IT Governance and Management Flashcards Preview


Flashcards in IT Governance and Management Deck (76):
1

Manual Vs. Computer Controls:

2

Manual Controls:

3

Computer Controls:

4

Morgan Property Management, Inc. recently switched from a manual accounting system to a computerized accounting system. The system supports online real-time processing in a networked environment, and six employees have been granted access to various parts of the system in order to perform their jobs.

Relative to the manual system, Morgan can expect to see

A.  That functions that had previously been spread across multiple employees have been combined.
B.  An increase in the incidence of clerical errors.
C.  A decrease in the incidence of systemic errors.
D.  A decrease in the need for access controls to the accounting records.

A.  That functions that had previously been spread across multiple employees have been combined.

It is common for computerized systems to combine functions that would be considered incompatible in a manual system (for example, in computerized systems, a single employee is often responsible for creating the deposit and posting the transactions to the cash receipts journal, the accounts receivable subledger, and the general ledger).

This can occur because the system limits the transactions that it is possible for the employee to record, creating a compensating control.

5

One important purpose of COBIT is to

A.  Guide managers, users, and auditors to adopt best practices related to the management of information technology.
B.  Identify specific control plans that should be implemented to reduce the occurrences of fraud.
C.  Specify the components of an information system that should be installed in an e-commerce environment.
D.  Suggest the type of information that should be made available for management decision-making. 

A.  Guide managers, users, and auditors to adopt best practices related to the management of information technology.

 

6

 

Which of the following is a key difference in controls when changing from a manual system to a computer system?

A.  Internal control principles change.
B.  Internal control objectives differ.
C.  Control objectives are more difficult to achieve.
D.  Methodologies for implementing controls change.

D.  Methodologies for implementing controls change.

 

The requirement is to identify the key differences in controls when changing from a manual system to a computer system. This answer is correct because the methods of achieving control are different for a computer system.

7

Checkpoint Auto Leasing is a small company with six employees. The best action that it can take to increase its internal control effectiveness is

A.  Hire temporary employees to aid in the segregation of duties.
B.  Hire a bookkeeper to perform monthly "write up" work.
C.  Clearly delegate responsibilities to each employee for the functions that they are assigned.
D.  Engage the owner in direct participation in the activities, including financial record-keeping, of the business.

D.  Engage the owner in direct participation in the activities, including financial record-keeping, of the business.

This is the best answer since engaging the owner in the activities of the business is an important compensating control in small organizations.

8

Which of the following statements is (are) true?

I. A greater level of control is necessary in automated than manual systems.
II. The uniformity of transaction processing is higher in automated than manual systems.

A.  Both I and II.
B.  I only.
C.  II only.
D.  Neither I nor II.

C.  II only.

Statement two is correct. Automated transaction processing results in a greater uniformity of transactions.

9

COBIT Purpose:


Align IT and business goals/strategies. Link business risks, control needs and IT.

Common language for users, auditors, management, and business process owners in identifying risks and structuring controls.

10

Basic COBIT Framework:

11

According to the COBIT model, what are the four IT domains?

Four IT Domains:

  1. Planning and organization,
  2. acquisition and implementation,
  3. delivery and support, and
  4. monitoring.  

12

According to the COBIT model, what are the five physical resources that, together, comprise an IT system?

Five physical resources that, together, comprise an IT system:

  1. People,
  2. applications,
  3. technology,
  4. facilities,
  5. data. 

13

According to the COBIT model, what are the seven criteria or properties that information should possess?

Seven criteria or properties that information should possess:

  1. Effectiveness,
  2. efficiency,
  3. confidentiality,
  4. integrity,
  5. availability,
  6. compliance,
  7. reliability

14

What are the three major components of the COBIT model? 

Three major components of the COBIT model:

  1. Domains and processes,
  2. information criteria,
  3. IT resources.  

15

Describe the control objectives for information and related technology (COBIT) framework.

A widely used international standard for identifying best practices in IT security and control. Provides management with an information technology (IT) governance model that helps in delivering value from IT processes and in understanding and managing IT-related risks.

16

In COBIT, the process of developing tactics to realize the strategic vision for IT falls within the _________ control process domain.

A.  Acquire and implement.
B.  Deliver and support.
C.  Monitor and evaluate.
D.  Plan and organize.

D.  Plan and organize.

The process of developing tactics to realize the strategic vision for an information technology unit falls within the plan and organize control process domain in COBIT. 

17

In COBIT, the process of reviewing system response time logs falls within the _______ control process domain.

A.  Acquire and implement.
B.  Deliver and support.
C.  Monitor and evaluate.
D.  Plan and organize.

C.  Monitor and evaluate.

The process of reviewing system response logs is within the "monitor the processes" (M1) activity, which falls within the "monitor and evaluate" domain. Therefore, this is the correct answer.

18

In COBIT, the process of identifying automated solutions falls within the ________ control process domain.

A.  Acquire and implement.
B.  Deliver and support.
C.  Monitor and evaluate.
D.  Plan and organize.

A.  Acquire and implement.

The process of identifying automated solutions does fall within the acquire and implement control process domain. 

19

Control Objectives for Information and Related Technology (COBIT) provides a framework for

A.  Internet-based systems.
B.  IT governance and management of enterprise IT.
C.  Auditing IT Systems.
D.  The implementation for new technology.

B.  IT governance and management of enterprise IT.

20

Management of a financial services company is considering a strategic decision concerning the expansion of its existing local area network (LAN) to enhance the firm’s customer service function. Which of the following aspects of the expanded system is the least significant strategic issue for management?

A.  How the expanded system can contribute to the firm’s long-range business plan.
B.  How the expanded system would support daily business operations.
C.  How indicators can be developed to measure how well the expanded system achieves its business objectives.
D.  How the expanded system will contribute to the reduction of operating costs.

D.  How the expanded system will contribute to the reduction of operating costs.

This answer is correct. Cutting costs, per se, is the least important issue. Payoff, or return on costs, is a more relevant strategic consideration.

21

In COBIT, the process of ensuring security and continuous service falls within the _______ control process domain.

A.  Acquire and implement.
B.  Deliver and support.
C.  Monitor and evaluate.
D.  Plan and organize.

B.  Deliver and support.

The process of security and continuous service does fall within the deliver and support control process domain. 

22

Enterprise Resource Planning Systems (ERPs):

ERPs: A management information system that integrates all functional areas within an organization to allow information exchange and collaboration among all parties involved in business operations.

Goals: 

  • Integration: integrate all data into one database with user-defined views.
  • Cost savings: decreases maintenance costs (only one system to maintain).
  • Employee Empowerment: improves communication and decision making by increasing information availability.
  • "Best Practices": Include most successful business processes of an industry. 

23

Components of ERP System:


  1. Online Transaction Processing System (OLTP): Includes core business functions: sales, production, purchasing, payroll, financial-reporting, etc.
    • This just collects data. It provides fundamental motivation for purchase of ERP.
  2. Online Analytical Processing System (OLAP): Incorporates data warehouse and data mining capabilities within the ERP. 
    • It provides integrated views of transactions in all parts of the system.
    • It's an increasingly important multidimensional analytical tool.

24

ERP Systems: Architecture:

25

Cloud Based Systems and Storage:

Cloud Based Systems and Storage: It's a virtual data pool often managed by a 3rd party vendor. 

Categories and Examples:

  1. Infrastructure as a Service (IaaS): Use of the cloud to access virtual hardware, such as computers and storage (e.g., Amazon Services and Carbonite).
  2. Platform as a Service (PaaS): Creating cloud-based software and programs like Salesforce.com
  3. Software as a Service (SaaS): Remote access to software like productivity programs. 

Benefits of Clouds:

  • Universal Access
  • Cost Reductions
  • Scalability - grow with the organization
  • Outsourcing and Economies of Scale - outsource to a provider with lower costs
  • Enterprise-wide integration

Risks:

  • Data loss (all eggs in one basket increases risk of data loss)
  • Increased system penetration risk

26

An enterprise resource planning (ERP) system has which of the following advantages over multiple independent functional systems?

A. Modifications can be made to each module without affecting other modules.

B. Increased responsiveness and flexibility while aiding in the decision-making process.

C. Increased amount of data redundancy, since more than one module contains the same information.

D. Reduction in costs of implementation and training. 

B. Increased responsiveness and flexibility while aiding in the decision-making process.

Improving responsiveness and flexibility, and aiding the decision-making processes in an organization, are important goals of an ERP system. Hence, this is the best answer.

27

What is an example of the use of the cloud to access hardware?

A.  IaaS
B.  PaaS
C.  SAP
D.  ERP

A.  IaaS

 

28

What is an example of the use of the cloud to create software and programs?

A.  IaaS
B.  PaaS
C.  SaaS
D.  SAP

B.  PaaS

29

What is an example of the use of the cloud to access software and programs?

A.  IaaS
B.  PaaS
C.  SaaS
D.  SAP

C.  SaaS

30

Business Continuity Plan:

Business Continuity Plan:  The process of planning for disasters and embedding this plan in an organization's culture. 

6-Step Model: 

  1. Create a BCM policy and program  --  Create a framework and structure around which the BCM is created. This includes defining the scope of the BCM plan, identifying roles in this plan, and assigning roles to individuals.
  2. Understand and evaluate organizational risks  --  Identifying the importance of activities and processes is critical to determining needed costs to prevent interruption and to ensure their restoration in the event of interruption. A business impact analysis (BIA) will identify the maximum tolerable interruption periods by function and organizational activity.
  3. Determine business continuity strategies  --  Having defined the critical activities and tolerable interruption periods, define alternative methods to ensure sustainable delivery of products and services. Key decisions related to the strategy include desired recovery times, distance to recovery facilities, required personnel, supporting technologies, and impact on stakeholders.
  4. Develop and implement a BCM response  --  Document and formalize the BCM plan. Define protocols for defining and handling crisis incidents. Create, assign roles to, and train the incident response team(s).
  5. Exercise, maintain, and review the plan  --  Exercising the plan involves testing the required technology, and implementing all aspects of the recovery process. Maintenance and review require updating the plan as business processes and risks evolve.
  6. Embed the BCM in the organization's culture  --  Design and deliver education, training and awareness materials that enable effective responses to identified risks. Manage change processes to ensure that the BCM becomes a part of the organization's culture. 
     

31

Disaster Recovery Plans:

Disaster Recovery Plans: DRPs enable organizations to recover from disasters and continue operations. They are integral to an organization's system of internal control. DRP processes include maintaining program and data files and enabling transaction processing facilities.

In addition to backup data files, DRPs must identify mission-critical tasks and ensure that processing for these tasks can continue with virtually no interruptions, at an affordable cost.

Goals:

  1. The recovery point objective (RPO) defines the acceptable amount of data lost in an incident. 
  2. The recovery time objective (RTO) defines the acceptable downtime for a system, or, less commonly, of an organization. It specifies the longest acceptable time for a system to be inoperable.  

Disaster recovery plans are frequently classified by the types of backup facilities maintained and the time required to resume processing:

  1. Cold site ("empty shell")  --  An off-site location that has all the electrical connections and other physical requirements for data processing, but does not have the actual equipment or files. A cold site is the least expensive type of alternative processing facility available to the organization. If on a mobile unit (e.g., a truck bed), called a mobile cold site.
  2. Warm site  --  A location where the business can relocate to after the disaster that is already stocked with computer hardware similar to that of the original site, but does not contain backed-up copies of data and information. If on a mobile unit, called a mobile warm site.
  3. Hot site  -- An off-site location completely equipped to quickly resume data processing. All equipment plus backup copies of essential data files and programs are often at the site. Enables resumed operations with minimal disruption, typically within a few hours. More expensive than warm and cold sites.
  4. Reciprocal agreements  --  These are shared use facilities governed by inter-organizational agreements that house IT facilities. May be cold, warm, or hot.
  5. Mirrored site  --  Fully redundant, fully staffed, and fully equipped site with real-time data replication of mission critical systems. Expensive and used for mission critical systems (e.g., credit card processing at VISA and MasterCard).  

 

32

A controller is developing a disaster recovery plan for a corporation's computer systems. In the event of a disaster that makes the company's facilities unusable, the controller has arranged for the use of an alternate location and the delivery of duplicate computer hardware to this alternate location. Which of the following recovery plans would best describe this arrangement?

A. Hot site.

B. Cold site.

C. Back-up site procedures.

D. Hot spare site agreement.

B. Cold site.

In a cold site approach to disaster recovery, hardware and records are delivered after the occurrence of a disaster. This approach is less expensive, but more risky than a hot site approach.

33

In an e-commerce environment that requires that the information technology (IT) system be available on a continuous basis, more emphasis will be placed on which of the following aspects of the planning than in a traditional organization?

A.  Maintain appropriate written source documents so the data can be re-entered if it is lost or compromised.
B.  Maintain redundant systems for instant availability to assure the flow of transactions.
C.  Review additional expenses to obtain the required amount of business interruption insurance coverage for the organization.
D.  Assure that appropriate data backups are stored in an off-site location. 

B.  Maintain redundant systems for instant availability to assure the flow of transactions.

This is the best answer since system redundancy is essential to ensuring business continuity.

34

The performance audit report of an information technology department indicated that the department lacked a disaster recovery plan. Which of the following steps should management take first to correct this condition?

A. Bulletproof the information security architecture.

B. Designate a hot site.

C. Designate a cold site.

D. Prepare a statement of responsibilities for the tasks included in a disaster recovery plan.

D. Prepare a statement of responsibilities for the tasks included in a disaster recovery plan.

35

In DRP, top priority is given to which activities?

A.  Accounting.
B.  Manufacturing.
C.  Mission critical.
D.  Business critical.

C.  Mission critical.

Mission critical tasks are given first priority in DRP.

36

In DRP, the lowest priority is given to which activities?

A.  Accounting.
B.  Manufacturing.
C.  Mission critical.
D.  Task critical.

D.  Task critical.

Task critical tasks are given the lowest priority in DRP. 

37

IT Functions and Controls Related to People:

Organizational Structure of the Information Technology (IT) Department:

There are three main functional areas within many IT Departments:

  • A. Applications Development;
  • B. Systems Administration and Programming; and
  • C. Computer Operations. 

38

Applications Development Department:

Applications Development  --  This department is responsible for creating new end-user computer applications and for maintaining existing applications.

  • Systems analysts  --  Are responsible for analyzing and designing computer systems; systems analysts generally lead a team of programmers who complete the actual coding for the system; they also work with end users to define the problem and identify the appropriate solution.
  • Application programmers  --  Work under the direction of the systems analyst to write the actual programs that process data and produce reports.
  • New program development, and maintenance of existing programs, is completed in a "test" or "sandbox" environment using copies of live data and existing programs rather than in the "live" system.

39

Systems Administration and Programming Dept:

Systems Administration and Programming  --  This department maintains the computer hardware and computing infrastructure and grants access to system resources.

  • System administrators  --  The database administrator, network administrator, and web administrators are responsible for management activities associated with the system they control. For example, they grant access to their system resources, usually with user-names and passwords. System administrators, by virtue of the influence they wield, must not be permitted to participate directly in these systems' operations.
  • System programmers  --  Maintain the various operating systems and related hardware. For example, they are responsible for updating the system for new software releases and installing new hardware. Because their jobs require that they be in direct contact with the production programs and data, it is imperative that they are not permitted to have access to information about application programs or data files.  

40

Computer Operations Dept:

Computer Operations  --  This department is responsible for the day-to-day operations of the computer system, including receipt of batch input to the system, conversion of the data to electronic media, scheduling computer activities, running programs, etc.

  • Data control  --  This position controls the flow of all documents into and out of Computer Operations; for batch processing, schedules batches through data entry and editing, monitors processing, and ensures that batch totals are reconciled; data control should not access the data, equipment, or programs. This position is called "quality assurance" in some organizations.
  • Data entry clerk (data conversion operator)  --  For systems still using manual data entry (which is rare), this function keys (enters) handwritten or printed records to convert them into electronic media; the data entry clerk should not be responsible for reconciling batch totals, should not run programs, access system output, or have any involvement in application development and programming.
  • Computer operators  --  Responsible for operating the computer: loading program and data files, running the programs, and producing output. Computer operators should not enter data into the system or reconcile control totals for the data they process. (That job belongs to Data Control.)
  • File librarian  --  Files and data not online are usually stored in a secure environment called the File Library; the file librarian is responsible for maintaining control over the files, checking them in and out only as necessary to support scheduled jobs. The file librarian should not have access to any of the operating equipment or data (unless it has been checked into the library).

41

Segregated Functions on IT Roles:

Functions in these three areas should be strictly segregated.  In particular:

  • Computer operators and data entry personnel  --  Should never be allowed to act as programmers.
  • Systems programmers  --  Should never have access to application program documentation.
  • Data administrators  --  Should never have access to computer operations ("live" data).
  • Application programmers and systems analysts  --  Should not have access to computer operations ("live" data).
  • Application programmers and systems analysts  --  Should not control access to data, programs, or computer resources.  

42

Which of the following information technology (IT) departmental responsibilities should be delegated to separate individuals?

A. Network maintenance and wireless access.

B. Data entry and antivirus management.

C. Data entry and application programming.

D. Data entry and quality assurance. 

C. Data entry and application programming.

The separation of the data entry function from the application programming function is critical to the segregation of duties within an IT department. This is because if one both enters data and changes the programs into which those data are entered, one can perpetrate consequential financial frauds. This is why data entry occurs within the operations unit of an IT department and application development occurs within the development function of an IT department. These functions must be kept separate and their duties segregated. Therefore, this is the best answer to the question.

43

In a large multinational organization, which of the following job responsibilities should be assigned to the network administrator?

A. Managing remote access.

B. Developing application programs.

C. Reviewing security policy.

D. Installing operating system upgrades.

A. Managing remote access.

System administrators  --  The database administrator, network administrator, and web administrators are responsible for management activities associated with the system they control. For example, they grant access to their system resources, usually with user-names and passwords.

44

To maintain effective segregation of duties within the information technology function, an application programmer should have which of the following responsibilities?

A. Modify and adapt operating system software.

B. Correct detected data entry errors for the cash disbursement system.

C. Code approved changes to a payroll program.

D. Maintain custody of the billing program code and its documentation.

C. Code approved changes to a payroll program.

Application programmers  --  Work under the direction of the systems analyst to write the actual programs that process data and produce reports.

Application programmers and systems analysts  --  Should not have access to computer operations ("live" data).

45

What is the role of the systems analyst in an IT environment?

A.  Developing long-range plans and directing application development and computer operations.
B.  Designing systems, preparing specifications for programmers, and serving as intermediary between users and programmers.
C.  Maintaining control over the completeness, accuracy, and distribution of input and output.
D.  Selecting, implementing, and maintaining system software, including operating systems, network software, and the data base management system. 

B.  Designing systems, preparing specifications for programmers, and serving as intermediary between users and programmers.

Systems analysts  --  Are responsible for analyzing and designing computer systems; systems analysts generally lead a team of programmers who complete the actual coding for the system; they also work with end users to define the problem and identify the appropriate solution.

46

In business information systems, the term "stakeholder" refers to which of the following parties?

A.  The management team responsible for the security of the documents and data stored on the computers or networks.
B.  Information technology personnel responsible for creating the documents and data stored on the computers or networks.
C.  Authorized users who are granted access rights to the documents and data stored on the computers or networks.
D.  Anyone in the organization who has a role in creating or using the documents and data stored on the computers or networks.

D.  Anyone in the organization who has a role in creating or using the documents and data stored on the computers or networks.

The "stakeholders" in an IT environment include both the IT personnel responsible for developing and maintaining the system as well as the personnel from all areas of the organization, who are the end users of the systems. In extranet environments, these end users may also include customers and suppliers who access data relevant to their activities with the organization online.

47

IT people controls are mostly

A. Application, Corrective.

B. General, Corrective.

C. General, Detective.

D. General, Preventive

D. General, Preventive

Most IT people controls are general and preventive. For example, the segregation of duties prevents employees from making unauthorized changes to program and data files.

48

System Development and Implementation: Developing a Business Application

Developing a Business Application: The importance, and potential negative consequences, of systems development is evident in the many large-scale systems failures that have cost organizations millions of dollars, e.g., the Denver airport baggage system, ERP at Hershey's, the Bank of America Trust Department.

Developing a functioning computer system, on time, and on budget, requires communication and coordination among multiple groups of people with very different points of view and priorities. Without a clear plan for defining, developing, testing, and implementing the system, it is perilously easy to end up with a system that fails to meet its objectives and must be scrapped. The systems development life cycle is designed to provide this plan. 
 

49

Purpose of the Systems Development Life Cycle (SDLC) Method:

Purpose of the Systems Development Life Cycle (SDLC) Method: The systems development life cycle provides a structured approach to the systems development process by:

  • A. identifying the key roles in the development process and defining their responsibilities;
  • B. establishing a set of critical activities to measure progress towards the desired result; and
  • C. requiring project review and approval at critical points throughout the development process.  

50

Roles in the SDLC Method:


  • IT steering committee  --  Members of the committee are selected from functional areas across the organization, including the IT Department; the committee's principal duty is to approve and prioritize systems proposals for development.
  • Lead systems analyst  --  The manager of the programming team:
    • Usually responsible for all direct contact with the end-user.
    • Often responsible for developing the overall programming logic and functionality.
  • Application programmers  --  The team of programmers who, under direction of the lead analyst, are responsible for writing and testing the program.  
  • End users  --  The employees who will use the program to accomplish their tasks:
    • Responsible for identifying the problem to be addressed and approving the proposed solution to the problem.

51

Stages in, and Risks to, the SDLC Method:

  1. Stage 1 - Planning and Feasibility Study  --  When an application proposal is submitted for consideration, the proposal is evaluated in terms of three aspects:
    • Technical feasibility  --  Is it possible to implement a successful solution given the limits currently faced by the IT Department?
    • Economic feasibility  --  Even if the application can be developed, should it be developed? Are the potential benefits greater than the anticipated cost?
    • Operational feasibility  --  Given the status of other systems and people within the organization, how well will the proposed system work?
    • After establishing feasibility, a project plan is developed; the project plan establishes:
      • Critical success factors  --  The things that the project must complete in order to succeed.
      • Project scope  --  A high-level view of what the project will accomplish.
      • Project milestones and responsibilities  --  The major steps in the process, the timing of those steps, and identification of the individuals responsible for each step.
  2. Stage 2 - Analysis  --  During this phase the systems analysts work with end users to understand the business process and document the requirements of the system; the collaboration of IT personnel and end users to define the system is known as joint application development (JAD).
    • Requirements definition  --  The requirements definition formally identifies the things that the system must accomplish; this definition serves as the framework for system design and development.
      • All parties sign off on the requirements definition to signify their agreement with the project's goals and processes.
  3. Stage 3 - Design  --  During the design phase, the technical specifications of the system are established; the design specification has two primary components:
    • Technical architecture specification  --  Identifies the hardware, systems software, and networking technology on which the system will run.
    • Systems model  --  Uses graphical models (flowcharts, etc.) to describe the interaction of systems processes and components; defines the interface between the user and the system by creating menu and screen formats for the entire system.
  4. Stage 4 - Development  --  During this phase, programmers use the systems design specifications to develop the program and data files:
    • The hardware and IT infrastructure identified during the design phase are purchased during the development phase.
    • The development process must be carefully monitored to ensure compatibility among all systems components, because correcting errors becomes much more costly after this phase.
  5. Stage 5 - Testing  --  The system is evaluated to determine whether it meets the specifications identified in the requirements definition.
    • Testing procedures must project expected results and compare actual results with expectations:
      • Test items should confirm correct handling of correct data and data that includes errors.
      • Testing must be performed at multiple levels to ensure correct intra- and inter-system operation:
        • Individual processing unit  --  Provides assurance that each piece of the system works properly.
        • System testing  --  Provides assurance that all of the system modules work together.
        • Inter-system testing  --  Provides assurance that the system interfaces correctly with related systems.
        • User acceptance testing  --  Provides assurance that the system can accomplish its stated objectives within the business environment.
  6. Stage 6 - Implementation  --  Before the new system is moved into production, existing data must often be converted to the new system format, and users must be trained on the new system; implementation of the new system may occur in one of four ways:
    • Parallel implementation  --  The new system and the old system are run concurrently until it is clear that the new system is working properly.
    • "Cold turkey" or "plunge" or "big bang" implementation  --  The old system is dropped and the new system is put in place all at once.
    • Phased implementation  --  Instead of implementing the complete system across the entire organization, the system is divided into modules that are brought on line one or two at a time.
    • Pilot implementation  --  Similar to phased implementation except that, rather than dividing the system into modules, the users are divided into smaller groups and are trained on the new system one group at a time.
  7. Stage 7 - Maintenance  --  Monitoring the system to ensure that it is working properly and updating the programs and/or procedures to reflect changing needs:
    • User support groups and help desks  --  Provide forums for maintaining the system at high performance levels and for identifying problems and the need for changes.
    • All updates and additions to the system should be subject to the same structured development process as the original program. 

 

52

Program Library, Documentation, and Record Mgt

Program Library, Documentation, and Record Mgt:

Source code programs are normally maintained in a library under secure storage (the Source Program Library, or SPL) that is maintained by a file librarian. The library, or an archive of the library, should be off-site and built to withstand fires, floods, and other natural disasters. It (obviously) must also include the same logical and physical controls as are built into the organization's other data processing and storage sites.

When new programs are developed or old programs modified, the Source Program Library Management System (SPLMS) manages the migration from the Application Development Test Environment to the active Production Library.

The SPLMS ensures that only valid changes are made to the system by checking for all necessary authorizations and, for program modifications, by comparing the new source code to the old source code. Only after verification does the program migrate to the SPL.

Authorized versions of major programs should be maintained in a secure, off-site location. (The external auditor frequently maintains these files.) 

53

A brokerage firm has changed a program so as to permit higher transaction volumes. After proper testing of the change, the revised programs were authorized and copied to the production library.  This practice is an example of

A.  Prototyping.
B.  Program integration.
C.  SDLC (System Development Life Cycle).
D.  Change control.

D.  Change control.

The practice of authorizing changes, approving test results, and copying developmental programs to a production library is program change control.

54

After changes to a source program have been made and verified, it moves to

A.  Atlanta.
B.  Development.
C.  The operator.
D.  Production.

D.  Production.

After changes have been made and verified, source programs move into production.

Approved changes go to the Production Library. 

55

Management of a company has a lack of segregation of duties within the application environment, with programmers having access to development and production. The programmers have the ability to implement application code changes into production without monitoring or a quality assurance function. This is considered a deficiency in which of the following areas?

A.  Change control.
B.  Management override.
C.  Data integrity.
D.  Computer operations.

A.  Change control.

*Internal Control Deficiency*

The management of changes to applications is part of the Source Program Library Management System (SPLMS).

56

Rose and McMullin, a regional public accounting firm, has recently accepted a contract to audit On-the-Spot, Inc., a mobile vending service that provides vending machines for large events. On-the-Spot uses a computerized accounting system, portions of which were developed internally to integrate with a standard financial reporting system that was purchased from a consultant.

What type of documentation will be most useful to Rose and McMullin in determining how the system as a whole is constructed?

A.  Operator documentation.
B.  Program documentation.
C.  Systems documentation.
D.  User documentation.

C.  Systems documentation.

Systems documentation provides an overview of the program and data files, processing logic, and interactions with each of the other programs and systems and is appropriate for the auditor to use as a means of gaining familiarity with the system. 

There are 4 Levels of Documentation:

  1. Systems documentation  --  Overviews the program and data files, processing logic, and interactions with each of the other programs and systems; often includes narrative descriptions, flowcharts, and data flow diagrams; used primarily by systems developers; can be useful to auditors.
  2. Program documentation  --  A detailed analysis of the input data, the program logic, and the data output; consists of program flowcharts, source code listings, record layouts, etc.; used primarily by programmers; program documentation is an important resource if the original programmer is unavailable.
  3. Operator documentation (also called the "run manual")  --  In large computer systems, operator documentation provides information necessary to execute the program such as the required equipment, data files and computer supplies, execution commands, error messages, verification procedures, and expected output; used exclusively by the computer operators.
  4. User documentation  --  Describes the system from the point of view of the end user; provides instructions on how and when to submit data and request reports, procedures for verifying the accuracy of the data and correcting errors.   
     

57

Which of the following types of documentation would a computer operator use to determine how to set up and run a specific computer application?

A.  Program documentation.
B.  Run manual.
C.  Systems documentation.
D.  Data flow diagrams.

B.  Run manual.

Operator documentation (also called the "run manual")  --  In large computer systems, operator documentation provides information necessary to execute the program such as the required equipment, data files and computer supplies, execution commands, error messages, verification procedures, and expected output; used exclusively by the computer operators.

58

In a small business with only microcomputers, which documentation would be most useful to an untrained user to learn how to correct data errors in a database application?

A.  Operator documentation.
B.  Program documentation.
C.  Systems documentation.
D.  User documentation.

D.  User documentation.

User documentation  --  Describes the system from the point of view of the end user; provides instructions on how and when to submit data and request reports, procedures for verifying the accuracy of the data and correcting errors.   

59

Input Controls and Origination Controls

Input Controls and Origination Controls: 
Input and origination controls (also known as programmed controls, edit checks, or automated controls) are controls over the data entry and data origination processes. They ensure that the transactions entered into the system meet the following control objectives:

  • Valid  --  All transactions are appropriately authorized; no fictitious transactions are present; no duplicate transactions are included.
  • Complete  --  All transactions have been captured; there are no missing transactions.
  • Accurate  --  All data has been correctly transcribed, all account codes are valid; all data fields are present; all data values are appropriate.  

60

Which of the following controls is not usually found in batch processing systems?

A.  Closed loop verification.
B.  Financial control totals.
C.  Check digits.
D.  Limit checks.

A.  Closed loop verification.

Closed loop verification is an input control associated with online real-time systems.

Batch control totals  --  Manually calculated totals of various fields of the documents in a batch. Batch totals are compared to computer-calculated totals and are used to ensure the accuracy and completeness of data entry. Batch control totals are available, of course, only for batch processing systems or applications.

  • Financial totals  --  Totals of a currency field that result in meaningful totals, such as the dollar amounts of checks. (Note that the total of the hourly rates of pay for all employees, for example, is not a financial total because the summation has no accounting-system meaning.)
  • Hash totals  --  Totals of a field, usually an account code field, for which the total has no logical meaning, such as a total of customer account numbers in a batch of invoices.
  • Record counts  --  Count of the number of documents in a batch or the number of lines on the documents in a batch. 

61

Which of the following is considered an application input control?

A. Run control total.

B. Edit check.

C. Report distribution log.

D. Exception report. 

B. Edit check.

 

62

 

Mark Chen was recently hired by the Rollins Company at a monthly salary of $1,800. When his employee information was entered into the company's personnel system, his monthly salary amount was entered correctly, but he was inadvertently classified as an hourly employee.

Which of the following controls would be most likely to detect this error?

A.  Range check.
B.  Reasonableness check.
C.  Closed loop verification.
D.  Limit check.

B.  Reasonableness check.

Reasonableness checks look at the values in two related fields to ensure that they make sense as a unit;
for example, Mark's $1,800 rate is reasonable and his assignment as an hourly employee could be reasonable, but the combination of the two fields ($1,800 hourly rate) is unreasonable.

63

Which of the following input controls would prevent an incorrect state abbreviation from being accepted as legitimate data?

A.  Reasonableness test.
B.  Field check.
C.  Digit verification check.
D.  Validity check.

D.  Validity check.

A validity check compares the value entered in a field to a list of valid data values. An error message is displayed if the value is not found on the list.

64

Which of the following techniques would be used to verify that a program was free of unauthorized changes?

A.  Source code comparison program.
B.  Echo check.
C.  Tests of controls.
D.  Authorization matrix.

A.  Source code comparison program.

A source code comparison program is used to compare an archived version of the program to the program actually in use.

65

An employee mistakenly enters April 31 in the date field. Which of the following programmed edit checks offers the best solution for detecting this error?

A. Online prompting.

B. Mathematical accuracy.

C. Preformatted screen.

D. Reasonableness.

D. Reasonableness.

April has only 30 days. The reasonableness test will catch this error.

66

Processing, File, and Output Controls:

Processing and file controls  --  Controls over processing and files, including the master file update process.
Output controls  --  Control over the production of reports. 
 

67

Processing Controls:

Processing Controls: Controls designed to ensure that master file updates are completed accurately and completely. Controls also serve to detect unauthorized transactions entered into the system and maintain processing integrity.

  • Run-to-run controls  --  Use comparisons to monitor the batch as it moves from one programmed procedure (run) to another; totals of processed transactions are reconciled to batch totals - any difference indicates an error. Also called "control totals."
  • Internal labels ("header" and "trailer" records)  --  Used primarily in batch processing, electronic file identification allows the update program to determine that the correct file is being used for the update process.
  • Audit trail controls  --  Each transaction is written to a transaction log as the transaction is processed; the transaction logs become an electronic audit trail allowing the transaction to be traced through each stage of processing; electronic transaction logs constitute the principal audit trail for online, real-time systems.  

68

File Controls:

File Controls: 

  • Parity check (parity bit)  --  A zero or one included in a byte of information that makes the sum of bits either odd or even. A parity check is designed to detect errors in data transmission.
  • Read after write check  --  Verifies that data was written correctly to disk by reading what was just written and comparing it to the source.
  • Echo check  --  Verifies that transmission between devices is accurate by "echoing back" the received transmission from the receiving device to the sending unit.
  • Error reporting and resolution  --  Controls to ensure that generated errors are reported and resolved by individuals who are independent of the initiation of transactions (segregation of duties).
  • Boundary protection  --  Sort of a computer traffic cop. When multiple programs and/or users are running simultaneously and sharing the same resource (usually the primary memory of a CPU), boundary protection prevents program instructions and data from one program from overwriting the program instructions or data from another program.
  • Internal labels ("header" and "trailer" records)  --  Used primarily in batch processing, electronic file identification allows the update program to determine that the correct file is being used for the update process. Read by the system. Very important for removable storage.
  • External labels  --  Labels on removable storage that are read by humans.
  • Version control  --  Procedures and software to ensure that the correct file version is used in processing (e.g., for transaction files).
  • File access and updating controls  --  These controls ensure that only authorized, valid users can access and update files.  
     

69

Output Controls:

Output Controls: Ensure that computer reports are accurate and are distributed only as authorized.

  • Spooling (print queue) controls  --  Jobs sent to a printer that cannot be printed immediately are spooled - stored temporarily on disk - while waiting to be printed; access to this temporary storage must be controlled to prevent unauthorized access to the files.
  • Disposal of aborted print jobs  --  Reports are sometimes damaged during the printing or bursting (separation of continuous feed paper along perforation lines) process; since the damaged reports may contain sensitive data, they should be disposed of using secure disposal techniques.
  • Distribution of reports  --  Data control is responsible for ensuring that reports are maintained in a secure environment before distribution and that only authorized recipients receive the reports; a Distribution Log is generally maintained to record transfer of the reports to the recipients.
  • End user controls  --  For particularly critical control totals, or where end users have created systems, end users check processing totals and reconcile report totals to separately maintained records. This is also sometimes called one-to-one checking.
  • Logging and archiving of forms, data and programs  --  Should be in a secure, off-site location.
  • Record retention and disposal  --  This is discussed in the separate lesson on "Program Library, Documentation, and Record Management" related to this topic. 

70

What is the primary objective of data security controls?

A. To establish a framework for controlling the design, security, and use of computer programs throughout an organization.

B. To ensure that storage media are subject to authorization prior to access, change, or destruction.

C. To formalize standards, rules, and procedures to ensure that the organization's controls are properly executed.

D. To monitor the use of system software to prevent unauthorized access to system software and computer programs. 

B. To ensure that storage media are subject to authorization prior to access, change, or destruction.

Ensuring that accessing, changing, or destroying storage media is subject to authorization is, in fact, a primary objective of data security controls.

71

An audit trail is considered what type of control?

A.  Input.
B.  Processing.
C.  Output.
D.  Software.

B.  Processing.

Processing Control:

Audit trail controls  --  Each transaction is written to a transaction log as the transaction is processed; the transaction logs become an electronic audit trail allowing the transaction to be traced through each stage of processing; electronic transaction logs constitute the principal audit trail for online, real-time systems.  

72

A poor quality connection caused extensive line noise, resulting in faulty data transmission.
Which of the following controls is most likely to detect this condition?

A.  Line check.
B.  Batch control total.
C.  Closed loop verification.
D.  Parity check.

D.  Parity check.

A parity check is designed to detect errors in data transmission.

73

More than one file may be stored on a single magnetic disc.  Several programs may be in the core storage unit simultaneously. In both cases it is important to prevent the mixing of data.  One way to do this is to use

A.  File integrity control.
B.  Boundary protection.
C.  Interleaving.
D.  Paging.

B.  Boundary protection.

This answer is correct because the primary purpose of boundary protection is to prevent the mixing of data on a magnetic memory disc and a core storage unit.

74

One of the major problems in a computer system is that incompatible functions may be performed by the same individual. One compensating control for this is use of

A.  A tape library.
B.  A self-checking digit system.
C.  Computer generated hash totals.
D.  A computer log.

D.  A computer log.

This answer is correct because the use of a computer log will allow a review of an individual’s access to the system.

75

The distribution of reports is considered what type of control?

A.  Input.
B.  Processing.
C.  Output.
D.  Software.

C.  Output.

 

76