STUDY UNIT FOURTEEN IT SECURITY AND CONTROLS Flashcards
Information technology cannot be viewed as a function distinct from other enterprise activities.
True. False.
True.
Your answer is correct.
COBIT 5 takes a comprehensive view of all of the enterprise’s functions and processes. Information technology pervades them all; it cannot be viewed as a function distinct from other enterprise activities.
Output controls are performed at the end of processing to ensure that most of the transactions the user expected to be processed were actually processed.
True.
False
False.
Your answer is correct.
Output controls are performed at the end of processing to ensure that all of the transactions the user expected to be processed were actually processed.
Systems programmers maintain and fine-tune the operating systems on the organization’s medium- and large-scale computers.
True.
False.
True.
Your answer is correct.
Systems programmers maintain and fine-tune the operating systems on the organization’s medium- and large-scale computers. The operating system is the core software that performs three of a computer’s four basic tasks, namely, input, output, and storage.
Able Co. uses an online sales order processing system to process its sales transactions. Able’s sales data are electronically sorted and subjected to edit checks. A direct output of the edit checks most likely would be a
A List of all voided shipping documents.
B Printout of all user code numbers and passwords.
C Report of all missing sales invoices.
D File of all rejected sales transactions.
D File of all rejected sales transactions.
This answer is correct.
Edit checks are applied to transactions to test for completeness, reasonableness, validity, and other related issues prior to acceptance. Rejected transactions should be recorded in a file for evaluation, correction, and resubmission.
What is the primary objective of data security controls?
A To formalize standards, rules, and procedures to ensure the organization’s controls are properly executed.
B To ensure that storage media are subject to authorization prior to access, change, or destruction.
C To establish a framework for controlling the design, security, and use of computer programs throughout an organization.
D To monitor the use of system software to prevent unauthorized access to system software and computer programs.
B To ensure that storage media are subject to authorization prior to access, change, or destruction.
This answer is correct.
The primary objective of data security is to protect data. This includes ensuring that storage media are subject to authorization prior to access, change, or destruction.
Which of the following control activities should be taken to reduce the risk of incorrect processing in a newly installed computerized accounting system?
A Adequately safeguard assets.
B Independently verify the transactions.
C Ensure proper authorization of transactions.
D Segregation of duties.
B Independently verify the transactions.
This answer is correct.
Independent verification is an important compensating control in the absence of segregation of duties and reduced individual authorization of transactions. A third party performs the verification to ensure that the transactions were appropriately processed.
A small client recently put its cash disbursements system on a server. About which of the following internal control features would an auditor most likely be concerned?
A Only one employee has the password to gain access to the cash disbursement system.
B The server is operated by employees who have cash custody responsibilities.
C There are restrictions on the amount of data that can be stored and on the length of time that data can be stored.
D Programming of the applications is in BASIC, although C++ is a more up-to-date, flexible programming language.
B The server is operated by employees who have cash custody responsibilities.
This answer is correct.
Segregation of duties is a basic category of control activities. Functions are incompatible if a person is in a position both to perpetrate and conceal fraud or errors. Hence, the duties of authorizing transactions, recording transactions, and custody of assets should be assigned to different people. Those employees that operate the server may be able to override the controls to change records to conceal a theft of cash.
The fixed assets and related depreciation of a company are currently tracked on a password-protected spreadsheet. The information technology governance committee is designing a new enterprise-wide system and needs to determine whether the current fixed asset process should be included because the current system seems to be working properly. What long-term solution should the committee recommend?
A Purchasing a stand-alone fixed asset program for managing the assets and related depreciation.
B Continuing to use the current spreadsheet process because there have been no issues in this area.
C Adopting the fixed-asset module of the new system for integration.
D Developing a new fixed-asset system to manage the assets and related depreciation.
C Adopting the fixed-asset module of the new system for integration. This answer is correct. Adopting a fully integrated fixed-asset module for the new system is the best long-term solution.
Which of the following areas of responsibility are normally assigned to a systems programmer in a computer system environment?
A Data communications hardware and software.
B Computer operations.
C Systems analysis and applications programming.
D Operating systems and compilers.
D Operating systems and compilers.
This answer is correct.
Systems programmers write systems software. Systems software is usually purchased from vendors in machine or assembly language. It is necessary to facilitate the processing of application programs by the computer. It performs the fundamental tasks needed to manage computer resources, such as language translation, monitoring of data communications, job instruction, control of input and output, file management, data sorting, and access control. For example, the operating system mediates between the application programs and the computer hardware, and procedural languages may be translated into executable code (machine language) by compilers.
Which of the following risks can be minimized by requiring all employees accessing the information system to use passwords?
A Data entry errors.
B Collusion.
C Failure of server duplicating function.
D Firewall vulnerability
D Firewall vulnerability
This answer is correct.
A firewall separates an internal network from an external network (e.g., the Internet) and prevents passage of specific types of traffic. Authentication measures verify the identity of the user, thus ensuring that only the intended and authorized users gain access to the system. Most firewall systems provide authentication procedures. Access controls are the most common authentication procedures. Password use is a common access control.
To maintain effective segregation of duties within the information technology function, an application programmer should have which of the following responsibilities?
A Maintain custody of the billing program code and its documentation.
B Modify and adapt operating systems software.
C Correct detected data entry errors for the cash disbursement system.
D Code approved changes to a payroll program.
D Code approved changes to a payroll program.
This answer is correct.
Applications programmers design, write, test, and document computer programs according to specifications provided by the end users. The programmers are responsible for designing, building, and maintaining the organization’s applications. Under no circumstances should programmers be able to make changes directly to programs that are used in “live” production. A separate processing area devoted to development and testing should be set up and dedicated to the use of programmers.
Which of the following is considered an application input control? A Exception report. B Run control total. C Edit check. D Report distribution log.
C Edit check.
This answer is correct.
An edit (field) check is an application input control that prevents invalid characters from being accepted. Some data elements can only contain certain characters, and any transaction that attempts to use an invalid character is rejected.
A company began issuing handheld devices to key executives. Each of the following factors is a reason for requiring changes to the security policy except A Storage of sensitive data. B Vulnerability of the device. C Convenience of the device. D Portability of the device.
C Convenience of the device.
This answer is correct.
Convenience of the device is one of the benefits of handheld devices and would not require changes to the security policy.
View Subunit 14.3 Outline
Which of the following should not be the responsibility of a database administrator?
A. Monitor and improve the efficiency of the database.
B. Protect the database and its software.
C. Design the content and organization of the database.
D. Develop applications to access the database.
D. Develop applications to access the database.
Answer (D) is correct.
The database administrator (DBA) is the person who has overall responsibility for developing and maintaining the database. One primary responsibility is for designing the content of the database. Another responsibility of the DBA is to protect and control the database. A third responsibility is to monitor and improve the efficiency of the database. The responsibility of developing applications to access the database belongs to systems analysts and programmers.
(14.5.90)
Certain payroll transactions were posted to the payroll file but were not uploaded correctly to the general ledger file on the main server. The best control to detect this type of error would be
A. A standard method for uploading mainframe data files.
B. Balancing totals of critical fields.
C. A record or log of items rejected during processing.
D. An appropriate edit and validation of data.
B. Balancing totals of critical fields.
Answer (B) is correct.
Balancing totals should be used to ensure completeness and accuracy of processing. For example, comparing totals of critical fields generated before processing with output totals for those fields tests for missing or improper transactions.
(14.4.70)
