B4-2

Question 1

Which of the following statements best describes the importance of segregation of duties?

a.

Good internal control requires that no single employee be given too much responsibility over business transactions or processes. An employee should not be in a position to commit and conceal fraud.

b.

The objective is to encourage any one person from having total control over all aspects of the transaction.

c.

Within the IT department, the duties of system analysts, computer programmers, computer operators, and security administrators should all be the responsibility of one individual.

d.

Segregation of duties is defined as dividing responsibilities for different portions of a transaction (authorization, recording, and custody) for those employees who are on probation.

Answer 1

Choice “a” is correct. Segregation of incompatible duties serves to prevent and detect errors or irregularities.

Choice “c” is incorrect. Within the IT department, the duties of system analysts, computer programmers, computer operators, and security administrators should be kept separate to the most practical degree.

Choice “d” is incorrect. Segregation of duties is defined as dividing responsibilities for different portions of a transaction (authorization, recording, and custody) among several different people or departments.

Choice “b” is incorrect. The objective of segregation of duties is to prevent any one person from having total control over all aspects of the transaction.

Question 2

All of the following are examples of a decision support system (DSS) except for a:

a.

Sensitivity analysis application.

b.

Financial modeling application.

c.

Database query application.

d.

Transaction processing system.

Answer 2

Choice “d” is correct. Decision support systems (DSS) are computer-based information systems that provide interactive support to managers or others during the decision-making process. Transaction processing systems process data resulting from business transactions (monthly, historical in nature; not predictive).

Choice “b” is incorrect. A financial modeling application is a DSS to assist management in evaluating financing alternatives.

Choice “c” is incorrect. Database query applications are a DSS that read and reorganize data to management’s specifications but do not allow alterations of the data.

Choice “a” is incorrect. Sensitivity analysis is a DSS that uses a “what if” technique that asks how a given outcome will change if the original estimates of the model are changed.

Question 3

Which of the following information technology (IT) departmental responsibilities should be delegated to separate individuals?

a.

Data entry and quality assurance.

b.

Data entry and antivirus management.

c.

Network maintenance and wireless access.

d.

Data entry and application programming.

Answer 3

Choice “d” is correct. Application programmers should not be allowed to enter data in production systems nor should they have unrestricted and uncontrolled access to application program change management systems. An application programmer is the person responsible for writing and/or maintaining application programs and should not be responsible for also controlling or handling data.

Choice “c” is incorrect. Network maintenance and wireless access are both responsibilities of the Network Administrator.

Choice “b” is incorrect. Data entry and antivirus management can safely be assigned to the same person, as they are not incompatible functions.

Choice “a” is incorrect. Data entry and quality assurance can safely be assigned to the same person, as they are not incompatible functions.

Question 4

An organization relied heavily on e-commerce for its transactions. Evidence of the organization’s security awareness manual would be an example of which of the following types of controls?

a.

Corrective.

b.

Detective.

c.

Preventive.

d.

Compliance

Answer 4

Choice “c” is correct. Preventive controls are controls that are designed to prevent potential problems from occurring. An organization that relied heavily on e-commerce would probably want as many preventive controls as possible because it might be difficult or impossible to correct errors after the fact.

Choice “b” is incorrect. An organization that relied heavily on e-commerce would probably want as many preventive controls as possible because it might be difficult or impossible to correct errors after the fact. Of course, detective controls should not be ignored because it is difficult to prevent all errors.

Choice “a” is incorrect. An organization that relied heavily on e-commerce would probably want as many preventive controls as possible because it might be difficult or impossible to correct errors after the fact. Of course, corrective controls should not be ignored, because, if errors are detected, they must be corrected properly.

Choice “d” is incorrect. Compliance controls appears to be a made-up term.

Question 5

Which of the seven distinct information criteria included within the Control Objectives for Information and Related Technology (COBIT) framework includes the idea that information must be accurate and complete?

a.

Integrity.

b.

Reliability.

c.

Efficiency.

d.

Effectiveness.

Answer 5

Choice “a” is correct. The integrity business requirement for information includes the criteria that information be accurate, complete and valid.

Choice “d” is incorrect. The effectiveness business requirement for information includes the criteria that information be relevant to a business process and delivered timely in correct, consistent and usable manner.

Choice “c” is incorrect. Efficiency within the context of business requirements for information concerns delivery of information through the optimal use of resources (e.g., low cost without compromising effectiveness).

Choice “b” is incorrect. The reliability business requirement for information includes the criteria that information be appropriate to operate the entity.

Question 6

What is the role of the systems analyst in an IT environment?

a.

Designing systems, preparing specifications for programmers, and serving as intermediary between users and programmers.

b.

Developing long-range plans and directing application development and computer operations.

c.

Selecting, implementing, and maintaining system software, including operating systems, network software, and the data base management system.

d.

Maintaining control over the completeness, accuracy, and distribution of input and output.

Answer 6

Choice “a” is correct. In an IT environment, a systems analyst is generally responsible for designing systems, preparing specifications for programmers, and serving as an intermediary between users and programmers. For internally developed systems, the analyst designs the overall application system but when the system is purchased, the analyst becomes a system integrator that adapts system design to processes.

Choice “b” is incorrect. Development of long-range plans and direction of application development and computer operations is undertaken by the Information Systems Steering Committee, not the systems analyst.

Choice “d” is incorrect. End users are typically responsible for maintaining control over the completeness, accuracy, and distribution of input and output, not the systems analyst.

Choice “c” is incorrect. System programmers would be involved in the selection of system software and would be responsible for maintaining system software, including operating systems, network software, and the data management system, not the systems analyst.

Question 7

Review of the audit log is an example of which of the following types of security control?

a.

Corrective.

b.

Preventive.

c.

Detective.

d.

Governance.

Answer 7

Choice “c” is correct. Audit logs are detective security controls. They are generally chronological records that provide documentary evidence of the sequence of activities that can be used to detect errors or irregularities.

Choice “d” is incorrect. Audit logs do not represent governance security controls. Governance controls typically involve strategic and organizational controls to enhance security.

Choice “b” is incorrect. Audit logs do not represent preventive security controls. The existence of a log does not prevent errors or irregularities, it provides the record necessary to detect errors or irregularities.

Choice “a” is incorrect. Audit logs do not represent corrective security controls. Corrective security controls represent procedures put in place to correct security weaknesses.

Question 8

What is the primary objective of data security controls?

a.

To formalize standards, rules, and procedures to ensure the organization’s controls are properly executed.

b.

To monitor the use of system software to prevent unauthorized access to system software and computer programs.

c.

To ensure that storage media are subject to authorization prior to access, change, or destruction.

d.

To establish a framework for controlling the design, security, and use of computer programs throughout an organization.

Answer 8

Choice “c” is correct. The objective of data security controls is to ensure that storage media are only accessed, changed, or deleted after appropriate authorization. The objective is to protect information.

Choice “d” is incorrect. Polices establish an overall approach to computer security and are sometimes referred to as the IT security strategy. Data security controls are designed to protect information, not to establish strategy or policy.

Choice “a” is incorrect. Policy support documents, such as procedures, formalize standards, rules, and procedures to ensure the organization’s controls are properly executed. Data security controls may be included in procedures, but development of procedures is not their objective.

Choice “b” is incorrect. Change management and related control activities anticipate monitoring the use of system software to prevent unauthorized access to system software and computer programs.

Question 9

Which one of the following terms best describes a Decision Support System (DSS)?

a.

Structured system.

b.

Management reporting system.

c.

Interactive system.

d.

Formalized system.

Answer 9

Choice “c” is correct. Decision support systems are computer-based information systems that provide interactive support to managers or others during the decision-making process.

Choice “b” is incorrect. Management reporting systems provide managers with the information needed for day-to-day decision making.

Choice “d” is incorrect. A formalized system is a generic term used to describe any system operating in proper or regular form.

Choice “a” is incorrect. A structured system is a system in which each program within a system is independent of other programs within the system. This enables programming teams to work independently on different programs within the same system.

Question 10

Which of the following control activities should be taken to reduce the risk of incorrect processing in a newly installed computerized accounting system?

a.

Segregation of duties.

b.

Ensure proper authorization of transactions.

c.

System testing through independent verification of the transaction processing results.

d.

Adequately safeguard assets

Answer 10

Choice “c” is correct. System testing through independent verification of transaction processing results represents one of the most effective methods to reduce the risk of incorrect processing of transactions in a newly installed accounting system.

Choice “a” is incorrect. Although segregation of duties is a foundational control that helps ensure that transactions are not controlled by one individual from beginning to end, the separation of transaction authorization, recordkeeping and asset custodial duties does not reduce the risk of incorrect processing of transactions.

Choice “b” is incorrect. Authorization of transactions is a strong control over the validity or legitimacy of transactions, but does not necessarily reduce the risk of incorrect processing.

Choice “d” is incorrect. Asset safeguarding is an important security measure but does not provide effective reduction of the risk for incorrect processing.

Question 11

Which of the following statements is correct for application programs and application programmers?

a.

None of the listed statements are correct.

b.

Application programmers should be the only ones allowed to test programs before they are released to production.

c.

Application programmers should be given full write/update access to data in production systems so that data fixes (corrections to production data outside of the normal application programs) can be made quickly with the least amount of paperwork.

d.

If programs are developed internally, a small portion of the overall programming budget will normally be devoted to program maintenance. Program maintenance is quite simple if the programs are written using modern programming techniques.

Answer 11

Choice “a” is correct. None of the statements are correct, making this the only correct choice.

Choice “d” is incorrect. If programs are developed internally, a large portion of the overall programming budget will normally be devoted to program maintenance. Program maintenance is never simple, regardless of how the programs were written. Modern programming techniques may make program maintenance “simpler,” but they will not make it “simple.”

Choice “c” is incorrect. Application programmers should not be given full write/update access to data in production systems. Generally, programmers should only use test data and should not be allowed to modify programs in a production environment. The programmers deal with the programs, not the data.

Choice “b” is incorrect. Application programmers should be allowed to test the programs that they have written because testing is an integral part of program development. However, before a program is released to production, it should be tested by someone other than the programmer who developed it.

Question 12

Which of the following items would be most critical to include in a systems specification document for a financial report?

a.

Communication change management considerations.

b.

Data elements needed.

c.

Training requirements.

d.

Cost-benefit analysis.

Answer 12

Choice “b” is correct. Data elements should always be included in the system specification document for a financial report. Data elements define the building blocks of the information provided in a financial report.

Choice “d” is incorrect. Cost-benefit analysis would not be included in the system specification document. The determination that the benefits outweigh the costs of a particular system is determined before the development of specifications.

Choice “c” is incorrect. Training requirements would not be included in the systems specification document for a financial report. Training requirements associated with generating the report would be found in an implementation plan, but not in a systems specifications document.

Choice “a” is incorrect. Communication change management considerations would not be included in the specification document for a financial report. Change management contemplates the control monitoring procedures of the system, not the specifications of a financial report.

Question 13

Stratford Corporation uses a general ledger system that was developed internally in the mid-1970s. It is having more and more problems finding people who can support this system because the system was written in PL/1, a general-purpose language developed by IBM in the 1960s that was a mix of COBOL and FORTRAN and that was not widely used in commercial systems. In addition, the person who designed and wrote the system died of a heart attack in December of 1988. Which of the following statements is correct for Stratford to consider in determining whether/how to replace this system?

a.

If Stratford designs and writes a new general ledger system instead of purchasing a new system from an outside vendor, Stratford will be able to design the system to meet its own specific general ledger requirements.

b.

If Stratford designs and writes a new general ledger system instead of purchasing a new system from an outside vendor, it should purchase life insurance for the major system developers so that it will be protected from future heart attacks.

c.

If Stratford purchases a new general ledger system from an outside vendor, Stratford must rely on the vendor to maintain and support that system.

d.

If Stratford purchases a new general ledger system from an outside vendor, Stratford must customize that system to meet its own specific general ledger requirements.

Answer 13

Choice “a” is correct. If Stratford designs and writes a new general ledger system instead of purchasing a new system from an outside vendor, Stratford will be able to design the system to meet its own specific general ledger requirements, whatever those requirements might be. However, whether Stratford should design the system to meet those requirements is an entirely different question.

Choice “c” is incorrect. If Stratford purchases a new general ledger system from an outside vendor, Stratford may rely on the vendor to maintain and support that system. Note that maintenance and support are two different things. Maintenance is keeping the system “up to date” with new releases from time to time. Assuming that maintenance has been purchased from the vendor, the vendor normally maintains the system. Stratford may or may not even have access to the source code for the programs and thus may or may not be able to maintain it. Support is keeping the system up and running; support includes monitoring the system, determining that a problem has occurred, and fixing or getting around the problem. Support may be provided by the vendor or may be provided by the customer, especially when the system is running in the customer’s environment.

Choice “d” is incorrect. If Stratford purchases a new general ledger system from an outside vendor, Stratford may customize that system to meet its own specific general ledger requirements. However, there is a definite cost associated with such customization. Every time a new version of the purchased system is released, the customization will have to be done all over again. Such repeated work will become expensive over time and will almost certainly delay the installation of new versions. Stratford should really examine its “requirements” for a general ledger system and determine how many of those so-called requirements are actually required.

If there are some “real” specific requirements, these requirements should be considered when the various candidate systems are being investigated in the selection process. The intent, obviously, would be to select the system that comes closest to meeting those requirements. If there are some specific reporting requirements, for example, a reporting mechanism might be able to be added to the system without customizing the core system. So if everything else was equal, the system that should be selected is the system that best accommodates the addition of the reporting mechanism with the least change, and possibly no change, to the core system.

Choice “b” is incorrect. Even if Stratford purchased life insurance for the major system developers, it might be somewhat financially protected from future heart attacks of those developers, but it will not be protected from anything else. The people who design and write systems are often lost, but the cause is more often resigning or being transferred to other projects.

Question 14

COBIT defines the enterprise architecture for IT as a:

a.

Combination of hardware, networking and system software.

b.

Networking and hardware configuration unique to each installation.

c.

Programming structure that integrates applications.

d.

Combination of IT resources and defined processes.

Answer 14

Choice “d” is correct. IT resources (applications, information, infrastructure and people) along with will defined processes are referred to as the enterprise architecture for IT.

Choice “c” is incorrect. A programming structure that integrates applications is not defined within COBIT.

Choice “b” is incorrect. Networking and hardware configurations are a part of IT infrastructure.

Choice “a” is incorrect. Hardware, networking and system software are part of IT infrastructure.

Question 15

A fast-growing service company is developing its information technology internally. What is the first step in the company’s systems development life cycle?

a.

Testing.

b.

Analysis.

c.

Implementation.

d.

Design.

Answer 15

Choice “b” is correct. Systems analysis is the first step in the systems development life cycle.

Choice “c” is incorrect. Implementation is the actual installation and use of the system. It occurs near the end of the systems development life cycle.

Choice “a” is incorrect. Testing should occur after programming or purchase of a new system. It would not be the first step in the process.

Choice “d” is incorrect. Design should come after analysis.

Question 16

Network Solutions, Inc. (NSI) provides network services to large corporations in the banking industry. To perform these services, it relies on personnel performing various job functions. Which of the following statements is/are correct for Network Solutions, Inc.?

I.

NSI’s database administrator maintains and supports its database system(s).

II.

NSI’s network administrator supports its own internal network(s) by monitoring performance of those networks and troubleshooting any problems.

III.

NSI’s database administrator and network administrator can be the same person.

a.

III only is correct.

b.

II and III only are correct.

c.

I and II only are correct.

d.

I, II, and III are correct.

Answer 16

Choice “d” is correct. Statement I is correct. NSI’s database administrator maintains and supports its database system(s). Statement II is correct. NSI’s network administrator supports its own internal network(s) by monitoring performance of those networks and troubleshooting any problems. Statement III is correct. NSI’s database administrator and network administrator can be the same person, although that is not likely. Since the skillsets of database administrator and network administrator are both highly technical and very specialized, it is unlikely that one person will perform the two functions, other than possibly in a very small organization with some very talented people.

Choice “a” is incorrect. Other statements are also correct.

Choice “c” is incorrect. Another statement is also correct.

Choice “b” is incorrect. Another statement is also correct.

Question 17

Jose Para is an application programmer employed by the law firm of Am, Bulance, & Chasr. AB&C is a relatively small firm with a small number of application programmers for its mainframe computer system, so Jose also acts as the system programmer for that system. Which of the following statements is correct for AB&C?

a.

AB&C’s accounting system logs all transactions that are entered. This feature is a compensating strength for the weakness that Jose is both an application programmer and a system programmer and will provide sufficient security.

b.

Since Jose is the system programmer, Jose can more than likely override any system security and provide himself with unlimited access to application programs and data.

c.

AB&C’s accounting system logs all access attempts to application programs. This feature is a compensating strength for the weakness that Jose is both an application programmer and a system programmer and will provide sufficient security.

d.

Since Jose already has write access to application programs in his function as application programmer, his function as system programmer will more than likely provide him no additional access.

Answer 17

Choice “b” is correct. Since Jose is the system programmer, he can more than likely override any system security and provide himself with unlimited access to application programs and data and would likely be able to hide such access. One employee acting as both a system programmer and an application programmer is a serious internal control weakness that is very difficult to overcome.

Choice “d” is incorrect. Jose has write (update) access to application programs in his function as application programmer. However, his function as system programmer will more than likely allow him to hide such access if he were to choose to do so. One employee acting as both a system programmer and an application programmer is a serious internal control weakness that is very difficult to overcome.

Choice “a” is incorrect. AB&C’s accounting system may log all transactions that are entered. However, Jose’s access as a system programmer may allow him to bypass this transaction logging and change data in other ways (for example, by “data fixes”). This feature, while potentially a good idea, is not a compensating strength for the weakness that Jose is both an application programmer and a system programmer (although it may be a compensating strength for other weaknesses) and will probably not provide sufficient security. In addition, it is a fact of life that transaction logs are seldom actively monitored.

Choice “c” is incorrect. AB&C’s accounting system may log all access attempts to application programs. However, Jose’s access as a system programmer may allow him to bypass this access logging and change programs in other ways. This feature, while a good idea and a feature of all automated program security systems, is not a compensating strength for the weakness that Jose is both an application programmer and a system programmer (although it may be a compensating strength for other weaknesses) and will probably not provide sufficient security.

Question 18

Which of the following is considered an application input control?

a.

Edit check.

b.

Exception report.

c.

Run control total.

d.

Report distribution log.

Answer 18

Choice “a” is correct. An edit check is an application input control that validates data before the data is successfully input. Batches containing transactions with errors, incorrect batch totals, and batches where debits do not equal credits are written to a suspended transaction file. These transactions are then corrected and resubmitted. All transactions must be corrected and resubmitted before end-of-month processing can begin.

Choice “c” is incorrect. A run control total is not an application input control, it is an output control. It is used to compare manual and computer-generated batch totals. With batch processing, a batch total for a transaction file is manually calculated and then an automated or manual comparison to a computer-generated batch control total is made. Any difference between the two totals indicates an error in accuracy, completeness, or both.

Choice “d” is incorrect. A report distribution log is not an application input control. Logs are used for data outputs.

Choice “b” is incorrect. An exception report is not an application input control. Exception reports are produced when a specific condition or exception occurs as a data output.

Question 19

A company’s new time clock process requires hourly employees to select an identification number and then choose the clock-in or clock-out button. A video camera captures an image of the employee using the system. Which of the following exposures can the new system be expected to change the least?

a.

Recording of other employees’ hours.

b.

Fraudulent reporting of employees’ own hours.

c.

Inaccurate accounting of employees’ hours.

d.

Errors in employees’ overtime computation.

Answer 19

Choice “d” is correct. Controls over time and attendance will not be effective in preventing or detecting errors in the computation of employee overtime. Miscalculation of the wage or overtime premium amount could occur even if hours worked are accurately controlled and captured by the time and attendance system.

Choice “b” is incorrect. Controls over time and attendance systems would be designed to be effective in preventing fraudulent reporting of an employee’s own hours. The video image would be very helpful in this regard.

Choice “c” is incorrect. Controls over time and attendance systems would be designed to be effective in preventing inaccurate accounting for employees’ hours. The video image would be very helpful in this regard.

Choice “a” is incorrect. Controls over time and attendance systems would be designed to be effective in preventing recording of other employees’ hours. The video image would be very helpful in this regard.

Question 20

In a large firm, custody of an entity’s data is most appropriately maintained by which of the following personnel?

a.

Data librarian.

b.

Computer programmer.

c.

Systems analyst.

d.

Computer operator.

Answer 20

Choice “a” is correct. A data librarian is the most appropriate position to maintain custody of an entity’s data. As the name implies the librarian maintains custody of the “library” of data generated by an organization.

Choice “c” is incorrect. A systems analyst is the position that designs the overall application system. The systems analyst has, effectively, an authorization role that should be segregated from the custody role.

Choice “d” is incorrect. A computer operator is responsible for scheduling processing jobs, etc., and would not have actual custody of the data. Effectively the operator is in a recordkeeping function that should be segregated from custody.

Choice “b” is incorrect. A computer programmer may be either an application programmer responsible for writing or maintaining application programs or a system programmer responsible for installing supporting monitoring and maintaining the operating system. Programmers have a recordkeeping function that should be segregated from the librarian’s custody function.

Question 21

Which of the seven distinct information criteria included within the Control Objectives for Information and Related Technology (COBIT) framework includes the idea that information will be delivered timely in a correct, consistent and useful manner?

a.

Availability.

b.

Reliability.

c.

Effectiveness.

d.

Integrity.

Answer 21

Choice “c” is correct. The effectiveness business requirement for information includes the criteria that information be relevant to a business process and delivered timely in a correct, consistent and usable manner.

Choice “d” is incorrect. The integrity business requirement for information includes the criteria that information be accurate, complete and valid.

Choice “a” is incorrect. The availability business requirement for information includes the criteria that information be available currently and in the future, and that resources be safeguarded.

Choice “b” is incorrect. The reliability business requirement for information includes the criteria that information be appropriate to operate the entity.

Question 22

The Control Objectives for Information and Related Technology (COBIT) framework includes all of the following information criteria, except:

a.

Applications.

b.

Confidentiality.

c.

Compliance.

d.

Availability.

Answer 22

Choice “a” is correct. Applications is not one of the information criteria identified by COBIT; applications are identified as information resources. The COBIT framework identifies seven information criteria (ICE RACE) that include Integrity, Confidentiality, Efficiency, Reliability, Availability, Compliance and Effectiveness.

Choice “b” is incorrect. Confidentiality is one of the distinct information criteria identified by COBIT.

Choice “d” is incorrect. Availability is one of the distinct information criteria identified by COBIT.

Choice “c” is incorrect. Compliance is one of the distinct information criteria identified by COBIT.

Question 23

To maintain effective segregation of duties within the information technology function, an application programmer should have which of the following responsibilities?

a.

Maintain custody of the billing program code and its documentation.

b.

Modify and adapt operating system software.

c.

Correct detected data entry errors for the cash disbursement system.

d.

Code approved changes to a payroll program

Answer 23

Choice “d” is correct. An application programmer would have the responsibility to code approved changes to a payroll program. A payroll program is an application program. Note that the changes have been previously “approved.”

Choice “b” is incorrect. An application programmer should never be assigned the responsibility to modify or adapt operating system software. Few application programmers would have the knowledge and experience to deal with operating system software anyway, but that would be way too much responsibility in one person/position.

Choice “c” is incorrect. An application programmer should never be assigned the responsibility to correct data entry errors for the cash disbursement (or any other) system. Application programmers should not have access to data (other than for very controlled situations, such as data fixes).

Choice “a” is incorrect. An application programmer should not have custody of billing (or any other application system) program code. Custody should be with a librarian (either a person or a system), and application programmers should only have controlled access to the program code. Program documentation should probably also be secured, but it is nowhere near as important.

Question 24

An advertisement in a local newspaper stated that a small local business required ‘‘someone who can get our new off-the-shelf production software to do what we want it to do so we can get on with running our business.’’ What type of computer professional is this business looking to recruit?

a.

A systems analyst.

b.

An IT supervisor.

c.

A network administrator.

d.

A computer programmer.

Answer 24

Choice ‘‘a’’ is correct. A systems analyst would take on the role of learning a purchased package and would have the job of integrating it into any existing software. The systems analyst would also take responsibility for training staff in its use. A systems analyst is sometimes referred to as a systems integrator with purchased systems since that individual is responsible for adapting or integrating the purchased system into the business.

Choice ‘‘c’’ is incorrect. A network administrator would manage the Local Area Networks (communications), but would not be responsible for leading the integration of purchased software into existing software and systems.

Choice ‘‘d’’ is incorrect. A programmer would be involved in writing new programs or maintaining existing programs, not integrating a purchased system with existing software.

Choice ‘‘b’’ is incorrect. An IT supervisor would manage part of the IT function but would not necessarily provide the “hands-on” integration effort contemplated by the employment advertisement.

Question 25

Which of the following is an advantage of a computer-based system for transaction processing over a manual system? A computer-based system:

a.

Eliminates the need to reconcile control accounts and subsidiary ledgers.

b.

Will be more efficient at producing financial statements.

c.

Will produce a more accurate set of financial statements.

d.

Does not require as stringent a set of internal controls.

Answer 25

Choice “b” is correct. A computer-based system will almost always be “more efficient” in doing something that has to be done multiple times. Thus, if multiple financial statements have to be produced, for example, at multiple times during the closing process, a computer-based system will normally be more efficient.

Choice “d” is incorrect. A computer-based system requires a set of internal controls that are just as stringent as a manual system. The controls will be different, but that does not mean they will be less stringent.

Choice “c” is incorrect. There is nothing about a computer-based system that guarantees increased accuracy. Garbage in = garbage out.

Choice “a” is incorrect. There is nothing about a computer-based system that eliminates the need to reconcile control accounts and subsidiary ledgers.

Question 26

Which of the following is a key difference in controls when changing from a manual system to a computer system?

a.

Methodologies for implementing controls change.

b.

Internal control objectives differ.

c.

Control objectives are more difficult to achieve.

d.

Internal control principles change.

Answer 26

Choice “a” is correct. When changing from a manual system to a computer system, the controls almost always are different. That does not mean that they are better or are worse, but they certainly are different.

Choice “d” is incorrect. When changing from a manual system to a computer system, internal control “principles” do not change. The principles remain the same; it is the implementation of the principles that is different.

Choice “b” is incorrect. When changing from a manual system to a computer system, internal control “objectives” do not change. The objectives remain the same.

Choice “c” is incorrect. When changing from a manual system to a computer system, control objectives are not necessarily more difficult to achieve. Some will be more difficult, and some will be easier. But, almost always, the specific controls will be different.

Question 27

Which of the following systems assists with non-routine decisions, serves strategic levels of the organization, and helps answer questions regarding what a company’s competitors are doing, as well as identifies new acquisitions that would protect the company from cyclical business swings?

a.

Management information system.

b.

Transaction processing system.

c.

Decision support system.

d.

Executive information system.

Answer 27

Choice “d” is correct. Executive information systems provide senior executives with immediate and easy access to internal and external information to assist the executives in strategic issues such as non routine decisions that may involve analysis of cyclical data, acquisitions and competitor behavior.

Choice “c” is incorrect. Decision support systems (DSS) provide interactive support for managers during decision making. DSS are expert systems that are not specifically designed for the strategic decisions made by executives.

Choice “b” is incorrect. Transaction processing systems are systems that process and record routine daily transactions necessary to conduct business. They do not provide strategic level information support.

Choice “a” is incorrect. A management information system provides managers and other users with reports that are typically predefined by management and used to make daily business decisions, not strategic decisions.

Question 28

Which of the following is the responsibility of an MIS steering committee?

a.

Steering committee must assess the operations of IT using system performance measurements. Common measurements include: throughput (output per unit of time), utilization (percentage of time the system is being productively used), and response time (how long it takes the system to respond).

b.

A steering committee must develop clear specifications. Before third parties bid on a project, clear specifications must be developed, including exact descriptions and definitions of the system, explicit deadlines, and precise acceptance criteria.

c.

A steering committee plan shows how a project will be completed, including the modules or tasks to be performed and who will perform them, the dates they should be completed, and project costs.

d.

A steering committee should be formed to guide and oversee systems development and acquisition.

Answer 28

Choice “d” is correct. A steering committee has broad objectives that include the oversight of systems development and acquisition after an assessment of data proceeding needs.

Choice “c” is incorrect. IT project planning and monitoring is the responsibility of the committee or group charged with project controls.

Choice “b” is incorrect. Development of specifications and acceptance criteria is the responsibility of the committee or group charged with post implementation review.

Choice “a” is incorrect. System Evaluating IT Performance using System Performance Measurements is the responsibility of managers involved in IT operations, not the direct responsibility of the MIS or EDP steering committee.

Question 29

Which of the following statements is/are correct with respect to segregation of duties in an IT environment?

a.

In general, segregation of duties is defined as dividing responsibilities for different portions of a transaction (authorization, recording, and custody) among several different people or departments.

b.

The IT department is a support group and normally does not initiate or authorize transactions.

c.

Segregation of duties in an IT environment normally revolves around granting and/or restricting access to production programs and to production data.

d.

All of the statements are correct.

Answer 29

Choice “d” is correct. All of the statements are correct.

The IT department is a support group and normally does not initiate or authorize transactions. When it does initiate or authorize transactions, those transactions normally are for such activities as leasing hardware, paying software license fees, and other IT-related activities.

In general, segregation of duties is defined as dividing responsibilities for different portions of a transaction (authorization, recording, and custody) among several different people or departments. This definition is true in an IT environment or with systems, but it is sometimes harder to accomplish in an IT environment since software may perform many of the functions.

Segregation of duties in an IT environment normally revolves around granting and/or restricting access to production programs and to production data.

Choices “b”, “a”, and “c” are incorrect, per the above explanation.

Question 30

Using processes defined by the COBIT framework, the domain category normally associated with the delivery of IT solutions to a business are referred to as:

a.

Acquire and Implement.

b.

Process and Organize.

c.

Monitor and Evaluate.

d.

Delivery and Support.

Answer 30

Choice “a” is correct. Under the COBIT framework, the acquire and implement domain addresses the delivery of IT solutions to users. The COBIT Framework includes four domains in the mnemonic PO AIDS ME:

Mnemonic
Domain
Purpose

PO

Process and Organize

Direct the IT Process

AI

Acquire and Implement

Deliver the IT Solution

DS

Deliver and Support

Deliver the IT Service

ME

Monitor and Evaluate

Ensure directions are followed

Choice “b” is incorrect. The process and organize domain results in direction of the IT process.

Choice “d” is incorrect. The deliver and support domain relates to the delivery of the IT service.

Choice “c” is incorrect. The monitor and evaluate domain relates to ensuring that directions are followed and providing feedback to information criteria.

Question 31

In a large multinational organization, which of the following job responsibilities should be assigned to the network administrator?

a.

Developing application programs.

b.

Reviewing security policy.

c.

Installing operating system upgrades.

d.

Managing remote access.

Answer 31

Choice “d” is correct. In a large multinational organization (or even a medium sized national organization), managing remote access would be the responsibility of a network administrator. The question used the qualifiers “large” and “multinational” to distinguish this organization from that of a small organization, where many different job functions might be combined in a single individual. In a large organization, a network administrator would not perform any of these other functions (even assuming that the network administrator had the skillset to perform them). IT jobs often require a very specific skillset.

Choice “a” is incorrect. A network administrator would not develop application programs.

Choice “b” is incorrect. A network administrator would not review security policy.

Choice “c” is incorrect. A network administrator would not install operating system upgrades. Few network administrators would have the knowledge and/or training to install operating system upgrades other than possibly simple PC desktop operating systems.

Question 32

The duties and responsibilities of the database administration include:

I.

Design and control of a firm’s database. This responsibility includes ensuring application independence, back-up, and recovery procedures.

II.

Definition and control of the data in the data dictionary.

III.

Assignment of user codes and maintenance of other security measures.

IV.

Control of all changes in data structure and in programs that use the database.

a.

I, II, and III.

b.

I, II, III, and IV.

c.

I, II, and IV.

d.

I, III, and IV.

Answer 32

Choice “d” is correct. I, III, and IV are correct. A database administrator controls the database, not the data, and duties generally include design of the firm’s database, maintaining security measures, and controlling data structure.

Choices “a”, “c”, and “b” are incorrect. Item II is not correct because it refers to the definition and control of the data in the data dictionary. The data is the responsibility of the data administrator. A database administrator is responsible for the actual database software, while a data administrator is responsible for the definition, planning, and control of the data within a database or databases. The function of a database administrator is more technical, and the function of a data administrator is more administrative.

Question 33

Which of the following areas of responsibility would normally be assigned to a systems programmer in a computer system environment?

a.

Operating systems and compilers.

b.

Data communications hardware and software.

c.

Systems analysis and applications programming.

d.

Computer operations.

Answer 33

Choice “a” is correct. This is exactly what systems programmers do; they work with operating systems and compilers, etc.

Choice “c” is incorrect. System programmers seldom, if ever, write applications programs. The skill sets and mindsets of systems programmers and applications programmers are almost completely different, not to mention that systems programmers doing both would violate good internal control principles.

Choice “b” is incorrect because it is not the best answer. Systems programmers could be assigned the responsibility for data communications hardware and software. The data communications software could be part of the operating system, or an adjunct to the operating system. However, the question says “normally.”

Choice “d” is incorrect. Systems programmers are not normally responsible for computer operations personnel.

Question 34

Which of the following statements is not correct for segregation of duties in an IT environment?

a.

Segregation of duties in an IT environment normally revolves around granting and/or restricting access to production data and/or production programs.

b.

The IT department is a support group in that it normally does not initiate or authorize transactions.

c.

Segregation of duties in an IT environment is defined as dividing responsibilities for different portions of a transaction among several different people.

d.

The duties of system analysts and application programmers should never be combined.

Answer 34

Choice “d” is correct as it is the only incorrect statement. The duties of systemanalysts and application programmers can be, and often are, combined. The duties of system programmers and application programmers should not be combined.

Choice “b” is incorrect because the statement is true. The IT department is a support group that normally does not initiate or authorize transactions.

Choice “a” is incorrect because the statement is true. Segregation of duties normally revolves around granting and/or restricting access to production programs and/or production data.

Choice “c” is incorrect because the statement is true. Segregation of duties in an IT environment is defined as dividing responsibilities for different portions of a transaction among several different people.

Question 35

The COBIT framework identifies five focus areas for IT governance, including which of the following:

a.

Operations.

b.

Systems analysis.

c.

Programming.

d.

Value delivery.

Answer 35

Choice “d” is correct. Value delivery is one of the five focus areas identified by COBIT for IT governance. Value delivery anticipates execution of the IT value proposition throughout the delivery cycle such that IT services consistently satisfy customer requirements. Other areas of IT governance include:

Strategic alignment

Resource management

Risk management

Performance measurement

Choice “b” is incorrect. Systems analysis is an important IT activity, but it is not a focus area of IT governance identified in the COBIT framework.

Choice “c” is incorrect. Programming is an important IT activity, but it is not a focus area of IT governance identified in the COBIT framework.

Choice “a” is incorrect. Operations are an important IT activity, but it is not a focus area of IT governance identified in the COBIT framework.

Question 36

Which of the following is a person who enters data or uses the information processed by a system?

a.

Hardware Technician.

b.

User.

c.

Software Developer.

d.

Network Administrator.

Answer 36

Choice “b” is correct. Users are any workers who enter data into a system or who use the information processed by the system. Users could be secretaries, administrators, accountants, auditors, CEOs, and so on.

Choice “a” is incorrect. A hardware technician sets up and configures computers.

Choice “d” is incorrect. A network administrator sets up and configures a computer network so that multiple computers can share the same data and information.

Choice “c” is incorrect. A software developer designs and/or writes the systems and/or the programs to collect, process, store, transform and distribute the data and information that are entered by the end users.