Section 4A&E Flashcards
(43 cards)
Ensuring system reliability is a top management issue. To successfully implement systems reliability principles, management must do all of the following except:
design and employ appropriate and cost-beneficial control procedures to implement the policies.
develop and document a comprehensive set of control policies at the same time that specific control procedures are designed and implemented.
effectively communicate policies to all employees, customers, suppliers, and other authorized users.
monitor the system and take corrective action to maintain compliance with policies.
develop and document a comprehensive set of control policies at the same time that specific control procedures are designed and implemented.
To successfully implement systems reliability principles, a company must develop and document a comprehensive set of control policies before (not at the same time as) designing and implementing specific control procedures; effectively communicate policies to all employees, customers, suppliers, and other authorized users; design and employ appropriate and cost-beneficial control procedures to implement the policies; and monitor the system and take corrective action to maintain compliance with policies.
To successfully implement systems reliability principles, a company must:
- Develop and document a comprehensive set of ___ policies before designing and implementing control procedures
- Effectively ___ policies to all employees, customers, suppliers, authorized users.
- ___ appropriate and cost-beneficial control procedures to implement the policies
- Monitor the system and take ___ to maintain compliance w/ policies
RANDOM
To ensure system ___, companies must implement a set of preventive controls and supplement them with methods for detecting incidents and procedures for taking corrective remedial action.
A company must also employ multiple layers of controls so that if one control fails or is ___, another control will prevent, detect, or correct the reliability breakdown.
Control policies
communicate
Design and employ
corrective action
Reliability
circumvented
Which of the following statements is correct regarding information technology (IT) governance?
A primary goal of IT governance is to balance risk versus return over IT and its processes.
IT governance is an appropriate issue for organizations at the level of the board of directors only.
IT goals should be independent of strategic goals.
IT governance requires that the Control Objectives for Information and Related Technology (COBIT) framework be adopted and implemented.
A primary goal of IT governance is to balance risk versus return over IT and its processes.
By devising appropriate strategies (i.e., balancing risk versus reward) and making decisions on allocating its resources (e.g., staff and capital) to pursue those strategies, an organization’s IT governance can help ensure that the entity’s overall goals will be achieved.
RANDOM
One of management’s major responsibilities is to make sure a company’s information resources are secure and adequately controlled. T/F
True
The following five principles have been developed by the AICPA and CICA (Canadian Institute of Chartered Accountants) for use by practitioners in the performance of Trust Services engagements:
Security – system is protected against ___ physical and logical access
Availability - system is available for operation and use as agreed
Process Integrity - System processing is complete/accurate/timely/authorized
Confidentiality - Info. designated as confidential is protected as committed
Privacy - Personal info. is used in conformity w/ the commitments
Unauthorized
True to all
___is an organization’s formal process of defining its future course or direction.
Strategic planning
Companies can minimize IT control and security risks by taking proactive steps such as the following:
Hiring full-time ___
Making control problems and solutions a major part of _
Establishing formal __policies and enforcing them
Building controls into systems during the __rather than adding them after the fact
Establishing a __) which requires periodic backup of all data (not only sensitive data) to a safe and secure environment
security and control staff
employee training
information security
initial design stage
business continuity plan (i.e., disaster recovery
The accuracy, control, and efficiency of data input are improved by
- Using well designed ___documents
- __related data together
- Using good shading/borders to __data
- Using _source documents
- Providing __about data collected
- Using check-off boxes to present __
- Using ___turnaround documents
- Using source data automation devices (ATM/Bank Magnetic Ink, POS Scanners, Barcode Scanners) T/F
source
Grouping
separate
prenumbered
instructions
avail options
machine-readable
True
Because an organization makes heavy use of client/server architecture, end users have much of its critical and sensitive information on their personal computers (PCs) and departmental file servers. The chief financial officer has asked the auditors for input for developing an end-user computing policy. The policy requires a long-range, end-user computing plan. Which of the following documents should most strongly influence the development of this plan?
The multi-year audit plan
The information security policy
The systems development methodology
The organization’s strategic operational plan
The organization’s strategic operational plan
Strategic goals outline how the organization will use information systems to create a competitive advantage, and the strategic operational plan is, therefore, one of the most important influences on the development of the end-user computing strategic plan.
An ___is part of the strategic plan and describes short-term methods of achieving milestones
operational plan
During a post-implementation review of an accounting information system (AIS), a CPA learned that an AIS with few customized features had been budgeted and scheduled to be installed over 9 months for $3 million (including hardware, software, and consulting fees). An in-house programmer was assigned as the project manager and had difficulty keeping the project on schedule. The implementation took 18 months, and actual costs were 30% over budget. Many features were added to the system on an ad-hoc basis, with the project manager’s authorization. The end users are very satisfied with the new system. The steering committee, however, is dissatisfied about the scope creep and would like a recommendation to consider before approving initiation of another large project. Based on those findings, the CPA should recommend implementing a:
change control system.
contract management system.
budgeting system.
project timekeeping system.
change control system.
Change control is the process of requesting a change, reviewing the effectiveness of the change, approving the change, and implementing the change
Change control procedures include the following:
Approval of the change by the ___; assign a __
The project leader ensures all required ___and authorities have been received for a given change.
Establish and assign ___and tasks for individuals involved in the project.
All personnel involved in the project vote to adhere to the assigned work. T/F
Test, approve, and implement the change. T/F
change control board, project leader.
project leader.
schedules
FALSE - they MUST adhere to the assigned work
true
In a large organization, the biggest risk in not having an adequately staffed information center help desk is:
increased difficulty in performing application audits.
inadequate documentation for application systems.
increased likelihood of use of unauthorized program code.
persistent errors in user interaction with systems.
persistent errors in user interaction with systems.
Information output is presented in three forms:
Document
Report
Queries
Information output is presented in three forms: Document, Report, Queries
DOCUMENTS are records/transactions of company data
- They can be printed/stored electronically T/F
- Some are meant for 3rd parties and others internally T/F
- Source doc are the beginning of a process
- ___ documents are generated at the END of a transaction processing activity
REPORTS are prepped both externally and internally
- Employees use reports to control __ activities
- Managers use reports to ___ and develop ___
- External parties use reports to comply with ___
QUERIES
- Arise from problems & questions that need rapid __
- Queries find the info, retrieve it, and display as req.
- Users can have ___queries T/F
Companies are not allowed to let suppliers query their databases so the suppliers can better meet their needs
T
T
T
Operational
Operational
make decisions and develop biz strategies
laws and regulations
Action/answers
True
Predetermined
False - They are allowed
Which of the following represents the procedure managers use to identify whether the company has information that unauthorized individuals want, how these individuals could obtain the information, the value of the information, and the probability of unauthorized access occurring?
Disaster recovery plan assessment
Systems assessment
Risk assessment
Test of controls
Risk Assessment
A risk assessment is the process by which management would get the information necessary to resolve the question of attractiveness of the information and the desire of unauthorized individuals to attempt access to it.
What should be examined to determine if an information system is operating according to prescribed procedures?
System capacity
System control
System complexity
Accessibility to system information
System Control
The system controls should be examined because they represent a device or set of devices to manage, command, direct, or regulate other devices or systems and thus would provide the information necessary to determine how an information system is operating with respect to its prescribed procedures.
Organizations face several IT strategic planning and budgeting threats related to information technology. These threats include all of the following, except:
T/F
the information system does not support business objectives or strategies.
IT resources are not used efficiently or effectively.
information needs are not met or are unaffordable.
the IT’s hot site is not adequately staffed.
True
True
true
FALSE
STRATEGIC PLANNING AND BUDGETING
Organizations face several strategic planning and budgeting threats related to information technology:
The information system does not support __
Resources are not used __.
Information needs are not met or are __
Controls to mitigate these threats
- ___strategic plan
- Establish _to assess how emerging tech impacts biz
- ___resources to support strategic plan
business strategies.
efficiently or effectively
unaffordable
Multiyear
R&D
Budget
The Assurance Services Executive Committee of the AICPA has introduced Trust Services, including SysTrust and WebTrust, which are defined as a set of attestation and advisory services based on a core set of principles and criteria that address the risks of IT-enabled systems and programs. Which of the following is not one of those core principles?
Security
Efficient communication
Availability
Processing integrity
Communication
DEVELOP A RELIABLE SYSTEM PLAN
- ___responsibility
- ___and update plan regularly
- Make ___w/ responsibilities aware of plan
- Req all new and exist employees to follow ___
- Determine ___ for info. resources
- Develop ____to train employees
- Document ___problems and analyze them
- Identify legal ___
- Log ___requested by users
- Assess system reliability ___
Assign
Review
All personnel
Security Procedures
Ownership
Security awareness program
Reliability
Requirements
Changes
risks
One reason some organizations cannot ensure IT system reliability is that IT governance failed to plan for this objective. Which of the following is not a step that an organization’s IT governance should implement?
Assign plan responsibility and accountability to a top-level IT manager
Require lower-level and new employees to follow all security procedures
Develop a security awareness program and use it to train employees
Determine ownership, custody, access, and maintenance responsibility for information resources
Require lower-level and new employees to follow all security procedures
A problem related to computer-based information systems in organizations is that end-users require technical support and assistance in the development of their own computer applications.
The best solution to this problem would be:
communication protocol.
database management system.
information center and help desk.
modem.
Info center and help desk