Information Technology (17%) Flashcards Preview


Flashcards in Information Technology (17%) Deck (102)

Cloud Based Systems Applications

  1. IaaS
  2. PaaS
  3. SaaS

  1. Infrastructure as a service - use cloud to access virtual hardware such as computers and storage.
  2. Platform as a service - creating cloud-based software and programs.
  3. Software as a service - remote access to software.  Office 365 is an example of SaaS.  


An Enterprise Resource Planning (ERP) system's main purpose is to?

Integrate data from all aspects of an organization's activities.  An ERP system is a comprehensive system that integrates all business processes.


Organizational Structure of a Segregated IT Department (ASC)

ASC functions must be strictly segregated!

  • Applications Development
  • Systems Administration and Programming
  • Computer Operations



Functions in these three areas should be strictly segregated. (This is a bit like the "cannibals and missionaries" problem from computer science and artificial intelligence.) In particular:

  1. Computer operators and data entry personnel  --  Should never be allowed to?
  2. Systems programmers  --  Should never have?
  3. Data administrators  --  Should never have?
  4. Application programmers and systems analysts  --  Should not?
  5. Application programmers and systems analysts  --  Should not?

  1. Computer operators and data entry personnel  --  Should never be allowed to act as programmers.
  2. Systems programmers  --  Should never have access to application program documentation.
  3. Data administrators  --  Should never have access to computer operations ("live" data).
  4. Application programmers and systems analysts  --  Should not have access to computer operations ("live" data).
  5. Application programmers and systems analysts  --  Should not control access to data, programs, or computer resources.


Data Conversion occurs at this stage:

Implementation - The process of moving from the old to the new system occurs at this stage.


At this stage, we purchase hardware:

Design and Development - Technical architecture specification and a systems model occur at the design stage. During development, programmers use the design specifications to develop the program and data files.


The requirements definition document is signed at this stage:

Analysis - Systems analysts work with end users to understand and document business processes and system requirements at this stage. All parties sign off on the requirements definition to signify their agreement with the project's goals and processes at this stage.


General Controls in an IT Environment

  • Personnel Policies: provide for proper SOD and for the use of computerized accounts that give users passwords, etc. to prevent unauthorized access.
  • File Security Policies: safeguard files from accidental or intentional errors or abuse. 
    • External/Internal file labels
    • Backups of critical files
    • Lockout procedures
    • File Protection
  • Hardware Controls: built into computer equipment to ensure proper functioning.
    • Parity Checks - verify that each byte of data is stored with an even number of 1 bits
    • Echo Checks - data that is transmitted is then sent back to verify that it was received correctly.  


The following controls are what type of controls?

  1. Missing Data Check
  2. Field Check
  3. Limit Test (Range and Sign)
  4. Valid Code Test
  5. Check Digit
  6. Reasonableness Check
  7. Sequence Check
  8. Key Verification
  9. Closed Loop Verification
  10. Batch Control Totals (See card)
  11. Default Values
  12. Automated Data Capture

Input Controls -  control over data entry and data origination process


Input Controls - Batch Control Totals

  1. Record Count - total number of entries made (i.e. total number of employees entered into a payroll program)
  2. Financial Totals -  sum of a column of numbers expressed in dollar form (such as total value of all of the checks)
  3. Non-Financial totals - meaningful sum of a column of numbers expressed in some type of unit other than dollars.  
  4. Hash Totals - meaningless sum of a column of numbers (such as the sum of employee ID numbers) 


File Types

  • Master File - updated by postings to transaction files
    • Standing Data - part of Master file, consists of infrequently changing master files (fixed assets, supplier names, etc.)
  • Detail File - a file listing a group of transactions that can be used to update the master file.    


File Controls

  • Parity Check - A zero or one included in a byte of information that makes the sum of bits either odd or even.  A parity check is designed to detect errors in data transmission.
  • Read after write check
  • Echo check - verifies transmission between devices by echoing back.
  • Error reporting and resolution
  • Boundary protection - computer "traffic cop." 
  • Internal labels (header and trailer)
  • External labels
  • Version control
  • File access and updating controls


Output Controls

Ensure that computer reports are accurate and are distributed only as authorized.

  • Spooling - docs sent to printer that cannot be immediately printed are stored to a disk.  
  • Disposal of aborted print jobs
  • Distribution of reports
  • End user (one-to-one checking)
  • Logging and archiving of forms
  • Record retention and disposal


E-Business vs. E-Commerce

E-Business is a generic name for any business process that relies on electronic dissemination of information or on automated transaction processing. 

E-Commerce is a narrower term used to refer to transactions between the organization and its trading partners.


Types of E-Commerce

(remember that a requisite for EC is the trust between two parties conducting the transaction(s))

Business-to-business (B2B) - Involves electronic processing of transactions between businesses and includes electronic data interchange (EDI), supply chain management (SCM) and electronic funds transfer (EFT).

Business-to-consumer (B2C) - Involves selling goods and services directly to consumers, almost always using the Internet and web-based technology. B2C e-commerce relies heavily on intermediaries or brokers to facilitate the sales transaction.

Business-to-employee (B2E) - Involves the use of web-based technology to share information with, and interact with, an organization's employees, e.g., through portals and intranets.

Business-to-government (B2G) - Involves the growing use of web-based technologies to provide, and support, governmental units, e.g., providing property tax data online, paying parking tickets online, online contract bidding.



E-Commerce Risks

Using EC Risks

  • System Availability / Security / Confidentiality
  • Authentication
  • Nonrepudiation
  • Integrity

Not Using EC Risks

  • Customers find online prices are cheaper
  • Limited Growth
  • Limited market exposure


E-Commerce Applications

  • Customer Relationship Management (CRM) - used to manage relationships with clients, store information about existing and potential customers, etc.
  • Electronic Data Interchange (EDI) - computer to computer exchange of business data (purchase orders, confirmations, invoices, etc.).  EDI reduces handling costs and speeds transaction processing vs. traditional paper processing.  
  • Electronic Funds Transfer (EFT)
  • Supply Chain Management (SCM) - Supply chain management incorporates all activities from the purchase and storage of raw materials, through the production process into finished goods through to the point-of-consumption.
  • Computer Networks - essential to e-business, e-commerce and social computing.


Electronic Data Interchange (EDI)

  • EDI requires that all transactions be submitted in a specified format.  
    • Translation software is required to convert data between transactions and EDI formats.
    • The most common specification in the United States is the American National Standards Institute format ANSI X.12; internationally, the United Nations EDI for Administration, Commerce and Transport (UN/EDIFACT) format is the dominant standard.  
  • EDI can be implemented using direct links between the trading partners, through communication intermediaries (called "service bureaus"), through value-added networks (VANs), or over the Internet.
    • The well-established audit trails, controls, and security provided for EDI transactions by VANs are the principal reasons for their continued popularity.


EDI Costs

  • Costs of Change - Costs associated with locating new business partners who support EDI processing; legal costs associated with modifying and negotiating trading contracts with new and existing business partners and with the communications provider; costs of changing internal policies and procedures to support the new processing model (process reengineering) and employee training.
  • Hardware costs
  • Costs of translation software
  • Costs of data transmission
  • Costs of security, audit and control procedures


Which of the below is not an EFT?

  • Direct deposit of payroll payments into the employee's bank account
  • Cash Cards
  • Automated teller machine (ATM) transactions
  • Credit card payment initiated from Point-of-Sale (POS) terminal

Cash Cards

Cash cards do not involve bank clearing processes and are not considered to be EFT transactions.


System Types by Activity

  • Operational Systems - support day-to-day activities of business operations
    • Transaction processing systems (TPS)
    • Process financial and non-financial transactions
    • Generate debit and credit entries
  • Management Information Systems (MIS) - see card
  • Decision Support Systems (DSS) - see card
  • Knowledge Work Systems
  • ERP Systems - entire lesson on this one


MIS (Internal Data)

Management Information Systems - systems designed to support routine management problems based primarily on data from transaction processing systems.

  • MISs take planning information (budgets, forecasts, etc.) data and compare it to actual results in periodic management reports (summary reports, variance reports, and exception reports).
  • Accounting information systems (AISs)  --  AISs take the financial data from transaction processing systems and use it to produce financial statements and control reports for management (e.g., accounts receivable aging analysis, product cost reports, etc.); AISs are a subset of MISs.


DSS (External Data)

Decision Support Systems

  • Unlike MISs, DSSs frequently include external data in addition to summarized information from the TPS and include significant analytical and statistical capabilities.
  • Data-driven DSSs - data warehousing and data mining systems are common examples.
  • Model-driven DSSs - used to predict outcomes for management.
  • Executive support systems (ESSs) or strategic support systems (SSSs) - especially designed for forecasting and LRPs (long-range plans).



Executive Support Systems are:

  • A subset of DSS that are especially designed for forecasting and making long-range, strategic decisions, and they place greater emphasis on external data.


A specialized version of a data warehouse that contains data that is pre-configured to meet the needs of specific departments is known as:

Data Mart - focused on a particular market or purpose and contains only information specific to that objective. (TI's Finance Data Mart)


Which of the following is true in regard to data warehouses?

I. The bulk of the data found in a data warehouse comprises historical operational data.

II. Pattern recognition is one of the principal functionalities offered by data mining software.

Both are TRUE


What is a useful control (i.e., restriction) on the ability of mobile devices to make changes in data?

View Only Access


Which of the following statements is true regarding small business computing?

A.  Independent third-party review is especially important.
B.  Backup procedures are important.
C.  Additional supervision of computing may be necessary.
D.  All of the above.

All of the above


Data Structure Hierarchy 

  • Database is composed of many = 
    • Files are composed of many = 
      • Records are composed of multiple = 
        • Fields are composed of = 
          • Characters are made of = 
            • Bytes (8 bits) are composed of = 
              • Bits = an individual 0 or 1


Programming Languages

All software is created using programming languages.  

  • High level general purpose = C programming language
  • Object oriented language used to design software = C++
  • Integrated development environments = Java, templates that automatically generate code.
  • Tagging language typically used for the internet = HTML (Hypertext Markup Language)
  • Script languages that add functionality to web pages = Perl or Python
  • Low level languages = assembler or machine (computer instructions)


DBMS Languages

  • Data Definition Language (DDL) = allows the definition of tables and fields and relationships among tables.  Uses meta-data.  
  • Data Manipulation Language (DML) = allows the user to add new records, delete old records and update existing records.
  • Data Query Language (DQL) = allows user to extract information from the database:
    • Structured Query Language (SQL) = most relational databases use SQL to extract data. (text approach)
    • Query-By-Example (QBE) = drag and drop fields (graphic approach) 


Field (Attribute) Definition

A logical group of bytes.  Identifies a characteristic or attribute of an entity.

  • Customer name
  • Customer address
  • Customer number


Record Definition

Group of related fields (or attributes).  Describes a:

  • Specific invoice
  • particular customer
  • individual product


File Definition

Collection of related records for multiple entities.  

  • Invoice file
  • Customer file
  • Product file


Types of Software

System Software or Application Software

  • Systems Software - programs that run computer and support system management (operating system is most important, i.e. Windows, Mac OS X)
  • Application Software - end-user programs


Database Management System (DBMS)

"Middle-ware" Program that functions between the application software and the operating system.  DBMS manages the database.  


Central Processing Unit (CPU)

Control center of the computer system.  3 Principal Components:

  1. Control Unit
  2. Arithmetic Logic Unit (ALU)
  3. Primary Storage (memory)
    1. Random Access Memory (RAM) - temporarily stores data while it is in process.  
    2. Read Only Memory (ROM) - semi-permanent data store for instructions that are closely linked to hardware.  Hard to change.  


Peripheral Devices: Input vs. Output

  • Input - instruct the CPU and supply data to be processed.
    • keyboard, mouse, trackball
    • touch-screen technology
    • Point of sale (POS) scanners
  • Output - transfer data from processing unit to other formats
    • Printers
    • Plotters
    • Monitors
    • Flat-panel displays
    • Cathode Ray Tube (CRT) displays


Manual Transaction Processing Steps

  1. Enter Transaction on Source Document
  2. Record SD chronologically in a Journal
  3. Copy to ledger(s) = Master Files
  4. Prepare reports


Automated Transaction Processing Methodologies

Batch vs. OLRT

Batch Processing

  • Groups new transactions by type and processes them periodically in sequential order.
  • Transaction and master files are sorted on a common key (sequential access files).

Disadvantages of Batch - not real time, system is out of date, delays error detection.

Online Real Time Processing  

  • Continuous and immediate processing
  • Simultaneous transaction entry and master file updating
  • Requires random access storage devices (i.e. magnetic disk)
  • Requires networked computer system

Disadvantages of OLRT - higher costs


POS Technology

Point of Sale

  • Scanners capture data from product bar codes
  • Computer system is integrated with electronic cash register
  • POS systems or terminals networked to central computer


A XXXX holds account and account balance information and is roughly equivalent to a ledger (or subsidiary ledger) in a manual system.

Master File


The potential for systemic errors is increased in what type of processing environment?



Note that clerical errors increase in a manual environment.


Node Defined

Any device connected to the network is a node:

  • Client - a node, typically a microcomputer used by end-users.  The client uses network resources but does NOT supply resources to the network.  
  • Server - a node dedicated to providing resources to the rest of the network.  Servers are indirectly used by end-users.
  • Transmission Media - communication link between nodes and the network.  Can be wired or wireless media.


The multi-location system structure that is sometimes called the "Goldilocks" solution because it seeks to balance design trade-offs is:

Distributed - a solution that is neither too centralized, nor too decentralized 


Wired Communications Media

Copper or Twisted Pair

  • Used for phone connections
  • slowest, least secure and most subject to interference
  • least expensive

Coaxial Cable

  • similar to cable used for television.  faster, more secure and less subject to interference than twisted pair.  

Fiber Optics

  • Extremely fast and secure
  • based on light pulses instead of electrical impulses.  
  • more expensive to purchase and install


Wireless Transmission Media

  • Microwave (Satellite) transmission - WANs primarily
  • Wi-Fi (spread spectrum radio) - both LANs and WANs
  • Bluetooth - same signal as Wi-Fi but consumes less power
  • Digital cellular - transmits data via cell network - WANs primarily


Types of Networks

  • Local Area Networks (LANs) = Smaller local area scope, i.e. schools in a school district.  Uses dedicated (typically fiber optic) lines
  • Wide Area Networks (WANs) = National or International Scope, does not use dedicated lines.
  • Storage Area Networks (SANs) = variation of LANs that connects storage devices to servers.
  • Personal Area Networks (PANs) = home network


The Internet Defined

A global "network of networks." The internet is a worldwide network that allows for virtually any computer system to link to it by way of an electronic gateway.  

  • end-users are connected via ISPs (internet service providers)
  • a markup or tagging language specifies how data will be processed
  • Protocols (see card)
  • Intranet (closed network) and Extranets (connects suppliers/customers to a business)


Internet Protocols

  • TCP/IP (Transmission Control Protocol / Internet Protocol)
    • these are the two core network protocols that underlie the internet.  
    • HTTP (Hypertext Transfer Protocol) - a part of TCP/IP, the foundation protocol for data transmission on the internet.  
    • SMTP (Simple Mail Transfer Protocol) and IMAP (Internet Message Access Protocol), both of these protocols are for email services and are part of TCP/IP.


Packet-Switched Network

Information is grouped into "packets" for transmission.  TCP/IP is a packet-switched network protocol.  The Internet is the world's largest packet-switched network.


Intranet vs. Extranet

Intranet - available to only members of the organization and not the general public.  

Extranet - an intranet that is opened up to permitted associates (typically company suppliers, customers, business partners, etc.)

For both, a username and password are required.  These are not available to the general public.


Other Protocols

  • XML (Extensible Markup Language) - protocol for encoding documents for use on the internet.  
    • XBRL (Extensible Business Reporting Language) -  XML based protocol for encoding and tagging business information. XBRL is specifically designed to exchange financial information over the World Wide Web.
  • HTML (Hypertext Markup Language) - core language for web pages.
  • FTP - file transfer applications
  • IM - instant messaging applications


Controls relating to program and data backup files and disaster recovery plans are:

Corrective controls: i.e., controls designed to help correct and recover from previously detected problems.


In general with regard to Backup and Restoration, are the below considered good or bad?

  • system backup
  • data redundancy

system backup is good; data redundancy is bad


Backup and Recovery Procedures:  "Grandfather, Father, Son" System

  • A traditional term used to refer to a three-generation backup procedure: the "son" is the newest version of the file; the "father" is one generation back in time; the "grandfather" is two generations back in time.
  • Associated with batch processing in a magnetic tape environment where a new master file (the "son") was created when the old master file (the "father") was updated.


Backup and Recovery Procedures:  Checkpoint and Restart

Common in batch processing systems, a checkpoint is a point in data processing where processing accuracy is verified; if a problem occurs, one returns to the previous checkpoint instead of returning to the beginning of transaction processing. This saves time and money.


Backup and Recovery Procedures:  Rollback and Recovery

Common to online, real-time processing; all transactions are written to a transaction log when they are processed; periodic "snapshots" are taken of the master file; when a problem is detected, the recovery manager program starts with the snapshot of the master file and reprocesses all transactions that have occurred since the snapshot was taken.


Backup and Recovery Procedures:  Network-based

  • Remote backup (online) - provided by outsourced service
  • RAID - redundant array of independent disks = multiple hard disks
  • Storage Area Networks (SANs)
  • Mirroring - maintaining an exact copy of a dataset
    • mirroring is expensive but a highly reliable approach


What system enables a computer system to continue its intended operation, possibly at a reduced level, rather than failing completely, when some part of the system fails?



Most large organizations use what to manage access control?

Most large organizations use logical access control software to manage access control. Functions of such systems include managing user profiles, assigning identifications and authentication procedures, logging system and user activities, establishing tables to set access privileges to match users to system resources and applications, and log and event reporting. Hence, many of the functions and procedures described in this lesson are managed through logical access control software.


User Authorization:  Security Token

Include devices that provide "one-time" passwords that must be input by the user, as well as "smart cards" that contain additional user identification information and must be read by an input device.

e.g., TI's Entrust app for iPhones


Firewall Definition and Types

Electronic device that separates or isolates a network segment from the main network while maintaining the connection between networks.

  • Network
    • Filters data packets based on header information (source and destination IP addresses and communication port)
    • Network firewalls perform relatively low-level filtering capabilities
  • Application
    • Inspects packet contents
    • Can perform deep packet inspection
    • Application firewalls have the ability to do much more sophisticated checks and provide much better control.
  • Personal


Physical Location Controls

- remember these are mostly General and Preventative controls

  • Climate Control
  • Environment threat detectors (smoke, fire, water, etc.)
  • Fire suppression systems
  • Backup power systems should be adequate


Define social engineering and piggybacking

Social engineering - Methods used by attackers to fool employees into giving the attackers access to information resources. One form of social engineering concerns physical system access:

  • In piggybacking an unauthorized user slips into a restricted area with an authorized user, following the authorized user's entry.


Fire suppression systems in a computer facility should not use what?

Halon, because it is an environmental hazard.


Encryption (public/private key)

Two types: (exam will use both terms)

  • Single key encryption (symmetric)
  • Public/Private encryption (asymmetric) - the public key (maintained by the CA (Certificate Authority)) is available to the general public; the individual user maintains the private key.
    • If you want to send an encrypted message, you encrypt your message with the recipient's public key.  Only the intended user, the recipient, has the private key that is necessary to decrypt the information.
    • Both public/private can encrypt and decrypt, but you need one of each to encrypt and decrypt each time.  


Key Elements of Encryption

  1. The encryption algorithm is the function or formula that encrypts and decrypts (by reversal) the data.
  2. The encryption key is the parameter or input into the encryption algorithm that makes the encryption unique. The reader must have the key to decrypt the ciphertext.
  3. Key length is a determinant of strength. Longer keys are harder to decrypt.


Encryption Types

Symmetric Encryption

  • Fast, simple, easy and less secure than asymmetric encryption.
  • More often used in data stores (i.e., data at rest) since only one party then needs the single algorithm and key.
  • Also called single-key encryption, symmetric encryption uses a single algorithm to encrypt and decrypt.

Asymmetric Encryption

  • Safer but more complicated than symmetric encryption.
  • More often used with data-in-motion.
  • Also called public/private-key encryption.
  • Uses two paired encryption algorithms to encrypt and decrypt.
  • If the public key is used to encrypt, the private key must be used to decrypt; conversely, if the private key is used to encrypt, the public key must be used to decrypt.
  • To acquire a public/private key pair, the user applies to a certificate authority (CA)

Quantum Encryption

  • Quantum mechanics from physics is emerging as a technology that may revolutionize computing encryption. It uses the physical properties of light (photons) to generate seemingly uncrackable codes.


E-commerce should occur only with?

High certainty regarding the identity of the trading partners and the reliability of the transaction data. Electronic identification methodologies and secure transmission technology are designed to provide such an environment.


Electronic identification methodologies

  • Digital Signatures
    • An electronic means of identifying a person or entity.
    • Use public/private key pair technology to provide authentication of the sender and verification of the content of the message.
    • Vulnerable to man-in-the-middle attacks in which the sender's private and public key are faked.
  • Digital Certificates (more secure than DS's)
    • For transactions requiring a high degree of assurance, a digital certificate provides legally recognized electronic identification of the sender, and verifies the integrity of the message content.
    • Based on a public key infrastructure (PKI)


Certificate Authority (CA) - related to Digital Certificates

Manages and issues digital certificates and public keys. The digital certificate certifies the ownership of a public key by the named subject (user) of the certificate. This allows others (relying parties) to rely upon signatures or assertions made by the private key that corresponds to the certified public key.


Secure Internet transmission protocols: 

Sensitive data sent via the Internet is usually secured by one of two encryption protocols:

  • Secure Sockets Layer (SSL) uses a combination of encryption schemes based on a PKI;
  • Secure Hypertext Transfer Protocol (S-HTTP) directs messages to secure ports using SSL-like cryptography.


Secure Electronic Transactions (SET) 

Virtual Private Networks (VPN)

SET = developed by VISA and MasterCard. A protocol often used for consumer purchases made via the Internet. Uses multiple encryption schemes based on a PKI.

VPN = A secure way to connect to a private local area network (LAN) from a remote location, usually through an Internet connection. VPN creates an encrypted communication tunnel across the Internet for the purpose of allowing a remote user secure access to the network.


A digital signature is used primarily to determine that a message is?

Unaltered in transmission.  A digital signature consists of a digest of the original message that is encrypted with the sender's private key. The use of the private key provides the sender's authentication, and the transmission of the encrypted digest (which is later decrypted and compared to a digest of the message received) permits the detection of any alterations during transmission.

A digital signature uses public/private key encryption technology to provide a means of authenticating messages delivered in a networked environment.


What is a major disadvantage of using a private key to encrypt data?

Both the sender and receiver must have the private key before this encryption method will work.  In order to decrypt a message encrypted via private key encryption (also known as single key encryption), both the sender and the receiver must have access to the key, as a single key is used both to encrypt (run the encryption algorithm "forward") and decrypt (run the encryption algorithm "backward"). This is a disadvantage because the transmission of the key is inherently insecure.

Both the public and private keys can be used to encrypt and decrypt messages, although the public key can only decrypt messages encrypted using the private key and vice versa.


Application programmers controls

Application programmer writes the programs that we actually use, NOT the programs that run the system.  

APs should never have access to any type of system software or operation of the system, such as correcting data entry errors.


Encryption (single key)

Two types: (exam will use both terms)

Single key encryption (symmetric)

  • sender shares private key that must be used by recipient to decrypt the message.  

Public/Private encryption (asymmetric)

  • Remember that neither method is stronger or weaker than the other.  Public/Private is more secure in that it uses two keys.
  • If you encrypt with a private key, remember that ANYONE can decrypt the message because the decrypt key is a public key.  


The program flowcharting symbol representing a decision is a?



More than one file may be stored on a single magnetic disc.  Several programs may be in the core storage unit simultaneously. In both cases it is important to prevent the mixing of data.  One way to do this is to use?

Boundary Protection.  The primary purpose of boundary protection is to prevent the mixing of data on a magnetic memory disc and a core storage unit.


Value-Added Network (VAN)

A value-added network is a system that routes data transactions between trading partners. A VAN connects customers and suppliers.

Advantages:

  • Reduces communication and data protocol problems since VANs can deal with differing protocols (eliminating need for trading partners to agree on them).
  • Partners do not have to establish the numerous point-to-point connections.
  • Reduces scheduling problems since receiver can request delivery of transactions when it wishes.
  • In some cases, VAN translates application to a standard format so the partner does not have to reformat.
  • VAN can provide increased security.

Disadvantages:

  • Cost of VAN.
  • Dependence upon VAN's systems and controls.
  • Possible loss of data confidentiality.


Most client/server applications operate on a three-tiered architecture consisting of which layers?

  1. Desktop client
  2. Application
  3. Database


Maturity Models

Maturity models evaluate the sophistication of IT processes rated from a maturity level of nonexistent (0) to optimized (5).


Control Group

Responsible for providing a continuous review function by supervising and monitoring input, operations, and the distribution of output (i.e., a continuous internal audit function).


Data control language used in a relational database is most likely to include commands used to control?

Which users have various privileges relating to a database.

  • Data definition language (DDL)—Used to define a database, including creating, altering, and deleting tables and establishing various constraints.
  • Data manipulation language (DML)—Commands used to maintain and query a database, including updating, inserting in, modifying, and querying (asking for data).
  • Data control language (DCL)—Commands used to control a database, including controlling which users have various privileges (e.g., who is able to read from and write to various portions of the database).


Control Objectives for Information and Related Technology (COBIT 5) provides a framework for

IT governance and management of enterprise IT (5 Principles below)

Do not get this confused with COSO (Internal Audit).

  1. Meeting stakeholder needs
  2. Covering the enterprise end-to-end
  3. Applying a single integrated framework
  4. Enabling a holistic approach
  5. Separating governance from management


When considering disaster recovery, what type of backup facility involves an agreement between two organizations to aid each other in the event of disaster?

  • Cold site
  • Hot site
  • Reciprocal agreement
  • Rollback

Reciprocal agreement - an agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs in the event of a disaster. This is sometimes referred to as a mutual aid pact.


  1. Cause and Effect Diagram
  2. Pareto Diagram

  1. Cause-and-effect (fishbone or Ishikawa) diagrams identify the potential causes of defects. Four categories of potential causes of failure are: human factors, methods and design factors, machine-related factors, and materials and components factors. Cause-and-effect diagrams are used to systematically list the different causes that can be attributed to a problem (or an effect).
  2. Pareto chart (or diagram) is a bar graph that ranks causes of process variations by the degree of impact on quality. The Pareto chart is a specialized version of a histogram that ranks the categories in the chart from most frequent to least frequent. A related concept, the “Pareto Principle” states that 80% of the problems come from 20% of the causes. The Pareto Principle states that: “Not all of the causes of a particular phenomenon occur with the same frequency or with the same impact.”


World Wide Web

Framework developed to make the internet more user-friendly for accessing documents.

  • Hypertext Transfer Protocol (HTTP) - the language of the internet
  • Document - a single file accessible through the internet
  • Page - display that results from connection to a particular document on the internet
  • Uniform Resource Locator (URL) - the address of a particular page on the internet
  • Web browser - program that allows a computer with software to access internet and translate documents for proper display.
  • Server - the computer that is sending pages for display on another computer
  • Client - the computer receiving the pages and seeing the display
  • Upload - sending information from a client to a server
  • Download - sending information from a server to a client


Virus and Worm

  • A Virus is a program that requests a computer to perform an activity that is not authorized by the user.
  • A Worm is a program that duplicates itself over a network so as to infect many computers with viruses.    


Programming Languages

What is a compiler?

  • Source Program - language written by the programmer (high-level languages resemble English while assembly languages resemble machine instructions)
  • Object program - language in the form the machine understands (on-off, or 1-0)
  • Compiler - a program that converts source programs into machine language.  


7 Step Process to System Design and Process Improvement


  1. Planning: define system, scope
  2. Analysis: meet with users and ITS staff, needs assessments, gap analysis
  3. Design: technical blueprint of new system
  4. Development (Build): platform and software
  5. Testing: code, system, integration and user acceptance
  6. Implementation: parallel (run old and new), plunge (stop old and use new), pilot and phased
  7. Maintenance: monitor and support, training, help desk, process and policies for authorizing changes.  


Segregated Structure in IT Department:

  • Systems Development and Maintenance

  • Systems Analyst - designs the IS using systems flowcharts and other tools and prepares specifications for application programmers.
  • Application Programmer - writes, tests and debugs programs that will be used by the system.  The Programmer also develops instructions for operators to follow when using the programs.  
  • Database Administrator - plans and administers the database to make certain only appropriate individuals have access to the information in it.     


Segregated Structure in IT Department:

  • Operations in an IT Function

  • Data Entry Clerk - converts data into a computer readable form.  
  • Computer Operator - runs the program on the computer.
  • Program and File Librarians - responsible for custody of the computer programs, master files, transaction files and other records.  
  • Data Control - responsible for reviewing and testing input procedures, monitoring processing and reviewing and distributing outputs.  


Segregated Structure in IT Department:

  • Other Technical Services

  • Telecommunications: maintains and enhances computer networks and network communications
  • Systems Programmer or Technical Support: updates and maintains the operating systems
  • Security Administration: responsible for security of the system including control of access and user passwords


Flowchart Symbols


Which of the following procedures would enhance the control of a computer operations department?

  • Periodic rotation of operators.
  • Mandatory vacations.
  • Controlled access to the facility.
  • Segregation of personnel who are responsible for controlling input and output.

ALL OF THEM.  All of the above practices are effective control measures. Periodic rotation and mandatory vacations provide other personnel with the ability to detect operator problems. Controlled access and segregation of duties allow for the separation of incompatible functions.


Closed Loop Verification

Note - not available for batch

Helps ensure that a valid and correct account code has been entered; after the code is entered, this system looks up and displays additional information about the selected code. For example, the operator enters a customer code, and the system displays the customer's name and address. Available only in online real-time systems.


Database Structures

  1. Hierarchical—The data elements at one level "own" the data elements at the next lower level (think of an organization chart in which one manager supervises several assistants, who in turn each supervise several lower level employees).
  2. Networked—Each data element can have several owners and can own several other elements (think of a matrix-type structure in which various relationships can be supported).
  3. Relational—A database with the logical structure of a group of related spreadsheets.  Each row represents a record, which is an accumulation of all the fields related to the same identifier or key; each column represents a field common to all of the records. Relational databases have in many situations largely replaced the earlier developed hierarchical and networked databases.
  4. Object-oriented—Information (attributes and methods) is included in structures called object classes. This is the newest database management system technology.
  5. Object-relational—Includes both relational and object-oriented features.
  6. Distributed—A single database that is spread physically across computers in multiple locations that are connected by a data communications link.  (The structure of the database is most frequently relational, object-oriented, or object-relational.)


Client Server Architecture


Electronic Data Interchange (EDI) Benefits and Exposures

Benefits:

  1. Quick response and access to information
  2. Cost efficiency
  3. Reduced paperwork
  4. Accuracy and reduced errors and error-correction costs
  5. Better communications and customer service
  6. Necessary to remain competitive

Exposures:

  1. Total dependence upon computer system for operation
  2. Possible loss of confidentiality of sensitive information
  3. Increased opportunity for unauthorized transactions and fraud
  4. Concentration of control among a few people involved in EDI
  5. Reliance on third parties (trading partners, VAN)
  6. Data processing, application and communications errors
  7. Potential legal liability due to errors
  8. Potential loss of audit trails and information needed by management due to limited retention policies
  9. Reliance on trading partner's system


Denial of Service Attack

Takes advantage of a network communications protocol to tie up the server's communication ports so that legitimate users cannot gain access to the server.  Because the ports are tied up, nobody can access the server, not even the perpetrators!