Which of the following represents a lack of internal control in a computer-based system?
A. The design and implementation is performed in accordance with management’s specific authorization.
B. Provisions exist to ensure the accuracy and integrity of computer processing of all files and reports.
C. Provisions exist to protect data files from unauthorized access, modification, or destruction.
D. Programmers have access to change programs and data files when an error is detected.
D. Programmers have access to change programs and data files when an error is detected.
A situation in which programmers have access to change programs and data files when an error is detected is an example of inadequate separation of duties, which constitutes a lack of internal control. Computer programmers should write programs designed by analysts and should work in a development environment that is separate from the production system.
Which of the following is responsible for authorizing and recording transactions and for correcting errors?
A. Data control group
B. Computer operators
C. Security management
D. Users
D. Users
Users authorize and record transactions, use system output, and are responsible for correcting errors.
The data control group logs data inputs, processing, and outputs, and makes sure that transactions have been authorized. They do not authorize or record transactions themselves.
Computer operators maintain and run daily computer operations.
Security management is responsible for preventing unauthorized physical and logical access to the system.
The batch processing of business transactions can be the appropriate mode when:
A. unique hardware features are available.
B. timeliness is a major issue.
C. a single handling of the data is desired.
D. economy of scale can be gained because of high volumes of transactions.
D. economy of scale can be gained because of high volumes of transactions.
Batch processing means “that transactions are accumulated for some period of time.” Its use depends on the requirements of the users. When a high volume of transactions exists, economies of scale can be gained by utilizing batch processing since many transactions are processed in the same run.
Which of the following structures refers to the collection of data for all vendors in a relational data base?
A. Record
B. Field
C. File
D. Byte
C. File
A byte is a part of a field. A field is a part of a record. A record is a set of logically related data items that describes specific attributes of an entity, such as all payroll data relating to a single employee. Multiple records make up a file, so a collection of data from all vendors would be a file.
To obtain evidence that online access controls are properly functioning, an auditor most likely would:
A. create checkpoints at periodic intervals after live data processing to test for unauthorized use of the system.
B. examine the transaction log to discover whether any transactions were lost or entered twice due to a system malfunction.
C. enter invalid identification numbers or passwords to ascertain whether the system rejects them.
D. vouch a random sample of processed transactions to assure proper authorization.
C. enter invalid identification numbers or passwords to ascertain whether the system rejects them.
Evidence that online access controls are properly functioning can be obtained by entering a series of identification numbers and passwords, some correct and some incorrect, and determining that the system allows access to the correct data but rejects the rest.
“Create checkpoints at periodic intervals after live data processing to test for unauthorized use of the system” is incorrect because a checkpoint is a place in a computer program where its status can be recorded or its information saved (dumped) and later execution can be resumed from that point rather than from the beginning of the program. It would not detect unauthorized access to the system.
“Examine the transaction log to discover whether any transactions were lost or entered twice due to a system malfunction” is incorrect because a transaction log is a detailed record of every transaction entered in a system through data entry. It would not disclose unauthorized access to the system.
“Vouch a random sample of processed transactions to assure proper authorization” is incorrect because vouching source documents for processed transactions would not indicate whether the system allows access to unauthorized users.
Which of the following control activities should be taken to reduce the risk of incorrect processing in a newly installed computerized accounting system?
A. Segregation of duties
B. Ensure proper authorization of transactions
C. Adequately safeguard assets
D. Independently verify the transactions
D. Independently verify the transactions
Key verification is having another employee independently re-enter transactions, then programming the software to compare the inputs, looking for errors. Check digit verification uses an extra character in numbers such as account numbers and part numbers. The software recomputes the extra character and flags incorrect numbers. Either type of verification will reduce the risk of incorrect processing.
The other answer choices are incorrect because they are general controls that regulate the computer activity rather than the application processing. Segregation of duties, proper authorization of transactions, and safeguarding assets will not prevent errors in processing by the software.
A control procedure that could be used in an online system to provide an immediate check on whether an account number has been entered on a terminal accurately is a:
A. compatibility test.
B. hash total.
C. record count.
D. self-checking digit.
D. self-checking digit.
A self-checking digit is generated when the data element is inputted. A prescribed arithmetic operation is automatically done and stored on this element. This same operation is then performed later on, which would “ensure that the number has not been recorded incorrectly.”
A compatibility test validates the data within the field.
A hash total is the total of a non-quantitative field such as account number to be sure all records are processed.
A record count summarizes the number of records processed.
Which of the following best defines electronic data interchange (EDI) transactions?
A. Electronic business information is exchanged between two or more businesses.
B. Customers’ funds-related transactions are electronically transmitted and processed.
C. Entered sales data are electronically transmitted via a centralized network to a central processor.
D. Products sold on central web servers can be accessed by users at any time.
A. Electronic business information is exchanged between two or more businesses.
Electronic data interchange (EDI) is defined as the use of computerized communication to exchange data electronically in order to process transactions between and within computers and computer networks of various organizations.
A value-added network (VAN) is a privately owned network that performs which of the following functions?
A. Routes data transactions between trading partners
B. Routes data within a company’s multiple networks
C. Provides additional accuracy for data transmissions
D. Provides services to send marketing data to customers
A. Routes data transactions between trading partners
A value-added network (VAN) provides specialized hardware, software, and long-distance communications to private networks so that they can exchange data. A VAN adds value to the basic data communications process by handling the difficult task of interfacing with multiple types of hardware and software used by different parties.
A distributed processing environment would be most beneficial in which of the following situations?
A. Large volumes of data are generated at many locations and fast access is required.
B. Large volumes of data are generated centrally and fast access is not required.
C. Small volumes of data are generated at many locations, fast access is required, and summaries of the data are needed promptly at a central site.
D. Small volumes of data are generated centrally, fast access is required, and summaries are needed monthly at many locations.
A. Large volumes of data are generated at many locations and fast access is required.
A distributed/decentralized processing environment works best when significant volumes of data are generated at many remote locations and the user requires near-immediate access to the data. This type of processing environment will allow for quick access to the data as opposed to having that information generated at many locations and processed at a centralized location.
Company A has numerous personal computers (PCs) with full processing capabilities linked into an integrated local area network with a file server which in turn is fully connected to the central mainframe computer. Data entry, comprehensive processing, and inquiry routines are possible at all nodes in the network.
A control feature designed to negate the use of utility programs to read files which contain all authorized access user codes for the network is:
A. internally encrypted passwords.
B. a password hierarchy.
C. log-on passwords.
D. a peer-to-peer network.
A. internally encrypted passwords.
Internally encrypted passwords are a form of access control designed to prevent unauthorized access by use of a utility program to identify passwords.
Password hierarchy is a system of passwords designed in such a manner as to allow differing degrees of access to file manipulation activities.
Log-on passwords are the familiar passwords commonly used to gain initial access to a system or network.
A peer-to-peer network has all processing done at the same level (by PCs in this case) with no dedicated file server or mainframe.
Franklin, Inc., is a medium-size manufacturer of toys that makes 25% of its sales to Mega Company, a major national discount retailing firm. Mega will be requiring Franklin and other suppliers to use electronic data interchange (EDI) for inventory replenishment and trade payment transactions as opposed to the paper-based systems previously used. Franklin would consider all of the following to be advantages for using EDI in its dealings with Mega, except:
A. access to Mega’s inventory balances of Franklin’s products.
B. savings in the Accounts Receivable Department.
C. better status tracking of deliveries and payments.
D. compatibility with Franklin’s other procedures and systems.
D. compatibility with Franklin’s other procedures and systems.
Supplier/purchaser relationships where one firm requires another firm to use electronic data interchange (EDI) and trade payment transactions typically create benefits for the supplying firm, including access to inventory balances of their products at the purchaser, savings in Accounts Receivable, better tracking of deliveries and payments, and reduction in payment float. A result of such a required implementation of an outside system, however, may not be considered an advantage when there are compatibility issues with the supplier’s existing procedures and systems.
Which of the following activities would most likely detect computer-related fraud?
A. Using data encryption
B. Performing validity checks
C. Conducting fraud-awareness training
D. Reviewing the systems-access log
D. Reviewing the systems-access log
The question asks about fraud detection, not fraud prevention. Data encryption and fraud-awareness training are preventive measures. Validity checks ensure that data entry input is correct (for instance, that a general ledger account exists for each journal entry account number). Validity checks, while an important internal control over financial reporting, are not a method to detect fraud. Of all the answers, reviewing the systems-access log is the best choice. It would help discover if unauthorized access to the system has been allowed.
It is important to maintain proper segregation of duties in a computer environment. Which of the following access setups is appropriate?
A. Users have update access for production data
B. Users have update access for production data and application programmers have update access for production programs
C. Application programmers have update access for production data and users have update access for production programs
D. Users have update access for production data and application programmers have update access for both production data and programs
A. Users have update access for production data
Users need to update data through applications programs.
Application programmers should not be able to change production programs. They should submit changes to the change control unit.
Application programmers should never have update access to production data. Users have no need to change production programs.
An online data entry technique that can be employed when inexperienced personnel input data is the use of:
A. prompting.
B. written job descriptions.
C. compatibility tests.
D. checkpoints.
A. prompting.
Some software assists users in data entry by prompting (the use of questions and predetermined input formats). Prompting is very helpful in avoiding input errors by inexperienced personnel.
A company has an online order processing system. The company is in the process of determining the dollar amount of loss from user error. The company estimates the probability of occurrence of user error to be 90%, with evenly distributed losses ranging from $1,000 to $30,000. What is the expected annual loss from user error?
A. $13,050
B. $13,500
C. $13,950
D. $14,400
C. $13,950
Errors are be evenly distributed between $1,000 and $30,000. The average of this range is ($30,000 + $1,000) ÷ 2, or $15,500. The probability of error is 90%, so the expected value of the annual loss is 90% × $15,500, or $13,950.
Which of the following represents an additional cost of transmitting business transactions by means of electronic data interchange (EDI) rather than in a traditional paper environment?
A. Redundant data checks are needed to verify that individual EDI transactions are not recorded twice.
B. Internal audit work is needed because the potential for random data entry errors is increased.
C. Translation software is needed to convert transactions from the entity’s internal format to a standard EDI format.
D. More supervisory personnel are needed because the amount of data entry is greater in an EDI system.
C. Translation software is needed to convert transactions from the entity’s internal format to a standard EDI format.
Electronic data interchange is used to electronically transfer information between and within organization computers. However, it comes at a cost. The service is standardized, so translation is needed to convert data from the usual format to that acceptable to the EDI system.
“Redundant data checks are needed to verify that individual EDI transactions are not recorded twice” is incorrect because checks on the accuracy of the data are included in the EDI system, not added on.
“Internal audit work is needed because the potential for random data entry errors is increased” is incorrect because the potential for data entry errors is reduced by the EDI system.
“More supervisory personnel are needed because the amount of data entry is greater in an EDI system” is incorrect because the EDI does not change the data entry, only the further processing after data entry. These incorrect answer choices all refer to data entry rather than data transmission.
Which of the following statements is correct concerning the security of messages in an electronic data interchange (EDI) system?
A. Removable drives that can be locked up at night provide adequate security when the confidentiality of data is the primary risk.
B. Message authentication in EDI systems performs the same function as segregation of duties in other information systems.
C. Encryption performed by a physically secure hardware device is more secure than encryption performed by software.
D. Security at the transaction phase in EDI systems is not necessary because problems at that level will be identified by the service provider.
C. Encryption performed by a physically secure hardware device is more secure than encryption performed by software.
Electronic data interchange, or EDI, is the use of computerized communication to exchange business data electronically in order to process transactions. Encryption is transforming data into unreadable gibberish to be sent electronically. This data is then decrypted and read at its destination.
When data is transferred electronically, security is an issue. Software applications that encrypt data are more vulnerable to security risks than a hardware device performing the same function.
Removable drives will not prevent unauthorized access to electronic data, since the data could be intercepted en route. Message authentication, or being able to determine who sent a message, is a not a substitute for segregation of duties. Instead, authentication assists with allowing only authorized messages access to the information system. Most EDI systems now do not have a third-party provider transmitting electronic data, due to the advent of the Internet.
In order to prevent, detect, and correct errors and unauthorized tampering, a payroll system should have adequate controls. The best set of controls for a payroll system includes:
A. batch and hash total, record counts of each run, proper separation of duties, passwords and user codes, and backup copies of activity and master files.
B. employee supervision, batch totals, record counts of each run, and payments by check.
C. passwords and user codes, batch totals, employee supervision, and record counts of each run.
D. sign test, limit tests, passwords, and user codes, online edit checks, and payments by check.
A. batch and hash total, record counts of each run, proper separation of duties, passwords and user codes, and backup copies of activity and master files.
The quality of a set of controls is best gauged by their ability to prevent unwanted actions from occurring or to cause desired actions to occur. The question offers several collections of various controls but the best set of controls includes input controls (batch and hash totals, record counts of each run), preventive controls (proper separation of duties, passwords and user codes), and recovery methods (backup copies of activity and master files).
Management reporting systems:
A. rely on internally generated data.
B. rely on both internally generated and externally generated data.
C. rely on externally generated data.
D. gather operating data but do not capture financial data.
B. rely on both internally generated and externally generated data
Management reporting systems rely on a mix of internal and external data. They also combine financial and operational data so that managers have flexibility in determining the information that they will use for decision making.
Which of the following best depicts the path of data as it moves through an information system?
A. Program flow-charts
B. System flow-charts
C. Decision table
D. HIPO chart
B. System flow-charts
A system flowchart provides the overall view of the inputs, processes, and outputs of an information system. The flowchart is designed to portray the path of data as it moves through an information system.
Which of the following is a primary function of a database management system?
A. Report customization
B. Capability to create and modify the database
C. Financial transactions input
D. Database access authorizations
B. Capability to create and modify the database
A database management system (DBMS) is a specialized computer program that manages and controls data and the interface between data and the application programs. Such a system is designed to make it easier to develop new applications and allows users to change the way they view data without changing how the data are stored physically.
The other answer choices (report customization, financial transactions input, and database access authorizations) are all performed by the system user rather than the DBMS.
A disk storage unit is preferred over a magnetic tape drive because the disk storage unit:
A. has nine tracks.
B. offers sequential access to data files.
C. offers random access to data files.
D. is a cheaper medium for data storage.
C. offers random access to data files.
Access to data takes less time with disk storage than with magnetic tape storage.
Consider how data is stored on magnetic tape. Blocks of data files are arranged linearly along the entire length of the tape. In order to move from a read location at or near the beginning of the tape to a read location near the end of the tape, it is necessary to travel over all tape between the two read locations.
On the other hand, if disk storage is used, it is possible to jump directly from one read location to another. This is possible because disk storage offers random access to data files.
Compared to online, real-time processing, batch processing has which of the following disadvantages?
A. A greater level of control is necessary.
B. Additional computing resources are required.
C. Additional personnel are required.
D. Stored data are current only after the update process.
Batch processing is updating master files periodically to reflect all transactions that occurred during a given time period. The only time the master file is current with batch processing is immediately after an update occurs. When using online, real-time processing, the computer captures data electronically, edits it for accuracy and completeness, and then updates the master file as each transaction occurs.
Which of the following audit tests should be performed by an internal auditor who is reviewing controls over user authentication procedures?
A. Verify password masking at data terminals.
B. Review how proper separation of duties is established using access control software.
C. Review procedures concerning revocation of inactive users.
D. Review password procedures.
A. Verify password masking at data terminals.
User authentication basically seeks to determine if the person seeking access is who they say they are. Password masking is a part of this process. Password masking is the technique of either hiding the password as it is typed or displaying other characters so that observers cannot see what characters the user is actually entering.
Separation of duties relates to access to certain application areas.
Reviewing procedures concerning revocation is an identification issue designed to deny access to inactive users.
Encryption protection is least likely to be used in which of the following situations?
A. When transactions are transmitted over local area networks
B. When wire transfers are made between banks
C. When confidential data are sent by satellite transmission
D. When financial data are sent over dedicated, leased lines
A. When transactions are transmitted over local area networks
Encryption protection is least likely to be used when transactions are transmitted over local area networks. Such protection makes it difficult for intercepted transmissions to be understood or modified. Encoding is important when confidential data are transmitted between geographically separated locations that can be electronically monitored. Although LANs may need encryption protection, the type of data and the described communication media make the other options appear more vulnerable.
Encryption is often used when wire transfers are made between banks, confidential data are sent by satellite transmission, and financial data are sent over dedicated leased lines.
Risk assessments, recovery plans for data systems, and implementation of safeguards are all components of:
A. a control flowchart.
B. a database.
C. a disaster recovery plan.
D. an insurance claim form.
C. a disaster recovery plan.
A disaster recovery plan should include a risk assessment, recommendation (and implementation) of safeguards, and recovery plans.
Which of the following tasks is least likely to be undertaken in the implementation phase of an accounting software application?
A. Obtain and install hardware.
B. Enter and verify test data.
C. Identify inputs and outputs.
D. Document user procedures.
C. Identify inputs and outputs.
The implementation phase of an accounting software application would include obtaining and installing hardware, documenting user procedures, training users, and entering and verifying test data.
Identifying inputs and outputs would occur in the systems design and development phase, preceding implementation.
Data access security related to applications may be enforced through all the following, except:
A. user identification and authentication functions incorporated in the application.
B. utility software functions.
C. user identification and authentication functions in access control software.
D. security functions provided by a database management system.
B. utility software functions.
Data access security related to applications cannot be enforced through utility software functions. Utility programs are one of the more serious “holes” in data access security since some of them can actually bypass normal access controls.
Data access security related to applications may be enforced through user identification and authentication functions incorporated in the application. Although there is a migration of control of this type away from applications to other software, most of these controls still reside in application software.
Data access security related to applications may be enforced through user identification and authentication functions in access control software. Access control software has as one of its primary objectives improving data access security for all data on the system.
Data access security related to applications may be enforced through security functions provided by a database management system. In fact, most database management systems provide for improved data access security while they are running.
Adle Supply Company recently installed an integrated order-entry and invoicing system. The basic inputs to the system consist of one record for each line on the customers’ orders, the inventory master file, and the customer master file. Individual items ordered by the customer may be rejected at the computer entry audit or when the items are validated by comparing them with data in the inventory master file. Complete orders may be rejected when data from the orders are compared with data in the customer master file. All orders that are found to be valid are posted to the inventory and customer files. For data control personnel to account for all inventory items and customer orders processed, the system should include:
A. echo checks.
B. run-to-run control totals and error lists.
C. manual processing of invalid transactions.
D. printing the status of the master records before and after processing the applications.
B. run-to-run control totals and error lists.
Use of control totals ensure that all transactions affecting inventories are accounted for and all valid orders processed accurately. The error lists are used to reconcile any differences in control totals.
An organization’s computer help-desk function is usually a responsibility of the:
A. applications development unit.
B. systems programming unit.
C. computer operations unit.
D. user departments.
C. computer operations unit.
Help desks are usually a responsibility of computer operations because of the operational nature of their functions, e.g., assisting users with systems problems involving prioritization and obtaining technical support/vendor assistance.
Applications development is responsible for developing systems. After formal acceptance by users, developers typically cease having day-to-day contact with a system’s users.
The responsibility of systems programming is to implement and maintain system-level software such as operating systems, access control software, and database systems software.
The responsibility of user departments is to interact with application systems as planned. User departments typically do not have the expertise necessary to solve their own systems problems.
All of the following are characteristic of computer machine language, except:
A. internal binary code.
B. hexadecimal code.
C. assembly language.
D. on/off electrical switches.
C. assembly language.
All of the answer choices except assembly language are characteristic of computer machine language.
Assembly language is a programming language in which each machine language instruction is represented by mnemonic characters; it is a symbolic language, an English-like and understandable alternative to basic machine language.
Machine language is the binary code (the on/off electrical switches: zero and one) that can be interpreted by the internal circuitry of the CPU. The binary code is usually arranged as a hexadecimal (base 16) code. It is a very time-consuming, error-prone programming process.
The use of technology in e-commerce has created the need for increased security. E-commerce security measures include all of the following, except:
A. encryption.
B. firewalls.
C. simulation.
D. user account management.
C. simulation.
Simulation is used as an auditing tool in testing transaction processing systems. It is not used directly as a security measure in E-commerce.
The other answer choices are direct security measures used in e-commerce.
Compatibility tests are sometimes employed to determine whether an acceptable user is allowed to proceed. In order to perform compatibility tests, the system must maintain an access control matrix. The one item that is not part of an access control matrix is a:
A. list of all authorized user code numbers and passwords.
B. list of all files maintained on the system.
C. record of the type of access to which each user is entitled.
D. limit on the number of transaction inquiries that can be made by each user in a specified time period.
D. limit on the number of transaction inquiries that can be made by each user in a specified time period.
A limit on transaction totals and frequency is not part of the access control matrix. An access control matrix consists of:
a list of all authorized user code numbers and passwords,
a list of all files and programs maintained on the system, and
a record of the type of access to which each user is entitled.
Terms
Authorized
Compatibility Check (Compatibility Test)
Matrix
References
Five brand managers in a consumer food products company met regularly to figure out what price points were being lowered by their competitors and how well coupon promotions did. The data they needed to analyze consisted of about 50 gigabytes of daily point-of-sale (POS) data from major grocery chains for each month. The brand managers are competent users of spreadsheet and database software on personal computers (PCs). They considered several alternative software options to access and manipulate data to answer their questions.
Another brand manager suspected that several days of the POS data from one grocery chain were missing. The best approach for detecting missing rows in the data would be to:
A. sort on product identification code and identify missing product identification codes.
B. sort on store identification code and identify missing product identification codes.
C. compare product identification codes for consecutive periods.
D. compare product identification codes by store for consecutive periods.
D. compare product identification codes by store for consecutive periods.
Comparison of product identification codes by store for consecutive periods could reveal periods in which some products had no sales, a possible indication of missing data.
Unless product identification codes are consecutive, missing data would not be evident. This is not likely.
A sort of store identification codes would produce all product identification codes and related data for each store. This would not be useful.
Comparison of product identification codes for consecutive periods would not permit detection of missing rows of data.
Managers of local offices of an international consulting firm need better access to human resource data for their offices’ employees than they have now from the consolidated database at the firm’s headquarters. A distributed database, in which data about individuals would reside on computers at local offices but would be accessible to managers worldwide, has been proposed. A risk of the proposed arrangement is that:
A. segregation of incompatible duties might not be maintained at the firm’s headquarters.
B. the data might not be updated as quickly as with the centralized system.
C. database integrity might not be preserved during a network or computer failure.
D. the data are more vulnerable to outsiders than with the centralized system.
C. database integrity might not be preserved during a network or computer failure.
Database integrity might not be preserved during a network or computer failure because of the complexity of updates, the time delays when multiple sites are involved, and the number of nodes to be coordinated.
Segregation of incompatible duties at the headquarters is independent of and imposes no risk on distributing the database.
Since the database would be distributed to the local offices, it is likely that data would be updated more quickly than before.
Both the centralized and distributed systems permitted access to all data, so if access security is maintained at the same levels, there should be no difference in the vulnerability of the database to outsiders.
Image processing systems have the potential to reduce the volume of paper circulated throughout an organization. To reduce the likelihood of users relying on the wrong images, management should ensure that appropriate controls exist to maintain the:
A. legibility of image data.
B. accuracy of image data.
C. integrity of index data.
D. initial sequence of index data.
C. integrity of index data.
If index data for image processing systems are corrupted, users will likely be relying on the wrong images.
Legibility and accuracy of image data are important to its use, but are independent of using the wrong image.
Maintaining the initial sequence of index data may not be possible as the image data is modified and images are added/dropped.
Which of the following internal control procedures would prevent an employee from being paid an inappropriate hourly wage?
A. Having the supervisor of the data-entry clerk verify that each employee’s hours worked are correctly entered into the system
B. Using real-time posting of payroll so there can be no after-the-fact data manipulation of the payroll register
C. Giving payroll data-entry clerks the ability to change any suspicious hourly pay rates to a reasonable rate
D. Limiting access to employee master files to authorized employees in the personnel department
D. Limiting access to employee master files to authorized employees in the personnel department
The employee master file contains all of the personal wage rates, applicable deductions, fringe benefits, withholding criteria, etc., as well as other information unique to that individual that is necessary to process payroll. Thus, an internal control process that limits access to this file would prevent an employee from being paid an inappropriate hourly wage rate. An additional control would be to have someone other than the person recommending a payroll master file change review and approve the change.
A customer’s order was never filled because an order entry clerk transposed the customer identification number while entering the sales transaction into the system. Which of the following controls would most likely have detected the transposition?
A. Sequence test
B. Completeness test
C. Validity check
D. Limit test
C. Validity check
A validity check is an edit test in which an identification number or transaction code is compared with a table of valid identification numbers or codes maintained in computer memory. A validity check on a customer number would have determined if the entry represented a valid customer. If not, the entry clerk would have been prompted to repeat the entry.
A sequence check is an edit check that determines if a batch of input data is in the proper numerical or alphabetical sequence. This check would not compare the entry to all valid entries and notify the clerk of an error.
A completeness test is an online data entry control in which the computer checks if all data required for a particular transaction has been entered by the user. The entry clerk in the question entered a customer identification number, and a completeness test would have accepted the entry even though it was not valid.
A limit check ensures that a numerical amount in a record does not exceed some predetermined amount. As long as the entry clerk’s customer identification number had the correct number of digits, a limit check would have allowed it to pass.
Which of the following allows customers to pay for goods or services from a website while maintaining financial privacy?
A. Credit card
B. Site draft
C. E-cash
D. Electronic check
C. E-cash
E-cash currencies, such as bitcoins, are anonymous and allow payment for purchases from websites.
A credit card, a sight draft (one that promises immediate payment to the holder of the draft), and an electronic check (such as created when a debit card is used for a purchase) are not anonymous.
When evaluating internal control of an entity that processes sales transactions on the Internet, an auditor would be most concerned about the:
A. lack of sales invoice documents as an audit trail.
B. potential for computer disruptions in recording sales.
C inability to establish an integrated test facility.
D. frequency of archiving and data retention.
B. potential for computer disruptions in recording sales.
As transactions travel through the Internet, they are subject to a variety of disruptions, at the sending computer, the receiving computer, during various processing steps, translations, and store-and-forward processes. These activities introduce risks such as unintentional errors, lost transactions, and duplication of transactions. Therefore, the auditor would be very concerned about completeness and accuracy controls over sale transactions processed via the Internet. Methods have been developed to replace the paper audit trail in all aspects of electronic commerce. While it may necessitate that the auditor test transactions throughout the financial statement period, the lack of paper sales invoices to audit can be overcome. The lack of a test facility or ability has internal control implications beyond just the processing of sales transactions. The frequency of archiving and data retention may affect when the auditor must test the internal controls over sales transactions, but with proper planning, testing can be done while the evidence of the electronic transaction is still available.
In an automated payroll processing environment, a department manager substituted the time card for a terminated employee with a time card for a fictitious employee. The fictitious employee had the same pay rate and hours worked as the terminated employee. The best control technique to detect this action using employee identification numbers would be a:
A. batch total.
B. record count.
C. hash total.
D. subsequent check.
C. hash total.
Assuming that the substitution takes place after the time cards have been batched for processing, the best control technique listed would be the hash total. The hash total is a type of batch control total. It is the summation of a quantitative but non-informational data field; for example, check numbers, purchase order numbers, and employee identification numbers.
An update program for bank account balances calculates check digits for account numbers. This is an example of:
A. an input control.
B. a file management control.
C. access control.
D. an output control.
A. an input control.
Check digit verification is an example of an input control. The check digit is a number calculated based on a calculation using all but the last digit, which is the check digit. If the calculation returns the check digit, the number is accepted as valid. If the calculation returns a number other than the check digit, the input is rejected as invalid.
Which of the following is not true? Relational databases:
A. are flexible and useful for unplanned, ad hoc queries.
B. store data in table form.
C. use trees to store data in a hierarchical structure.
D. are maintained on direct access devices.
C. use trees to store data in a hierarchical structure.
Hierarchical databases use tree structures to organize data; relational databases use tables.
Relational databases are flexible and useful for unplanned, ad hoc queries, do store data in table form, and are maintained on direct access devices.
Management of a company has a lack of segregation of duties within the application environment, with programmers having access to development and production. The programmers have the ability to implement application code changes into production without monitoring or a quality assurance function. This is considered a deficiency in which of the following areas?
A. Change control
B. Management override
C. Data integrity
D. Computer operations
A. Change control
Change control is the process of modifying application software, including requesting a change, reviewing the effectiveness of the change, approving the change, and implementing the change. Since programmers can implement application code changes without approval, there is a weakness in control over changes to application programs.
Management override refers to management not following controls that are properly designed and in force.
Data integrity refers to accuracy of data entered into the program or processing of that data rather than the software itself.
Computer operations refer to the management of the computer system running the application rather than the steps programmed into the software.
A user noticed that the accounts receivable update program was not providing a listing of outstanding accounts. The user asked a programmer to modify the program so that the report would be generated with each run and had the request authorized by change management. The programmer obtained a copy of the program and made the required changes. She then tested the program in the test environment and was satisfied that it worked correctly. The programmer returned the program to the system librarian to return it to the production library. Which aspect of this process violated a proper segregation of duties?
A. A user made a suggestion for a program change.
B. The system librarian released a copy of the program to the programmer.
C. The programmer tested the changes in a test environment.
D. The system librarian accepted the program into the production library after it had been tested by the programmer.
D. The system librarian accepted the program into the production library after it had been tested by the programmer.
The system librarian should only accept a modified program that has been properly tested by someone independent of the programmer to make sure that no unauthorized changes have been made.
The use of message encryption software:
A. guarantees the secrecy of data.
B. requires manual distribution of keys.
C. increases system overhead.
D. reduces the need for periodic password changes.
C. increases system overhead.
The machine instructions necessary to encrypt and decrypt data constitute system overhead, which means that processing may be slowed down.
No encryption approach absolutely guarantees the secrecy of data in transmission although encryption approaches are considered to be less amenable to being broken than others.
Keys may be distributed manually, but they may also be distributed electronically via secure key transporters.
Using encryption software does not reduce the need for periodic password changes because passwords are the typical means of validating users’ access to unencrypted data.
Which of the following is usually a benefit of using electronic funds transfer for international cash transactions?
A. Improvement of the audit trail for cash receipts and disbursements
B. Creation of self-monitoring access controls
C. Reduction of the frequency of data-entry errors
D. Off-site storage of source documents for cash transactions
C. Reduction of the frequency of data-entry errors
Since electronic funds transfer (EFT) allows transactions to take place more directly and with fewer intervening steps, there is less chance of human error. This can result in a reduction in the frequency of data-entry errors. EFT actually reduces the paper audit trail, although there are methods of monitoring and auditing such transactions at the time they occur. EFT may actually require stronger access controls due to the fact that fewer controls and reviews take place during the electronic processing of the transaction.
Which of the following is an objective of logical security controls for information systems?
A. To ensure complete and accurate recording of data
B. To ensure complete and accurate processing of data
C. To restrict access to specific data and resources
D. To provide an audit trail of the results of processing
C. To restrict access to specific data and resources
Logical security controls for information systems are used to restrict access to specific data and resources.
Input controls ensure complete and accurate recording of data.
Processing controls ensure complete and accurate processing of data.
Output controls provide an audit trail of results of processing.
To maintain effective segregation of duties within the information technology function, an application programmer should have which of the following responsibilities?
A. Modify and adapt operating system software
B. Correct detected data-entry errors for the cash disbursement system
C. Code approved changes to a payroll program
D. Maintain custody of the billing program code and its documentation
C. Code approved changes to a payroll program
In highly integrated systems, a person with unrestricted access to the computer, its programs, and live data might be able to perpetuate and conceal fraud. Functions such as changing systems software, finding and correcting data-entry errors, and maintaining programming code and documentation are segregated to prevent fraud. For example, an applications programmer uses designs developed by analysts to develop the information system and write the code for a computer program.
Many organizations have developed decision support system (DSS), a class of information systems that addresses the relationships between management decisions and information. Which of the following best describes the objective of a DSS?
A. To automate a manager’s problem-solving process
B. To provide interactive assistance during the process of problem solving
C. To impose a predefined sequence of analysis during the process of problem solving
D. To minimize a manager’s use of judgment in the process of problem solving
B. To provide interactive assistance during the process of problem solving
A DSS provides interactive problem-solving assistance. The DSS provides the decision maker with access to the computational capabilities, models, and data resources of the system to help in exploring the problem and developing potential solutions.
A DSS should support rather than automate a manager’s judgment.
A DSS provides interactive rather than predefined problem-solving assistance.
A DSS supports rather than replaces a manager’s judgment in problem solving.
Because of the sensitivity of its data, an online system for developing estimates and generating proposals was implemented with several layers of access control. Control over users’ initial log-in is a function of the:
A. integrated test facility.
B. operating system.
C. subschema authorizations.
D. application software.
B. operating system.
Initial log-in to a system is a function of the operating system–level access control software.
An integrated test facility is an audit approach to validating processing.
Database subschema authorizations control access to specific views of fields in a database.
Access to applications and their data is a function of application level software.
Which of the following would an auditor ordinarily consider the greatest risk regarding an entity’s use of electronic data interchange (EDI)?
A. Authorization of EDI transactions
B. Duplication of EDI transmissions
C. Improper distribution of EDI transactions
D. Elimination of paper documents
C. Improper distribution of EDI transactions
Electronic data interchange (EDI) transmits confidential information to business partners. There is always a risk in data transmission of it being received by unintended recipients, and this would concern an auditor.
“Authorization of EDI transactions” is incorrect because proper authorization is required for transactions whether or not EDI is involved.
“Duplication of EDI transmissions” is incorrect because duplication of transmissions to insure receipt is not a risk. The risks associated with these answer choices are controlled at the originating entity and do not result from improper transmission of the data.
“Elimination of paper documents” is incorrect because elimination of paper documents reduces the chance that the information will be acquired by unintended recipients.
To ensure the completeness of a file update, the user department retains copies of all unnumbered documents submitted for processing and checks these off individually against a report of transactions processed. This is an example of the use of:
A. established batch totals.
B. one-for-one checking.
C. computer sequence checks.
D. computer matching.
B. one-for-one checking.
One-for-one checking involves retaining copies of all unnumbered documents submitted for processing and checking them off individually against a report of transactions processed.
Batch totals require numerical control.
Computer sequence checks require that transactions be numbered.
Computer matching is performed under program control and not by the user.
Which of the following tasks would be included in a document flowchart for processing cash receipts?
A. Compare control and remittance totals
B. Record returns and allowances
C. Authorize and generate an invoice
D. Authorize and generate a vouches
A. Compare control and remittance totals
One of the key tasks in processing cash receipts is to compare control totals and remittance totals. Such a task may be represented by a box on a flowchart describing the process. Tasks such as recording returns and allowances, authorizing and generating invoices, and authorizing and generating vouchers are not part of processing cash receipts.
During the annual audit, it was learned from an interview with the controller that the accounting system was programmed to use a batch processing method and a detailed posting type. This would mean that individual transactions were:
A. posted upon entry, and each transaction had its own line entry in the appropriate ledger.
B. assigned to groups before posting, and each transaction had its own line entry in the appropriate ledger.
C. posted upon entry, and each transaction group had a cumulative entry total in the appropriate ledger.
D. assigned to groups before posting, and each transaction group had a cumulative entry total in the appropriate ledger.
B. assigned to groups before posting, and each transaction had its own line entry in the appropriate ledger.
Batch processing is updating master files periodically to reflect all transactions that occurred during a given time period. To do this, transactions are grouped in batches and processed as a batch.
The other answer choices are incorrect because:
each transaction can have its own line entry in either batch or continuous processing and each transaction is posted to the ledger account as a part of the detailed posting of the batch, not just in a total
Contingency planning alternatives can vary by computer processing environment. A company is least likely to use a reciprocal processing agreement for:
A. small systems.
B. large batch operations.
C. online teleprocessing facilities.
D. small batch operations.
C. online teleprocessing facilities.
Online teleprocessing would generally not involve a reciprocal processing agreement.
Reciprocal processing agreements are often used for small systems, large batch operations, and small batch operations.
The linked list form of file organization is characterized by which of the following?
A. Fixed-length file
B. Pointer field
C. Randomizing formula
D. All of the answer choices are correct.
B. Pointer field
A linked list has a pointer field which displays the address of the next record in the list.
The processing in knowledge-based systems is characterized by:
A. algorithms.
B. deterministic procedures.
C. heuristics.
D. simulations.
C. heuristics. 启发式教学法
Knowledge-based systems use symbolic processing based on heuristics, rules-of-thumb.经验方法
Algorithms are defined procedures, characteristic of typical computer programs.
Deterministic procedures are procedures, implemented in computer programs, that permit no uncertainty in outcomes.
Simulations are computer programs that prepare results as if a set of assumptions were true.
An auditor is planning an audit of a customer information system which uses a local area network (LAN) with personal computers (PCs). Increased risks associated with the company’s use of a LAN and PCs, as opposed to use of a mainframe, could include all of the following, except:
A. lack of documentation of procedures to ensure the complete capture of data.
B. poor security of data residing on the PCs.
C. problems with failures of the hardware used for processing data.
D. incomplete data communications.
C. problems with failures of the hardware used for processing data.
Problems with failures of the hardware used for processing data are not considered a major risk, as PCs have hardware components similar to mainframe computers. The integrity of the hardware is quite high.
A major concern with LANs is that users are responsible for building and maintaining procedures for capturing and processing data. One of the major problems associated with this form of end-user computing is that users often do not do a good job of documenting procedures.
Security is a major concern for sensitive data residing on a PC and/or a LAN.
Data communications are always a high risk factor on LANs because they do not happen automatically. The auditor will need to gain assurance that the company has mechanisms, including reconciliations, to ensure complete data communications.
In traditional information systems, computer operators are generally responsible for backing up software and data files on a regular basis. In distributed or cooperative systems, ensuring that adequate backups are taken is the responsibility of:
A. user management.
B. systems programmers.
C. data entry clerks.
D. tape librarians.
A. user management.
In distributed or cooperative systems, the responsibility for ensuring that adequate backups are taken is the responsibility of user management because the systems are under the control of users.
In distributed environments, there will be no systems programmers comparable to those at central sites for traditional systems, there may be no data entry clerks because users are typically performing their own data entry, and there are no tape librarians
At a remote computer center, management installed an automated scheduling system to load data files and execute programs at specific times during the day. The best approach for verifying that the scheduling system performs as intended is to:
A. analyze job activity with a queuing model to determine workload characteristics.
B. simulate the resource usage and compare the results with actual results of operations.
C. use library management software to track changes to successive versions of application programs.
D. audit job accounting data for file accesses and job initiation/termination messages.
D. audit job accounting data for file accesses and job initiation/termination messages.
Auditing job accounting data for file accesses and job initiation/termination messages will reveal whether the right data files were loaded/dismounted at the right times and the right programs were initiated/terminated at the right times, and thus verify whether the scheduling system performs as intended.
Analyzing job activity with a queuing model to determine workload characteristics gives information about resource usage but does not verify whether the right data files were loaded/dismounted at the right times and the right programs were initiated/terminated at the right times.
Simulating the resource usage and comparing the results with actual results of operating helps management characterize the workload but does not verify whether the right data files were loaded/dismounted at the right times and the right programs were initiated/terminated at the right times.
Using library management software to track changes to successive versions of application programs permits control of production and test versions but does not verify whether the scheduling system performs as intended.
Many companies and government organizations would like to convert to open systems in order to:
A. get volume discounts from equipment vendors.
B. achieve more economies of scale for equipment.
C. use less expensive computing equipment.
D. facilitate the integration of proprietary components.
C. use less expensive computing equipment.
Converting to open systems increases the number of vendors from which substitutable components could be acquired, which increases price competition for equipment.
In general, running open systems:
tends to increase the number of vendors, which decreases the amount of the average purchase from any one vendor, thereby decreasing the opportunities for volume discounts from vendors.
allows organizations to scale their computing facilities to a precise size, which may be inconsistent with attempting to achieve economies of scale due to larger volumes concentrated in fewer sites.
reduces an organization’s reliance on proprietary components, which reduces the need for their integration into existing systems.
The online data entry control called pre-formatting is:
A. a program initiated prior to regular input to discover errors in data before entry so that the errors can be corrected.
B. a check to determine if all data items for a transaction have been entered by the terminal operator.
C. a series of requests for required input data that requires an acceptable response to each request before a subsequent request is made.
D. the display of a document with blanks for data items to be entered by the terminal operator.
D. the display of a document with blanks for data items to be entered by the terminal operator.
Just as preprinted source documents can be used to control the data collection and data recording processes in a manual system, the flashing of an outline of a document on a video monitor can be used to control the data transcription process in a computerized system that utilizes online data entry. This technique is referred to as pre-formatting screens.
A pillow manufacturer tracks its production manually. That process results in continuing inaccuracies in inventory and production records on monthly production of about 1 million pillows in three plants. Not knowing how much raw materials inventory is needed, the company maintains surplus inventory of about 25 days production usage at each plant so it can meet its delivery commitments. The company believes it would be advantageous to implement electronic data interchange (EDI) with its suppliers to facilitate just-in-time inventory management.
If implementing electronic data interchange (EDI) with suppliers permitted more frequent orders and more frequent communication about them, the company could be more effective by using electronic data interchange (EDI) to:
A. reduce costs by reducing raw materials inventory.
B. ensure that it always maintained a 25-day buffer stock.
C. track materials through production to completed orders.
D. schedule production to reduce the number of setups required.
A. reduce costs by reducing raw materials inventory.
If implementing electronic data interchange (EDI) with suppliers permitted more frequent orders and more frequent communication about them, the company could reduce costs, e.g., inventory carrying costs, by reducing raw materials inventory.
The company could ensure that it always maintained the 25-day buffer stock, but there would be no reason to do so if it could ensure more reliable deliveries by ordering more frequently.
Tracking materials through production and scheduling production (intracompany processes) are not a use of electronic data interchange (EDI), which is inter-company exchange of business information.
In a large organization, the biggest risk in not having an adequately staffed information center help desk is:
A. increased difficulty in performing application audits.
B. inadequate documentation for application systems.
C. increased likelihood of use of unauthorized program code.
D. persistent errors in user interaction with systems.
D. persistent errors in user interaction with systems.
The biggest risk in not having an adequately staffed help desk is that users will unknowingly persist in making errors in their interaction with the information systems.
A systems program:
A. manipulates application programs.
B. employs complex mathematical algorithms.
C. is used in systems analysis and design activities.
D. manipulates transaction data in one of many applications.
A. manipulates 操纵 application programs.
By definition, systems software consists of programs that act on the instructions provided in application programs. Stated another way, a systems program manipulates application programs.
A company switches all processing to an alternate site, and staff members report to the alternate site to verify that they are able to connect to all major systems and perform all core business processes from the alternate site. Which of the following best identifies the activities performed by the staff?
A. Closed loop verification
B. Disaster recovery planning
C. Authentication validation
D. Segregation control testing
B. Disaster recovery planning
Having an alternate processing site is an example of disaster recovery planning since it allows processing to continue on the alternate site if something should happen to the main processing system. A disaster recovery plan is used to smoothly and quickly restore data processing capacity when there is a disaster.
The other answer choices are incorrect:
A closed loop refers to a mechanism whereby one party verifies the purported identity of another party by requiring them to supply a copy of a token transmitted to that identity. It is a form of authentication rather than disaster recovery.
Authentication validation is a process of ensuring that proper parties are allowed to access the system. It is not related to disaster recovery.
Segregation control testing is a policy to prevent individuals from accessing software or data without the collusion of another party. It is not related to disaster recovery.
What is the best thing a personal computer (PC) user should do if a program takes longer than usual to load or execute?
A. Test the system by running a different application program.
B. Reboot the system.
C. Run antivirus software.
D. Back up the hard disk files to floppies.
C. Run antivirus software.
The best approach to the described condition is to run antivirus software. A program taking longer than usual to load or execute is a symptom of a virus. Many viruses will spread and cause additional damage if many normal procedures are performed. Use of an appropriate antivirus program may identify and even eliminate a virus infection.
Testing the system by running a different application program can enable a virus to spread 传播.
Rebooting the system can enable a virus to spread.
Backing up hard disk files to floppies can enable a virus to spread.
In distributed data processing, a ring network:
A. has all computers linked to a host computer and each linked computer routes all data through the host computer.
B. links all communication channels to form a loop and each link passes communication through its neighbor to the appropriate location.
C. attaches all channel messages along one common line with communication to the appropriate location via direct access.
D. organizes itself along hierarchical lines of communication usually to a central host computer.
B. links all communication channels to form a loop and each link passes communication through its neighbor to the appropriate location.
Ring networks do not have a central computer. Each site connects directly to only two other sites but is still able to communicate to all other sites via going through its neighbors. This means all data is passed through each site until arriving at the correct location. This essentially creates a loop where each link passes communication through its neighbor to the appropriate recipient. It is this configuration that gives ring network its name.
In an e-commerce environment that requires that the information technology (IT) system be available on a continuous basis, more emphasis will be placed on which of the following aspects of the planning than in a traditional organization?
A. Maintain appropriate written source documents so the data can be re-entered if it is lost or compromised
B. Maintain redundant systems for instant availability to assure the flow of transactions
C. Review additional expenses to obtain the required amount of business interruption insurance coverage for the organization
D. Assure that appropriate data backups are stored in an off-site location
B. Maintain redundant 多余的 systems for instant availability to assure the flow of transactions
If the system must be available on a continuous basis, there is an important need for backup systems that are instantly available in case of interruption of the primary system.
Written source documents can later be inspected, but will not assure continued operation of the system. Business interruption insurance can provide funds to restore the system, but will not insure continued availability of the system. Data backups will enable reconstruction of lost information, but do not affect availability of the system to users.
In a large database system maintained on a mainframe computer, the most common medium for data files for the database is:
A. magnetic tape.
B. central processing unit memory.
C. hard disk.
D. read only memory (ROM).
C. hard disk.
In a large database system maintained on a mainframe computer, the most common medium for data files for the database is the hard disk.
In a large system, the magnetic tape files would not be a cost efficient storage medium.
Data should never be stored in CPU memory. Efficiency of operations would be severely impaired and risk of data loss would be substantial.
Read only memory does not apply to data files. Read only memory normally is reserved for the computer operating system.
Very rarely will information systems meet all user requirements when initially implemented. As a result, systems development personnel may be tempted to make unauthorized changes to the software or system to meet user needs. To mitigate this risk, management should implement:
A. logical access controls.
B. proper segregation of duties.
C. data input controls.
D. change management control policies.
Change management control policies put into place the proper processes and approval channels to make changes to an organization’s systems.
D. change management control policies.
Change management control policies put into place the proper processes and approval channels to make changes to an organization’s systems.
The capability for computers to communicate with physically remote terminals is an important feature in the design of modern business information systems. Which of the following risks associated with the use of telecommunications systems is minimized through the use of a password control system?
A. Unauthorized access to system program and data files
B. Unauthorized physical availability of remote terminals
C. Physical destruction of system program and data files
D. Physical destruction of remote terminals
A. Unauthorized access to system program and data files
Unauthorized access to system program and data files is a risk associated with the use of telecommunications systems that is minimized through the use of a password control system.
Physical locks and other such devices are used to prevent unauthorized physical availability of remote terminals.
Organizational controls for security and protection are necessary to prevent physical destruction of remote terminals and system program and data files.
If a database has integrity, this means that the:
A. software was implemented after extensive acceptance testing.
B. database has only consistent data.
C. database is secure from accidental entry.
D. incidence of failure for the database was within statistically acceptable limits.
B. database has only consistent data.
Integrity relates to the quality of a database. Among other considerations, data should be consistent and data inputs should conform to a predetermined standard of elements, size, and content.
The concept of a management information system (MIS) continues to evolve over time. Which of the following is generally understood to be a central element of an MIS?
A. Maintenance of a large collection of raw, unorganized data to support a variety of information needs
B. Processing of data items is based on decision models.
C. The user-machine nature of an MIS means that users have to be skilled in the use of computers to realize any benefits.
D. A single, highly integrated computer system that combines processing for all organizational functions.
B. Processing of data items is based on decision models.
The use of decision models to organize data is a central element of MIS.
The management of data in an organized database is a central element of MIS.
Users of an MIS do not have to be computer experts to realize benefits.
The MIS concept is not based on computers, and consists of an organized federation of subsystems rather than a single, highly integrated system.
A computer system that converts the inputs into data that allows management to make unstructured decisions concerning the company’s future is:
A. a transaction processing system.
B. an office automation system.
C. a strategic information system.
D. a decision support system.
C. a strategic information system.
A strategic information system provides information that may allow an organization to make strategic, competitive decisions.
Transaction processing systems support basic routine business functions.
An office automation system is used by clerical personnel to process existing information.
Decision support systems process semi-structured and unstructured problems.
Passenger 1 and passenger 2 are booking separately on an airline website for the last available seat on a flight. Passenger 1 presses the enter key a few seconds before passenger 2, thus locking out passenger 2 and obtaining the last seat. This locking is a form of which of the following types of control?
A. Concurrent update control
B. Compensating control
C. Data-entry control
D. Operational data control
A. Concurrent update control
Only a concurrent update control can prevent problems when multiple users simultaneously update a record (i.e., the control locks other users out of the system until one has finished updating the file). The remaining controls listed do not have this functionality.
Which of the following procedures should be included in the disaster recovery plan for an information technology department?
A. Replacement personal computers for user departments
B. Identification of critical applications
C. Physical security of warehouse facilities
D. Cross-training of operating personnel
B. Identification of critical applications
A disaster recovery plan allows a company to quickly resume normal business activities after a break in those activities due to a system failure or a natural disaster. A disaster recovery plan needs to include:
recovery priorities, insurance, specific assignments for employees and departments, backup facilities, periodic testing of the recovery plan, and complete documentation of recovery plan (stored off-site).
The information technology (IT) department would not be concerned with user department computers, warehouse security, or the training of operating personnel. (These are all outside the IT department.) The IT department would be concerned with identifying its critical applications in order to prioritize those applications which must be easily and quickly retrieved and implemented should a disaster occur.
A digital signature is used primarily to determine that a message is:
A. unaltered in transmission.
B. not intercepted en route.
C. received by the intended recipient.
D. sent to the correct address.
A. unaltered in transmission.
A digital signature allows the creator of a message to digitally “sign” the data and provides proof of authorization. Because a digital signature cannot be altered, it allows the recipient to determine that a message has been unaltered 不变的 in transmission.
A company began issuing handheld devices to key executives. Each of the following factors is a reason for requiring changes to the security policy, except:
A. storage of sensitive data.
B. portability of the device.
C. vulnerability of the device.
D. convenience of the device.
D. convenience of the device.
“Convenience 便利 of the device” is correct because convenience is a feature of the tablet device but is not a security risk in itself.
Storage of sensitive data, portability of the device, and vulnerability of the device are incorrect because the device can easily be stolen, so sensitive data must be protected in that case.
A department store company with stores in 11 cities is planning to install a network so that stores can transmit daily sales by item to headquarters and store salespeople can fill customer orders from merchandise held at the nearest store. Management believes that having daily sales statistics will permit better inventory management than is the case now with weekly deliveries of sales reports on paper. Salespeople have been asking about online inventory availability as a way to retain the customers that now go to another company’s stores when merchandise is not available. The planning committee anticipates many more applications so that in a short time the network would be used at or near its capacity.
The planning committee was concerned that unauthorized people might attempt to gain access to the network. If the company installs a network using leased lines, then it should ensure that:
A. phone numbers for the network are kept confidential.
B. tone suppression devices are installed on all ports.
C. transmission facilities on its premises are secure.
D. network availability is limited to certain times of the day.
C.transmission facilities on its premises are secure.
If the company installs a leased-line network, it should ensure that transmission facilities on its premises are secure.
In a leased-line network, there are no phone numbers and hence no ports with tone devices for incoming calls.
Limiting network availability to certain times of the day is often associated with public switched lines, not leased lines, to reduce the time during which unauthorized people could potentially gain access to the system.
In spite of management’s insistence on following procedures, there have been occasions, usually associated with emergencies, in which a program in the test library was used for the company’s operations. A risk of using test library programs in emergency situations is that:
A. the personnel preparing the programs may not be authorized to write or modify them.
B. the programs may not be further tested before being placed into production permanently.
C. the integrity of the production library is threatened under such circumstances.
D. operational personnel may not be fully satisfied with the output of the programs.
B. the programs may not be further tested before being placed into production permanently.
The temptation is to place the test library program into production if it appeared to run satisfactorily.
Test library programs can be assumed to be prepared by authorized personnel.
The integrity of the production library is not threatened because no changes were made to the production library.
Test library programs are run in such circumstances because the personnel involved believe that using them is better than using the prior programs or no programs at all.
The best evidence that contingency planning is effective is to have:
A. no processing interruptions during the past year.
B. comprehensive documentation of the plan.
C. sign-off on the plan by the internal audit department.
D. successful testing of the plan.
D. successful testing of the plan.
The only way to know whether contingency planning has been effective is to test the plan, by simulating an interruption or by conducting a paper test with a walk-through of recovery procedures.
The absence of processing interruptions indicates nothing about the interruptions that might occur in the future, especially those that are not under the organization’s control.
A contingency plan may have comprehensive documentation, but until the plan is tested, an organization has no indication of its effectiveness.
Audit sign-off is one indicator of plan quality, but until the plan is tested, an organization has no indication of its effectiveness.
Because an organization makes heavy use of client/server architecture, end users have much of its critical and sensitive information on their personal computers (PCs) and departmental file servers. The chief financial officer has asked the auditors for input for developing an end-user computing policy. The policy requires a long-range, end-user computing plan. Which of the following documents should most strongly influence the development of this plan?
A. The multi-year audit plan
B. The information security policy
C. The systems development methodology
D. The organization’s strategic operational plan
D. The organization’s strategic operational plan
Strategic goals outline how the organization will use information systems to create a competitive advantage, and the strategic operational plan is, therefore, one of the most important influences on the development of the end-user computing strategic plan.
The audit plan flows from the strategic plan, not vice versa.
Changing technology could influence the organization’s approach to security, so the security policy also flows from the strategic plan.
Changing technology could influence the organization’s approach to systems development, so the systems development methodology also flows from the strategic plan.
Some companies have been the target of terrorist attacks in recent years. The best approach to avoid having a data center be selected as a terrorist’s target is to:
A. ensure that the disaster recovery plans are fully tested.
B. harden the electrical and communications systems against attack.
C. maintain as low a profile as possible for the data center.
D. monitor the locations and activities of known terrorists.
C. maintain as low a profile as possible for the data center.
The best approach to avoid having the data center identified as a terrorist’s target is to establish as low a profile as possible for the data center, e.g., by refraining from (1) identifying the building on the outside as a data center, (2) showcasing the data center through glass windows, of (3) advertising the important role the data center plays in operations.
Ensuring that the disaster recovery plans are fully tested and hardening the electrical and communications systems so that they could withstand some kinds of attacks would not contribute to avoiding being selected as a terrorist’s target.
Monitoring the locations and activities of known terrorists, even if permitted by law, would not by itself help the company avoid having the data center selected as a terrorist’s target.
The internal auditor is reviewing a new policy on electronic mail. Appropriate elements of such a policy would include all of the following, except:
A. erasing all employees’ electronic mail immediately upon employment termination.
B. encrypting electronic mail messages when transmitted over phone lines.
C. limiting the number of electronic mail packages adopted by the organization.
D. directing that personnel do not send highly sensitive or confidential messages using electronic mail.
A. erasing all employees’ electronic mail immediately upon employment termination.
“The company should have access to the business-related e-mail that is left behind. Access to e-mail can also be critical in business or possible criminal investigations.” The privacy concerns of the individual case must be mitigated by competing business interest; the need to follow-up on business e-mail and to assist in investigations.
Encryption helps prevent eavesdropping of unauthorized persons trying to compromise e-mail messages.
Limiting the number of electronic mail packages is a reasonable element of policy on electronic mail.
It would be reasonable and prudent for electronic mail policy to direct that highly sensitive or confidential messages not be sent using electronic mail.
Your firm has recently converted its purchasing cycle from a manual process to an online computer system. Which of the following is a probable result associated with conversion to the new automated system?
A. Processing errors are increased.
B. The nature of the firm’s risk exposure is reduced.
C. Processing time is increased.
D. Traditional duties are less segregated.
D. Traditional duties are less segregated.
Conversion to automated data processing usually reduces the existing segregation of duties because the computer combines many functions which previously could have been performed by separate persons. Thus, an individual with access to the various computer functions could perform incompatible duties.
Conversion to automated data processing usually reduces processing errors, has little or no effect on the types of risk to which the firm is exposed, and usually reduces processing time.
duties properly assigned to an information security officer could include all of the following, except:
A. developing an information security policy for the organization.
B. maintaining and updating the list of user passwords.
C. commenting on security controls in new applications.
D. monitoring and investigating unsuccessful access attempts.
B.maintaining and updating the list of user passwords.
The information security officer should not even know the user passwords. These are normally stored by a computer in encrypted format, and users change them directly.
Developing an information security policy for the organization, commenting on security controls in new applications, and monitoring and investigating unsuccessful access attempts are appropriate duties of the information security officer.
Devices that are used only to perform sequential file processing will not permit:
A. data to be edited on a separate computer run.
B. data to be edited in an offline mode.
C. batch processing to be initiated from a terminal.
D. data to be edited on a real-time basis.
D. data to be edited on a real-time basis.
Using a sequential file organization, data is placed in the file using a key or code for sequencing.
Sequential data can only be accessed after all preceding data records have been passed.
Hence, it is impossible to edit the data on a real-time basis.
Which one of the following would not be included as a reason for a company to use EFT (electronic funds transfer) with an EDI (electronic data interchange) system?
A. To take advantage of the time lag associated with negotiable instruments
B. To allow the company to negotiate discounts with EDI vendors based upon prompt payment
C. To improve its cash management program
D. To reduce input time and input errors
A. To take advantage of the time lag associated with negotiable instruments
Time lag is the amount of time it takes a regular check to arrive at the payee, be deposited, and clear through regular banking channels. All of these processes are eliminated with EFT.
EFT can reduce the payment time and allows for control of payments and transfers among accounts. Integration of EDI and EFT eliminates the requirements to manually input transaction data and introduce errors during the process.
Which of the following solutions creates an encrypted communication tunnel across the Internet for the purpose of allowing a remote user secure access into the network?
A. Packet-switched network
B. Digital encryption
C. Authority certificate
D. Virtual private network
D. Virtual private network
A virtual private network (VPN) uses the Internet to provide secure remote access to an organization’s network.
The other answer choices (packet-switched network, digital encryption, and authority certificate) are incorrect because none of them create an encrypted communications tunnel across the Internet. They all refer to verification of the data being transmitted rather than the communication process.
An example of an internal check is:
A. making sure that output is distributed to the proper people.
B. monitoring the work of programmers.
C. collecting accurate statistics of historical transactions while gathering data.
D. recalculating an amount to assure its accuracy.
D. recalculating an amount to assure its accuracy.
Examples of internal checks are as follows:
Limit check, which identifies if data have a value higher or lower than a predetermined amount
Identification, which determines if the data is valid
Sequence check, which checks sequencing
Error log, which is simply an up-to-date log of all identified errors
Transaction log, which provides the basic audit trail
Arithmetic proof, which computes the calculation in order to validate the result
Hence, an example of an internal check is recalculating an amount to assure its accuracy or arithmetic proof.
A company’s management is aware that it cannot foresee every contingency even with the best planning. Management believes, however, that a more thorough recovery plan increases the ability to resume operations quickly after an interruption and thus to:
A. maintain the same level of employment.
B. minimize the cost of facility repair.
C. fulfill its obligations to customers.
D. receive the maximum benefit from planning.
C. fulfill its obligations to customers.
The better the recovery plans, the more likely the company would be to resume operations quickly and fulfill its obligations to customers.
The company may or may not maintain the same level of employment after a disaster, e.g., a disaster that destroys productive capacity in one plant may lead to layoffs.
Thorough planning may or may not minimize the cost of facility repair, i.e., the best approach may be to undergo more expensive repair sooner in order to resume operations sooner.
The maximum benefit from planning is that it prompts action to avoid the most likely or most devastating events with the potential to interrupt business. Management would be delighted if planning ensured that business was never interrupted and thus that the recovery plan was never invoked.
In a continuous improvement environment, automated monitoring of controls is:
A. necessary.
B. optional.
C. prohibited.
D. None of the answer choices are correct.
B. optional.
While automated monitoring of controls is helpful in creating an environment of continuous improvement, it is not necessary. Manual monitoring of controls can also help identify areas of process or control inefficiencies or ineffectiveness.
Which of the following situations would most likely provide the best way to secure data integrity for a personal computer environment?
A. Provision of personal computers to all users
B. Trained, proficient user group
C. All computers linked to a local area network (LAN)
D. Adequate program documentation
C. All computers linked to a local area network (LAN)
Data integrity relates to using data for its intended purpose. A local area network would promote data integrity by making data available only to those users having a legitimate reason for access. Centralized access controls would help promote data integrity.
Passwords are often components of control systems over EDP facilities. A password is an example of:
A. physical control.
B. edit control.
C. digital control.
D. access control.
D. access control.
Passwords are a form of access controls since they limit access to computer systems and the information stored in them.
Physical controls limit access to an area and do not include passwords.
Edit controls test the validity of data.
Digital controls are examples of physical controls.
Which of the following best describes a hot site?
A. Location within the company that is most vulnerable to a disaster
B. Location where a company can install data processing equipment on short notice
C. Location that is equipped with a redundant hardware and software configuration
D. Location that is considered too close to a potential disaster area
C. Location that is equipped with a redundant hardware and software configuration.
A hot site is a completely operational data processing facility that is designed to meet the user’s requirements and can be made available to the user for disaster recovery on short notice. Such a site includes both redundant hardware and software that are configured specifically to meet the user’s needs.
to ensure the completeness of update in an online system, separate totals are accumulated for all transactions processed throughout the day. The computer then agrees these totals to the total of items accepted for processing. This is an example of:
A. run-to-run controls.
B. computer matching.
C. computer sequence check.
D. one-for-one checking.
A. run-to-run controls.
Run-to-run controls for an online system are able to accumulate separate totals for all transactions processed during the day and then agree the totals to the total of items accepted for processing.
Computer matching compares transaction data to referenced fields or records.
Computer sequence checks identify changes or breaks in a numerical sequence.
One-for-one checking generally requires manual comparisons of input data elements to processing results.
The identification of users who have permission to access data elements in a database is found in the:
A. operating system.
B. systems manual.
C. database schema.
D. database file definition.
C. database schema.
A database schema is “a view of the entire structure of the database.” It is “the organizational chart showing how the database is structured.” The database schema shows all elements of the database and areas of responsibility of individuals.
In an effort to recognize improvement opportunities, a company is reviewing its in-house systems. The best reason for the company to consider switching to cloud computing as a solution is that it:
A. is the best way to secure sensitive corporate information.
B. is accessible only from within the company on its intranet.
C. usually has lower upfront costs for equipment and maintenance.
D. provides better program modification options.
C. usually has lower upfront costs for equipment and maintenance.
Computing clouds provide computation, software, data access, and storage resources without the cost of sophisticated computer systems or large IT.
Shared resources, software, and information are provided to users as a metered service over the Internet, not a company’s intranet. Cloud computing has security issues as the user is relying on a third party. Cloud computing does not offer any advantages for program modification options; the advantages are essentially the same under either an in-house system or cloud computing.
A company employing an online computer system has CRT terminals located in all operating departments for inquiry and updating purposes. Many of the company’s employees have access to and are required to use the CRT terminals. A control the company would incorporate to prevent an employee from making an unauthorized change to computer records unrelated to that employee’s job would be to:
A. restrict the physical access to terminals.
B. establish user codes and passwords.
C. use validity checks.
D. apply a compatibility test to transactions or inquiries entered by the user.
D. apply a compatibility test to transactions or inquiries entered by the user.
Use of a compatibility test for users would assure that an employee used a CRT only for purposes related to that employee’s job description. For example, an accounts receivable clerk would not be allowed access to inventory or fixed asset records since those records would not be compatible with the duties of an accounts receivable clerk.
None of the control measures mentioned in the other answers would specifically prevent an employee from making an unauthorized change in computer records unrelated to that employee’s job.
In one company, the application systems must be in service 24 hours a day. The company’s senior management and information systems management have worked hard to ensure that the information systems recovery plan supports the business disaster recovery plan. A crucial aspect of recovery planning for the company is ensuring that:
A. organizational and operational changes are reflected in the recovery plans.
B. changes to systems are tested thoroughly before being placed into production.
C. management personnel can fill in for operations staff should the need arise.
D. capacity planning procedures accurately predict workload changes.
A. organizational and operational changes are reflected in the recovery plans.
A crucial aspect of recovery planning for the company is ensuring that organizational and operational changes are incorporated in the plans because such changes have the potential to make the recovery plans inapplicable.
It is vital that changes to systems be tested thoroughly before being placed into production, but that is not a part of recovery planning.
A good recovery plan would specify how operational staff might be replaced should the need arise, but their replacements might not be management personnel.
Being able to predict workload changes accurately permits a company to minimize its information systems facility costs, but that is not a part of recovery planning.
Because much of the data involved in daily operations would be helpful to competitors if they had access to it, a company authorizes access for employees to only the data required for accomplishing their jobs. This approach is known as access on:
A. a need-to-know basis.
B. an individual accountability basis.
C. a just-in-time basis.
D. a management-by-exception basis.
A. a need-to-know basis.
Access on a need-to-know basis means that access is authorized only as is required for employees to perform authorized job functions.
Individual accountability means that individuals with access to data are responsible for the use and security of data obtained via their access privileges.
Just-in-time means arranging delivery of inventory or materials as close to the time they would be incorporated into products as is possible rather than maintaining large quantities of inventory or materials.
Management-by-exception means spending managerial time on exceptional conditions on the grounds that attending to exceptions is a better approach to management than spending time on the transactions or processes that are operating in their normal ranges.
A disaster recovery alternate site configured to meet user data processing requirements, including the appropriate hardware, is called a:
A. cold site.
B. remote processing site.
C. reciprocal site.
D. hot site.
D. hot site.
A hot site is one that contains all essential hardware to restore the system in a minimal amount of time. A hot site is more costly than a cold site, which includes only appropriate power, air conditioning, and support systems, but no hardware.
To reduce security exposure when transmitting proprietary data over communication lines, a company should use:
A. asynchronous modems.
B. authentication techniques.
C. call-back procedures.
D. cryptographic devices.
D. cryptographic devices.
Cryptographic devices protect data in transmission over communication lines.
Asynchronous modems handle data streams from peripheral devices to a central processor.
Authentication techniques confirm that valid users have access to the system.
Call-back procedures are used to ensure incoming calls are from authorized locations.
Good planning will help an organization restore computer operations after a processing outage. Good recovery planning should ensure that:
A. backup/restart procedures have been built into job streams and programs.
B. change control procedures cannot be bypassed by operating personnel.
C. planned changes in equipment capacities are compatible with projected workloads.
D. service level agreements with owners of applications are documented.
A. backup/restart procedures have been built into job streams and programs.
An essential component of a disaster recovery plan is that the need for backup/restart has been anticipated and provided for in the application systems.
Change control procedures should not be bypassed by operating personnel, changes in equipment capacities should be compatible with projected workloads, and service level agreements with owners of critical applications should be adequate, but these are not generally considerations in disaster recovery planning.
Which of the following configurations of elements represents the most complete disaster recovery plan?
A. Vendor contract for alternate processing site, backup procedures, and names of persons on the disaster recovery team
B. Alternate processing site, backup and off-site storage procedures, identification of critical applications, and test of the plan
C. Off-site storage procedures, identification of critical applications, and test of the plan
D. Vendor contract for alternate processing site, names of persons on the disaster recovery team, and off-site storage procedures
B. Alternate processing site, backup and off-site storage procedures, identification of critical applications, and test of the plan
Disaster plans must include all of the following factors:
A backup for programs and data An alternative processing site Off-site storage of backup Identification of critical applications A method for testing the plan
An information technology director collected the names and locations of key vendors, current hardware configuration, names of team members, and an alternative processing location. What is the director most likely preparing?
A. Data restoration plan
B. Disaster recovery plan
C. System security policy
D. System hardware policy
B. Disaster recovery plan
A disaster recovery plan (DRP) is designed to smoothly and quickly restore the data processing capability of the organization when there is a disaster. When developing a DRP, the first step is to create a set or responsibilities for the various participants and tasks that are to be included in the plan. Once this step is completed, the participants named would likely be the ones to complete the plan.
The plan would include the following:
Setting recovery priorities
Providing the necessary insurances
Providing for backup computer and telecommunications facilities
Having procedures for periodic testing and revision
Complete documentation of the process
Which of the following systems assists with non-routine decisions, serves strategic levels of the organization, and helps answer questions regarding what a company’s competitors are doing, as well as identifies new acquisitions that would protect the company from cyclical business swings?
A. Executive support system
B. Decision support system
C. Transaction processing system
D. Management information system
A. Executive support system
An executive information system provides executives with information to make strategic plans, control the company, monitor business conditions, and identify business problems and opportunities.
The word “strategic” tells you this system provides information at a high level, the executive level. The other answer choices are incorrect because they operate at lower levels in the organization and do not provide information directly related to strategic planning.
The primary objective of security software is to:
A. control access to information system resources.
B. restrict access to prevent installation of unauthorized utility software.
C. detect the presence of viruses.
D. monitor the separation of duties within applications.
A. control access to information system resources.
The primary objective of security software is to control access to information system resources such as data files, software and program libraries.
Security software can detect the use of unauthorized utility software, but not its installation.
Viruses are detected by anti-virus software.
Security software may be helpful as a tool in establishing separation of duties. However, security software does not monitor separation of duties.
EDP control used to assure that paychecks had been written for all employees for a pay period would be the use of a:
A. record count.
B. hash total on employee Social Security numbers.
C. check digit.
D. validity check.
B. hash total on employee Social Security numbers.
Hash totals on employee Social Security numbers would represent a total of all Social Security numbers. This would be an EDP control used to assure the paychecks had been written for all employees for a pay period.
Record count simply calculates the number of records. It may be effective for the number of checks, but not validate the correct employees.
Check digit validates a numeric field and would not give assurance in this instance.
Validity check validates only one field in a given record.
In the systems development cycle, coding is:
A. part of the detailed design phase.
B. part of the data flow diagram.
C. a form of program maintenance.
D. part of the feasibility study.
A. part of the detailed design phase.
The systems development cycle consists of analysis, conceptual design, detailed design, implementation, and operation.
In this cycle, coding (of data, accounts, etc.) is a part of the detailed design stage, the stage in which programs and data structures are developed and facilities are installed and employees are trained.
Which of the following is responsible for ensuring that transactions are processed correctly and that input and output are reconciled?
A. Data control group
B. Computer operators
C. Security management
D. Users
A. Data control group
The data control group makes sure that:
a log is kept of all inputs, data processing operations, stored data, and system output, source data have been properly approved, transactions are processed correctly,
input and output are reconciled, records of input errors are maintained so they can be corrected and resubmitted, data-related errors are sent to the users who originated the transaction for correction, systems output is distributed to the intended and proper user, and
there is adequate rotation of operator duties.
A type of flowchart representing areas of responsibility (such as departments) as columns is called horizontal or ________ flowcharts.
A. data flow
B. level
C. program
D. document
D. document
Document flowcharts, also called horizontal flowcharts, depict areas of responsibility such as departments arranged horizontally across the chart. For example, purchasing, receiving, and storage might be used in a flowchart representing materials acquisition.
An enterprise resource planning system is designed to:
A. allow non-experts to make decisions about a particular problem.
B. help with the decision-making process.
C. integrate data from all aspects of an organization’s activities.
D. present executives with the information needed to make strategic plans.
C. integrate data from all aspects of an organization’s activities.
Enterprise resource planning (ERP) systems integrate all aspects of a company’s operations in its information system. Such systems integrate financial and non-financial operating data, and collect data from external sources.
The answer choices “allow non-experts to make decisions about a particular problem” and “help with the decision-making process” are incorrect because ERP systems provide the data but do not enhance the ability to make decisions based on that data.
“Present executives with the information needed to make strategic plans” is incorrect because ERP systems provide operating data, not information from the analysis of that data or projections about the future needed to make strategic plans.
An automobile and personal property insurer has decentralized its information processing to the extent that headquarters had less processing capacity than any of its regional processing centers. These centers are responsible for initiating policies, communicating with policyholders, and adjusting claims. The company uses leased lines from a national telecommunications company. Initially, the company thought there would be little need for inter-region communication, but that has not been the case. The company underestimated the number of customers that would move between regions and the number of customers with claims arising from accidents outside their regions. The company has a regional center in an earthquake-prone area and is planning how to continue processing if that center, or any other single center, were unable to perform its processing.
Unfortunately, the company has not revised its contingency plan since the time when its data processing was mostly centralized at headquarters. The existing plan is likely to be out of date because of:
A. changes in equipment, data, and software.
B. inadequate processing capability at headquarters.
C. lack of arrangements for a backup site for headquarters.
D. personnel turnover at regional centers.
A. changes in equipment, data, and software.
Because the company has not revised its contingency plan since the decentralization, the existing plan will probably be out of date because of changes in equipment, data, and software.
Headquarters has adequate processing capability, so the plan is not affected.
A cold site may not be needed by headquarters.
Personnel turnover alone would not cause the plan to be out of date.
Which of the following systems is most effective for this application?
A. A decision support system
B. An executive support system
C. An office automation system
D. An enterprise resource planning system
D. An enterprise resource planning system
Enterprise resource planning (ERP) systems integrate all aspects of a company’s operations in its information system. Such systems integrate financial and non-financial operating data, and collect data from external sources.
A decision support system provides information for a particular decision, not enterprise-wide data.
An executive support system provides information at a high level to support executive strategic planning, not detailed enterprise-wide data.
An office automation system computerizes the information system but does not provide detailed enterprise-wide data.
A systems analyst who is responsible for the development of an organization’s information system is least likely to perform which of the following functions?
A. Analyze the present system.
B. Prepare computer program specifications.
C. Design computer applications.
D. Develop and code computer programs.
D. Develop and code computer programs.
A systems analyst would be likely to be involved in analysis of the present system, preparing program specifications, designing computer applications and flowcharts. A systems analyst would not develop and code computer programs. This is a function performed by a programmer.
In the annual review of the data center of a nationwide mortgage servicing company, the internal audit manager was concerned about the data center not having an adequate contingency plan. The audit manager was especially concerned because the data center was located close to a river that occasionally flooded and in the vicinity of a major railroad and a major highway.
Management acted on the internal auditor’s recommendation to prepare a contingency plan. The most critical aspect of the plan would be to provide for:
A. monitoring for fraud or abuse during recovery.
B. continuation of mortgage servicing.
C. security and control over information assets.
D. minimizing expenses during recovery periods.
B. continuation of mortgage servicing.
The most critical aspect of the planning would be to provide for continuation of mortgage servicing. Without mortgage servicing, the company would be out of business.
Deterring and detecting fraud or abuse while processing in recovery mode is important, but that is not the most critical aspect to consider.
There should be control over information assets at all times, but that is not the most critical aspect.
The company would want to minimize expenses during recovery periods but not at the expense of continuing to service mortgages.
With respect to backup procedures for master files that are magnetic tape as opposed to master files on magnetic disk:
A. a separate backup run is required for both tape and disk.
B. a separate backup run is required only for the tape.
C. a separate backup run is required for disk while the prior master on magnetic tape serves as a backup.
D. the grandfather cycle is required in either filing situation.
C. a separate backup run is required for disk while the prior master on magnetic tape serves as a backup.
Disk-oriented systems typically employ destructive updating (i.e., new (updated) master records are written over the old master records, thereby destroying them). Consequently, disk-oriented systems require separate backup procedures. Whereas, tape-oriented systems generate a new master file tape as an output from the updating run, leaving the old master file tape and the transaction file tape for use as backup.
Which of the following technological elements of computer-based information systems has the least effect in driving the changes that are currently occurring in the workplace?
A. Advances in microcomputer hardware and software
B. Decision support systems and artificial intelligence
C. Availability of computing power to end-users
D. Advances in disaster recovery systems
D. Advances in disaster recovery systems
Although advances in disaster recovery systems may ease addressing the risks of disasters, such advances probably have little effect on the changes seen currently occurring in the workplace. These changes are most affected by advances in computer technology, computer applications, and computer availability.
Which of the following transaction processing modes provides the most accurate and complete information for decision making?
A. Batch
B. Distributed
C. Online
D. Application
C. Online
An online transaction is processed with other computers or networks immediately through the Internet. The transaction is processed without delay as it is initiated and executed. Input or initiation equipment (e.g., a cash register) is in direct and open communication with the CPU (central processing unit) of the processing computer system. An online system provides updated information for the entire system, not only a part.
In batch processing, items to be processed are collected in groups to permit fast and convenient processing (processed as a group). However, there is a delay before the batch is processed.
Distributed data processing is a network of interdependent computers where certain functions are centralized, other functions are decentralized, and processing is shared among two or more computers. Since some functions are decentralized, there is a delay in combining records for the entire system.
An application is a computer program for performing a specific function, such as a payroll program. It does not provide complete information for the entire entity.
Greater reliance of management on information systems increases the exposure to:
A. unauthorized third-party access to systems.
B. systematic programming errors.
C. inadequate knowledge bases.
D. business interruption.
D. business interruption.
Greater reliance of management on information systems increases the exposure to business interruption. As management relies more on information systems for crucial functions, system failures have the potential to interrupt business.
The exposure of unauthorized third-party access to systems is increased by the absence of adequate access controls to systems, not by greater reliance of management on information systems.
Systematic programming errors are the result of misspecification of requirements or lack of correspondence between specifications and programs, not of greater reliance of management on information systems.
Inadequate knowledge bases are a function of lack of care in building them; exposure does not result from greater reliance of management on information systems.
A data and program backup procedure in which files are electronically transferred to a remote location is called:
A. grandfather-father-son.
B. a remote backup facility.
C. an off-site backup and recovery procedure.
D. electronic vaulting.
D. electronic vaulting跳跃的.
Electronic vaulting is the process of electronically transmitting and storing backups of programs and data at a remote data storage facility.
The fixed assets and related depreciation of a company are currently tracked on a password-protected spreadsheet. The information technology governance committee is designing a new enterprise-wide system and needs to determine whether the current fixed asset process should be included because the current system seems to be working properly. What long-term solution should the committee recommend?
A. Continuing to use the current spreadsheet process because there have been no issues in this area
B. Developing a new fixed-asset system to manage the assets and related depreciation
C. Purchasing a stand-alone fixed-asset program for managing the assets and related depreciation
D. Adopting the fixed-asset module of the new system for integration
D. Adopting the fixed-asset module of the new system for integration
An enterprise-wide system is intended to include financial records of the entire entity, so the depreciation records should become part of the new system. Enterprise resource planning (ERP) systems integrate all aspects of a company’s operations with its traditional information system.
All of the other answer choices are incorrect because information maintained in separate systems is not available to the main system, which defeats the purpose of an ERP system.
An advantage of decentralizing data processing facilities is:
A. economies of scale obtainable through the use of microcomputers.
B. that all similar activities are better handled at a local level.
C. that system failure is of lesser significance.
D. the virtual elimination of the need for communication capability.
C. that system failure is of lesser significance.
Some advantages of decentralized 使分散 data processing facilities are:
decentralization increases direct access by users,
standalone capabilities are distributed to points of need,
participation is increased in designs and use, and
the ability to share computing power, which decreases the significance of system failure.
In a large multinational organization, which of the following job responsibilities should be assigned to the network administrator?
A. Managing remote access
B. Developing application programs
C. Reviewing security policy
D. Installing operating system upgrades
A. Managing remote access
The key element is defining the responsibilities of a network administrator in a multinational organization. A network administrator in this environment would be expected to deal with the full scope of network activities, which would include access to the network from remote locations.
Developing application programs, reviewing security policy, and installing systems upgrades are not tasks that would be performed at the network administrator level, even if the administrator had the skills necessary to do so.
Notebook computers provide automation outside of the normal office location. Which of the following would provide the least security for sensitive data stored on a notebook computer?
A. Encryption of data files on the notebook computer
B. Setting up a password for the screensaver program on the notebook computer
C. Using a notebook computer with a removable hard disk drive
D. Using a locking device that can secure the notebook computer to an immovable object
B. Setting up a password for the screensaver program on the notebook computer
Password protection for a screensaver program can be easily bypassed.
Data encryption provides adequate security for notebook computers. Removable hard drives would provide adequate security. Security is promoted by physically locking the notebook computer to an immovable object.
Which of the following types of control plans is particular to a specific process or subsystem, rather than related to the timing of its occurrence?
A. Preventive
B. Corrective
C. Application
D. Detective
C. Application
Application controls refer to the transactions and data relating to each computer-based application system and are, therefore, specific to each process.
Preventive, corrective, and detective controls are terms that apply to particular types of controls that may appear in any application, and so are incorrect answer choices. Corrective controls remedy problems discovered through detective controls. They include procedures to identify the cause of a problem, correct errors arising from the problem, and modify the system so that future errors may be minimized or eliminated. A detective control is a control that provides an alert after an unwanted event. A detective control is designed to catch an error and provide the feedback necessary so corrective action may be taken.
What is a major disadvantage to using a private key to encrypt data?
A. Both sender and receiver must have the private key before this encryption method will work.
B. The private key cannot be broken into fragments and distributed to the receiver.
C. The private key is used by the sender for encryption but not by the receiver for decryption.
D. The private key is used by the receiver for decryption but not by the sender for encryption.
A. Both sender and receiver must have the private key before this encryption method will work.
A major disadvantage of private key encryption is that both the sender and receiver must have the same (private) key, and this must be securely transmitted to avoid interception and decryption of the message by others.
“The private key cannot be broken into fragments and distributed to the receiver” is incorrect because the private key can be transmitted in distinct fragments.
“The private key is used by the sender for encryption but not by the receiver for decryption” and “the private key is used by the receiver for decryption but not by the sender for encryption” are both incorrect because both the sender and receiver use the same key.
Credit Card International developed a management reporting software package that enables members interactively to query a data warehouse and drill down into transaction and trend information via various network set-ups. What type of management reporting system has Credit Card International developed?
A. Online analytical processing system
B. Online transaction-processing system
C. Online executive information system
D. Online information storage system
A. Online analytical processing system
This system is intended to allow users to analyze stored data, so it is an analytical system.
An online transaction-processing system does not process transactions.
An online executive information system does not provide high-level (summary) information.
An online information storage system does not store data; instead, it accesses data already stored.
Flowcharting is a useful internal audit tool for evaluating controls in operational units and operations. A problem relating to flowcharts is the time and cost of developing and maintaining them. One means for reducing this cost is through use of which of the following?
A. Flowcharting software
B. Organization charts as surrogates for flowcharts
C. Outsourcing
D. Standard flowcharts
A. Flowcharting software
Flowcharting software could be used to reduce the cost of preparing and updating flowcharts.
The other answer choices are probably not viable alternatives. Organization charts typically show people rather than operations and controls. “Standard” flowcharts might show an ideal process layout but would probably not capture the actual situation present in a real unit. Outsourcing would probably be much more costly than the internal use of software.
