IT Flashcards
Which of the following represents a lack of internal control in a computer-based system?
A. The design and implementation is performed in accordance with management’s specific authorization.
B. Provisions exist to ensure the accuracy and integrity of computer processing of all files and reports.
C. Provisions exist to protect data files from unauthorized access, modification, or destruction.
D. Programmers have access to change programs and data files when an error is detected.
D. Programmers have access to change programs and data files when an error is detected.
A situation in which programmers have access to change programs and data files when an error is detected is an example of inadequate separation of duties, which constitutes a lack of internal control. Computer programmers should write programs designed by analysts and should work in a development environment that is separate from the production system.
Which of the following is responsible for authorizing and recording transactions and for correcting errors?
A. Data control group
B. Computer operators
C. Security management
D. Users
D. Users
Users authorize and record transactions, use system output, and are responsible for correcting errors.
The data control group logs data inputs, processing, and outputs, and makes sure that transactions have been authorized. They do not authorize or record transactions themselves.
Computer operators maintain and run daily computer operations.
Security management is responsible for preventing unauthorized physical and logical access to the system.
The batch processing of business transactions can be the appropriate mode when:
A. unique hardware features are available.
B. timeliness is a major issue.
C. a single handling of the data is desired.
D. economy of scale can be gained because of high volumes of transactions.
D. economy of scale can be gained because of high volumes of transactions.
Batch processing means “that transactions are accumulated for some period of time.” Its use depends on the requirements of the users. When a high volume of transactions exists, economies of scale can be gained by utilizing batch processing since many transactions are processed in the same run.
Which of the following structures refers to the collection of data for all vendors in a relational database?
A. Record
B. Field
C. File
D. Byte
C. File
A byte is a part of a field. A field is a part of a record. A record is a set of logically related data items that describes specific attributes of an entity, such as all payroll data relating to a single employee. Multiple records make up a file, so a collection of data from all vendors would be a file.
To obtain evidence that online access controls are properly functioning, an auditor most likely would:
A. create checkpoints at periodic intervals after live data processing to test for unauthorized use of the system.
B. examine the transaction log to discover whether any transactions were lost or entered twice due to a system malfunction.
C. enter invalid identification numbers or passwords to ascertain whether the system rejects them.
D. vouch a random sample of processed transactions to assure proper authorization.
C. enter invalid identification numbers or passwords to ascertain whether the system rejects them.
Evidence that online access controls are properly functioning can be obtained by entering a series of identification numbers and passwords, some correct and some incorrect, and determining that the system allows access to the correct data but rejects the rest.
“Create checkpoints at periodic intervals after live data processing to test for unauthorized use of the system” is incorrect because a checkpoint is a place in a computer program where its status can be recorded or its information saved (dumped) and later execution can be resumed from that point rather than from the beginning of the program. It would not detect unauthorized access to the system.
“Examine the transaction log to discover whether any transactions were lost or entered twice due to a system malfunction” is incorrect because a transaction log is a detailed record of every transaction entered in a system through data entry. It would not disclose unauthorized access to the system.
“Vouch a random sample of processed transactions to assure proper authorization” is incorrect because vouching source documents for processed transactions would not indicate whether the system allows access to unauthorized users.
Which of the following control activities should be taken to reduce the risk of incorrect processing in a newly installed computerized accounting system?
A. Segregation of duties
B. Ensure proper authorization of transactions
C. Adequately safeguard assets
D. Independently verify the transactions
D. Independently verify the transactions
Key verification is having another employee independently re-enter transactions, then programming the software to compare the inputs, looking for errors. Check digit verification uses an extra character in numbers such as account numbers and part numbers. The software recomputes the extra character and flags incorrect numbers. Either type of verification will reduce the risk of incorrect processing.
The other answer choices are incorrect because they are general controls that regulate the computer activity rather than the application processing. Segregation of duties, proper authorization of transactions, and safeguarding assets will not prevent errors in processing by the software.
A control procedure that could be used in an online system to provide an immediate check on whether an account number has been entered on a terminal accurately is a:
A. compatibility test.
B. hash total.
C. record count.
D. self-checking digit.
D. self-checking digit.
A self-checking digit is generated when the data element is inputted. A prescribed arithmetic operation is automatically done and stored on this element. This same operation is then performed later on, which would “ensure that the number has not been recorded incorrectly.”
A compatibility test validates the data within the field.
A hash total is the total of a non-quantitative field such as account number to be sure all records are processed.
A record count summarizes the number of records processed.
Which of the following best defines electronic data interchange (EDI) transactions?
A. Electronic business information is exchanged between two or more businesses.
B. Customers’ funds-related transactions are electronically transmitted and processed.
C. Entered sales data are electronically transmitted via a centralized network to a central processor.
D. Products sold on central web servers can be accessed by users at any time.
A. Electronic business information is exchanged between two or more businesses.
Electronic data interchange (EDI) is defined as the use of computerized communication to exchange data electronically in order to process transactions between and within computers and computer networks of various organizations.
A value-added network (VAN) is a privately owned network that performs which of the following functions?
A. Routes data transactions between trading partners
B. Routes data within a company’s multiple networks
C. Provides additional accuracy for data transmissions
D. Provides services to send marketing data to customers
A. Routes data transactions between trading partners
A value-added network (VAN) provides specialized hardware, software, and long-distance communications to private networks so that they can exchange data. A VAN adds value to the basic data communications process by handling the difficult task of interfacing with multiple types of hardware and software used by different parties.
A distributed processing environment would be most beneficial in which of the following situations?
A. Large volumes of data are generated at many locations and fast access is required.
B. Large volumes of data are generated centrally and fast access is not required.
C. Small volumes of data are generated at many locations, fast access is required, and summaries of the data are needed promptly at a central site.
D. Small volumes of data are generated centrally, fast access is required, and summaries are needed monthly at many locations.
A. Large volumes of data are generated at many locations and fast access is required.
A distributed/decentralized processing environment works best when significant volumes of data are generated at many remote locations and the user requires near-immediate access to the data. This type of processing environment will allow for quick access to the data as opposed to having that information generated at many locations and processed at a centralized location.
Company A has numerous personal computers (PCs) with full processing capabilities linked into an integrated local area network with a file server which in turn is fully connected to the central mainframe computer. Data entry, comprehensive processing, and inquiry routines are possible at all nodes in the network.
A control feature designed to negate the use of utility programs to read files which contain all authorized access user codes for the network is:
A. internally encrypted passwords.
B. a password hierarchy.
C. log-on passwords.
D. a peer-to-peer network.
A. internally encrypted passwords.
Internally encrypted passwords are a form of access control designed to prevent unauthorized access by use of a utility program to identify passwords.
Password hierarchy is a system of passwords designed in such a manner as to allow differing degrees of access to file manipulation activities.
Log-on passwords are the familiar passwords commonly used to gain initial access to a system or network.
A peer-to-peer network has all processing done at the same level (by PCs in this case) with no dedicated file server or mainframe.
Franklin, Inc., is a medium-size manufacturer of toys that makes 25% of its sales to Mega Company, a major national discount retailing firm. Mega will be requiring Franklin and other suppliers to use electronic data interchange (EDI) for inventory replenishment and trade payment transactions as opposed to the paper-based systems previously used. Franklin would consider all of the following to be advantages for using EDI in its dealings with Mega, except:
A. access to Mega’s inventory balances of Franklin’s products.
B. savings in the Accounts Receivable Department.
C. better status tracking of deliveries and payments.
D. compatibility with Franklin’s other procedures and systems.
D. compatibility with Franklin’s other procedures and systems.
Supplier/purchaser relationships where one firm requires another firm to use electronic data interchange (EDI) and trade payment transactions typically create benefits for the supplying firm, including access to inventory balances of their products at the purchaser, savings in Accounts Receivable, better tracking of deliveries and payments, and reduction in payment float. A result of such a required implementation of an outside system, however, may not be considered an advantage when there are compatibility issues with the supplier’s existing procedures and systems.
Which of the following activities would most likely detect computer-related fraud?
A. Using data encryption
B. Performing validity checks
C. Conducting fraud-awareness training
D. Reviewing the systems-access log
D. Reviewing the systems-access log
The question asks about fraud detection, not fraud prevention. Data encryption and fraud-awareness training are preventive measures. Validity checks ensure that data entry input is correct (for instance, that a general ledger account exists for each journal entry account number). Validity checks, while an important internal control over financial reporting, are not a method to detect fraud. Of all the answers, reviewing the systems-access log is the best choice. It would help discover if unauthorized access to the system has been allowed.
It is important to maintain proper segregation of duties in a computer environment. Which of the following access setups is appropriate?
A. Users have update access for production data
B. Users have update access for production data and application programmers have update access for production programs
C. Application programmers have update access for production data and users have update access for production programs
D. Users have update access for production data and application programmers have update access for both production data and programs
A. Users have update access for production data
Users need to update data through applications programs.
Application programmers should not be able to change production programs. They should submit changes to the change control unit.
Application programmers should never have update access to production data. Users have no need to change production programs.
An online data entry technique that can be employed when inexperienced personnel input data is the use of:
A. prompting.
B. written job descriptions.
C. compatibility tests.
D. checkpoints.
A. prompting.
Some software assists users in data entry by prompting (the use of questions and predetermined input formats). Prompting is very helpful in avoiding input errors by inexperienced personnel.
A company has an online order processing system. The company is in the process of determining the dollar amount of loss from user error. The company estimates the probability of occurrence of user error to be 90%, with evenly distributed losses ranging from $1,000 to $30,000. What is the expected annual loss from user error?
A. $13,050
B. $13,500
C. $13,950
D. $14,400
C. $13,950
Errors are evenly distributed between $1,000 and $30,000. The average of this range is ($30,000 + $1,000) ÷ 2, or $15,500. The probability of error is 90%, so the expected value of the annual loss is 90% × $15,500, or $13,950.
Which of the following represents an additional cost of transmitting business transactions by means of electronic data interchange (EDI) rather than in a traditional paper environment?
A. Redundant data checks are needed to verify that individual EDI transactions are not recorded twice.
B. Internal audit work is needed because the potential for random data entry errors is increased.
C. Translation software is needed to convert transactions from the entity’s internal format to a standard EDI format.
D. More supervisory personnel are needed because the amount of data entry is greater in an EDI system.
C. Translation software is needed to convert transactions from the entity’s internal format to a standard EDI format.
Electronic data interchange is used to electronically transfer information between and within organization computers. However, it comes at a cost. The service is standardized, so translation is needed to convert data from the usual format to that acceptable to the EDI system.
“Redundant data checks are needed to verify that individual EDI transactions are not recorded twice” is incorrect because checks on the accuracy of the data are included in the EDI system, not added on.
“Internal audit work is needed because the potential for random data entry errors is increased” is incorrect because the potential for data entry errors is reduced by the EDI system.
“More supervisory personnel are needed because the amount of data entry is greater in an EDI system” is incorrect because the EDI does not change the data entry, only the further processing after data entry. These incorrect answer choices all refer to data entry rather than data transmission.
Which of the following statements is correct concerning the security of messages in an electronic data interchange (EDI) system?
A. Removable drives that can be locked up at night provide adequate security when the confidentiality of data is the primary risk.
B. Message authentication in EDI systems performs the same function as segregation of duties in other information systems.
C. Encryption performed by a physically secure hardware device is more secure than encryption performed by software.
D. Security at the transaction phase in EDI systems is not necessary because problems at that level will be identified by the service provider.
C. Encryption performed by a physically secure hardware device is more secure than encryption performed by software.
Electronic data interchange, or EDI, is the use of computerized communication to exchange business data electronically in order to process transactions. Encryption is transforming data into unreadable gibberish to be sent electronically. This data is then decrypted and read at its destination.
When data is transferred electronically, security is an issue. Software applications that encrypt data are more vulnerable to security risks than a hardware device performing the same function.
Removable drives will not prevent unauthorized access to electronic data, since the data could be intercepted en route. Message authentication, or being able to determine who sent a message, is not a substitute for segregation of duties. Instead, authentication assists with allowing only authorized messages access to the information system. Most EDI systems now do not have a third-party provider transmitting electronic data, due to the advent of the Internet.
In order to prevent, detect, and correct errors and unauthorized tampering, a payroll system should have adequate controls. The best set of controls for a payroll system includes:
A. batch and hash total, record counts of each run, proper separation of duties, passwords and user codes, and backup copies of activity and master files.
B. employee supervision, batch totals, record counts of each run, and payments by check.
C. passwords and user codes, batch totals, employee supervision, and record counts of each run.
D. sign test, limit tests, passwords, and user codes, online edit checks, and payments by check.
A. batch and hash total, record counts of each run, proper separation of duties, passwords and user codes, and backup copies of activity and master files.
The quality of a set of controls is best gauged by their ability to prevent unwanted actions from occurring or to cause desired actions to occur. The question offers several collections of various controls but the best set of controls includes input controls (batch and hash totals, record counts of each run), preventive controls (proper separation of duties, passwords and user codes), and recovery methods (backup copies of activity and master files).
Management reporting systems:
A. rely on internally generated data.
B. rely on both internally generated and externally generated data.
C. rely on externally generated data.
D. gather operating data but do not capture financial data.
B. rely on both internally generated and externally generated data.
Management reporting systems rely on a mix of internal and external data. They also combine financial and operational data so that managers have flexibility in determining the information that they will use for decision making.
Which of the following best depicts the path of data as it moves through an information system?
A. Program flow-charts
B. System flow-charts
C. Decision table
D. HIPO chart
B. System flow-charts
A system flowchart provides the overall view of the inputs, processes, and outputs of an information system. The flowchart is designed to portray the path of data as it moves through an information system.
Which of the following is a primary function of a database management system?
A. Report customization
B. Capability to create and modify the database
C. Financial transactions input
D. Database access authorizations
B. Capability to create and modify the database
A database management system (DBMS) is a specialized computer program that manages and controls data and the interface between data and the application programs. Such a system is designed to make it easier to develop new applications and allows users to change the way they view data without changing how the data are stored physically.
The other answer choices (report customization, financial transactions input, and database access authorizations) are all performed by the system user rather than the DBMS.
A disk storage unit is preferred over a magnetic tape drive because the disk storage unit:
A. has nine tracks.
B. offers sequential access to data files.
C. offers random access to data files.
D. is a cheaper medium for data storage.
C. offers random access to data files.
Access to data takes less time with disk storage than with magnetic tape storage.
Consider how data is stored on magnetic tape. Blocks of data files are arranged linearly along the entire length of the tape. In order to move from a read location at or near the beginning of the tape to a read location near the end of the tape, it is necessary to travel over all tape between the two read locations.
On the other hand, if disk storage is used, it is possible to jump directly from one read location to another. This is possible because disk storage offers random access to data files.
Compared to online, real-time processing, batch processing has which of the following disadvantages?
A. A greater level of control is necessary.
B. Additional computing resources are required.
C. Additional personnel are required.
D. Stored data are current only after the update process.
Batch processing is updating master files periodically to reflect all transactions that occurred during a given time period. The only time the master file is current with batch processing is immediately after an update occurs. When using online, real-time processing, the computer captures data electronically, edits it for accuracy and completeness, and then updates the master file as each transaction occurs.