IS and Comm B - Systems Design and Other Elements Flashcards Preview

Flashcards in IS and Comm B - Systems Design and Other Elements Deck (228)

An employee mistakenly enters 4/31 in the date field. The best programmed edit check to detect this error is



Expert systems have ______ that represent the facts and inferences they know

knowledge bases


Features in traditional programs that are not in an expert system include

- sequential control structures
- distinct input/output variables
- passive data elements


In a large database system maintained on a mainframe computer, the most common medium for data files for the database is

hard disk


When implemented, the control ______ would best assist in meeting the control objective that a system have the capability to hold users accountable for functions performed

activity logging


The following task would be included in a document flowchart for processing cash receipts:

compare control and remittance totals


Routines that utilize the computer to check the validity and accuracy of transaction data during input are called

edit programs


Operating system is

a software program that controls the overall operation of a computer system


A compiler is

a computer program that converts a source program into an object program


Compatibility check/test is

a procedure for checking a password to determine if its user is authorized to initiate the type of transaction or inquiry he or she is attempting to initiate


A checkpoint/restart procedure is primarily designed to recover from

hardware failure


Internal checks are

- limit check
- identification
- sequence check
- error log
- transaction log
- arithmetic proof


Limit check is

a check to identify if data have a value higher or lower than a predetermined amount


Identification is

a check to determine if data is valid


Sequence check is

a check on the sequencing of info


Error log is

an up-to-date log of all identified errors


Transaction log is

a detailed record of every transaction entered in a system through data entry; it provides the basic audit trail


Arithmetic proof is

a check to compute the calculation and validate the result


Characteristics of computer machine language include

- internal binary code
- hexadecimal code
- on/off electrical switches


Assembly language is

a programming language in which each machine language instruction is represented by mnemonic characters (symbolic language)


Many companies and government organizations would like to convert to open systems in order to

use less expensive computing equipment


In general, running open systems:

- increases # of available vendors
- decreases the average purchase from one vendor
- decreases volume discounts
- reduces economies of scale
- reduces reliance on proprietary components


The purpose of a software monitor is to

collect data on the use of various hardware components during a computer run


Specialized programs that are made available to users of computer system to perform routine and repetitive functions are referred to as

service "canned" programs


Relationship between source, object, and compiler programs

A source program ("source code") is a computer program written in a source language, which is translated into the object program by a translation program such as a compiler


A decision table indicates the

alternative logic conditions and actions to be taken in a program


Example of a decision table is

a chart that indicates shipping costs based on total purchase price

Purch.       Ship
$1-$50       $4
$50-$100     $5
$101-$250    $7


An ERP system has the following advantages over multiple independent functional systems:

increased responsiveness and flexibility while aiding in the decision making process


The _______ transaction processing mode provides the most accurate and complete information for decision making



An application is

a computer program for performing a specific function (ex. payroll program)


Batch processing is

a method where items to be processed are collected in groups to permit fast and convenient processing


Distributed data processing is

a network of interdependent computers where certain functions are centralized, other functions are decentralized, and processing is shared among two or more computers


_______ could be used to reduce the cost of preparing and updating flowcharts

Flowcharting software


The batch processing of business transactions can be the appropriate mode when

economy of scale can be gained because of high volumes of transactions


A disk storage unit is preferred over a magnetic tape drive because the disk storage unit

offers random access to data files


Real time system is characterized by

- online files
- prompt input from users
- an extensive communication network
- random access
- immediate update
- low level language


Decision tables differ from program flowcharts in that decision tables emphasize

logical relationships among conditions and actions


A flowchart is

a graphic depiction using symbols to show the control flow, primary actions, and interrelationships of a task or a set of tasks


Compared to online, real-time processing, batch processing has the disadvantage of

stored data only being current after the update process


The implementation phase of an accounting software application would include

- obtaining and installing hardware
- documenting user procedures
- training users
- entering and verifying test data


Identifying inputs and outputs would occur in the ________ phase which _______ implementation

systems design and development phase; precedes


The best depiction of the path of data as it moves through an IS is

system flowcharts


A data dictionary is

an organized description of the data items stored in a database and their meaning


Source code application is

a description of record layouts used by application programs


Data control language is

a way to describe the privileges and security rules governing database users


Database recovery log file is

a record of the before and after images of updated records in a database


A characteristic common to companies that have converted to a database system is that before conversion the companies had

redundant data fields


A tool useful in conducting a preliminary analysis of internal controls in an organization or organizational unit is



CCI developed a mgmt reporting software package that enables members interactively to query a data warehouse and drill down into transaction and trend information via various network set-ups. This is known as

an online analytical processing system


A key difference in controls when changing from a manual system to a computer system is

the methodology for implementing controls changes


A primary function of a database mgmt system (DBMS) is

the capability to create and modify the database


A fundamental purpose of a DBMS is to

reduce data redundancy


Master file is

where cumulative info about an organization is stored and is similar to a ledger in a manual system


Transaction file is

where data about transactions that occur during a specific period of time is contained; it is similar to a journal in a manual system


A new policy on e-mail would not include

erasing EE email immediately upon termination


Prompting is

an online data entry control that uses the computer to control the data entry process


An online data entry technique that can be employed when inexperienced personnel input data is the use of



An advantage of a computer-based system for transaction processing over a manual system is that

the computer-based system will be more efficient at producing F/S


A type of flowchart representing areas of responsibility (such as depts.) as columns is called horizontal or _______ flowcharts



A control designed to catch errors at the point of data entry is

a self-checking digit


If a database has integrity, this means that the

database has only consistent data


A modem is a device that

allows computer signals to be sent over a telephone line


Devices that are used only to perform sequential file processing will not permit

data to be edited on a real-time basis


Sequential file processing is

a system where files are arranged serially, one after another, and the program must start at the first record and read all succeeding records until the required record is found or until the end of the file is reached


A systems program

manipulates application programs


An AP clerk is accused of making unauthorized changes to previous payments to a vendor. Proof could be uncovered in

transaction logs


ROM (read only memory) is

a memory component for the storage of elementary software info that cannot be modified by the user of the system or program


RAM (random access memory) is

a temporary read-write memory component of a computer that can be accessed at any point in time without accessing other info


In a microcomputer system, the place where parts of the operating system program and language translator program are permanently stored is



A central element of mgmt IS is

the processing of data items is based on decision models


Phases of System Development Life Cycle (SDLC) are


1. System Planning
2. System Analysis
3. System Design
4. Implementation and Deployment
5. Testing and Integration
6. System Maintenance


The type of control plan particular to a specific process or subsystem, rather than related to timing of occurrence is

application controls


Operational Risk controls can be broken down into the 3 types:



A value added network (VAN) is a privately owned network that performs the function of

routing data transactions between trading partners


An input validation routine not appropriate in a real-time operation is

sequence check


Input validation checks and controls that should be performed in a real-time operation include

field check, sign check, and redundant data check


Check digit is

an input control consisting of a single digit at the end of an id code that is computed from the other digits in a field. If the id code is mis-keyed, a formula will reveal that the check digit is not correct and the field will not accept the entry


Field check is

an edit check in which the characters in a field are examined to ensure they are of the correct field type

ex. # in # field


Redundant data check is

an edit check that requires the inclusion of 2 identifiers in each input record and if these values do not match those on record, the record will not be updated


Sign check is

an edit check that verifies that the data in a field has the appropriate arithmetic sign


During the ______ phase of the SDLC is when training would occur



The greatest financial threat to an organization that implemented the financial accounting module of an ERP system from a major vendor exists from errors detected during



In the systems development cycle, coding is

part of the detailed design phase


An integrated group of programs that supervises and supports the operations of a computer system as it executes users' application programs is

an operating system


The data processing cycle (DPC) includes

collection (input), refinement, processing, maintenance, and output


Multiprocessing is

the simultaneous execution of 2 or more tasks usually by using 2 or more processing units that are part of the same system


Multiprogramming is

the appearance of simultaneous execution of 2 programs as a single processing unit switches back and forth between the programs

*it does not allow multiple programs to be executed at exactly the same time


In business information systems, the term "stakeholder" refers to

anyone in the organization who has a role in creating or using the documents and data stored on the computers or networks


Change control is

the process of modifying application software, including requesting a change, reviewing the effectiveness of the change, approving the change, and implementing the change


Mgmt of a company has a lack of segregation of duties within the application environment, with programmers having access to development and production. The programmers have the ability to implement application code changes into production without monitoring or a quality assurance function. This is considered a deficiency in

change control


In a continuous improvement environment, automated monitoring of controls is


*helpful but not necessary


Manual monitoring of controls can also help in a

continuous improvement environment


The strategy a CPA would most likely consider in auditing an entity that processes most of its financial data only in electronic form is

continuous monitoring and analysis of transaction processing with an embedded audit module


An advantage of having a computer maintain an automated error log in conjunction with computer edit programs is that

reports can be developed that summarize the errors by type, cause, and person responsible


Change mgmt control policies

put into place the proper processes and approval channels to make changes to an organization's systems


At a minimum, change mgmt control policies should include

- formal channels for requesting and approving changes
- preventing unauthorized changes
- ensuring that any changes made do not impair or negatively impact the other system functions
- ensuring that viability of the whole system is not impaired
- requiring appropriate testing of all changes before implementation to production environments occurs


Six Sigma, TQM, and other process improvement methodologies all follow the same basic steps which are:

- identify what the issue is
- understand more about the issue
- determine what is causing the issue
- remediate the issue
- implement monitoring and control capabilities


Record count is

a total of the # of input documents to a process or the # of records processed in a run


The procedure managers use to identify whether the company has info that unauthorized individuals want, how they could obtain the info, the value of the info, and the probability of unauthorized access occurring is

Risk Assessment


Disaster recovery plan is

the process, policies, and procedures of restoring operations critical to the resumption of business


An AP clerk is accused of making unauthorized changes to previous payments to a vendor. Proof could be uncovered in

the transaction logs


A risk of using test library programs in emergency situations is that

the programs may not be further tested before being placed in production permanently


In a large organization, the biggest risk in not having an adequately staffed information center help desk is

persistent errors in user interaction with systems


In traditional IS, computer operators are generally responsible for backing up software and data files on a regular basis. In distributed or cooperative systems, ensuring that adequate backups are taken is the responsibility of

user management


Embedded audit modules enable

continuous monitoring of transaction processing


An edit of individual transactions in a direct access file processing system usually

takes place in an online mode as transactions are entered


General controls are

applied to all applications processed by the computerized system


An example of a general control for a computerized system is

restricting access to the computer center by use of biometric devices


Application controls are

specific to an application and ensure the completeness and accuracy of the records and the validity of the entries made


Application controls consist of 3 types:

- input controls
- processing controls
- output controls


Examples of application controls are

- limiting entry of sales transactions to only valid credit customers
- creating hash totals from SSN for the weekly payroll
- restricting entry of AP transactions to only authorized users


A national retailer required more detailed data to help stock its stores with the right products and to increase its turnover. Such data amounted to several gigabytes per day from each store. A new high-speed company-wide network was needed to transmit and analyze the data. Management recognized the need to prepare the company for changes resulting from the enhanced network services. For this purpose, the appropriate management action would be to

optimize in-house networks to avoid bottlenecks that would limit the benefits offered by the telecommunications provider


To mitigate the risk of system development personnel being tempted to make unauthorized changes to the software or system to meet user needs, mgmt should implement

change mgmt controls


One purpose of an embedded audit module is

to enable continuous monitoring of transaction processing


Some of the more important controls that relate to automated AIS are validity checks, limit checks, field checks, and sign tests. These are classified as

input validation routines


A preventive control is one that is designed to discover and eliminate problems before they occur. Examples of preventive controls include:

- access control software
- hiring well-qualified personnel and training them well
- segregating EE duties
- controlling physical access to facilities and info


Image processing systems have the potential to reduce the volume of paper circulated throughout an organization. To reduce the likelihood of users relying on the wrong images, mgmt should ensure that appropriate controls exist to maintain the

integrity of index data


The identification of users who have permission to access data elements in a database is found in the

database schema


Schema is

a description of the types of data elements that are in the DB, the relationship among the data elements, and the structure or overall logical model used to organize and describe the data


The ________ computer assisted auditing technique allows fictitious and real transactions to be processed together without client operating personnel being aware of the testing process

integrated test facility


Both _____ and _____ are processing controls designed to ensure the reliability and accuracy of data processing

validity checks and limit tests


______ authorize and record transactions and correct errors



Data control group is

responsible for logging data inputs, processing, and outputs and makes sure that transactions have been authorized


Computer operator is

responsible for maintaining and running daily computer operations


Security mgmt is

responsible for preventing unauthorized physical and logical access to the system


The internal control procedures that would prevent an EE from being paid an inappropriate hourly wage is

limiting access to EE master files to authorized EEs in the personnel dept


When a company authorizes EE access only to data required for accomplishing their jobs, the approach is known as

access on a need-to-know basis


Individual accountability is

individuals with access to data are responsible for the use and security of data obtained via their access privileges


Mgmt-by-exception is

spending mgmt time on exception conditions vs spending time on things operating as normal


To maintain effective segregation of duties within the IT function, an application programmer should have the responsibility of

coding approved changes to a payroll system



- use the design developed by the analysts to develop an IS
- write computer programs


Users should have update access for

production data


Application programmers should not have

update or change access for production data or production programs


Examples of good internal control in an IT system include

- design and implementation is performed in accordance with mgmt's specific authorization
- provisions exist to ensure the accuracy and integrity of computer processing of all files and reports
- provisions exist to protect data files from unauthorized access, modification, or destruction


In a large firm, custody of an entity's data is most appropriately maintained by

data librarians


System analysts

design the system


Application programmers

code the specific application programs


Computer operators

ensure data is entered and processed and proper output is produced


Data librarians

control actual data


The functions of a database administrator are

database design, database operation, and database security


An organization's computer help-desk function is usually a responsibility of the

computer operations unit


Certain utility software may have privileged access to software and data. To compensate for the risk of unauthorized use of privileged software, IS mgmt can

limit the use of privileged software


System analysts

analyze info needs and design systems that meet those needs


The role of the systems analyst in an IT environment is

designing systems, preparing specs for programmers, and serving as an intermediary between users and programmers


Long range plans and the direction of app development and computer ops are performed by

system administrators


The completeness, accuracy, and distribution of input and output is performed by the

data control group


The selection and maintenance of system software, including operating systems, network software, and the DB mgmt system is performed by

database and network managers


In the organization of the IS function, the most important segregation of duties is

assuring that those responsible for programming the system do not have access to data processing operations


Your firm recently converted its purchasing cycle from a manual process to an online computer system. A probable result associated with conversion to the new automated system is

that traditional duties are less segregated


Conversion to an automated data processing system usually

- reduces processing errors
- has little to no effect on risk exposure
- reduces processing time


Systems analysts are the personnel within an organization who are responsible for the development of the company's IS. The least likely function they are to perform is

developing, coding, and testing computer programs


Systems analysts typically perform the

- design of computer applications
- prep of specs for computer programming
- examining user info requirements


The system librarian maintains segregation of duties by

only accepting properly tested and approved programs into the production library


For sound controls over computer program libraries

only the program librarian should be allowed to make changes to the production library. This appropriately restricts access to the program modules that are running


Programmers should be restricted from

accessing the production library


Programmers should be responsible for update access for

making program changes


Users should be responsible for

testing the changes


If a computer operator had access to both the production library and source code library then

the operator would be in a position to make unauthorized and undetected changes to the computer programs


The IT dept responsibilities of ______ and ______ should be delegated to separate individuals

data entry and application programming


System programmers are normally assigned

operating systems and compilers


Ryan Company has an AIS that operates in a client/server environment. The least likely situation to provide an appropriate security environment is

placing complete systems application controls under one individual


In a client/server environment, useful security procedures include

- use of application passwords
- power-on passwords for personal computers
- installation of anti-virus programs


A systems analyst is least likely to perform the function

develop and code computer programs


A systems analyst would

- analyze the present system
- prepare computer program specs
- design computer apps


The following is an example of proper segregation of duties within the IT function:

a computer operator must request needed files and programs from the data librarian to process transactions


Violation of segregation of duties? A programmer is allowed to make minor changes in the current production version of the program that updates customer accounts

Yes, violation


Violation of segregation of duties? The IS librarian also fills in as a programmer when projects must be completed quickly

Yes, violation


Violation of segregation of duties? Systems analysts also work as computer operators when needed

Yes, violation


A control to incorporate to prevent an EE from making an unauthorized change to computer records unrelated to that EE's job would be to

apply a compatibility test to transactions or inquiries entered by the user


At a remote computer center, mgmt installed an automated scheduling system to load data files and execute programs at specific times during the day. The best approach for verifying that the scheduling system performs as intended is to

audit job accounting data for file accesses and job initiation/termination messages


A problem related to computer-based IS in organizations is that end-users require technical support and assistance in the development of their own computer apps. The best solution to this problem would be

information center and help desk


The _______ is responsible for making sure that the IS operates efficiently and effectively

Systems administrator


An Information Security officer should not

maintain and update a list of user passwords


Appropriate duties of the Information Security Officer include

- developing an info security policy
- commenting on security controls in new apps
- monitoring and investigating unsuccessful access attempts


The following function should prevent a programmer from altering a program and then using that program in a production run

the IS librarian secures production programs and data


When a business implements an online gift registry system for customers such as those about to be married, the system should have the following restrictions on access:

customers have read privileges and salespeople have update privileges


In a large multinational organization, the network administrator should have the responsibility of

managing remote access


A company planned a major change to its accounting system. The system analyst interviewed users and managers and designed the new system to meet their needs. The analyst then wrote the computer programs to implement the needed modifications. The programs were thoroughly tested by change mgmt based on the criteria of the revised system design. The action that violated segregation of duties was

Systems analyst acted as a programmer


Fact or Fiction? The system librarian accepting a program into the production library after it had been tested by the programmer is a violation of segregation of duties?

Yes, fact

*someone independent should have tested it


Managing the IS function is likely to involve

- a system for charging user dept for computer services
- project development plans
- responsibility accounting principles


The ______ is responsible for ensuring that transactions are processed correctly and that input and output are reconciled

data control group


The data control group makes sure that:

- a log is kept of all inputs, data processing ops, stored data, and system output
- source data have been properly approved
- transactions are processed correctly
- input and output are reconciled
- records of input errors are maintained so they can be corrected and resubmitted
- data-related errors are sent to the users who originated the transaction for correction
- system output is distributed to the intended and proper user
- there is adequate rotation of operator duties


The database control that would be most effective in maintaining a segregation of duties appropriate to the users' reporting structure within an org is

access security features


An EDP control used to assure that paychecks were written for all EE for a pay period would be the use of

hash totals on EE SSN


Adle Supply Company recently installed an integrated order-entry and invoicing system. The basic inputs to the system consist of one record for each line on the customers' orders, the inventory master file, and the customer master file. Individual items ordered by the customer may be rejected at the computer entry audit or when the items are validated by comparing them with data in the inventory master file. Complete orders may be rejected when data from the orders are compared with data in the customer master file. All orders that are found to be valid are posted to the inventory and customer files. For data control personnel to account for all inventory items and customer orders processed, the system should include:

run-to-run control totals and error lists


A control procedure that could be used in an online system to provide an immediate check on whether an account number has been entered on a terminal accurately is

self-checking digit


When evaluating internal control of an entity that processes sales transactions on the internet, an auditor would be most concerned about the

potential for computer disruptions in recording sales


Compared to batch processing, real-time processing has the advantage of

timeliness of info


An input clerk enters an EE number and the computer responds with the message "EE # is not assigned to an active EE. Please reenter." The technique being used is

existence check


Range checking

reduces the risk of reprocessing ledger transactions of an earlier month by checking a number in a transaction (such as a date) to determine whether that number falls within a specified range


In reviewing data in Excel, a brand manager suspected that several days of POS data from one grocery chain was missing. The best approach for detecting missing rows in the data would be to

compare product id codes by store for consecutive periods


An update program for bank account balances calculates check digits for account numbers. This is an example of

an input control


An online database mgmt system for sales and receivables was recently expanded to include credit approval transactions. An evaluation of controls was not performed prior to implementation. To prevent unauthorized access to specific data elements, the database mgmt system should contain

password specs for each data file or element


Preventative controls generally are _____ important than detective controls in EDI systems



COBIT stands for

Control Objs for Information and Related Technology


COBIT applies to

information technology


Edit checks in a computerized accounting system

should be performed on transactions prior to updating a master file


Using standard procedures developed by information center personnel, staff members download specific subsets of financial and operating data as they need it. The staff members analyze the data on their own personal computers (PCs) and share results with each other. Over time, the staff members learn to modify the standard procedures to get subsets of financial and operating data that were not accessible through the original procedures. The greatest risk associated with this situation is that:

the data obtained might be incomplete or lack currency


A customer order was never filled due to transposition error. The _______ control would most likely have detected the transposition

validity check


The linked list form of file organization is characterized by

pointer field


Examine ________ to determine if an IS is operating according to prescribed procedures

system control


Online access controls are critical for the successful operation of today's computer systems. To assist in maintaining control over such access, many systems use tests that are maintained through an internet access control matrix which consists of:

authorized user code #, passwords, lists of all files and programs, and a record of the type of access each user is entitled to have for each file and program


The situation that would most likely provide the best way to secure data integrity for a personal computer environment is

all computers linked to a LAN


An organization relied heavily on e-commerce for its transactions. Evidence of the organization's security awareness manual would be an example of

preventive controls


The input control to prevent an incorrect state abbreviation from being accepted as legitimate data is

validity check


A digital signature is used primarily to determine that a message is

unaltered in transmission


A validation check used to determine if a quantity ordered field contains only numbers is an example of

an input control


In order to assure the accuracy of computerized output, it is necessary to have controls related to

input, processing/storage, and output


EDP accounting control procedures are referred to as general controls or application controls. The primary objective of application controls in a computer environment is to

maintain the accuracy of the input, files, and outputs for specific applications


A company's labor distribution report requires extensive corrections each month because of labor hours charged to inactive jobs. The data processing input control that appears to be missing is

a validity test


To ensure the completeness of update in an online system, separate totals are accumulated for all transactions processed throughout the day. The computer then agrees these totals to the total of items accepted for processing. This is an example of

run-to-run controls


The most important control objective in the audit of an online order entry system that maintains information critical to mgmt decisions is

data integrity


The EDP control used to assure that hours an individual worked in one week do not exceed a designated maximum is

a limit check


EE numbers have all numeric characters. To prevent the input of alphabetic characters, the technique to use is

a field check


Erroneous mgmt decisions might be the result of incomplete information. The best control to detect a failure to process all valid transactions is

user review of selected output and transactions rejected by edit checks


To avoid invalid data input, a bank added an extra number at the end of each account number and subjected the new number to an algorithm. This technique is known as

a check digit


An example of how specific internal controls in a database environment may differ from controls in a nondatabase environment is

controls should exist to ensure that users have access to and can update only the data elements that they have been authorized to access


Data input validation routines include

hash totals


To ensure the completeness of a file update, the user department retains copies of all unnumbered documents submitted for processing and checks these off individually against a report of transactions processed. This is an example of the use of

one-for-one checking


In an automated payroll processing environment, a department manager substituted the time card for a terminated EE with a time card for a fictitious EE. The fictitious EE had the same pay rate and hours worked as the terminated EE. The best control technique to detect this action using EE id number would be

hash total


A retail entity uses EDI in executing and recording most of its purchase transactions. The entity's auditor recognizes that the documentation of the transactions will be retained for only a short period of time. To compensate for this limitation, the auditor most likely would

perform tests several times during the year, rather than only at year end


In order to prevent, detect, and correct errors and unauthorized tampering, a payroll system should have adequate controls. The best set of controls for a payroll system includes

batch and hash total, record counts of each run, proper separation of duties, passwords and user codes, and backup of activity and master files


A new AR clerk, working for a wholesaler, noticed that a customer had apparently changed addresses. The clerk had accessed the customer's computer file and revised all addresses. One week later the customer complained that goods were being sent to the wrong address. The primary control to prevent this occurrence is

database security


An access control matrix consists of

- a list of all authorized user code numbers and passwords
- a list of all files and programs maintained on the system
- a record of the type of access to which each user is entitled


The most effective computerized control procedure to ensure data uploaded from a PC to a mainframe are complete and that no additional data are added is

batch control totals, including control totals and hash totals


Program documentation is a control designed primarily to ensure that

programs are kept up to date and perform as intended


A control activity to take to reduce the risk of incorrect processing in a newly installed computerized accounting system is to

independently verify the transactions


A bank wants to reject erroneous checking account numbers to avoid invalid input. The auditors recommended adding another number at the end of the account numbers. The computer would subject the other numbers to an algorithm and compare it to the extra number. This technique recommended by the auditors is

check digit