Module 41: Information Technology Flashcards Preview

Flashcards in Module 41: Information Technology Deck (350):

information system within a business

an information system processes data and transactions to provide users with the information they need to plan, control and operate an organization, including:
1. collecting transaction and other data
2. entering it into the information system
3. processing the data
4. providing users with the information needed
5. controlling the process


advantage of computer systems versus manual systems

computer processing tends to reduce or eliminate processing time, and prevent computational errors and errors in processing routine transactions (when fraud is not involved)


General types of IT systems

1. office automation systems
2. transaction processing systems
3. management reporting systems
4. management information systems


Management reporting systems

designed to help with the decision making process by providing access to computer data
1. management information systems
2. decision support systems
3. expert systems
4. executive information systems


office automation systems

designed to improve productivity by supporting daily work of employees (e.g. word processing, spreadsheets, presentation tools, email, electronic calendars, contact management software)


transaction processing systems

involve the daily processing of transactions (e.g. airplane reservations systems, payroll recording, cash receipts, cash disbursements)


management information systems

(management reporting system) systems designed to provide past, present and future information for planning, organizing and controlling the operations of the organization


decision support systems

(management reporting system) computer based information systems that combine models and data to resolve non-structured problems with extensive user involvement


expert support systems

(management reporting system) computer systems that apply reasoning models to data in a specific relatively structured area to render advice or recommendations, much like a human expert


executive information systems

(management reporting system) computerized systems that are specifically designed to support executive work


the two distinct roles for systems

1. recording of transactions of various types
2. providing support for decision making


designing and implementing a new information and control system provides an opportunity to reexamine

business processes, especially if the new system is an enterprise resource planning (ERP) system; more efficient and effective


Systems development lifecycle (SDLC)

the traditional methodology for developing information systems

characterized by its phases, each representing a specific set of development activities:
1. planning
2. analysis
3. design
4. development
5. testing
6. implementation
7. maintenance


SDLC Planning Phase

1. identify the problems that the proposed system will solve

2. define the system to be developed (based on strategic goals of the organization)

3. determine the project scope (what the system will do and how it will be evaluated); a project scope document is used and can be revisited and revised

4. develop a project plan- defines the activities that will be performed, and the individuals and resources that will be used; a project manager develops the plan and tracks its progress; sets project milestones

5. evaluate the initial feasibility of the project- can involve determining the project's technical, organizational, and economical feasibility


SDLC Analysis Phase

Involves teams including end users, information technology specialists, systems analysts, and process design specialists to understand the requirements for the proposed system

1. Typically, processing, data, and logic models are produced to help determine system requirements; a needs assessment may also be performed

2. Next, an analysis is performed on the existing system along the same dimensions

3. then a gap analysis is performed to examine the differences (gaps) between the required system and the existing system

4. Finally, priorities are established for the gaps, which will be documented in a requirements definition document, which will receive sign-off from the end users

*It is during this phase that a company can take advantage of processes inherent in the new system to improve the existing process


A needs assessment (SDLC analysis phase)

involves determining the requirements for the system in terms of processes, data capture, information and reporting


Requirements definition document (SDLC analysis phase)

final document that outlines the differences between the required system and the existing system (requirements) that will receive a sign-off from end users


Specific specification documents contain information on basic requirements which include (SDLC analysis phase)

1. performance levels
2. reliability
3. quality
4. interfaces
5. security and privacy
6. constraints and limitations
7. functional capabilities
8. data structures and elements


The Design Phase (SDLC)

the primary goal of the design phase is to build a technical blueprint of how the proposed system will work

the components that are typically designed during this phase include:
1. databases
2. user interfaces for input and output
3. required reports
4. programs
5. infrastructure and controls


The Development Phase (SDLC)

documents from the design phase are transformed into the actual system

the platform on which the system is to operate is built or purchased off-the-shelf and customized and databases are developed


The Testing Phase (SDLC)

involves verifying that the system works and meets the business requirements as set forth in the analysis phase

tests that should be performed:
1. unit testing
2. system testing
3. integration testing
4. user acceptance testing


unit testing (testing phase test)

involves testing the units or pieces of code


system testing (testing phase test)

involves testing the integration of the units or pieces of code into a system


integration testing (testing phase test)

involves testing whether the separate systems can work together


user acceptance testing (testing phase test)

determines whether the system meets the business requirements and enables users to perform their jobs efficiently and effectively


The Implementation Phase (SDLC)

involves putting the system in operation by the users; in order to effectively implement the system, detailed user documentation must be provided to the users and the users must be adequately trained

implementation methods include:
1. parallel implementation
2. plunge implementation
3. pilot implementation
4. phased implementation


parallel implementation (implementation phase)

uses both systems until it is determined that the new system is operating properly

this has the advantages of a full operational test of the new system with less risk of system disaster

the disadvantage is the additional work and cost during the period both systems are operating


plunge implementation (implementation phase)

the organization ceases using the old system and begins using the new system immediately

less costly than the parallel method but it has a higher risk of system breakdown


pilot implementation (implementation phase)

involves having a small group of individuals using the new system until it is seen to be working properly

has the advantage of providing a partial operational test of the new system at a lower cost than parallel implementation


phased implementation (implementation phase)

involves installing the system in a series of phases (e.g. GL, AR, etc)


The Maintenance Phase (SDLC)

involves monitoring and supporting the new system

in this phase the organization provides ongoing training, help desk resources, and a system for making authorized and tested changes to the system


Types of Computers

1. supercomputers
2. mainframe computers
3. servers
4. microcomputers
5. tablets/ smart phones/ personal digital assistants



supercomputers

extremely powerful, high speed computers used for extremely high-volume and/or complex processing needs


mainframe computers

large, powerful, high-speed computers; less powerful than super computers but they have traditionally been used for high-volume transaction processing

clusters of low cost, less powerful "servers" are increasingly taking over the processing chores of mainframe computers



servers

high-powered microcomputers that "serve" applications and data to clients that are connected via a network (web servers/ database servers)

typically have greater capacity (faster processors, more RAM, more storage capabilities) than their clients (microcomputers) and often act as a central repository for organizational data

servers today are often configured as a "virtual machine," meaning multiple operating systems can coexist and operate simultaneously on the same machine

virtual machines are appealing because they lower hardware costs and create energy savings



microcomputers

e.g. desktop computers, laptop computers

designed to be used by one person at a time (personal computers)

typically used for word processing, email, spreadsheets, surfing the web, creating and editing graphics, playing music, and gaming


tablets/ smart phones/ personal digital assistants

e.g. iPad, iPhone, android, blackberry

these are typically smaller, handheld wireless devices that depend on WiFi and/ or cellular technology for communications


Central Processing Unit (CPU)

the principal hardware components of a computer

1. arithmetic/ logical unit
2. primary memory
3. control unit

major function is to fetch stored instructions and data, decode the instructions, and carry out the instructions


Arithmetic/ logical unit (CPU)

performs mathematical operations and logical comparisons


Primary memory (CPU storage)

active data and program steps that are being processed by the CPU

it may be divided into RAM (random-access memory) and ROM (read-only memory)

application programs and data are stored in the RAM at execution time


Control Unit (CPU)

interprets program instructions and coordinates input, output, and storage devices


random (RAM)

=direct storage


Secondary Storage Devices

1. magnetic tape
2. magnetic discs
3. RAID (Redundant array of independent [previously, inexpensive] disks)
4. compact discs
5. solid state drives (SSDs)
6. cloud-based storage


magnetic tape

slowest type of storage available because data is stored sequentially

primarily used for archiving purposes today


magnetic disks

the most common storage medium in use on computers today

also called "hard disks" or "hard disk drives" (HDD)

data can be accessed directly


RAID (Redundant array of independent [previously, inexpensive] disks)

a way of storing the same data redundantly on multiple magnetic discs (back-up)

1. when originally recorded, data is written to multiple discs to decrease the likelihood of loss
2. if a disk fails, at least one of the other disks has the information and continues operation


compact discs

discs (CDs) and digital video discs (DVDs)

both are the same physical size and both use optical technology to read and write data to the disc


solid state drives (SSDs)

use microchips to store data and require no moving parts for read/write operations

SSDs are faster and more expensive per gigabyte than CDs, DVDs, and HDDs

SSDs are increasingly being used in place of HDDs in microcomputers but cost and limited capacity have constrained their adoption as a primary storage device

more commonly used for auxiliary storage

SSDs that are "pluggable" are often called "thumb drives" "flash drives" or "USBs"


cloud based storage

also called "storage as a Service" (SaaS)

hosted offsite, typically by third parties, and is accessed via the internet


manner in which information is represented in a computer

1. digital
2. analog


digital (manner in which information is represented in a computer)

a series of binary digits (0s and 1s)

one binary digit is called a "bit"

a series of 8 bits is referred to as a "byte"

one byte can form a letter, a number, or special character (e.g. 00000111 is the binary equivalent of the decimal number 7)


analog (manner in which information is represented in a computer)

the representation that is produced by the fluctuations of a continuous signal (e.g. speech, temperature, weight, speed, etc.)

rather than using 0s and 1s to represent information, analog signals use electrical, mechanical, hydraulic or pneumatic devices to transmit the fluctuations in the signal itself to represent information



online

equipment in direct communication with, and under the control of, the CPU

online also refers to having a connection to the Internet



off-line

equipment not in direct communication with the CPU; the operator generally must intervene to connect off-line equipment or data to the CPU (e.g. mount a magnetic tape of archival data)

Off-line also refers to the absence of an Internet connection



a terminal used for communications between the operator and the computer (e.g. the operator of a mainframe computer)


peripheral equipment

all non-CPU hardware that may be placed under the control of the central processor

classified as online or off-line, this equipment consists of input, storage, output, and communications



hardware units designed to operate specific input-output units



a temporary storage unit used to hold data during computer operations



millions of instructions per second; a unit for measuring the execution speed of computers


Input Devices

1. keying data- data entry devices
2. online entry
3. turnaround documents
4. automated source data input devices
5. electronic commerce and electronic data interchange


Key-to-Tape and Key-to-disk (keying data- input device)

data is entered on magnetic tape and/ or disk respectively and then read into a computer


visual display terminal/monitor (online entry)

uses keyboard to directly enter data into computer
1. input interface- a program that controls the display for the user (usually on a computer monitor) and that allows the user to interact with the system

2. graphical user interface (GUI)- uses icons, pictures, and menus instead of text for inputs (e.g. Windows)

3. command line interface- uses text-type commands (e.g. barcodes)


mouse, joystick, lightpens (online entry)

familiar devices that allow data entry


touch-sensitive screen (online entry)

allows users to enter data from a menu of items by touching the surface monitor


turnaround documents (input devices)

documents that are sent to the customer and returned as inputs (e.g. utility bills; to make payments "remittance")


automated source data input devices

1. magnetic tape reader
2. magnetic ink character reader (MICR)
3. scanner
4. automatic teller machine (ATM)
5. radio frequency identification (RFID)
6. point of sale (POS) recorders
7. voice recognition


magnetic tape reader (automated source data input devices)

a device capable of sensing information recorded as magnetic spots on magnetic tape


magnetic ink character reader- MICR (automated source data input devices)

device that reads characters that have been encoded with a magnetic ink (e.g. bank check readers)


Scanner (automated source data input devices)

a device that reads characters on printed pages


Automatic teller machine- ATM (automated source data input devices)

a machine used to execute and record transactions with financial institutions


Radio Frequency Identification- RFID (automated source data input devices)

uses radio waves to track and input data (e.g. wave card entry)

increasingly used for inventory and contactless payment systems

RFID tags can be read wirelessly by RFID readers; does not require line-of-sight access like bar code technology (e.g. Mobil's Speedpass payment systems, FasTrak toll collection system)


Point-of-sale recorders- POS (automated source data input devices)

devices that read price and product code data (purchasing groceries)

ordinarily function as both a terminal and a cash register

allows one to record and track customer orders, process credit and debit cards, connect to other systems in a network, and manage inventory

example: a POS system for restaurants is likely to have all menu items stored in a database that can be queried for information in a number of ways

Increasingly, POS terminals are also web-enabled, which makes remote training and operation possible, as well as inventory tracking across geographically dispersed locations


Voice recognition (automated source data input devices)

a system that understands spoken words and transmits them into a computer


Electronic commerce and electronic data interchange (input device)

involves one company's computer communicating with another's computer

example: a buyer electronically sending a purchase order to a supplier


Output devices

1. many automated source data input devices and electronic commerce/electronic data interchange devices are capable of outputting data (writing in addition to reading) and therefore become output devices as well as input devices
2. monitors
3. printers
4. plotters- produce paper outputs of graphs
5. computer output to microfilm or microfiche (COM)- makes use of photographic process to store output


Systems software

1. Operating system
2. Utility programs
3. Communications software


Operating system (systems software)

manages the input, output, processing and storage devices and operations of a computer (Windows, Linux, Unix)

Performs scheduling, resource allocation, and data retrieval based on instructions provided in job control language


Utility programs (systems software)

handle common file, data manipulation and "housekeeping" tasks


Communications software (systems software)

controls and supports transmission between computers, computers and monitors, and accesses various databases


Software- computer programs that control hardware

1. systems software
2. applications software


Applications software

programs designed for specific uses, or "applications", such as
1. word processing, graphics, spreadsheets, email, and database systems
2. accounting software


Accounting software (applications software)

1. low-end: all in one package, designed for small organizations (QuickBooks, Peachtree, dell-tech)
2. high-end: ordinarily in modules (e.g. general ledger, receivables)
3. Enterprise resource planning (ERP): designed as relatively complete information system "suites" for large and medium size organizations (e.g. human resources, financial applications, manufacturing, distribution). Major vendors are well known- SAP, PeopleSoft, Oracle, and J.D. Edwards


ERP System Advantages

Integration of various portions of the information system, direct electronic communication with suppliers and customers, increased responsiveness to information requests for decision-making

i.e. it's all done for you; you have good support


ERP System Disadvantages

Complexity, costs, integration with supplier and customer systems may be more difficult than anticipated

**very expensive


Compiler (software term)

produces a machine language object program from a source program language


Multiprocessing (software term)

simultaneous execution of two or more tasks, usually by two or more CPUs that are part of the same system


Multitasking (software term)

the simultaneous processing of several jobs on a computer


Object program (software term)

the converted source program that was changed using a compiler to create a set of machine readable instructions that the CPU understands


Source program (software term)

a program written in a language from which statements are translated into machine language; computer programming has developed in "generations"


Source Programming "Generations"

1. machine language
2. assembly language
3. "high-level" programming languages such as COBOL, Basic, Fortran, C++, and Java
4. an "application-specific" language usually built around database systems (i.e. SQL, a structured query language)
5. a relatively new and developing form that includes visual or graphical interfaces used to create source language that is usually compiled with a 3rd or 4th generation language compiler


Machine language (source programming generation 1)

composed of combinations of 1's and 0's that are meaningful to the computer (binary)


"high-level" programming languages such as COBOL, Basic, Fortran, C++, and Java (source programming generation 3)

C++ and Java are considered object-oriented programs (OOP) in that they are based on the concept of an "object" which is a data structure that uses a set of routines, called "methods," which operate on the data

The "objects" are efficient in that they often are reusable in other programs

Object-oriented programs keep together data structures and procedures (methods) through a procedure referred to as encapsulation.


assembly language (source programming generation 2)

a low-level programming language that uses words (mnemonics) instead of numbers to perform an operation.

assembly language must be translated to machine language by a utility program called an "assembler"

generally, an assembly language is specific to a computer architecture and is therefore not portable like most high-level languages


virtual memory (software term)

(storage) online secondary memory that is used as an extension of primary memory, thus giving the appearance of larger, virtually unlimited internal memory


protocol (software term)

rules determining the required format and methods for transmission of data


desk checking (programming term)

review of a program by the programmer for errors before the program is run and debugged on the computer


debug (programming term)

to find and eliminate errors in a computer program

many compilers assist debugging by listing errors in the program such as invalid commands


edit (programming term)

to correct input data prior to processing


loop (programming term)

a set of program instructions performed repetitively a predetermined number of times, or until all of a particular type of data has been processed


memory dump (programming term)

a listing of the contents of storage


patch (programming term)

a section of coding inserted into a program to correct a mistake or to alter a routine


run (programming term)

a complete cycle of a program including input, processing and output


Methods of Processing

1. batch or online real-time
2. centralized, decentralized, or distributed


batch processing

transactions flow through the system in groups of like transactions (batches).

Example: all cash receipts on accounts receivable for a day may be aggregated and run as a batch

ordinarily leaves a relatively easy-to-follow audit trail

*goes through edit checks and prints out errors (admin fee process)


online real-time processing (or direct access processing)

transactions are processed in the order in which they occur, regardless of type.

data files and programs are stored online so that updating can take place as the edited data flows to the application

system security must be in place to restrict access to programs and data to authorized persons

categorized into:
1. online transaction processing (OLTP)
2. online analytical processing (OLAP)


online transaction processing-OLTP (online real-time processing)

1. databases support day-to-day operations
2. example: airline reservation systems, bank automatic teller systems, internet website sales systems


online analytical processing- OLAP (online real-time processing)

enables the user to query the system (retrieve data), and conduct an analysis, etc.; primarily used for analytics

uses statistical and graphical tools

example: airline company downloads its OLTP reservation info into another database to allow analysis of that reservation information


decision support systems

computer-based info systems that combine models and data in an attempt to solve relatively unstructured problems with extensive user involvement


one approach to OLAP (online analytical processing) is to periodically download and combine operational databases into a

1. data warehouse: a subject-oriented, integrated collection of data used to support management decision-making processes or;

2. a data mart: a data warehouse that is limited in scope


data mining

using sophisticated techniques from statistics, artificial intelligence and computer graphics to explain, confirm and explore relationships among data (which is often stored in a data warehouse or data mart)


*Business intelligence (BI)

a combination of systems that help aggregate, access, and analyze business data and assist in the business decision-making process


Artificial intelligence (AI)

computer software designed to help make decisions (may be viewed as an attempt to model aspects of human thought on computers)


Expert system

one form of AI (artificial intelligence)

a computerized information system that guides decision processes within a well-defined area and allows decisions comparable to those of an expert

example: an expert system may be used by a credit card company to authorize credit card purchases to minimize fraud and credit losses


Centralized Processing

processing occurs at one location


Decentralized Processing

processing (and data) are stored on computers at multiple locations

may be viewed as a collection of independent databases


Distributed Processing

transactions for a single database are processed at various sites

processing may be either a batch or online real-time basis



bit

a binary digit (0 or 1) which is the smallest storage unit in a computer



byte

a group of adjacent bits (usually 8) that is treated as a single unit, or character, by the computer.

one byte can form a letter, a number, or a special character, or unprintable codes (those that control peripheral devices such as computers)



a group of related characters (social security number)



an ordered set of logically related fields

example: all payroll data (including SS number field and others) relating to a single employee



a group of related records (e.g. all the weekly pay records YTD), which is usually arranged in sequence



a group of related records in a relational database with a unique identifier (primary key field) in each record



a group of related files or a group of related tables (if a relational database)

ordinarily stored online


Master file

a file containing relatively permanent information used as a source of reference and periodically updated with a detail (transaction) file (e.g. permanent payroll files- all banking information)


detail or transaction file

a file containing current transaction information used to update the master file (e.g. hours worked by each employee during the current period used to update the payroll master file)


traditional file processing systems

focus upon data processing needs of individual departments; each application program or system is set up to meet the needs of the particular requesting department or user group


advantages of traditional processing systems

1. currently operational for many existing systems
2. cost effective for simple applications


disadvantages of traditional processing systems

1. data files are dependent upon a particular application program
2. in complex systems, there is much duplication of data
3. each application must be developed individually
4. program maintenance is expensive
5. data may be difficult to share between functional areas (isolated)



the process of separating the database into logical tables to avoid certain kinds of updating difficulties (referred to as "anomalies")


database system

computer hardware and software that enables the database to be implemented


database management system

software that provides a facility for communications between various applications programs (e.g. a payroll prep program) and the database (e.g. master payroll file containing earnings)

*create and modify


data independence

basic to database systems is this concept which separates the data from the related application program


data modeling

identifying and organizing a database's data, both logically and physically.

data model determines what info is to be contained in a database, how the info will be used, and how the items in the database will be related to each other


entity-relationship modeling

an approach to data modeling

the model (called entity-relationship diagram, or ERD) divides the database into two logical parts:
1. entities (e.g. customer, product) and
2. relations (e.g. buys, pays for)


primary key

the fields that make a record in a relational database table unique


foreign key

the fields that are common to two (or more) related tables in relational database


REA data model

a data model designed for use in designing accounting information databases

Resources; Events; Agents


Data Dictionary

(data repository or data directory system)

data structure that stores meta-data



meta-data

definitional data that provides info about or documentation of other data managed within an application or environment

i.e. data about data elements, records and data structures (length, fields, columns)


structured query language (SQL)

used for creating and querying relational databases; 3 types:
1. data definition language (DDL): used to define a database (creating, altering, deleting tables and establishing various constraints)
2. data manipulation language (DML): maintain a database (updating, inserting in, modifying, and querying)
3. data control language (DCL): used to control database (which users have various privileges)


database structures

1. hierarchical
2. networked
3. relational
4. object-oriented
5. object-relational
6. distributed


Hierarchical (database structure)

data elements at one level "own" the data elements at the next lower level


Networked (database structure)

each data element can have several owners and can own several other elements


Relational (database structure)

a database with the logical structure of a group of related spreadsheets

have largely replaced hierarchical and networked database structures


Object-Oriented (database structure)

information (attributes and methods) is included in structures called object classes

this is the newest database management system technology


Object-relational (database structure)

includes both relational and object-oriented features


Distributed (database structure)

a single database that is spread physically across computers in multiple locations that are connected by a data communications link


Database controls

1. user department
2. access controls
3. backup and recovery
4. database administrator (DBA)
5. audit software


User department (database control)

strict controls over who is authorized to read and/or change the database are necessary


Access controls (database control)

controls within the database itself; limit the user to reading and/or changing (updating) only authorized portions of the database


Restricting privileges (access controls)

limits the access of users to the database, as well as operations a particular user may be able to perform

read only, not write, privileges


Logical views (access controls)

users may be provided with authorized views of only the portions of the database for which they have a valid need


Backup and recovery (database control)

a database is updated on a continuous basis during the day; 3 methods of backup and recovery include:
1. backup of database and logs of transactions
2. database replication
3. backup facility


Database administrator (database control)

individual responsible for maintaining the database and restricting access to the database to authorized personnel


Audit software (database control)

usually used by auditors to test the database


Advantages of database systems

1. data independence: easily used by different applications
2. minimal data redundancy
3. data sharing: sharing of data
4. reduced program maintenance
5. commercial applications are available for modification to a company's needs


Data file structures (2)

1. traditional file processing systems
2. database systems


Disadvantages of database systems

1. need for specialized personnel with database expertise
2. installation of database is costly
3. conversion of traditional file systems is costly
4. comprehensive backup and recovery procedures are necessary



a group of interconnected computers and terminals


Telecommunications development

the electronic transmission of info by radio, fiber optics, wire, microwave, laser, and other electromagnetic systems- has made possible the electronic transfer of information between networks of computers


Networks are classified by geographical scope

1. personal network area (PAN)
2. local area networks (LAN)
3. Metropolitan area network (MAN)
4. Wide area networks (WAN)


Personal network area (PAN)

a computer network that is centered around an individual and the personal communication devices she uses (Bluetooth, USB)


Local area networks (LAN)

privately owned networks within a single building or campus of up to a few miles in size

*emphasized in AICPA materials


Metropolitan area network (MAN)

a larger version of LAN; might include a group of nearby offices within a city


Wide area networks (WAN)

Networks that span a large geographical area, often a country or continent

composed of a collection of computers and other hardware and software for running user programs


Networks are classified by ownership

1. Private
2. Public
3. Cloud computing/ cloud services


Private network ownership

one in which network resources are usually dedicated to a small number of applications or a restricted set of users, as in a corporation's network

advantages: secure, flexible, performance often exceeds that of public
disadvantages: costly


Public network ownership

resources are owned by third-party companies and leased to users on a usage basis (also referred to as public switch networks- PSN)

advantages and disadvantages: in general, the opposite of those for private networks, but certainly a significant disadvantage is that they are less secure


Cloud computing/ cloud services network ownership

the use and access of multiple server-based computational resources via digital network

applications are provided and managed by the cloud server and data is stored remotely in the cloud configurations


Risks of cloud computing

1. information security and privacy: users rely on cloud providers' access controls
2. continuity of services: user problems occur if the cloud provider has service interruptions
3. migration: users may have difficulty changing cloud providers because there are no data standards


Networks classified by use of internet

1. internet
2. intranet
3. extranet


Hypertext markup language (HTML) and/or Extensible markup language (XML)

network internet classifications: data communications are ordinarily

HTML and XML: languages used to create and format documents, link documents to other web pages, and communicate between web browsers

XML is increasingly replacing HTML in internet applications due to its superior ability to tag and format documents that are communicated among trading partners


Extensible Business Reporting Language (XBRL)

an XML-based language being developed specifically for the automation of business information requirements, such as the preparation, sharing, and analysis of financial reports, statements, and audit schedules



international collection of networks made up of independently owned computers that operate as a large computing network

internetwork communication requires the use of a common set of rules, or protocols (TCP), and a shared routing system (IP)


Hypertext transfer protocol (HTTP)

the primary internet protocol for data communication on the World Wide Web


Uniform resource locator (URL)

a standard for finding a document by typing in an address (


World Wide Web

a framework for accessing linked resources spread out over the millions of machines all over the Internet


Web browser

client software that provides the user with the ability to locate and display web resources


Web servers

software that "serves" (makes available) web resources to software clients



a method for protecting computers and computer information from outsiders

consists of security algorithms and router communications protocols that prevent outsiders from tapping into corporate database and email systems



a communications interface device that connects two networks and determines the best way for data packets to move forward to their destinations



a device that divides a LAN (local area network) into two segments, selectively forwarding traffic across the network boundary it defines; similar to a switch



a device that channels incoming data from any of multiple input ports to the specific output port that will take the data toward its intended destination



a combination of hardware and software that links to different types of networks

example: gateways between email systems allow users of differing email systems to exchange messages


Proxy server

a server that saves and serves copies of web pages to those who request them


Web 2.0

2nd generation of the web

refers to era of web-based collaboration and community-generated content via web-based software tools such as:
1. blog
2. wiki
3. twitter
4. RSS/ATOM Feeds- Really simple syndication



an asynchronous discussion, or web log, led by a moderator that typically focuses on a single topic



an information-gathering and knowledge-sharing website that is developed collaboratively by a community or group, all of whom can freely add, modify or delete content



a micro-variation of a blog


RSS/ATOM Feeds- Really simple syndication

an XML application that facilitates the sharing and syndication of website content by subscribers


TCP/IP (transmission control protocol/ internet protocol)

the basic communication language or protocol of the internet

two layers; one assembles messages and the other assigns IP addresses


IP address

the number that identifies a machine as unique on the internet


ISP (internet service provider)

an entity that provides access to the internet


Malicious programs that may adversely affect computer operations

1. virus
2. trojan horse
3. worm
4. antivirus software
5. botnet



a program (or piece of code) that requests the computer operating system to perform certain activities not authorized by the computer user

can be transmitted by files that contain macros that are sent as an email attachment



a stored set of instructions and functions that are organized to perform a repetitive task and can be easily activated, often by a simple key stroke combination

most macros serve valid purposes but those associated with viruses cause problems


trojan horse

a malicious, security-breaking program that is disguised as something benign, such as a game, but actually is intended to cause IT damage



a program that propagates itself over a network, reproducing itself as it goes


antivirus software

is used to attempt to avoid viruses, trojan horses and worms but the rapid development of new viruses results in a situation in which antivirus software developers are always behind virus developers



a network of computers that are controlled by computer code, called a "bot", that is designed to perform a repetitive task such as sending spam, spreading a virus, or creating a distributed denial of service attack



a local network, usually limited to an organization, that uses internet-based technology to communicate within the organization



similar to an intranet, but includes an organization's external customers and/or suppliers in the network


Database client-server architecture (design)

the architecture must divide three responsibilities (1) input, (2) processing, (3) storage

a client server model may be viewed as one in which communications ordinarily take the form of a request message from the client to the server asking for some service to be performed

a "client" may be viewed as the computer or workstation of an individual user

the server is a high-capacity computer that contains the network software and may provide a variety of services ranging from simply "serving" files to a client to performing analyses

1. overall client-server systems
2. subtypes of client/server architectures
3. distributed systems


Overall client-server systems (database client-server architecture)

a networked computing model (usually a LAN- local area network) in which database software on a server performs database commands sent to it from client computers

diagram on page 83


Subtypes of client/server architectures

1. file servers
2. database servers
3. three-tier architectures


File servers (subtypes of client/server architectures)

the file server manages file operations and is shared by each of the client PCs (ordinarily attached to a LAN- local area network)

3 responsibilities are divided in a manner in which most input/output and processing occurs on client computers rather than on the server:
1. input/output
2. processing
3. storage

the file server acts simply as a shared data storage device, with all data manipulations performed by client PCs

*two tier architecture: client tier and server database tier


Database servers (subtypes of client/server architectures)

similar to file servers, but the server here contains the database management system and thus performs more of the processing

*two tier architecture: client tier and server database tier


Three-tier architectures (subtypes of client/server architectures)

a client/server configuration that includes three tiers

the change from file and database servers is that this architecture includes an additional server layer

examples of additional servers:
1. printer server: make shared printers available to clients
2. communications server: serve a variety of tasks
3. fax server: allows network to share hardware for faxes
4. web server: stores and serves web pages on request


Distributed systems (database client-server architecture)

connect all company locations to form a distributed network in which each location has its own input/output, processing, and storage capabilities


Local area networks (LANs)

privately owned networks within a single building or campus of up to a few miles in size


LAN Software

allows devices to function cooperatively and share network resources such as printers and disk storage space


Common LAN services

1. network server
2. file server: stores programs and data files for users
3. print server
4. communications server


LAN hardware components

1. workstations
2. peripherals
3. transmission media
4. network interface cards


workstation (LAN hardware component)

ordinarily microcomputers


peripherals (LAN hardware component)

example: printers, network attached storage (NAS) devices, optical scanners, fax board


transmission media (LAN hardware component)

physical path that connects components of a LAN, ordinarily twisted-pair wire, coaxial cable, or optical fiber

LANs that are connected wirelessly are called WLANs or WiFi networks


Network interface cards (LAN hardware component)

connect workstation and transmission media


LAN control implications

1. general controls are often weak (controls over development and modification of programs, access and computer operations)
2. controls often rely upon end users, who may not be control conscious (people writing passwords)
3. often users may not be provided with adequate resources for problem resolution, troubleshooting and recovery support
4. controlling access and gaining accountability through logging of transactions enforces segregation of duties
5. good management controls are essential (access codes and passwords)
6. LAN software ordinarily does not provide security features available in larger scale environments

*test of controls may address whether controls related to the above are effective


LANs and audit techniques

LANs generally make possible the computer audit techniques that may be performed either by internal auditors or external auditors



personal computers (PCs) and laptop computers

a small business will probably use a PC to run a commercially purchased general ledger package (off the shelf software)

segregation of duties becomes especially difficult in such an environment because one individual may perform all recordkeeping (processing) as well as maintain other nonrecordkeeping responsibilities

a larger client may use a network of PCs that may or may not be linked to a large corporate mainframe computer


small company microcomputer control objectives

1. security
2. verification of processing
3. personnel


small company microcomputer security (control objective)

security over small computers, while still important, may not be as critical as security over the data and any in-house developed software

access to the hard drive must be restricted since anyone turning on the power switch can read the data stored on files

a control problem may exist because the computer operator often understands the system and also has access to the input data; management may need to become more involved in supervision when a lack of segregation of duties exists in data processing


small company microcomputer verification of processing (control objective)

periodically, an independent verification of applications being processed on the small computer system should be made to prevent the system from being used for personal projects

verification also helps prevent errors in internally developed software from going undetected


small company microcomputer personnel (control objective)

centralized authorization to purchase hardware and software should be required to ensure that appropriate purchasing decisions are made, including decisions that minimize software and hardware compatibility difficulties

software piracy and viruses may be controlled by prohibiting the loading of unauthorized software and data on company-owned computers


a small company may control possible software piracy (the use of unlicensed software) by employees by procedures such as...

1. establishing a corporate software policy
2. maintaining a log of all software purchases
3. auditing individual computers to identify installed software


End-User Computing (EUC)

the end user is responsible for the development and execution of the computer application that generates the information used by that same end user

user substantially eliminates many of the services offered by an MIS (management information system) department

overall physical access controls become more difficult when companies leave a controlled MIS environment and become more dependent upon individual users for controls


End-User Computing (EUC) risks

1. end-user applications are not always adequately tested before being implemented
2. more client personnel need to understand control concepts
3. management often does not review the results of applications appropriately
4. old or existing applications may not be updated for current applicability and accuracy


End-user computing (EUC) control implications

1. require applications to be adequately tested before they are implemented
2. require adequate documentation
3. physical access controls
4. control access to appropriate users
5. control use of incorrect versions of data files (use control totals for batch processing of uploaded data)
6. require backup files
7. provide applications controls (edit checks, range tests, reasonableness checks)
8. support programmed or user reconciliations to provide assurance that processing is correct


Physical EUC (end-user computing) controls

1. clamps or chains to prevent removal of hard disks or internal boards
2. diskless workstations that require downloaded files
3. regular backup
4. security software to limit access to those who know user ID and password
5. control over access from outside
6. commitment to security matters written into job descriptions, employee contracts, and personnel evaluation procedures


EUC control access to appropriate users

1. passwords and user IDs
2. menus for EUC access to database
3. protect system by restricting user ability to load data
4. when user uploads data, require appropriate validation, authorization, and reporting control
5. independent review of transactions
6. record access to company databases by EUC applications


the controls for microcomputers and EUC are



Electronic commerce

involves individuals and organizations engaging in a variety of electronic transactions with computers and telecommunication networks (internet or telephone)


Electronic commerce IT system risks (5)

1. security
2. availability
3. processing integrity
4. online privacy
5. confidentiality

some believe these risks are impairing the growth of the web


WebTrust Seal of Assurance

developed by the AICPA and the Canadian Institute of Chartered Accountants

a form of assurance that tells potential customers that the firm has evaluated a website's business practices and controls to determine whether they are in conformity with WebTrust principles


Digital Certificates (Digital IDs)

allows an individual to digitally sign a message so the recipient knows that it actually came from that individual and wasn't modified



the conversion of data into a form called cipher text, that cannot be easily understood by unauthorized people



the process of converting encrypted data back into its original form so it can be understood

the conversion is performed using an algorithm and key which only the users control



a detailed sequence of actions to perform to accomplish some task


Key (encryption)

in the context of encryption, a value that must be fed into the algorithm used to decode an encrypted message in order to reproduce the original plain text


Private key system

an encryption system in which both the sender and receiver have access to the electronic key, but do not allow others access

disadvantage: both parties must have the key


system overhead (encryption)

the machine instructions necessary to encrypt and decrypt data constitute system overhead, which slows down the rate of processing


to assure continuity in the event of a natural disaster, firms should establish..

off-site mirrored Web servers


Electronic funds transfer (EFT)

making cash payments between two or more organizations or individuals electronically rather than by using checks (or cash)


EFT risk

EFTs (electronic funds transfers) are vulnerable to the risk of unauthorized access to proprietary data and to the risk of fraudulent fund transfers


EFT controls

1. control of physical access to network facilities
2. electronic ID should be required
3. passwords should control access
4. encryption should be used to secure stored data and data being transmitted


Electronic Data Interchange (EDI)

the electronic exchange of business transactions, in a standard format, from one entity's computer to another's through an electronic communications network


EDI (electronic data interchange) risks

1. commonly used for sales and purchasing, and related accounts; the speed at which transactions occur often reduces receivables due to electronic processing of receipts
2. preventive controls, instead of detective controls, are usually used
3. no paper trail; some electronic copies are only kept for a certain period of time, which affects audits


Methods of communications between trading partners

1. point-to-point
2. value-added network (VAN)
3. public networks
4. proprietary networks


Point-to-Point communication between trading partners

a direct computer to computer private network link

automakers and governments traditionally use this method


point to point communication advantages

1. no reliance on third parties for computer processing
2. organization controls who has access to the network
3. organization can enforce proprietary (its own) software standard in dealings with all trading partners
4. timeliness of delivery may be improved since no third party is involved


point to point communication disadvantages

1. must establish connection with each trading partner
2. high initial cost
3. computer scheduling issues
4. need for common protocols between partners
5. need for hardware and software compatibility


Value-added network (VAN) communication between trading partners

a privately owned network that routes the EDI (electronic data interchanges) transactions between trading partners and in many cases provides translation, storage, and other processing

it alleviates problems related to interorganizational communication that result from the use of differing hardware and software

a VAN receives data from sender, determines intended recipient, and places data in the recipient's electronic mailbox


VAN (value-added network) communication advantages

1. reduces communication and data protocol problems since VANs can deal with differing protocols (eliminating need for trading partners to agree on them)
2. partners do not have to establish the numerous point-to-point connections
3. reduces scheduling problems since receiver can request delivery of transactions when it wishes
4. VAN translates the application to a standard format, so the partner does not have to reformat
5. VAN can provide increased security


VAN (value-added network) communication disadvantages

1. cost (expensive)
2. dependence upon VAN's systems and controls
3. possible loss of data confidentiality


Public networks (communication between trading partners)

example: the internet-based commerce solutions described earlier (EFT, EDI)


public network communication advantages

1. avoids cost of proprietary lines
2. avoids cost of VAN
3. directly communicates transactions to trading partners
4. software is being developed which allows communication between differing systems


public network communication disadvantages

1. possible loss of data confidentiality
2. computer or transmission disruption
3. hackers and viruses
4. attempted electronic frauds


proprietary networks (communication between trading partners)

in some circumstances (health care, banking) organizations have developed their own network for their own transactions

costly to develop and operate (because of proprietary lines) although they are often extremely reliable


Controls required for other network systems are required for EDI systems


1. authentication: controls over the origin, proper submission, and proper delivery of EDI communications (have proof of this)
2. packets: a block of data that is transmitted from one computer to another (contains data and authentication info)
3. encryption: conversion of plain text into cipher text data using an algorithm and key which only the users control


Benefits of EDI

1. quick response and access to info
2. cost efficiency
3. reduced paperwork
4. accuracy and reduced errors and error-correction costs
5. better communications and customer service
6. necessary to remain competitive


Exposures of EDI

1. total dependence upon computer system for operation
2. possible loss of confidentiality of sensitive info
3. increased opportunity for unauthorized transactions and fraud
4. concentration of control among a few people involved in EDI
5. reliance on third parties (trading partners, VAN)
6. data processing, application and communication errors
7. potential legal liability due to errors
8. potential loss of audit trails and information needed by management due to limited retention policies
9. reliance on trading partner's system



the electronic transmission of info by radio, wire, fiber optic, coaxial cable, microwave, laser, or other electromagnetic system

information transmitted: voice, data, video, fax, other


Telecommunications hardware

1. computers
2. transmission facilities (copper wire, fiber optic cables, microwave stations, communications satellites)
3. modems


Software does what?

controls and monitors the hardware, formats information, adds appropriate control info, performs switching operations, provides security, and supports the management of communications


Telecommunications enables the following technologies:

aka if we did not have telecommunications, we would not have:

1. EDI (electronic data interchanges)
2. EFT (electronic funds transfers)
3. point of sale (POS) system
4. commercial databases
5. airline reservation systems


controls needed for telecommunications:

1. system integrity at remote sites
2. data entry
3. central computer security
4. dial-in security
5. transmission accuracy and completeness
6. physical security over telecommunications facilities
7. encryption during transmissions


Computer service organizations (bureaus, centers)

these orgs record and process data for companies


COBIT 5** (Control Objectives for Information and Related Technology)

a framework developed by the Information Systems Audit and Control Association to assist enterprises in achieving their objectives for governance and management of enterprise IT

it is business-oriented in that it provides a systematic way of integrating IT with business strategy and governance


COBIT 5 Principles**

1. meeting shareholders needs
2. covering the enterprise end-to-end
3. applying a single integrated framework
4. enabling a holistic approach
5. separating governance from management


COBIT 5 Enablers**

factors that individually and collectively influence whether something will work in an organization

1. processes (an organized set of practices and activities to achieve certain objectives)
2. organizational structures (the key decision-making entities in an organization)
3. culture, ethics, and behavior of individuals and the org
4. principles, policies and frameworks (the vehicle to translate the desired behavior into guidance for day-to-day management)
5. information produced and used by the enterprise
6. services, infrastructure, and applications (the infrastructure, technology, and applications that provide the enterprise with information technology processing and services)
7. people, skills, and competencies required for successful completion of all activities and for making correct decisions


processes (COBIT enabler)

an organized set of practices and activities to achieve certain objectives


organizational structures (COBIT enabler)

the key decision-making entities in an organization


principles, policies and frameworks (COBIT enabler)

the vehicle to translate the desired behavior into guidance for day-to-day management


services, infrastructure, and applications (COBIT enabler)

the infrastructure, technology, and applications that provide the enterprise with information technology processing and services


Principles of a reliable system

one that is capable of operating without material error, fault, or failure during a specified period in a specified environment

5 AICPA Trust Services reliability principles:
1. security
2. availability
3. processing integrity
4. online privacy
5. confidentiality


Security (reliable principle)

the system is protected against unauthorized access (physical and logical)

lock doors and prevent access to data


Availability (reliable principle)

the system is available for operation and use as committed or agreed

the system is available for operation and use in conformity with the entity's availability policies

system failure results in interruption of business operations and loss of data


Processing integrity (reliable principle)

system processing is complete, accurate, timely, and authorized

invalid, incomplete or inaccurate processing can affect input data, data processing, updating of master files, and creation of output


Online privacy (reliable principle)

personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed

risks include disclosure of customer info such as SS #s, CC #s, credit rating, and medical conditions


Confidentiality (reliable principle)

information designated as confidential is protected as committed or agreed

examples of confidential data that might be disclosed:
transaction details
engineering details of products
business plans
banking info
legal documents
inventory/ other account info
customer lists
confidential details of operations


Segregation controls (org structure)

segregate functions between information systems department and user departments

do not allow information systems department to initiate or authorize transactions

at a minimum, segregate:
1. programming
2. data entry
3. operations
4. library function within the information systems department


user departments

are the other departments of the company that utilize the data prepared by the information systems department


Systems analysis (information systems department)

systems development manager

the system analyst analyzes the present user environment and requirements and may:
1. recommend specific changes
2. recommend the purchase of a new system
3. design a new information system


Systems programming (information systems department)

responsible for implementing, modifying, and debugging the software necessary for making the hardware work


Applications programming (information systems department)

responsible for writing, testing and debugging the application programs from specifications provided by the systems analyst


Database administration (information systems department)

responsible for maintaining the database and restricting access to the database to authorized personnel


Data preparation (information systems department)

data may be prepared by user departments and input by key to storage devices


Operations (information systems department)

the operator is responsible for the daily computer operations of both the hardware and the software

supervises operations on the operator's console, accepts any required input, and distributes any generated output

operator should have adequate documentation to run the program (a run manual), but should not have detailed program info

*help desks are usually a responsibility of the operators because of the operational nature of their functions (ex. assisting users with systems problems and obtaining technical support)


Data library (information systems department)

librarian is responsible for custody of the removable media (i.e. magnetic tape or disks) and for the maintenance of program and system documentation

in many systems the library function is maintained and performed electronically by the computer


Data control (information systems department)

the control group acts as a liaison between users and the processing center

this group records input data in a control log, follows the progress of processing, distributes output, and ensures compliance with control totals

*ideally, in a large system, the above key functions are segregated but in a smaller co. many are concentrated to a small number of employees

***at a minimum an attempt should be made to segregate programming, operating, and library functions


Information and Communication (IT)

the computerized accounting system is affected by whether the company uses small computers and/or a complex mainframe system

Small systems can use off the shelf software:
1. controls within the software may be well known
2. analysis of exception reports generated during processing is important to determine that exceptions are properly handled

for complex mainframe systems, software is usually developed internally:
1. controls are unknown to auditor prior to testing
2. analysis of exception reports is important


Monitoring (IT)

a common method of monitoring for inappropriate access is review of the system-access log (who has access)

IT can also facilitate monitoring: continuously evaluate data/transactions and capture samples of items


Control Activities-overall (IT)

control activities in which a computer is involved may be segregated into:
1. computer general control activities
2. application control activities
3. programmed application controls
4. manual follow-up of computer exception reports
5. user control activities to test the completeness and accuracy of computer processed controls


Computer general control activities

control program development, program changes, computer operations, and access to programs and data


Computer application control activities

programmed control activities: relate to specific computer applications and are embedded in the computer program

manual follow-up of computer exception reports: involves employee follow-up of items listed on the computer exception reports


user control activities to test the completeness and accuracy of computer processed transactions

represent manual checks of computer output against source documents or other input, and thus provide assurance that programmed aspects of the accounting system and control activities have operated effectively


computer general control activities

1. developing new programs and systems
2. changing existing programs and systems
3. controlling access to programs and data
4. controlling computer operations


segregation controls (developing new programs and systems-general computer control activities)

1. user departments participate in systems design
2. both users and information systems personnel test new systems
3. management, users, and information systems personnel approve new systems before they are placed into operation
4. all master and transaction file conversions should be controlled to prevent unauthorized changes and to verify the accuracy of the results
5. programs and systems should be properly documented


computer hardware is extremely reliable because

of chip technology and controls built into the hardware

controls include:
1. parity check
2. echo check
3. diagnostic routines
4. boundary protection
5. periodic maintenance


parity check

a special bit is added to each character so that the hardware can detect the loss of a bit during the internal movement of a character


echo check

primarily used in telecommunications transmissions

during the sending and receiving of characters, the receiving hardware repeats back to the sending hardware what it received and the sending hardware automatically resends any characters that were received incorrectly


diagnostic routines

hardware or software supplied by the manufacturer to check the internal operations and devices within the computer system


boundary protection

most CPUs have multiple jobs running simultaneously (multiprogramming environment)

boundary controls do not allow one job to change the allocated memory of another job


periodic maintenance

the system should be examined periodically (often weekly) by a qualified service technician



systems and programs should be adequately documented

system specification documents should detail such matters as performance levels, reliability, security and privacy, constraints and limitations, functional capabilities, and data structure elements


changing existing programs and systems

should be documented in a change request log


change control procedures (modification controls)

1. information systems manager should review all changes
2. modified program should be appropriately tested
3. details of all changes should be documented
4. a code comparison program may be used to compare source and/or object codes of a controlled copy of a program with the program currently being used to process data (will identify unauthorized changes)


segregation controls (controlling access to programs and data- general computer control activity)

1. access to program documentation should be limited to those who require it in the performance of their duties
2. access to data files and programs should be limited to those authorized to process data
3. access to computer hardware should be limited to authorized individuals (computer operators and their supervisors)


limited physical access to computer facility

the physical facility that houses the computer equipment, files, and documentation should have controls to limit access only to authorized individuals

controls: guard, key card, manual key locks, fingerprint and palmprint access granting devices


visitor entry log (access to computer facility)

use visitor logs to document those who have had access to the area


access control software

(user identification)

the most used control is a combination of a unique identification code and a confidential password


call back (hardware and software access controls)

a specialized form of user ID in which the user dials the system, identifies themselves, and is disconnected from the system

the authorized phone number is then looked up, either manually or by the computer, and the user is called back


encryption as access control

data is coded when stored in computer files and/or before transmission to or from remote locations

protects data since unauthorized users not only have to obtain data, they also have to decode it


segregation of controls to control computer operations

1. operators should have access to an operations manual that contains the instructions for processing programs and solving routine operational program issues, but not to detailed program documentation
2. the control group should monitor the operators' activities, and jobs should be scheduled


other controls for controlling computer operations

1. backup recovery
2. contingency processing
3. internal and external labels


contingency processing (as a form of controlling computer operations)

detailed contingency processing plans should be developed to prepare for system failures

the plans should cover the responsibilities of individuals, as well as the alternate processing sites that should be utilized


internal and external labels (controlling computer operations)

external labels are gummed-paper labels attached to storage media which identify the file

internal labels perform the same function through the use of machine readable information in the first record of the file

use of labels allows the computer operator to determine whether the correct file has been selected for processing (file protection ring makes it read only)


programmed application controls

apply to a specific application

operate to assure the proper input and processing of data


overall programmed application controls

1. inputs should be authorized and approved
2. system should verify all significant data fields used to record info
3. conversion of data into machine-readable form should be controlled and verified for accuracy


input validation (edit) controls

1. preprinted form
2. check digit
3. control, batch, or proof total
4. hash total
5. record count
6. limit (reasonable) test
7. menu driven input
8. field check
9. validity check
10. missing data check
11. field size check
12. logic check
13. redundant data check
14. closed-loop verification


preprinted form

info is pre-assigned a place and a format on the input form


check digit

an extra digit added to an ID number to detect certain types of data transmission errors


control, batch, proof total

a total of one numerical field for all the records of a batch that would normally be added (total sales dollars)


hash total

a control total where the total is meaningless for financial purposes


record count

a control total of the total records processed


limit (reasonable) test

test of the reasonableness of a field of data, given a predetermined upper and/or lower limit

example: limit for auditing scores would be 100


menu driven input

what score did you get on the auditing section of the CPA exam? 75-100?

you must enter a number between 75 and 100


field check

control that limits the types of characters accepted into a specific data field

ex. pay rate should only include numerical data


validity check

a control that allows only "valid" transactions or data to be entered into the system (female is 1 and male is 2; anything else would not be valid)


missing data check

a control that searches for blanks inappropriately existing in input data (required fields in a form online)


field size check

a control of an exact number of characters to be input (EIN has to be 9 digits)


logic check

ensures that illogical combinations of input are not accepted


redundant data check

uses two identifiers in each transaction record to confirm that the correct master file record is being updated (duplicate profile entries: it notifies me when it's already in the system)


closed loop verification

a control that allows data entry personnel to check the accuracy of input data


processing application controls

when the input has been accepted by the computer, it usually is processed through multiple steps


application controls- manual follow-up of computer exception reports

these controls involve employee (operator and/or control group) follow-up of items listed on computer exception reports

their effectiveness depends on the effectiveness of both the programmed control activities that produce the reports and the manual follow-up activities


user control activities to test the completeness and accuracy of computer-processed controls

1. checks of computer output against source documents, control totals, or other input to provide assurance that programmed aspects of the f/r system and control activities have operated effectively
2. reviewing computer processing logs to determine that all correct computer jobs were executed properly
3. maintaining proper procedures and communications specifying authorized recipients of output (did the right person get the output?)


**Disaster recovery and business continuity

a plan should allow the firm to:
1. minimize the extent of disruption, damage, and loss
2. establish an alternate (temporary) method for processing info
3. resume normal operations as quickly as possible
4. train and familiarize personnel to perform emergency operations

a plan should include priorities, insurance, backup approaches, specific assignments, periodic testing and updating, and documentation


backup approaches for disaster recovery and business continuity

1. batch systems
2. online databases and master file systems


backup batch systems

three forms of the file saved, 1, 2, and 3

if one is destroyed, two recovers it and so on


backup online databases and master file systems

1. checkpoint
2. rollback
3. backup facilities



checkpoint

system makes copies of the system at certain "checkpoints"

if files are destroyed, the last checkpoint saved will restore the destroyed file



rollback

as a part of recovery, to undo changes made to a database to a point at which it was functioning properly


backup facilities

1. reciprocal agreement
2. hot site
3. cold site
4. internal site
5. mirrored web server


reciprocal agreement- backup facilities

an agreement between two or more organizations to aid each other with their data processing needs in the event of a disaster (mutual aid pact)


hot site- backup facilities

a commercial disaster recovery service that allows a business to continue computer operations in the event of a computer disaster

example: if a company's data processing center becomes inoperable, that enterprise can move all processing to a hot site that has all the equipment needed to continue operation (recovery operations center, ROC)



cold site- backup facilities

similar to hot site, but the customer provides and installs the equipment needed to continue operations

less expensive, but takes longer to get into full operation after a disaster (empty shell)


internal site- backup facilities

large organizations with multiple data processing centers sometimes rely upon their own sites for backup in the event of a disaster


mirrored web server- backup facilities

an exact copy of a website, which is the best way to back up the website