18.2 Systems Controls and Information Security Flashcards
Which one of the following represents a lack of internal control in a computer-based system?
A. Any and all changes in application programs have the authorization and approval of management
B. Provisions exist to ensure the accuracy and integrity of computer processing of all files and reports
C. Provisions exist to protect data files from unauthorized access, modification, or destruction
D. Programmers have access to change programs and data files when an error is detected
D. Programmers have access to change programs and data files when an error is detected
A functional separation is necessary
Data processed by a computer system are usually transferred to some form of output medium for storage. However, the presence of computerized output does not, in and of itself, ensure the output’s accuracy, completeness, or authenticity. For this assurance, various controls are needed. The major types of controls for this area include
A. Physical controls, documentation controls, and print-out controls.
B. Activity listings, echo checks, and pre-numbered forms.
C. Disk output controls and printed output controls.
D. Input controls and output controls.
D. Input controls and output controls.
Input controls provide reasonable assurance that data received for processing have been properly authorized, converted into machine-sensible form, and identified, and that data have not been lost, suppressed, added, duplicated, or otherwise improperly changed. Input controls also relate to rejections, correction, and resubmission of data that were initially incorrect. Output controls provide assurance that the processing result is accurate and that only authorized personnel receive the output.
An employee in the receiving department keyed in a shipment from a remote terminal and inadvertently omitted the purchase order number. The best systems control to detect this error would be
A. Batch total.
B. Completeness test.
C. Sequence check.
D. Reasonableness test.
B. Completeness test.
A completeness test checks that all data elements are entered before processing. An interactive system can be programmed to notify the user to enter the number before accepting the receiving report.
An example of an internal validation check is
A. Making sure that output is distributed to the proper people.
B. Monitoring the work of programmers.
C. Collecting accurate statistics of historical transactions while gathering data.
D. Recalculating an amount to ensure its accuracy.
D. Recalculating an amount to ensure its accuracy.
Arithmetic proof checks (recalculations) are performed by edit routines before data are processed. A simple example is comparing total debits and total credits or the vendor number with the number for an accounts payable payment.
A company employing an online computer system has terminals located in all operating departments for inquiry and updating purposes. Many of the company’s employees have access to and are required to use the terminals. A control the company should incorporate to prevent an employee from making an unauthorized change in computer records unrelated to that employee’s job is to
A. Restrict the physical access to terminals.
B. Establish user codes and passwords.
C. Use validity checks.
D. Apply logical controls to transactions or inquiries entered by the user.
D. Apply logical controls to transactions or inquiries entered by the user.
Logical controls are used to determine whether a code number is compatible with the use to be made of the information requested. For example, a user may be authorized to enter only certain kinds of transaction data, to gain access only to certain information, to have access to but not update files, or to use the system only during certain hours.
In entering the billing address for a new client in a company’s computerized database, a clerk erroneously entered a nonexistent zip code. As a result, the first month’s bill mailed to the new client was returned to the company. Which one of the following would most likely have led to discovery of the error at the time of entry into the company’s computerized database?
A. Limit test.
B. Validity test.
C. Parity test.
D. Record count test.
B. Validity test.
In validity tests, values entered into the system are compared against master files of valid data. In this case, a master file of all zip codes recognized in the U.S. is held in memory and each time a clerk enters data in the zip code field, the clerk’s entry is compared to the list of valid values. If the zip code entered does not match any entry in the master file, data entry is halted and the clerk is advised to reenter the data.
Which of the following is an indication that a computer virus is present?
A. Frequent power surges that harm computer equipment.
B. Unexplainable losses of or changes to data.
C. Inadequate backup, recovery, and contingency plans.
D. Numerous copyright violations due to unauthorized use of purchased software.
B. Unexplainable losses of or changes to data.
The effects of computer viruses range from harmless messages to complete destruction of all data within the system. A symptom of a virus would be the unexplained loss of or change to data.
Which one of the following is most likely considered a processing control for an entity’s accounting application system?
A. Spooling
B. Transaction log
C. Validity check
D. Check digit
B. Transaction log
Processing controls provide reasonable assurance that (1) all data submitted for processing are processed and (2) only approved data are processed. These controls are built into the application code by programmers during the systems development process. A transaction log would keep track of all transactions that occurred and make sure that they were properly processed.
The internal auditors of a company are assessing controls over network access. The best source of evidence to determine that terminated employees do not continue to have access to the company’s network is to
A. Discuss password removal procedures with the database administrator.
B. Review computer logs for access attempts.
C. Review access control software to determine whether the most current version is implemented.
D. Reconcile current payroll lists with database access lists.
D. Reconcile current payroll lists with database access lists.
The internal auditor can examine whether terminated employees continue to access the network by finding employees who are listed on the database access lists but have been removed from current payroll lists.
Which one of the following is the most appropriate technique to restrict access to computer programs and databases to authorized personnel?
A. Develop unique account numbers for each user
B. Deploy electronic detectors
C. Provide color-coded employee identification badges
D. Conduct intrusion-prevention training
A. Develop unique account numbers for each user
Developing unique account numbers for each user will allow management to restrict specific users to specific types of access. Only authorized personnel will be able to view certain data.
The best preventive measure against a computer virus is to
A. Compare software in use with authorized versions of the software
B. Allow only authorized software from known sources to be used on the system
C. Prepare and test a plan for recovering from the incidence of a virus
D. Execute virus exterminator programs periodically on the system
B. Allow only authorized software from known sources to be used on the system
Preventive controls are designed to prevent errors before they occur. Detective and corrective controls attempt to identify and correct errors. Preventive controls are usually more cost beneficial than detective or corrective controls. Allowing only authorized software from known sources to be used on the system is a preventive measure. The authorized software from known sources is expected to be free of viruses.
In the organization of the information systems function, the most important segregation of duties is
A. Using different programming personnel to maintain utility programs from those who maintain the application programs
B. Not allowing the data librarian to assist in data processing operations
C. Assuring that those responsible for programming the system do not have access to data processing operations
D. Having a separate information officer at the top level of the organization outside of the accounting function
C. Assuring that those responsible for programming the system do not have access to data processing operations
Segregation of duties is a general control that is vital in a computerized environment. Some segregation of duties common in noncomputerized environments may not be feasible in a computer environment. However, certain tasks should not be combined. Systems analysts, for example, should be separate from programmers and computer operators. Programmers design, write, test, and document specific programs required by the system developed by the analysts. Both programmers and analysts may be able to modify programs, data files, and controls and should therefore have no access to computer equipment and files or to copies of programs used in production. Operators should not be assigned programming duties or responsibility for systems design and should have no opportunity to make changes in programs and systems.
What is the best course of action to take if a program takes longer than usual to load or execute?
A. Run antivirus software.
B. Reboot the system.
C. Back up the hard disk files.
D. Test the system by running a different application program.
A. Run antivirus software.
The described condition is a symptom of a virus. Many viruses will spread and cause additional damage. Use of an appropriate antivirus program may identify and even eliminate a viral infection. Ways to minimize computer virus risk in a networked system include restricted access, regularly updated passwords, periodic testing of systems with virus detection software, and the use of antivirus software on all shareware prior to introducing it into the network.
Some of the more important controls that relate to automated accounting information systems are check digits, limit checks, field checks, and sign tests. These are classified as
A. Data access validation controls.
B. Hash totaling.
C. Control total validation controls.
D. Input controls.
D. Input controls.
Check digits, limit checks, field checks, and sign tests are all examples of input controls.