the total budget of the purchasers.

C. The item is considered a necessity.

D. Changes in the price of the item are regulated by governmental agency.

A. The item has many similar substitutes.

The price elasticity of demand is the absolute value of the percentage change in quantity demanded divided by the percentage change in price. If the elasticity is greater than 1.0, demand is elastic.

Price Elasticity of Demand

a. The Price Elasticity of Demand is a measure of the responsiveness of consumers to a change in a product's price.
b. The law of demand states that there is an inverse relationship between the price and quantity demanded of a product. However, it does not say how much quantity demanded changes for a given change in price; that is what elasticity measures.
c. The law of demand states that price and quantity move in opposite directions. In other words, as price increases, quantity demanded falls. By convention, economists use the absolute value of the measure rather than using the minus sign when stating price elasticity of demand.
d. A problem arises depending upon which value is used as the base value when performing the calculation. The following situation could arise. If the base price is $10 and the price increases to $12, the price has increased by 20%. If the base were $12 and the price fell to $10, then the percentage change would be 16.67%.

If there are many similar substitutes available, many fewer units of this product will be demanded as the price increases, so the change in quantity purchased will be greater than the change in price, giving an elasticity greater than 1.0, a high price elasticity of demand.

The other answer choices all represent situations where a purchaser would react to a price change, but not to the same percentage extent as the percentage price change. "The cost of the item is low compared to the total budget of the purchasers" is incorrect because a change in price of an inexpensive product would not be significant to buyers. "The item is considered a necessity" is incorrect because many buyers will continue to purchase necessities even with a price increase. "Changes in the price of the item are regulated by governmental agency" is incorrect because the government regulation might change the prices, but the effect on quantities purchased could be either greater or lesser than the price change effect.

84

Given the following data, what is the marginal propensity to consume?


     Level of            Level of
     Disposable Income   Consumption
     -----------------   -----------
1.   $40,000             $38,000
2.    48,000              44,000

A. 1.33

B. 1.16

C. 0.95

D. 0.75

D. 0.75

The marginal propensity to consume is the percentage of additional income that can be expected to be consumed. Disposable income increased by $8,000 ($48,000 - $40,000). Consumption increased by $6,000 ($44,000 - $38,000). This means that of the additional $8,000 of income, $6,000 will be consumed, or 75% of the increase in income. Therefore, the marginal propensity to consume equals 0.75.

Gross Domestic Product

a. Gross Domestic Product is a measure of the market value of all final goods and services produced in an economy during a year. It is a monetary measure to value the nation's output. It excludes intermediate goods, which are goods that are purchased for resale or for further processing or manufacturing. This is done to prevent double counting. It also excludes non-productive transactions that have nothing to do with the production of final goods and services such as:
1. Public transfer payments such as Social Security, welfare, and veteran's payments.
2. Transfers such as inter-family gifts and immigrant remittances.
3. Buying and selling of stocks and bonds and other financial assets in the financial markets.
4. Secondhand sales.
b. The Expenditure Approach for calculating GDP can be summarized as:
GDP = C + Ig + G + Xn
1. Personal Consumption Expenditures (C) are the personal consumption expenditures on durable consumer goods, nondurable consumer goods, and services. Primary determinants of personal consumption are disposable income, consumer wealth, and interest rates on consumer credit. Personal consumption accounts for approximately two-thirds of GDP.
2. Gross Private Domestic Investment (Ig) consists of all final purchases of machinery and equipment, all construction, all changes in inventory, and purchases of new residential housing. This can be summarized as:

Net Investment = Gross Investment - Capital Consumption Allowance

Primary determinants of investment spending are interest rates, capacity utilization rates, and a firm's ability to develop projects with a positive net present value.
3. Government Purchases (G) are the spending for goods and services used in providing government services including spending on social capital such as buildings and highways.
4. Net Exports (Xn) is equal to exports minus imports, or (X - M). Primary determinants for imports are similar to those for consumption, and those for exports would include similar measures for citizens of foreign nations.
c. The Income Approach for calculating GDP deals with the income derived or created to produce the output. National Income (NI) is the sum of all payments to factors of production. However, since all the expenditures noted above do not flow directly to factors of production in the form of income, it is necessary to make certain adjustments to (NI) to derive GDP. The process is as follows:
1. National Income (NI) = Compensation of employees + rental income + interest income + proprietor's income + corporate profits
2. GDP = NI + indirect business taxes + capital consumption allowance + net foreign factor income
d. There are several other national accounts that provide useful information concerning the economy's performance. Key among them are:
1. Net Domestic Product (NDP) = Gross Domestic Product - Capital Consumption Allowance
2. National Income (NI) = NDP - Net Foreign Factor Income - Indirect Business Taxes
3. Personal Income (PI) = NI - Social Security contributions - corporate income tax - undistributed corporate profits + transfer payments
4. Disposable Income (DI) = PI - personal taxes

85

A significant decline in the exchange rate of the U.S. dollar generally will have which of the following effects?

A. It will hurt all U.S. business.

B. It will benefit U.S. importers.

C. It will benefit U.S. exporters.

D. It will make foreign goods cheaper for U.S. consumers.

C. It will benefit U.S. exporters.

Exchange Rate Systems and Practices

a. The exchange rate is simply the price of one currency expressed in terms of another. For example, assume that the exchange rate between the dollar and the yen is expressed as $1 = 120 yen. This could also be expressed as 1 yen = $0.008333 ($1 ÷ 120).
b. Exchange rates are determined by the interaction of supply and demand for the various foreign currencies in foreign exchange markets. If the demand for a nation's currency increases, the price of the currency will appreciate. If a currency appreciates, it increases in value in terms of the other currencies. In this instance, if the yen were to appreciate, it would take fewer yen to buy a dollar. For example, as the yen appreciates, the exchange rate might fall to $1 = 110 yen. This would make Japanese exports more expensive for American consumers. If the supply of the nation's currency increases, the price of the currency will depreciate, or decline in value in terms of other currencies.
c. Exchange rate determinants include:
1. Changes in consumer tastes for the products of a particular country. If consumers wish to buy more products from a country, they will increase the demand for that country's currency.
2. Relative income changes. If, for example, disposable income rises more rapidly in Europe than in the United States, all other things being equal, Europeans will demand more American goods. The demand for dollars will increase, and the supply of Euros that will be required to purchase the additional dollars will increase.
3. Relative interest rates. Suppose that real interest rates rise in the United States while they stay constant in Europe. Europeans will find the U.S. a more attractive place to make financial investments in fixed-income securities and will increase the supply of Euros.
d. Over time flexible exchange rates will adjust and eliminate balance-of-payments surpluses or deficits between two nations. Disadvantages of flexible exchange rate systems include:
1. A flexible exchange rate produces uncertainty in the future price of a foreign currency and reduces the amount of trade.
2. If a country's currency strengthens, it will need to export fewer goods and services to get a specific level of imports from another country. Thus, in this instance, it would be said that the country's terms-of-trade has improved.

Answer A is incorrect because some U.S. businesses will be helped and others will be hurt. U.S. importers will have to pay more U.S. dollars for goods priced in foreign currencies, increasing costs to the U.S. importers.

Answer B is incorrect because U.S. importers will have to pay more U.S. dollars for goods priced in foreign currencies, increasing costs to the U.S. importers.

Answer C is correct because a decline in the exchange rate of the U.S. dollar will make goods produced in the U.S. less expensive in foreign currencies, improving the competitiveness of U.S. exporters.

Answer D is incorrect because U.S. consumers will have to pay more dollars for goods priced in foreign currencies, making those goods more expensive for those consumers.

86

Sovereign wealth funds (SWFs) are:

A. government investments funded by official currency reserves that are managed to make monetary policy more effective.

B. government-controlled entities that seek to attract funds from foreign countries to fund foreign direct investment in the country.

C. government investments funded by foreign currency reserves that are managed separately from official currency reserves and invested for profit.

D. entities that are an offshoot of state capitalism where the state manipulates its official currency reserves for political purposes.

C. government investments funded by foreign currency reserves that are managed separately from official currency reserves and invested for profit.

Sovereign wealth funds (SWFs) are entities established by governments to make investments with foreign exchange reserves that are managed separately from the official foreign exchange reserves managed by the country's central bank within monetary policy goals. The underlying investments are made by SWFs with the goal of making a profit.

Many governments seek to attract foreign direct investment, and frequently, some governments seek to manipulate official currency reserves for political purposes.

Sovereign Wealth Funds

a. Sovereign wealth funds (SWFs) are government investments funded by foreign currency reserves but managed separately from official currency reserves and invested for profit. Official reserves traditionally have been held in foreign government securities, e.g., low-risk U.S. government securities.
b. Many SWFs take the form of state-managed companies designed to invest current profits from commodity revenue flows and absorb current account surpluses and high savings inflows that are too large to be absorbed by limited domestic investment opportunities.

87

Immunizing a portfolio from interest rate risk by matching the duration of assets to the duration of liabilities might be ineffective and/or inappropriate because:

A. conventional duration strategies assume an upward-sloping yield curve.

B. immunization models are highly sensitive to adjustments for inflation.

C. duration matching is effective in immunizing portfolios from parallel shifts in the yield curve.

D. All of the answer choices are correct.

C. duration matching is effective in immunizing portfolios from parallel shifts in the yield curve.

Duration matching is effective in immunizing portfolios from parallel shifts in the yield curve.

Conventional duration strategies assume a flat yield curve.

Immunization only protects the nominal value of the terminal liabilities and does not adjust for inflation.

Mitigating Risks Related to Changing Interest Rates

a. Interest rate risk is the risk of holding fixed interest-bearing instruments such as a bond when interest rates are changing. The price of long-term securities is more sensitive to changes in interest rates than the price of short-term securities. There is an inverse relationship between the direction of the change in interest rates and the price of the fixed interest-bearing security.
b. Although a nonfinancial firm will usually report its bonds on issue in financial statements at their market value at the time of issuance less premium or discount amortization, early redemptions must be done at the market value. These amounts may be significantly different as interest rates will change the value of fixed-rate debt. This risk is not commonly considered by most nonfinancial firms.
c. This risk could be mitigated by hedging or acquiring an offsetting exposure, which could be a derivative such as an option, a futures contract, or a swap, or by acquiring an offsetting asset or liability.
d. The main reasons for hedging include reducing the volatility in cash flow, avoiding financial distress, or providing predictability. Financial distress could be as simple as a liquidity crunch with an inability to meet short-term demands on cash, which could ultimately result in bankruptcy. A hedge would reduce the probability of the outcome.
e. A firm is concerned about the uncertainty of cash flows related to asset and liability structure caused by changes in interest rates that impact the value of the assets and liabilities.
f. A firm is concerned about the changes in market value of fixed-rate assets as market interest rates change.
g. There is a flow risk that relates to the sensitivity of interest rate changes that could be hedged with fair value hedges or a risk on the ability to make interest payments that may be covered by developing a cash flow hedge (a hedge that is the result of the exposure to the variability of cash flow attributable to a particular risk associated with a recognized asset or liability (IAS 39.86)).

An example of a cash flow hedge would be to use an interest rate swap to convert variable-rate interest exposure to a fixed interest rate.

a. The swap is an instrument that, in its usual form, transforms one kind of interest stream to another, such as floating to fixed or fixed to floating. Each swap has two counterparties and, therefore, in each swap one party pays fixed and receives floating, while the other party receives fixed and pays floating.
b. There are two basic forms for a swap:
(1) First, a floating-rate borrower converts to a fixed rate. In this case, a borrower has floating-rate bank debt and carries out a pay-fixed swap, converting the debt to a fixed rate.
(2) Second, a fixed-rate borrower converts to a floating rate. In this case, a borrower has fixed-rate bond debt and undertakes a receive-fixed swap, converting the debt to a floating rate.
c. From an accounting perspective, the changes in the fair value of the interest rate swap would accumulate first in the statement of comprehensive income, and a portion of the gains or losses would be transferred from comprehensive income to the income statement whenever interest is paid on the hedged debt.

88

The cost data in the table below is for a firm that is selling in a perfectly competitive industry.

Output   Average Fixed Cost   Average Variable Cost   Average Total Cost   Marginal Cost
------   ------------------   ---------------------   ------------------   -------------
   1            250                    80                   330                 330
   2            125                    70                   195                  60
   3             83                    65                   148                  55
   4             63                    60                   123                  45
   5             50                    67                   117                  95
   6             42                    78                   120                 133
   7             36                    91                   127                 169
   8             31                   105                   136                 203
   9             28                   122                   150                 258
  10             25                   141                   166                 312

If the market price for the firm's product is $133, the competitive firm would produce:

A. 5 units at an economic profit of $80.

B. 6 units at an economic profit of $78.

C. 7 units at an economic profit of $83.

D. 8 units at an economic profit of $95.

B. 6 units at an economic profit of $78.

The firm will maximize profits at the point where marginal cost equals marginal revenue. For a perfectly competitive firm MR = P, therefore, MR = $133. Thus the firm would produce 6 units. Economic profit is defined as total revenue minus total cost. TR = ($133 × 6) = $798; TC = ATC × output = ($120 × 6) = $720. Therefore economic profit equals $78.

89

Which of the following types of risk can be reduced by diversification?

A. High interest rates

B. Inflation

C. Labor strikes

D. Recessions

C. Labor strikes

Company risk is risk that is specifically associated with a particular firm due to its mix of products, new products, competition, patents, lawsuits, etc. Since different industries and countries experience different risks of labor strikes, diversification between industries and countries can reduce company risk.

The other answer choices are incorrect because interest rate rises, recession, and inflation affect all industries and countries in today's interrelated world economies. These risks apply regardless of the extent to which a company diversifies its operations.

90

As per FASB ASC 815, if an entity engages in a hedge against the exposure to the variable cash flow of a forecasted transaction, the entity would:

A. recognize the gain or loss as earnings in the period of loss together with the offsetting loss or gain on the hedged item attributable to the risk being hedged, in order to reflect in earnings the extent to which the hedge is not effective in achieving offsetting changes in fair value.

B. report the gain or loss in other comprehensive income as part of a cumulative translation adjustment.

C. recognize the gain or loss in earnings during the period of change.

D. recognize the effective portion of the derivative's gain or loss initially as a component of other comprehensive income, and subsequently reclassify it into earnings when the forecasted transaction affects earnings.

D. recognize the effective portion of the derivative's gain or loss initially as a component of other comprehensive income, and subsequently reclassify it into earnings when the forecasted transaction affects earnings.

FASB ASC 815 specifically indicates that for a derivative designated as hedging the exposure to variable cash flow of a forecasted transaction (i.e., a cash flow hedge), the effective portion of the derivative's gain or loss is initially reported as a component of other comprehensive income and is subsequently reclassified into earnings when the forecasted transaction affects earnings. Any ineffective portion of the gain or loss is reported in earnings immediately.

If the hedge is designated as hedging the exposure to changes in fair value of a recognized asset or liability (i.e., a fair value hedge), the gain or loss is recognized in earnings in the period of change together with the offsetting loss or gain on the hedged item attributable to the risk being hedged. The effect is to reflect in earnings the extent to which the hedge is not effective in achieving offsetting changes in fair value.

If the derivative is designated as hedging the foreign currency exposure of the firm's net investment in foreign operations, the gain or loss is reported in other comprehensive income as part of the cumulative translation adjustment.

91

Income and employment tend toward an equilibrium level where:

A. inventory accumulation takes place.

B. inventory depletion takes place.

C. aggregate supply equals aggregate demand and intended savings equals intended consumption.

D. aggregate supply equals aggregate demand and intended savings equals intended investment.

D. aggregate supply equals aggregate demand and intended savings equals intended investment.

Aggregate supply equaling aggregate demand is one criterion for market equilibrium. Another criterion is that consumers and businesses agree on what they will save and invest, respectively. Although actual savings will always equal actual investment, this does not guarantee an equilibrium level of income and employment.

If businesses note that their intended investment levels produce too high or too low of inventory levels, the market will not be in equilibrium, since too little or too much has to be purchased. Therefore, until these imbalances are cleared up, the economy will not be in equilibrium. (Note that actual investment does not usually equal intended investment.)

92

The following transactions were noted for an economy whose currency is denominated in pesetas (Pta).

                                                     Amount in Pesetas
                                                     -----------------
Imports of goods                                                20,300
Exports of goods                                                15,760
Domestic purchases of assets in foreign countries                6,300
Foreign purchases of assets in the country                       1,400
Net investment income                                           (3,700)
Gifts received from abroad (net transfers)                       1,240

When calculating the current account balance for this economy:

A. the current account has a surplus of Pta 7,000.

B. the capital account has a surplus of Pta 4,000.

C. the capital account has a deficit of Pta 7,700.

D. the current account has a deficit of Pta 7,000.

D. the current account has a deficit of Pta 7,000.

The balance of trade is calculated by subtracting merchandise imports from merchandise exports (15,760 Ptas. - 20,300 Ptas.) which shows a balance of trade deficit of 4,540 Ptas. The negative net investment income (3,700 Ptas.) is added to this balance, and it would be reduced by the positive inflow of transfers (1,240 Ptas.) leaving a current account deficit balance of 7,000 Ptas.

The two accounts dealing with the purchase of assets are part of the capital account and therefore are not relevant for this calculation. If there were any exports or imports of services, they would have been included in the calculation.

93

Assuming that exchange rates are allowed to fluctuate freely, which one of the following factors would likely cause a nation's currency to appreciate on the foreign exchange market?

A. A relatively rapid rate of growth in income relative to other countries that stimulates imports and depresses exports

B. A high rate of inflation relative to other countries

C. A slower rate of growth in income relative to other countries, which causes imports to lag behind exports

D. Foreign real interest rates that are higher than domestic real interest rates

C. A slower rate of growth in income relative to other countries, which causes imports to lag behind exports

Exchange rates are affected by changes in consumer tastes for products produced in various countries, relative changes in income in various countries, differing inflation rates, and differences in real interest rates.

If the demand for a nation's currency increases, the currency will appreciate, and if the supply of the nation's currency decreases, it will appreciate. A slower growth rate in a country compared to that of another country would cause a decline in the country's imports. Since one key source of supply of domestic currency is that made available to purchase foreign currency needed for imports, we would now be supplying less of our currency, and this would cause the domestic currency to appreciate vis-a-vis the foreign currency.

Exchange Rate Systems and Practices

a. The exchange rate is simply the price of one currency expressed in terms of another. For example, assume that the exchange rate between the dollar and the yen is expressed as $1 = 120 yen. This could also be expressed as 1 yen = $0.008333 ($1 ÷ 120).
b. Exchange rates are determined by the interaction of supply and demand for the various foreign currencies in foreign exchange markets. If the demand for a nation's currency increases, the price of the currency will appreciate. If a currency appreciates, it increases in value in terms of the other currencies. In this instance, if the yen were to appreciate, it would take fewer yen to buy a dollar. For example, as the yen appreciates, the exchange rate might fall to $1 = 110 yen. This would make Japanese exports more expensive for American consumers. If the supply of the nation's currency increases, the price of the currency will depreciate, or decline in value in terms of other currencies.
c. Exchange rate determinants include:
1. Changes in consumer tastes for the products of a particular country. If consumers wish to buy more products from a country, they will increase the demand for that country's currency.
2. Relative income changes. If, for example, disposable income rises more rapidly in Europe than in the United States, all other things being equal, Europeans will demand more American goods. The demand for dollars will increase, and the supply of Euros that will be required to purchase the additional dollars will increase.
3. Relative interest rates. Suppose that real interest rates rise in the United States while they stay constant in Europe. Europeans will find the U.S. a more attractive place to make financial investments in fixed-income securities and will increase the supply of Euros.
d. Over time flexible exchange rates will adjust and eliminate balance-of-payments surpluses or deficits between two nations. Disadvantages of flexible exchange rate systems include:
1. A flexible exchange rate produces uncertainty in the future price of a foreign currency and reduces the amount of trade.
2. If a country's currency strengthens, it will need to export fewer goods and services to get a specific level of imports from another country. Thus, in this instance, it would be said that the country's terms-of-trade has improved.

94

Because much of the data involved in daily operations would be helpful to competitors if they had access to it, a company authorizes access for employees to only the data required for accomplishing their jobs. This approach is known as access on:

A. a need-to-know basis.

B. an individual accountability basis.

C. a just-in-time basis.

D. a management-by-exception basis.

A. a need-to-know basis.


Authorization controls are implemented using compatibility tests and access control matrices.
Access on a need-to-know basis means that access is authorized only as is required for employees to perform authorized job functions.

Individual accountability means that individuals with access to data are responsible for the use and security of data obtained via their access privileges.
Just-in-time means arranging delivery of inventory or materials as close to the time they would be incorporated into products as is possible rather than maintaining large quantities of inventory or materials.
Management-by-exception means spending managerial time on exceptional conditions on the grounds that attending to exceptions is a better approach to management than spending time on the transactions or processes that are operating in their normal ranges.
a. Compatibility tests. Companies should classify data based on how its loss or unauthorized use would impact the company, and determine the data and program access privileges of employees and outsiders. When users request access to data or programs or try to operate the system, a compatibility test can determine whether the user is authorized to perform the desired action. This prevents unintentional errors and deliberate attempts to manipulate the system. Several confidentiality levels are defined and used:
(1) Some data does not need to be restricted and is put on a website.
(2) Some data is restricted to employees.
(3) Confidential data is restricted to owners and appropriate top management and employees.
(4) No one should be able to read, add, delete, or change data without authorization for those activities.
b. Access control matrix. Compatibility tests use an access control matrix, which is:
(1) a list of authorized user ID numbers and passwords and
(2) a list of all files, data, and programs and the access each user has to them.

95

Which control, when implemented, would best assist in meeting the control objective that a system have the capability to hold users accountable for functions performed?

A. Programmed cutoff

B. Redundant hardware

C. Activity logging

D. Transaction error logging

C. Activity logging

Activity logging provides an audit trail of user activity.

Programmed cutoff controls mitigate the risk of recording transactions in the wrong period.
Redundant hardware is a control over hardware malfunction.
Transaction error logging controls transactions rather than user terminal activity.

Many mainframe control policies and procedures apply to PCs and networks. Other important controls include:

a. Train PC users:
(1) in control concepts and their importance.
(2) to test and document the application programs they develop themselves.
(3) to protect their computers from viruses.
b. Install locks on PCs to protect against theft and unauthorized access.
c. Label PCs with nonremovable tags.
d. Establish and enforce policies and procedures to:
(1) restrict the data that is stored on or downloaded to PCs. Store sensitive data in a secure environment (on a server or mainframe) rather than on a PC, or on a diskette or disk drives that are removed and stored in a locked safe.
(2) minimize the theft of PCs and laptops. For example, do not leave or store laptops in cars, and carry laptops onto airplanes rather than checking them.
(3) prohibit putting personal software on company PCs, copying company software for personal use, and using the system in unauthorized ways.
e. Back up hard drives and other storage media regularly.
f. Password protect or encrypt files so stolen data cannot be used.
g. Use a utility program to wipe a disk clean when confidential data is deleted.

Most PCs erase the index to the data, rather than the data itself, and utility programs can retrieve data deleted in this way.
h. Use several different levels of passwords to restrict access to incompatible data.
i. Use specialists and security programs to:
(1) mimic an intruder.
(2) provide valuable information about network security.
(3) detect network weaknesses.
(4) determine where the system can be improved.
j. Log and audit user access and actions so it is easier to trace and correct security breaches.
k. When PCs are part of a local or wide area network, many of these control procedures can be enforced and monitored at the network level.

96

Information related to the financial transactions for a country is given as follows with values stated in billions of dollars.

Gross domestic product (GDP)                 $4,000
Transfer payments                               500
Corporate income taxes                           50
Social Security contributions                   200
Indirect business taxes                         210
Personal income taxes                           250
Undistributed corporate profits                  25
Depreciation                                    500
Net income earned abroad for the country          0

Net domestic product is:

A. $3,500.

B. $3,450.

C. $3,285.

D. $3,475.

A. $3,500.

Net domestic product is a measure of the net output of the domestic economy that is sufficient to maintain the existing stock of capital. NDP is computed as the total output, at factor cost, produced within a country (i.e., gross domestic product or GDP) reduced by the capital consumption allowance or depreciation.

NDP = GDP - Depreciation = $4,000 - 500 = $3,500
Other factors—indirect business taxes, earnings retained by corporations, corporate income tax, transfer payments to households—are used to compute personal income. Personal taxes and Social Security contributions are deducted to derive disposable income.

Net national product (NNP) is the sum of the four components of factor income (wages, rent, interest, and profits) plus indirect taxes less government subsidies. It is a measure of national income computed by the income approach to national income accounting. It may also be determined as GNP less the capital consumption allowance. It is a macroeconomic concept.

NNP is the maximum amount that can be consumed without reducing the economy's existing capital stock.

NNP = NI + Indirect taxes - Subsidies
    = Wages + Rent + Interest + Profits + Indirect taxes - Subsidies

  GNP at market prices
- Capital consumption allowance (depreciation)
= NNP (at market prices)
- Indirect taxes, net of subsidies
= NI (at factor cost)
- Retained earnings and business taxes
+ Transfer payments to households
= Personal income
- Personal income taxes
= Disposable income

Indirect taxes represent taxes on the production and sale of commodities (i.e., the government's claim on the value of output).

97

Merger and acquisition strategies:

A. are best used for strengthening a firm's presence in existing industries by gaining market share through acquisition of rivals.

B. are less desirable than strategic alliances due to the financial drain involved in a merger or acquisition.

C. can provide vertical integration that is expected to result in lower costs along the value chain of activities.

D. are needed in order to strengthen and increase a firm's position in current markets.

C. can provide vertical integration that is expected to result in lower costs along the value chain of activities.

Domestic or global mergers/acquisitions allow an organization to:

lower risk by diversifying into additional industries,
enter new markets,
provide possible opportunities for quick profitability in new areas,
provide opportunities to take advantage of economies of scope,
potentially lower costs along the value chain of activities, and
broaden the strength of resources and capabilities.

98

Aggregate demand is defined as:

A. net investment in plant and equipment designed to move the economy out of a recession.

B. total expenditure on consumption, investment, government spending, and net exports during a given year.

C. a schedule or curve that shows the amount of real GDP or output that buyers collectively desire to buy at every price level.

D. the schedule or curve that shows consumers' willingness and ability to purchase a particular product at various alternative prices at a given moment in time.

C. a schedule or curve that shows the amount of real GDP or output that buyers collectively desire to buy at every price level.

Aggregate demand is the amount of goods and services—the amount of real national income—that will be purchased at each possible price level. There is an inverse relationship between the price level and real GDP (gross domestic product). Three different price effects explain this inverse relationship. The real balance effect: a higher price level reduces the purchasing power of the public's accumulated savings balances; since consumers are now poorer in real terms, they reduce their spending. The interest-rate effect: as prices increase, consumers need more money for their purchases, and the increased demand for money drives up interest rates, which reduces business investment and interest-sensitive consumption spending, thus reducing demand. Finally, the foreign purchases effect: when prices of domestic goods rise relative to foreign prices, foreign consumers buy fewer of our goods, and our consumers buy more foreign goods.

99

What does enterprise risk management do for an organization?

A. It manages risks and seizes opportunities to achieve the goals of the organization.

B. It creates policies and procedures.

C. It creates risks to achieve the goals of the organization.

D. It creates progress.

A. It manages risks and seizes opportunities to achieve the goals of the organization.

There are eight components of COSO's ERM framework:

1. Internal environment. The people in a business and the environment in which they operate are the foundation for all other ERM components.
2. Objective setting. Management must put into place a process to formulate objectives in order to help the company assess and respond to risks.
3. Event identification. Certain events can affect the company's ability to implement its strategy and achieve its objectives. Management must identify these events and determine whether they represent risks or opportunities.
4. Risk assessment. Identified risks are evaluated to determine how they affect the company's ability to achieve its objectives and how to manage them. Both qualitative and quantitative methods are used to assess risks.
5. Risk response. Management can choose to avoid, reduce, share, or accept risks after careful analysis.
6. Control activities. To ensure that management's risk responses are effectively carried out, policies and procedures should be implemented.
7. Information and communication. Information about ERM components needs to be communicated through all levels of the company and with external parties.
8. Monitoring. ERM processes must be monitored, deficiencies reported to management, and modifications performed when required.

100

Which of the following situations would most likely provide the best way to secure data integrity for a personal computer environment?

A. Provision of personal computers to all users

B. Trained, proficient user group

C. All computers linked to a local area network (LAN)

D. Adequate program documentation

C. All computers linked to a local area network (LAN)

Data integrity relates to using data for its intended purpose. A local area network would promote data integrity by making data available only to those users having a legitimate reason for access. Centralized access controls would help promote data integrity.
