Module 41: Information Technology Flashcards Preview

Flashcards in Module 41: Information Technology Deck (350):
1

information system within a business

an information system processes data and transactions to provide users with the information they need to plan, control and operate an organization, including:
1. collecting transaction and other data
2. entering it into the information system
3. processing the data
4. providing users with the information needed
5. controlling the process

2

advantage of computer systems versus manual systems

computer processing tends to reduce or eliminate processing time, and prevent computational errors and errors in processing routine transactions (when fraud is not involved)

3

General types of IT systems

1. office automation systems
2. transaction processing systems
3. management reporting systems
4. management information systems

4

Management reporting systems

designed to help with the decision making process by providing access to computer data
types:
1. management information systems
2. decision support systems
3. expert systems
4. executive information systems

5

office automation systems

designed to improve productivity by supporting the daily work of employees (e.g. word processing, spreadsheets, presentation tools, email, electronic calendars, contact management software)

6

transaction processing systems

involve the daily processing of transactions (e.g. airplane reservations systems, payroll recording, cash receipts, cash disbursements)

7

management information systems

(management reporting system) systems designed to provide past, present and future information for planning, organizing and controlling the operations of the organization

8

decision support systems

(management reporting system) computer based information systems that combine models and data to resolve non-structured problems with extensive user involvement

9

expert support systems

(management reporting system) computer systems that apply reasoning models to data in a specific relatively structured area to render advice or recommendations, much like a human expert

10

executive information systems

(management reporting system) computerized systems that are specifically designed to support executive work

11

the two distinct roles for systems

1. recording of transactions of various types
2. providing support for decision making

12

designing and implementing a new information and control system provides an opportunity to reexamine

business processes, especially if the new system is an enterprise resource planning (ERP) system, so that they become more efficient and effective

13

Systems development lifecycle (SDLC)

the traditional methodology for developing information systems

characterized by its phases, each representing a specific set of development activities:
1. planning
2. analysis
3. design
4. development
5. testing
6. implementation
7. maintenance

14

SDLC Planning Phase

1. identify the problems that proposed system will solve

2. define the system to be developed (based on strategic goals of the organization)

3. determine the project scope (what the system will do and how it will be evaluated); a project scope document is used and can be revisited and revised

4. develop a project plan- defines the activities that will be performed, and the individuals and resources that will be used; a project manager develops the plan and tracks its progress; sets project milestones

5. evaluate the initial feasibility of the project- can involve determining the project's technical, organizational, and economical feasibility

15

SDLC Analysis Phase

Involves teams including end users, information technology specialists, systems analysts, and process design specialists to understand the requirements for the proposed system

1. Typically, process, data, and logic models are produced to help determine system requirements; a needs assessment may also be performed

2. Next, an analysis is performed on the existing system along the same dimensions

3. then a gap analysis is performed to examine the differences (gaps) between the required system and the existing system

4. Finally, priorities are established for the gaps, which will be documented in a requirements definition document, which will receive sign-off from the end users

*It is during this phase that a company can take advantage of processes inherent in the new system to improve the existing process

16

A needs assessment (SDLC analysis phase)

involves determining the requirements for the system in terms of processes, data capture, information and reporting

17

Requirements definition document (SDLC analysis phase)

final document that outlines the differences between the required system and the existing system (requirements) that will receive a sign-off from end users

18

Specific specification documents contain information on basic requirements which include (SDLC analysis phase)

1. performance levels
2. reliability
3. quality
4. interfaces
5. security and privacy
6. constraints and limitations
7. functional capabilities
8. data structures and elements

19

The Design Phase (SDLC)

the primary goal of the design phase is to build a technical blueprint of how the proposed system will work

the components that are typically designed during this phase include:
1. databases
2. user interfaces for input and output
3. required reports
4. programs
5. infrastructure and controls

20

The Development Phase (SDLC)

documents from the design phase are transformed into the actual system

the platform on which the system is to operate is built, or purchased off-the-shelf and customized, and the databases are developed

21

The Testing Phase (SDLC)

involves verifying that the system works and meets the business requirements as set forth in the analysis phase

tests that should be performed:
1. unit testing
2. system testing
3. integration testing
4. user acceptance testing

22

unit testing (testing phase test)

involves testing the units or pieces of code

23

system testing (testing phase test)

involves testing the integration of the units or pieces of code into a system

24

integration testing (testing phase test)

involves testing whether the separate systems can work together

25

user acceptance testing (testing phase test)

determines whether the system meets the business requirements and enables users to perform their jobs efficiently and effectively

26

The Implementation Phase (SDLC)

involves putting the system into operation by the users; in order to effectively implement the system, detailed user documentation must be provided to the users and the users must be adequately trained

implementation methods include:
1. parallel implementation
2. plunge implementation
3. pilot implementation
4. phased implementation

27

parallel implementation (implementation phase)

uses both systems until it is determined that the new system is operating properly

this has the advantages of a full operational test of the new system with less risk of system disaster

the disadvantage is the additional work and cost during the period both systems are operating

28

plunge implementation (implementation phase)

the organization ceases using the old system and begins using the new system immediately

less costly than the parallel method but it has a higher risk of system breakdown

29

pilot implementation (implementation phase)

involves having a small group of individuals using the new system until it is seen to be working properly

has the advantage of providing a partial operational test of the new system at a lower cost than parallel implementation

30

phased implementation (implementation phase)

involves installing the system in a series of phases (e.g. GL, AR, etc)

31

The Maintenance Phase (SDLC)

involves monitoring and supporting the new system

in this phase the organization provides ongoing training, help desk resources, and a system for making authorized and tested changes to the system

32

Types of Computers

1. supercomputers
2. mainframe computers
3. servers
4. microcomputers
5. tablets/ smart phones/ personal digital assistants

33

supercomputers

extremely powerful, high speed computers used for extremely high-volume and/or complex processing needs

34

mainframe computers

large, powerful, high-speed computers; less powerful than supercomputers, but they have traditionally been used for high-volume transaction processing

clusters of low cost, less powerful "servers" are increasingly taking over the processing chores of mainframe computers

35

servers

high-powered microcomputers that "serve" applications and data to clients that are connected via a network (web servers/ database servers)

typically have greater capacity (faster processors, more RAM, more storage capability) than their clients (microcomputers) and often act as a central repository for organizational data

servers today are often configured as a "virtual machine," meaning multiple operating systems can coexist and operate simultaneously on the same machine

virtual machines are appealing because they lower hardware costs and create energy savings

36

Microcomputers

e.g. desktop computers, laptop computers

designed to be used by one person at a time (personal computers)

typically used for word processing, email, spreadsheets, surfing the web, creating and editing graphics, playing music, and gaming

37

tablets/ smart phones/ personal digital assistants

e.g. iPad, iPhone, android, blackberry

these are typically smaller, handheld wireless devices that depend on WiFi and/ or cellular technology for communications

38

Central Processing Unit (CPU)

the principal hardware components of a computer

contains:
1. arithmetic/ logical unit
2. primary memory
3. control unit

major function is to fetch stored instructions and data, decode the instructions, and carry out the instructions

39

Arithmetic/ logical unit (CPU)

performs mathematical operations and logical comparisons

40

Primary memory (CPU storage)

active data and program steps that are being processed by the CPU

it may be divided into RAM (random-access memory) and ROM (read-only memory)

application programs and data are stored in the RAM at execution time

41

Control Unit (CPU)

interprets program instructions and coordinates input, output, and storage devices

42

random (RAM)

=direct storage

43

Secondary Storage Devices

1. magnetic tape
2. magnetic discs
3. RAID (Redundant array of independent [previously, inexpensive] disks)
4. compact discs
5. solid state drives (SSDs)
6. cloud-based storage

44

magnetic tape

slowest type of storage available because data is stored sequentially

primarily used for archiving purposes today

45

magnetic disks

the most common storage medium in use on computers today

also called "hard disks" or "hard disk drives" (HDD)

data can be accessed directly

46

RAID (Redundant array of independent [previously, inexpensive] disks)

a way of storing the same data redundantly on multiple magnetic discs (back-up)

1. when originally recorded, data is written to multiple discs to decrease the likelihood of loss
2. if a disk fails, at least one of the other disks has the information and continues operation

47

compact discs

compact discs (CDs) and digital video discs (DVDs)

both are the same physical size and both use optical technology to read and write data to the disc

48

solid state drives (SSDs)

use microchips to store data and require no moving parts for read/write operations

SSDs are faster and more expensive per gigabyte than CDs, DVDs, and HDDs

SSDs are increasingly being used in place of HDDs in microcomputers, but cost and limited capacity have constrained their adoption as a primary storage device

more commonly used for auxiliary storage

SSDs that are "pluggable" are often called "thumb drives" "flash drives" or "USBs"

49

cloud based storage

also called "storage as a Service" (SaaS)

hosted offsite, typically by third parties, and is accessed via the internet

50

manner in which information is represented in a computer

1. digital
2. analog

51

digital (manner in which information is represented in a computer)

a series of binary digits (0s and 1s)

one binary digit is called a "bit"

a series of 8 bits is referred to as a "byte"

one byte can form a letter, a number, or special character (e.g. 00000111 is the binary equivalent of the decimal number 7)

52

analog (manner in which information is represented in a computer)

the representation that is produced by the fluctuations of a continuous signal (e.g. speech, temperature, weight, speed, etc.)

rather than using 0s and 1s to represent information, analog signals use electrical, mechanical, hydraulic or pneumatic devices to transmit the fluctuations in the signal itself to represent information

53

Online

equipment in direct communication with, and under the control of, the CPU

online also refers to having a connection to the Internet

54

Off-Line

equipment not in direct communication with the CPU; the operator generally must intervene to connect off-line equipment or data to the CPU (e.g. mount a magnetic tape of archival data)

Off-line also refers to the absence of an Internet connection

55

Console

a terminal used for communications between the operator and the computer (e.g. the operator of a mainframe computer)

56

peripheral equipment

all non-CPU hardware that may be placed under the control of the central processor

classified as online or off-line, this equipment consists of input, storage, output, and communications

57

controllers

hardware units designed to operate specific input-output units

58

buffer

a temporary storage unit used to hold data during computer operations

59

MIPS

millions of instructions per second; a unit for measuring the execution speed of computers

60

Input Devices

1. keying data- data entry devices
2. online entry
3. turnaround documents
4. automated source data input devices
5. electronic commerce and electronic data interchange

61

Key-to-Tape and Key-to-disk (keying data- input device)

data is entered on magnetic tape and/ or disk respectively and then read into a computer

62

visual display terminal/monitor (online entry)

uses keyboard to directly enter data into computer
1. input interface- a program that controls the display for the user (usually on a computer monitor) and that allows the user to interact with the system

2. graphical user interface (GUI)- uses icons, pictures, and menus instead of text for inputs (e.g. Windows)

3. command line interface- uses text-type commands (e.g. barcodes)

63

mouse, joystick, lightpens (online entry)

familiar devices that allow data entry

64

touch-sensitive screen (online entry)

allows users to enter data from a menu of items by touching the surface monitor

65

turnaround documents (input devices)

documents that are sent to the customer and returned as inputs (e.g. utility bills; to make payments "remittance")

66

automated source data input devices

1. magnetic tape reader
2. magnetic ink character reader (MICR)
3. scanner
4. automatic teller machine (ATM)
5. radio frequency identification (RFID)
6. point of sale (POS) recorders
7. voice recognition

67

magnetic tape reader (automated source data input devices)

a device capable of sensing information recorded as magnetic spots on magnetic tape

68

magnetic ink character reader- MICR (automated source data input devices)

device that reads characters that have been encoded with a magnetic ink (e.g. bank check readers)

69

Scanner (automated source data input devices)

a device that reads characters on printed pages

70

Automatic teller machine- ATM (automated source data input devices)

a machine used to execute and record transactions with financial institutions

71

Radio Frequency Identification- RFID (automated source data input devices)

uses radio waves to track and input data (e.g. wave card entry)

increasingly used for inventory and contactless payment systems

RFID tags can be read wirelessly by RFID readers; does not require line-of-sight access like bar code technology (e.g. Mobil's Speedpass payment system, FasTrak toll collection system)

72

Point-of-sale recorders- POS (automated source data input devices)

devices that read price and product code data (e.g. purchasing groceries)

ordinarily function as both a terminal and a cash register

allows one to record and track customer orders, process credit and debit cards, connect to other systems in a network, and manage inventory

example: a POS system for restaurants is likely to have all menu items stored in a database that can be queried for information in a number of ways

Increasingly, POS terminals are also web-enabled, which makes remote training and operation possible, as well as inventory tracking across geographically dispersed locations

73

Voice recognition (automated source data input devices)

a system that understands spoken words and transmits them into a computer

74

Electronic commerce and electronic data interchange (input device)

involves one company's computer communicating with another's computer

example: a buyer electronically sending a purchase order to a supplier

75

Output devices

1. many automated source data input devices and electronic commerce/electronic data interchange devices are capable of outputting data (writing in addition to reading) and therefore become output devices as well as input devices
2. monitors
3. printers
4. plotters- produce paper outputs of graphs
5. computer output to microfilm or microfiche (COM)- makes use of photographic process to store output

76

Systems software

1. Operating system
2. Utility programs
3. Communications software

77

Operating system (systems software)

manages the input, output, processing and storage devices and operations of a computer (Windows, Linux, Unix)

Performs scheduling, resource allocation, and data retrieval based on instructions provided in job control language

78

Utility programs (systems software)

handle common file, data manipulation and "housekeeping" tasks

79

Communications software (systems software)

controls and supports transmission between computers, between computers and monitors, and access to various databases

80

Software- computer programs that control hardware

1. systems software
2. applications software

81

Applications software

programs designed for specific uses, or "applications", such as
1. word processing, graphics, spreadsheets, email, and database systems
2. accounting software

82

Accounting software (applications software)

1. low-end: all in one package, designed for small organizations (quickbooks, peachtree, dell-tech)
2. high-end: ordinarily in modules (e.g. general ledger, receivables)
3. Enterprise resource planning (ERP): designed as relatively complete information system "suites" for large and medium size organizations (e.g. human resources, financial applications, manufacturing, distribution). Major vendors are well known- SAP, PeopleSoft, Oracle, and J.D. Edwards

83

ERP System Advantages

Integration of various portions of the information system, direct electronic communication with suppliers and customers, increased responsiveness to information requests for decision-making

i.e. it's all done for you; you have good support

84

ERP System Disadvantages

Complexity, costs, integration with supplier and customer systems may be more difficult than anticipated

**very expensive

85

Compiler (software term)

produces a machine language object program from a source program language

86

Multiprocessing (software term)

simultaneous execution of two or more tasks, usually by two or more CPUs that are part of the same system

87

Multitasking (software term)

the simultaneous processing of several jobs on a computer

88

Object program (software term)

the converted source program that was changed using a compiler to create a set of machine readable instructions that the CPU understands

89

Source program (software term)

a program written in a language from which statements are translated into machine language; computer programming has developed in "generations"

90

Source Programming "Generations"

1. machine language
2. assembly language
3. "high-level" programming languages such as COBOL, Basic, Fortran, C++, and Java
4. an "application- specific" language usually built around database systems (i.e. SQL, a structured query language)
5. a relatively new and developing form that includes visual or graphical interfaces used to create source language that is usually compiled with a 3rd or 4th generation language compiler

91

Machine language (source programming generation 1)

composed of combinations of 1's and 0's that are meaningful to the computer (binary)

92

"high-level" programming languages such as COBOL, Basic, Fortran, C++, and Java (source programming generation 3)

C++ and Java are considered object-oriented programming (OOP) languages in that they are based on the concept of an "object," which is a data structure together with a set of routines, called "methods," which operate on the data

The "objects" are efficient in that they often are reusable in other programs

Object-oriented programs keep together data structures and procedures (methods) through a procedure referred to as encapsulation.

93

assembly language (source programming generation 2)

a low-level programming language that uses words (mnemonics) instead of numbers to perform an operation.

assembly language must be translated to machine language by a utility program called an "assembler"

generally, an assembly language is specific to a computer architecture and is therefore not portable like most high-level languages

94

virtual memory (software term)

(storage) online secondary memory that is used as an extension of primary memory, thus giving the appearance of larger, virtually unlimited internal memory

95

protocol (software term)

rules determining the required format and methods for transmission of data

96

desk checking (programming term)

review of a program by the programmer for errors before the program is run and debugged on the computer

97

debug (programming term)

to find and eliminate errors in a computer program

many compilers assist debugging by listing errors in the program such as invalid commands

98

edit (programming term)

to correct input data prior to processing

99

loop (programming term)

a set of program instructions performed repetitively a predetermined number of times, or until all of a particular type of data has been processed

100

memory dump (programming term)

a listing of the contents of storage

101

patch (programming term)

a section of coding inserted into a program to correct a mistake or to alter a routine

102

run (programming term)

a complete cycle of a program including input, processing and output

103

Methods of Processing

1. batch or online real-time
2. centralized, decentralized, or distributed

104

batch processing

transactions flow through the system in groups of like transactions (batches).

Example: all cash receipts on accounts receivable for a day may be aggregated and run as a batch

ordinarily leaves a relatively easy-to-follow audit trail

*goes through edit checks and prints out errors (admin fee process)

105

online real-time processing (or direct access processing)

transactions are processed in the order in which they occur, regardless of type.

data files and programs are stored online so that updating can take place as the edited data flows to the application

system security must be in place to restrict access to programs and data to authorized persons

categorized into:
1. online transaction processing (OLTP)
2. online analytical processing (OLAP)

106

online transaction processing-OLTP (online real-time processing)

1. databases support day-to-day operations
2. example: airline reservation systems, bank automatic teller systems, internet website sales systems

107

online analytical processing- OLAP (online real-time processing)

enables the user to query the system (retrieve data), and conduct an analysis, etc.; primarily used for analytics

uses statistical and graphical tools

example: airline company downloads its OLTP reservation info into another database to allow analysis of that reservation information

108

decision support systems

computer-based info systems that combine models and data in an attempt to solve relatively unstructured problems with extensive user involvement

109

one approach to OLAP (online analytical processing) is to periodically download and combine operational databases into a

1. data warehouse: a subject-oriented, integrated collection of data used to support management decision-making processes or;

2. a data mart: a data warehouse that is limited in scope

110

data mining

using sophisticated techniques from statistics, artificial intelligence and computer graphics to explain, confirm and explore relationships among data (which is often stored in a data warehouse or data mart)

111

*Business intelligence (BI)

a combination of systems that help aggregate, access, and analyze business data and assist in the business decision-making process

112

Artificial intelligence (AI)

computer software designed to help make decisions (may be viewed as an attempt to model aspects of human thought on computers)

113

Expert system

one form of AI (artificial intelligence)

a computerized information system that guides decision processes within a well-defined area and allows decisions comparable to those of an expert

example: an expert system may be used by a credit card company to authorize credit card purchases to minimize fraud and credit losses

114

Centralized Processing

processing occurs at one location

115

Decentralized Processing

processing (and data) are stored on computers at multiple locations

may be viewed as a collection of independent databases

116

Distributed Processing

transactions for a single database are processed at various sites

processing may be either a batch or online real-time basis

117

bit

a binary digit (0 or 1) which is the smallest storage unit in a computer

118

byte

a group of adjacent bits (usually 8) that is treated as a single unit, or character, by the computer.

one byte can form a letter, a number, or a special character, or unprintable codes (those that control peripheral devices such as computers)

119

Field

a group of related characters (social security number)

120

Record

an ordered set of logically related fields

example: all payroll data (including SS number field and others) relating to a single employee

121

File

a group of related records (e.g. all the weekly pay records YTD), which is usually arranged in sequence

122

Table

a group of related records in a relational database with a unique identifier (primary key field) in each record

123

database

a group of related files or a group of related tables (if a relational database)

ordinarily stored online

124

Master file

a file containing relatively permanent information used as a source of reference and periodically updated with a detail (transaction) file (e.g. permanent payroll files- all banking information)

125

detail or transaction file

a file containing current transaction information used to update the master file (e.g. hours worked by each employee during the current period used to update the payroll master file)

127

traditional file processing systems

focus upon data processing needs of individual departments; each application program or system is set up to meet the needs of the particular requesting department or user group

128

advantages of traditional processing systems

1. currently operational for many existing systems
2. cost effective for simple applications

129

disadvantages of traditional processing systems

1. data files are dependent upon a particular application program
2. in complex systems, there is much duplication of data
3. each application must be developed individually
4. program maintenance is expensive
5. data may be difficult to share between functional areas (isolated)

130

normalization

the process of separating the database into logical tables to avoid certain kinds of updating difficulties (referred to as "anomalies")

131

database system

computer hardware and software that enables the database to be implemented

132

database management system

software that provides a facility for communications between various application programs (e.g. a payroll preparation program) and the database (e.g. master payroll file containing earnings)

*create and modify

133

data independence

basic to database systems is this concept which separates the data from the related application program

134

data modeling

identifying and organizing a database's data, both logically and physically.

data model determines what info is to be contained in a database, how the info will be used, and how the items in the database will be related to each other

135

entity-relationship modeling

an approach to data modeling

the model (called entity-relationship diagram, or ERD) divides the database into two logical parts:
1. entities (e.g. customer, product) and
2. relations (e.g. buys, pays for)

136

primary key

the fields that make a record in a relational database table unique

137

foreign key

the fields that are common to two (or more) related tables in relational database

138

REA data model

a data model designed for use in designing accounting information databases

Resources; Events; Agents

139

Data Dictionary

(data repository or data directory system)

data structure that stores meta-data

140

meta-data

definitional data that provides info about or documentation of other data managed within an application or environment

i.e. data about data elements, records and data structures (length, fields, columns)

141

structured query language (SQL)

used for creating and querying relational databases; 3 types:
1. data definition language (DDL): used to define a database (creating, altering, deleting tables and establishing various constraints)
2. data manipulation language (DML): maintain a database (updating, inserting in, modifying, and querying)
3. data control language (DCL): used to control the database (which users have various privileges)

142

database structures

1. hierarchical
2. networked
3. relational
4. object-oriented
5. object-relational
6. distributed

143

Hierarchical (database structure)

data elements at one level "own" the data elements at the next lower level

144

Networked (database structure)

each data element can have several owners and can own several other elements

145

Relational (database structure)

a database with the logical structure of a group of related spreadsheets

have largely replaced hierarchical and networked database structures

146

Object-Oriented (database structure)

information (attributes and methods) are included in structures called object classes

this is the newest database management system technology

147

Object-relational (database structure)

includes both relational and object-oriented features

148

Distributed (database structure)

a single database that is spread physically across computers in multiple locations that are connected by a data communications link

149

Database controls

1. user department
2. access controls
3. backup and recovery
4. database administrator (DBA)
5. audit software

150

User department (database control)

strict controls over who is authorized to read and/or change the database are necessary

151

Access controls (database control)

controls within the database itself; limit the user to reading and/or changing (updating) only authorized portions of the database

152

Restricting privileges (access controls)

limits the access of users to the database, as well as operations a particular user may be able to perform

read only, not write, privileges

153

Logical views (access controls)

users may be provided with authorized views of only the portions of the database for which they have a valid need

154

Backup and recovery (database control)

a database is updated on a continuous basis during the day; 3 methods of backup and recovery include:
1. backup of database and logs of transactions
2. database replication
3. backup facility

155

Database administrator (database control)

individual responsible for maintaining the database and restricting access to the database to authorized personnel

156

Audit software (database control)

usually used by auditors to test the database

157

Advantages of database systems

1. data independence: easily used by different applications
2. minimal data redundancy
3. data sharing: sharing of data
4. reduced program maintenance
5. commercial applications are available for modification to a company's needs

158

Data file structures (2)

1. traditional file processing systems
2. database systems

159

Disadvantages of database systems

1. need for specialized personnel with database expertise
2. installation of database is costly
3. conversion of traditional file systems is costly
4. comprehensive backup and recovery procedures are necessary

160

Network

a group of interconnected computers and terminals

161

Telecommunications development

the electronic transmission of info by radio, fiber optics, wire, microwave, laser, and other electromagnetic systems, which has made possible the electronic transfer of information between networks of computers

162

Networks are classified by geographical scope

1. personal area network (PAN)
2. local area networks (LAN)
3. Metropolitan area network (MAN)
4. Wide area networks (WAN)

163

Personal area network (PAN)

a computer network that is centered around an individual and the personal communication devices she uses (Bluetooth, USB)

164

Local area networks (LAN)

privately owned networks within a single building or campus of up to a few miles in size

*emphasized in AICPA materials

165

Metropolitan area network (MAN)

a larger version of LAN; might include a group of nearby offices within a city

166

Wide area networks (WAN)

Networks that span a large geographical area, often a country or continent

composed of a collection of computers and other hardware and software for running user programs

167

Networks are classified by ownership

1. Private
2. Public
3. Cloud computing/ cloud services

168

Private network ownership

one in which network resources are usually dedicated to a small number of applications or a restricted set of users, as in a corporation's network

advantages: secure, flexible, performance often exceeds that of public
disadvantages: costly

169

Public network ownership

resources are owned by third-party companies and leased to users on a usage basis (also referred to as public switched networks, PSN)

advantages and disadvantages: in general, the opposite of those for private networks, but certainly a significant disadvantage is that they are less secure

170

Cloud computing/ cloud services network ownership

the use and access of multiple server-based computational resources via digital network

applications are provided and managed by the cloud server and data is stored remotely in the cloud configurations

171

Risks of cloud computing

1. information security and privacy: users rely on the cloud provider's access controls
2. continuity of services: user problems occur if the cloud provider has service interruptions
3. migration: users may have difficulty changing cloud providers because there are no data standards

172

Networks classified by use of internet

1. internet
2. intranet
3. extranet

173

Hypertext markup language (HTML) and/or Extensible markup language (XML)

network internet classifications: data communications are ordinarily

HTML and XML: languages used to create and format documents, link documents to other web pages, and communicate between web browsers

XML is increasingly replacing HTML in internet applications due to its superior ability to tag and format documents that are communicated among trading partners

174

Extensible Business Reporting Language (XBRL)

an XML-based language being developed specifically for the automation of business information requirements, such as the preparation, sharing, and analysis of financial reports, statements, and audit schedules

175

Internet

international collection of networks made up of independently owned computers that operate as a large computing network

internetwork communication requires the use of a common set of rules, or protocols (TCP), and a shared routing system (IP)

176

Hypertext transfer protocol (HTTP)

the primary internet protocol for data communication on the World Wide Web

177

Uniform resource locator (URL)

a standard for finding a document by typing in an address (www.sldkfslkfjd.com)

178

World Wide Web

a framework for accessing linked resources spread out over the millions of machines all over the Internet

179

Web browser

client software that provides the user with the ability to locate and display web resources

180

Web servers

software that "serves" (makes available) web resources to software clients

181

Firewall

a method for protecting computers and computer information from outsiders

consists of security algorithms and router communications protocols that prevent outsiders from tapping into corporate database and email systems

182

Router

a communications interface device that connects two networks and determines the best way for data packets to move forward to their destinations

183

Bridge

a device that divides LAN (local area networks) into two segments, selectively forwarding traffic across the network boundary it defines; similar to a switch

184

Switch

a device that channels incoming data from any of multiple input ports to the specific output port that will take the data toward its intended destination

185

Gateway

a combination of hardware and software that links to different types of networks

example: gateways between email systems allow users of differing email systems to exchange messages

186

Proxy server

a server that saves and serves copies of web pages to those who request them

187

Web 2.0

2nd generation of the web

refers to era of web-based collaboration and community-generated content via web-based software tools such as:
1. blog
2. wiki
3. twitter
4. RSS/Atom feeds (Really Simple Syndication)

188

blog

an asynchronous discussion, or web log, led by a moderator that typically focuses on a single topic

189

wiki

an information-gathering and knowledge-sharing website that is developed collaboratively by a community or group, all of whom can freely add, modify or delete content

190

twitter

a micro-variation of a blog

191

RSS/Atom feeds (Really Simple Syndication)

an XML application that facilitates the sharing and syndication of website content by subscribers

192

TCP/IP (transmission control protocol/ internet protocol)

the basic communication language or protocol of the internet

two layers; one assembles messages and the other assigns IP addresses

193

IP address

the number that identifies a machine as unique on the internet

194

ISP (internet service provider)

an entity that provides access to the internet

195

Malicious programs that may adversely affect computer operations

1. virus
2. trojan horse
3. worm
4. antivirus software
5. botnet

196

virus

a program (or piece of code) that requests the computer operating system to perform certain activities not authorized by the computer user

can be transmitted by files that contain macros that are sent as an email attachment

197

macro

a stored set of instructions and functions that are organized to perform a repetitive task and can be easily activated, often by a simple key stroke combination

most macros serve valid purposes but those associated with viruses cause problems

198

trojan horse

a malicious, security-breaking program that is disguised as something benign, such as a game, but actually is intended to cause IT damage

199

worm

a program that propagates itself over a network, reproducing itself as it goes

200

antivirus software

is used to attempt to avoid viruses, trojan horses and worms but the rapid development of new viruses results in a situation in which antivirus software developers are always behind virus developers

201

botnet

a network of computers that are controlled by computer code, called a "bot", that is designed to perform a repetitive task such as sending spam, spreading a virus, or creating a distributed denial of service attack

202

Intranet

a local network, usually limited to an organization, that uses internet-based technology to communicate within the organization

203

Extranet

similar to an intranet, but includes an organization's external customers and/or suppliers in the network

204

Database client-server architecture (design)

the architecture must divide three responsibilities: (1) input, (2) processing, (3) storage

a client server model may be viewed as one in which communications ordinarily take the form of a request message from the client to the server asking for some service to be performed

a "client" may be viewed as the computer or workstation of an individual user

the server is a high-capacity computer that contains the network software and may provide a variety of services ranging from simply "serving" files to a client to performing analyses

1. overall client-server systems
2. subtypes of client/server architectures
3. distributed systems

205

Overall client-server systems (database client-server architecture)

a networked computing model (usually a LAN, local area network) in which database software on a server performs database commands sent to it from client computers

diagram on page 83

206

Subtypes of client/server architectures

1. file servers
2. database servers
3. three-tier architectures

207

File servers (subtypes of client/server architectures)

the file server manages file operations and is shared by each of the client PCs (ordinarily attached to a LAN, local area network)

the 3 responsibilities are divided in a manner in which most input/output and processing occurs on client computers rather than on the server:
1. input/output
2. processing
3. storage

the file server acts simply as a shared data storage device, with all data manipulations performed by client PCs

*two tier architecture: client tier and server database tier

208

Database servers (subtypes of client/server architectures)

similar to file servers, but the server here contains the database management system and thus performs more of the processing

*two tier architecture: client tier and server database tier

209

Three-tier architectures (subtypes of client/server architectures)

a client/server configuration that includes three tiers

the change from file and database servers is that this architecture includes an additional server layer

examples of additional servers:
1. printer server: make shared printers available to clients
2. communications server: serve a variety of tasks
3. fax server: allows network to share hardware for faxes
4. web server: stores and serves web pages on request

210

Distributed systems (database client-server architecture)

connect all company locations to form a distributed network in which each location has its own input/output, processing, and storage capabilities

211

Local area networks (LANs)

privately owned networks within a single building or campus of up to a few miles in size

212

LAN Software

allows devices to function cooperatively and share network resources such as printers and disk storage space

213

Common LAN services

1. network server
2. file server: stores programs and data files for users
3. print server
4. communications server

214

LAN hardware components

1. workstations
2. peripherals
3. transmission media
4. network interface cards

215

workstation (LAN hardware component)

ordinarily microcomputers

216

peripherals (LAN hardware component)

example: printers, network attached storage (NAS) devices, optical scanners, fax board

217

transmission media (LAN hardware component)

physical path that connect components of LAN, ordinarily twisted-pair wire, coaxial cable, or optical fiber

LANs that are connected wirelessly are called WLANS or WiFi networks

218

Network interface cards (LAN hardware component)

connect workstation and transmission media

219

LAN control implications

1. general controls are often weak (controls over development and modification of programs, access and computer operations)
2. controls often rely upon end users, who may not be control conscious (people writing passwords)
3. often users may not be provided with adequate resources for problem resolution, troubleshooting and recovery support
4. controlling access and gaining accountability through logging of transactions enforces segregation of duties
5. good management controls are essential (access codes and passwords)
6. LAN software ordinarily does not provide security features available in larger scale environments

*test of controls may address whether controls related to the above are effective

220

LANs and audit techniques

LANs generally make possible the computer audit techniques that may be performed either by internal auditors or external auditors

221

microcomputers

personal computers (PCs) and laptop computers

a small business will probably use a PC to run a commercially purchased general ledger package (off the shelf software)

segregation of duties becomes especially difficult in such an environment because one individual may perform all recordkeeping (processing) as well as maintain other nonrecordkeeping responsibilities

a larger client may use a network of PCs that may or may not be linked to a large corporate mainframe computer

222

small company microcomputer control objectives

1. security
2. verification of processing
3. personnel

223

small company microcomputer security (control objective)

security over small computers, while still important, may not be as critical as security over the data and any in-house developed software

access to the hard drive must be restricted since anyone turning on the power switch can read the data stored on files

a control problem may exist because the computer operator often understands the system and also has access to the input data --> management may need to become more involved in supervision when a lack of segregation of duties exists in data processing

224

small company microcomputer verification of processing (control objective)

periodically, an independent verification of applications being processed on the small computer system should be made to prevent the system from being used for personal projects

verification also helps prevent errors in internally developed software from going undetected

225

small company microcomputer personnel (control objective)

centralized authorization to purchase hardware and software should be required to ensure that appropriate purchasing decisions are made, including decisions that minimize software and hardware compatibility difficulties

software piracy and viruses may be controlled by prohibiting the loading of unauthorized software and data on company-owned computers

226

a small company may control possible software piracy (the use of unlicensed software) by employees by procedures such as...

1. establishing a corporate software policy
2. maintaining a log of all software purchases
3. auditing individual computers to identify installed software

227

End-User Computing (EUC)

the end user is responsible for the development and execution of the computer application that generates the information used by that same end user

user substantially eliminates many of the services offered by an MIS (management information system) department

overall physical access controls become more difficult when companies leave a controlled MIS environment and become more dependent upon individual users for controls

228

End-User Computing (EUC) risks

1. end-user applications are not always adequately tested before implemented
2. more client personnel need to understand control concepts
3. management often does not review the results of applications appropriately
4. old or existing applications may not be updated for current applicability and accuracy

229

End-user computing (EUC) control implications

1. require applications to be adequately tested before they are implemented
2. require adequate documentation
3. physical access controls
4. control access to appropriate users
5. control use of incorrect versions of data files (use control totals for batch processing of uploaded data)
6. require backup files
7. provide applications controls (edit checks, range tests, reasonableness checks)
8. support programmed or user reconciliations to provide assurance that processing is correct

230

Physical EUC (end-user computing) controls

1. clamps or chains to prevent removal of hard disks or internal boards
2. diskless workstations that require downloaded files
3. regular backup
4. security software to limit access to those who know user ID and password
5. control over access from outside
6. commitment to security matters written into job descriptions, employee contracts, and personnel evaluation procedures

231

EUC control access to appropriate users

1. passwords and user IDs
2. menus for EUC access to database
3. protect system by restricting user ability to load data
4. when user uploads data, require appropriate validation, authorization, and reporting control
5. independent review of transactions
6. record access to company databases by EUC applications

232

the controls for microcomputers and EUC are

similar

233

Electronic commerce

involves individuals and organizations engaging in a variety of electronic transactions with computers and telecommunication networks (internet or telephone)

234

Electronic commerce IT system risks (5)

1. security
2. availability
3. processing integrity
4. online privacy
5. confidentiality

some believe these risks are impairing the growth of the web

235

WebTrust Seal of Assurance

developed by the AICPA and the Canadian Institute of Chartered Accountants

a form of assurance that tells potential customers that the firm has evaluated a website's business practices and controls to determine whether they are in conformity with WebTrust principles

236

Digital Certificates (Digital IDs)

allows an individual to digitally sign a message so the recipient knows that it actually came from that individual and wasn't modified

237

Encryption

the conversion of data into a form called cipher text, that cannot be easily understood by unauthorized people

238

Decryption

the process of converting encrypted data back into its original form so it can be understood

the conversion is performed using an algorithm and key which only the users control

239

Algorithm

a detailed sequence of actions to perform to accomplish some task

240

Key (encryption)

in the context of encryption, a value that must be fed into the algorithm used to decode an encrypted message in order to reproduce the original plain text

241

Private key system

an encryption system in which both the sender and receiver have access to the electronic key, but do not allow others access

disadvantage: both parties must have the key

242

system overhead (encryption)

the machine instructions necessary to encrypt and decrypt data constitute system overhead, which slows down the rate of processing

243

to assure continuity in the event of a natural disaster, firms should establish...

off-site mirrored Web servers

244

Electronic funds transfer (EFT)

making cash payments between two or more organizations or individuals electronically rather than by using checks (or cash)

245

EFT risk

EFT (electronic funds transfer) systems are vulnerable to the risk of unauthorized access to proprietary data and to the risk of fraudulent fund transfers

246

EFT controls

1. control of physical access to network facilities
2. electronic ID should be required
3. passwords should control access
4. encryption should be used to secure stored data and data being transmitted

247

Electronic Data Interchange (EDI)

the electronic exchange of business transactions, in a standard format, from one entity's computer to another's through an electronic communications network

248

EDI (electronic data interchange) risks

1. commonly used for sales and purchasing, and related accounts; the speed at which transactions occur often reduces receivables due to electronic processing of receipts
2. preventive controls, instead of detective controls, are usually used
3. no paper trail; some electronic copies are only kept for a certain period of time, which affects audits

249

Methods of communications between trading partners

1. point-to-point
2. value-added network (VAN)
3. public networks
4. proprietary networks

250

Point-to-Point communication between trading partners

a direct computer to computer private network link

automakers and governments traditionally use this method

251

point to point communication advantages

1. no reliance on third parties for computer processing
2. organization controls who has access to the network
3. organization can enforce proprietary (its own) software standard in dealings with all trading partners
4. timeliness of delivery may be improved since no third party is involved

252

point to point communication disadvantages

1. must establish connection with each trading partner
2. high initial cost
3. computer scheduling issues
4. need for common protocols between partners
5. need for hardware and software compatibility

253

Value-added network (VAN) communication between trading partners

a privately owned network that routes the EDI (electronic data interchanges) transactions between trading partners and in many cases provides translation, storage, and other processing

it alleviates problems related to interorganizational communication that results from the use of differing hardware and software

a VAN receives data from sender, determines intended recipient, and places data in the recipient's electronic mailbox

254

VAN (value-added network) communication advantages

1. reduces communication and data protocol problems since VANs can deal with differing protocols (eliminating need for trading partners to agree on them)
2. partners do not have to establish the numerous point-to-point connections
3. reduces scheduling problems since receiver can request delivery of transactions when it wishes
4. VAN translates application to a standard format the partner does not have to reformat
5. VAN can provide increased security

255

VAN (value-added network) communication disadvantages

1. cost (expensive)
2. dependence upon VAN's systems and controls
3. possible loss of data confidentiality

256

Public networks (communication between trading partners)

example: the internet-based commerce solutions described earlier (EFT, EDI)

257

public network communication advantages

1. avoids cost of proprietary lines
2. avoids cost of VAN
3. directly communicates transactions to trading partners
4. software is being developed which allows communication between differing systems

258

public network communication disadvantages

1. possible loss of data confidentiality
2. computer or transmission disruption
3. hackers and viruses
4. attempted electronic frauds

259

proprietary networks (communication between trading partners)

in some circumstances (health care, banking) organizations have developed their own network for their own transactions

costly to develop and operate (because of proprietary lines) although they are often extremely reliable

260

Controls required for other network systems are required for EDI systems

controls:

1. authentication: controls over the origin, proper submission, and proper delivery of EDI communications (have proof of this)
2. packets: a block of data that is transmitted from one computer to another (contains data and authentication info)
3. encryption: conversion of plain text into cipher text data using an algorithm and key which only the users control

261

Benefits of EDI

1. quick response and access to info
2. cost efficiency
3. reduced paperwork
4. accuracy and reduced errors and error-correction costs
5. better communications and customer service
6. necessary to remain competitive

262

Exposures of EDI

1. total dependence upon computer system for operation
2. possible loss of confidentiality of sensitive info
3. increased opportunity for unauthorized transactions and fraud
4. concentration of control among a few people involved in EDI
5. reliance on third parties (trading partners, VAN)
6. data processing, application and communication errors
7. potential legal liability due to errors
8. potential loss of audit trails and information needed by management due to limited retention policies
9. reliance on trading partner's system

263

Telecommunications

the electronic transmission of info by radio, wire, fiber optic, coaxial cable, microwave, laser, or other electromagnetic system

information transmitted: voice, data, video, fax, other

264

Telecommunications hardware

1. computers
2. transmission facilities (copper wire, fiber optic cables, microwave stations, communications satellites)
3. modems

265

Software does what?

controls and monitors the hardware, formats information, adds appropriate control info, performs switching operations, provides security, and supports the management of communications

266

Telecommunications enables the following technologies:

aka if we did not have telecommunications, we would not have:

1. EDI (electronic data interchanges)
2. EFT (electronic funds transfers)
3. point of sale (POS) system
4. commercial databases
5. airline reservation systems

267

controls needed for telecommunications:

1. system integrity at remote sites
2. data entry
3. central computer security
4. dial-in security
5. transmission accuracy and completeness
6. physical security over telecommunications facilities
7. encryption during transmissions

268

Computer service organizations (bureaus, centers)

these orgs record and process data for companies

269

COBIT 5** (Control Objectives for Information and Related Technology)

a framework developed by the Information Systems Audit and Control Association to assist enterprises in achieving their objectives for governance and management of enterprise IT

it is business-oriented in that it provides a systematic way of integrating IT with business strategy and governance

270

COBIT 5 Principles**

1. meeting shareholders' needs
2. covering the enterprise end-to-end
3. applying a single integrated framework
4. enabling a holistic approach
5. separating governance from management

271

COBIT 5 Enablers**

factors that individually and collectively influence whether something will work in an organization

1. processes (an organized set of practices and activities to achieve certain objectives)
2. organizational structures (the key decision-making entities in an organization)
3. culture, ethics, and behavior of individuals and the org
4. principles, policies and frameworks (the vehicle to translate the desired behavior into guidance for day-to-day management)
5. information produced and used by the enterprise
6. services, infrastructure, and applications (the infrastructure, technology, and applications that provide the enterprise with information technology processing and services)
7. people, skills, and competencies required for successful completion of all activities and for making correct decisions

272

processes (COBIT enabler)

an organized set of practices and activities to achieve certain objectives

273

organizational structures (COBIT enabler)

the key decision-making entities in an organization

274

principles, policies and frameworks (COBIT enabler)

the vehicle to translate the desired behavior into guidance for day-to-day management

275

services, infrastructure, and applications (COBIT enabler)

the infrastructure, technology, and applications that provide the enterprise with information technology processing and services

276

Principles of a reliable system

a reliable system is one that is capable of operating without material error, fault, or failure during a specified period in a specified environment

5 AICPA Trust Services principles of a reliable system:
1. security
2. availability
3. processing integrity
4. online privacy
5. confidentiality

277

Security (reliability principle)

the system is protected against unauthorized access (physical and logical)

lock doors and prevent access to data

278

Availability (reliability principle)

the system is available for operation and use as committed or agreed

the system is available for operation and use in conformity with the entity's availability policies

system failure results in interruption of business operations and loss of data

279

Processing integrity (reliability principle)

system processing is complete, accurate, timely, and authorized

invalid, incomplete or inaccurate processing can affect input data, data processing, updating of master files, and creation of output

280

Online privacy (reliability principle)

personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed

risks include disclosure of customer info such as SS #s, CC #s, credit rating, and medical conditions

281

Confidentiality (reliability principle)

information designated as confidential is protected as committed or agreed

examples of confidential data that might be disclosed:
transaction details
engineering details of products
business plans
banking info
legal documents
inventory/ other account info
customer lists
confidential details of operations

282

Segregation controls (org structure)

segregate functions between information systems department and user departments

do not allow information systems department to initiate or authorize transactions

at a minimum, segregate:
1. programming
2. data entry
3. operations
4. library function within the information systems department

283

user departments

are the other departments of the company that utilize the data prepared by the information systems department

284

Systems analysis (information systems department)

systems development manager

the system analyst analyzes the present user environment and requirements and may:
1. recommend specific changes
2. recommend the purchase of a new system
3. design a new information system

285

Systems programming (information systems department)

responsible for implementing, modifying, and debugging the software necessary for making the hardware work

286

Applications programming (information systems department)

responsible for writing, testing and debugging the application programs from specifications provided by the systems analyst

287

Database administration (information systems department)

responsible for maintaining the database and restricting access to the database to authorized personnel

288

Data preparation (information systems department)

data may be prepared by user departments and input by key to storage devices

289

Operations (information systems department)

the operator is responsible for the daily computer operations of both the hardware and the software

supervises operations on the operator's console, accepts any required input, and distributes any generated output

operator should have adequate documentation to run the program (a run manual), but should not have detailed program info

*help desks are usually a responsibility of the operators because of the operational nature of their functions (ex. assisting users with systems problems and obtaining technical support)

290

Data library (information systems department)

librarian is responsible for custody of the removable media (i.e. magnetic tape or disks) and for the maintenance of program and system documentation

in many systems the library function is maintained and performed electronically by the computer

291

Data control (information systems department)

the control group acts as a liaison between users and the processing center

this group records input data in a control log, follows the progress of processing, distributes output, and ensures compliance with control totals

*ideally, in a large system, the above key functions are segregated, but in a smaller company many are concentrated in a small number of employees

***at a minimum an attempt should be made to segregate programming, operating, and library functions

292

Information and Communication (IT)

the computerized accounting system is affected by whether the company uses small computers and/or a complex mainframe system

Small systems can use off the shelf software:
1. controls within the software may be well known
2. analysis of exception reports generated during processing is important to determine that exceptions are properly handled

for complex mainframe systems, software is usually developed internally:
1. controls are unknown to the auditor prior to testing
2. analysis of exception reports is important

293

Monitoring (IT)

a common method for monitoring for inappropriate access is review of the system-access log (who has access)

IT can also facilitate monitoring: continuously evaluate data/transactions and capture samples of items

294

Control Activities-overall (IT)

control activities in which a computer is involved may be segregated into:
1. computer general control activities
2. application control activities
3. programmed application controls
4. manual follow-up of computer exception reports
5. user control activities to test the completeness and accuracy of computer processed controls

295

Computer general control activities

control program development, program changes, computer operations, and access to programs and data

296

Computer application control activities

programmed control activities: relate to specific computer applications and are embedded in the computer program

manual follow-up of computer exception reports: involves employee follow-up of items listed on the computer exception reports

297

user control activities to test the completeness and accuracy of computer processed transactions

represent manual checks of computer output against source document or other input, and thus provide assurance that programmed aspects of the accounting system and control activities have operated effectively

298

computer general control activities

1. developing new programs and systems
2. changing existing programs and systems
3. controlling access to programs and data
4. controlling computer operations

299

segregation controls (developing new programs and systems-general computer control activities)

1. user departments participate in systems design
2. both users and information systems personnel test new systems
3. management, users, and information systems personnel approve new systems before they are placed into operation
4. all master and transaction file conversion should be controlled to prevent unauthorized changes and to verify the accuracy of the results
5. programs and systems should be properly documented

300

computer hardware is extremely reliable because

of chip technology and controls built into the hardware

controls include:
1. parity check
2. echo check
3. diagnostic routines
4. boundary protection
5. periodic maintenance

301

parity check

a special bit is added to each character so that it can be detected if the hardware loses a bit during the internal movement of a character

302

echo check

primarily used in telecommunications transmissions

during the sending and receiving of characters, the receiving hardware repeats back to the sending hardware what it received and the sending hardware automatically resends any characters that were received incorrectly

303

diagnostic routines

hardware or software supplied by the manufacturer to check the internal operations and devices within the computer system

304

boundary protection

most CPUs have multiple jobs running simultaneously (multiprogramming environment)

boundary controls do not allow one job to change the allocated memory of another job

305

periodic maintenance

the system should be examined periodically (often weekly) by a qualified service technician

306

documentation

systems and programs should be adequately documented

system specification documents should detail such matters as performance levels, reliability, security and privacy, constraints and limitations, functional capabilities, and data structure elements

307

changing existing programs and systems

should be documented in a change request log

308

change control procedures (modification controls)

1. information systems manager should review all changes
2. modified program should be appropriately tested
3. details of all changes should be documented
4. a code comparison program may be used to compare source and/or object codes of a controlled copy of a program with the program currently being used to process data (will identify unauthorized changes)

309

segregation controls (controlling access to programs and data- general computer control activity)

1. access to program documentation should be limited to those who require it in the performance of their duties
2. access to data files and programs should be limited to those authorized to process data
3. access to computer hardware should be limited to authorized individuals (computer operators and their supervisors)

310

limited physical access to computer facility

the physical facility that houses the computer equipment, files, and documentation should have controls to limit access only to authorized individuals

controls: guard, key card, manual key locks, fingerprint and palmprint access granting devices

311

visitor entry log (access to computer facility)

use visitor logs to document those who have had access to the area

312

access control software

(user identification)

the most used control is a combination of a unique identification code and a confidential password

313

call back (hardware and software access controls)

a specialized form of user ID in which the user dials the system, identifies themselves, and is disconnected from the system

then, either manually or by computer, the authorized phone number is found and the user is called back

314

encryption as access control

data is coded when stored in computer files and/or before transmission to or from remote locations

protects data since unauthorized users not only have to obtain data, they also have to decode it

315

segregation of controls to control computer operations

1. operators should have access to an operations manual that contains the instructions for processing programs and solving routine operational program issues, but not detailed program documentation
2. the control group should monitor the operators' activities, and jobs should be scheduled

316

other controls for controlling computer operations

1. backup recovery
2. contingency processing
3. internal and external labels

317

contingency processing (as a form of controlling computer operations)

detailed contingency processing plans should be developed to prepare for system failures

the plan should specify the responsibilities of individuals, as well as the alternate processing sites that should be utilized

318

internal and external labels (controlling computer operations)

external labels are gummed-paper labels attached to storage media which identify the file

internal labels perform the same function through the use of machine readable information in the first record of the file

use of labels allows the computer operator to determine whether the correct file has been selected for processing (file protection ring makes it read only)

319

programmed application controls

apply to a specific application

operate to assure the proper input and processing of data

320

overall programmed application controls

1. inputs should be authorized and approved
2. system should verify all significant data fields used to record info
3. conversion of data into machine-readable form should be controlled and verified for accuracy

321

input validation (edit) controls

1. preprinted form
2. check digit
3. control, batch, or proof total
4. hash total
5. record count
6. limit (reasonable) test
7. menu driven input
8. field check
9. validity check
10. missing data check
11. field size check
12. logic check
13. redundant data check
14. closed-loop verification

322

preprinted form

info is pre-assigned a place and a format on the input form

323

check digit

an extra digit added to an ID number to detect certain types of data transmission errors

324

control, batch, proof total

a total of one numerical field for all the records of a batch that would normally be added (total sales dollars)

325

hash total

a control total where the total is meaningless for financial purposes

326

record count

a control total of the number of records processed

327

limit (reasonable) test

test of the reasonableness of a field of data, given a predetermined upper and/or lower limit

example: limit for auditing scores would be 100

328

menu driven input

what score did you get on the auditing section of the CPA exam? 75-100?

you must enter a number between 75 and 100

329

field check

control that limits the types of characters accepted into a specific data field

ex. pay rate should only include numerical data

330

validity check

a control that allows only "valid" transactions or data to be entered into the system (female is 1 and male is 2; anything else would not be valid)

331

missing data check

a control that searches for blanks inappropriately existing in input data (required fields in a form online)

332

field size check

a control of an exact number of characters to be input (EIN has to be 9 digits)

333

logic check

ensures that illogical combinations of input are not accepted

334

redundant data check

uses two identifiers in each transaction record to confirm that the correct master file record is being updated (duplicate profile entries: it notifies me when it's already in the system)

335

closed loop verification

a control that allows data entry personnel to check the accuracy of input data

336

processing application controls

when the input has been accepted by the computer, it usually is processed through multiple steps

337

application controls- manual follow-up of computer exception reports

these controls involve employee (operator and/ or control group) follow-up of items listed on computer exception reports

their effectiveness depends on the effectiveness of both the programmed control activities that produce the reports and the manual follow-up activities

338

user control activities to test the completeness and accuracy of computer-processed controls

1. checks of computer output against source documents, control totals, or other input to provide assurance that programmed aspects of the financial reporting system and control activities have operated effectively
2. reviewing computer processing logs to determine that all correct computer jobs were executed properly
3. maintaining proper procedures and communications specifying authorized recipients of output (did the right person get the output?)

339

**Disaster recovery and business continuity

a plan should allow the firm to:
1. minimize the extent of disruption, damage, and loss
2. establish an alternate (temporary) method for processing info
3. resume normal operations as quickly as possible
4. train and familiarize personnel to perform emergency operations

a plan should include priorities, insurance, backup approaches, specific assignments, periodic testing and updating, and documentation

340

backup approaches for disaster recovery and business continuity

1. batch systems
2. online databases and master file systems

341

backup batch systems

three generations of the file are saved: 1, 2, and 3

if one is destroyed, the next one recovers it, and so on

342

backup online databases and master file systems

1. checkpoint
2. rollback
3. backup facilities

343

checkpoint

system makes copies of the system at certain "checkpoints"

if files are destroyed, the last checkpoint saved will restore the destroyed file

344

rollback

as a part of recovery, undoing changes made to a database back to a point at which it was functioning properly

345

backup facilities

1. reciprocal agreement
2. hot site
3. cold site
4. internal site
5. mirrored web server

346

reciprocal agreement- backup facilities

an agreement between two or more organizations to aid each other with their data processing needs in the event of a disaster (mutual aid pact)

347

hot site- backup facilities

a commercial disaster recovery service that allows a business to continue computer operations in the event of a computer disaster

example: if a company's data processing center becomes inoperable, that enterprise can move all processing to a hot site that has all the equipment needed to continue operation (recovery operations center, ROC)

costly

348

cold site-backup facilities

similar to hot site, but the customer provides and installs the equipment needed to continue operations

less expensive, but takes longer to get into full operation after a disaster (empty shell)

349

internal site- backup facilities

large organizations with multiple data processing centers sometimes rely upon their own sites for backup in the event of a disaster

350

mirrored web server- backup facilities

an exact copy of a website, which is the best way to back up the website