Business Process & IT Missed Questions Flashcards

1
Q

Which network configuration is distinguished by the possibility of spreading the cost of ownership among multiple organizations?

A. Local area network
B. Wide area network
C. Baseband network
D. Value-added network

A

B. Wide area network

Wide area networks consist of a conglomerate of local area networks (LANs) over widely separated locations. The key aspect here is that a WAN can be either publicly or privately owned.

2
Q

The primary objective of data security controls is?

A. To establish a framework for controlling the design, security, and use of computer programs throughout an organization.
B. To monitor the use of system software to prevent unauthorized access to system software and computer programs.
C. To formalize standards, rules, and procedures to ensure the organization’s controls are properly executed.
D. To ensure that storage media are subject to authorization prior to access, change, or destruction.

A

D. To ensure that storage media are subject to authorization prior to access, change, or destruction.

The primary objective of data security is to protect data. This includes ensuring that storage media are subject to authorization prior to access, change, or destruction.

3
Q

Which of the following statements is true concerning internal control in an electronic data interchange (EDI) system?

A. Preventive controls generally are more important than detective controls in EDI systems.
B. Internal controls in EDI systems rarely permit control risk to be assessed at below the maximum.
C. Internal controls related to the segregation of duties generally are the most important controls in EDI systems.
D. Control objectives for EDI systems generally are different from the objectives for other information systems.

A

A. Preventive controls generally are more important than detective controls in EDI systems.

Preventive controls are more important than detective controls because the benefits typically outweigh the costs. In electronic processing, once a transaction is accepted, there is often little opportunity to apply detective controls. Thus, it is important to prevent errors or frauds before they happen.

4
Q

The description of a data attribute reads, “This forecast is prepared with the aid of a financial expert.” To which of the following elements regarding the completeness and accuracy criterion provided by the Assurance Services Executive Committee (ASEC) to define a dataset does the above statement relate?

A. Accuracy, correctness, or precision.
B. Nature of the data element.
C. Source of data.
D. Uncertainty.

A

D. Uncertainty.

The uncertainty or confidence interval refers to the potential deviation of an estimate and the person determining the estimate. The statement suggests both the fact of an estimate (forecast) and the person determining the estimate (with the aid of a financial expert).

5
Q

After reviewing the end-user computing (EUC) policy of an organization, an internal auditor audits the actuarial function and notices that some minimum control requirements are missing. Which of the following is a risk of using potentially incorrect end-user developed files?

A. Management is unable to respond to competitive pressures quickly.
B. Management receives limited information for decision making due to a lack of flexibility in EUC files.
C. Management continues to incur additional cost because it takes more hours to do the tasks using EUC.
D. Management places the same degree of reliance on the files as they do on files generated from mainframe systems.

A

D. Management places the same degree of reliance on the files as they do on files generated from mainframe systems.

End-user developed applications may not be subject to an independent outside review by systems analysts and are not created in the context of a formal development methodology. These applications may lack appropriate standards, controls, quality assurance procedures, and documentation. A risk of end-user applications is that management may rely on them as much as traditional applications.

6
Q

A local area network (LAN) is best described as a(n)

A. Method to offer specialized software, hardware, and data-handling techniques that improve effectiveness and reduce costs.
B. System to allow computer users to meet and share ideas and information.
C. Computer system that connects computers of all sizes, workstations, terminals, and other devices within a limited proximity.
D. Electronic library containing millions of items of data that can be reviewed, retrieved, and analyzed.

A

C. Computer system that connects computers of all sizes, workstations, terminals, and other devices within a limited proximity.

A LAN is a local distributed computer system, often housed within a single building. Computers, communication devices, and other equipment are linked by cable. Special software facilitates efficient data communication among the hardware devices.

7
Q

A threat to an information system with a total potential dollar loss impact of $7 million has been discovered. The risk of loss to the identified threat is currently 10%. The following four proposed controls are under consideration to mitigate the risk of loss:

Based on a cost-benefit analysis, which control provides the greatest net benefit?

A. Control Y
B. Control Z
C. Control X
D. Control W

A

A. Control Y

8
Q

One of the data definition criteria identified by the Assurance Services Executive Committee (ASEC) is that the description identifies information that has not been included in the data set but is necessary for understanding the data. Which of the following is not an example of this criterion?

A. A description of the grading scale used by a gemstone company.
B. The regression model used when only the independent variable is presented.
C. The formula used to convert a measurement to different scales.
D. The analyst report from which the data are retrieved.

A

D. The analyst report from which the data are retrieved.

The source of the data is included in the data description to help users understand where and how the data are collected and how they are transformed.

9
Q

Cryptocurrency transactions are recorded on a(n)

A. General ledger
B. Distributed ledger
C. Private blockchain ledger
D. Encryption ledger

A

B. Distributed ledger

Blockchain ledgers are encrypted, public, and shared among participants.

10
Q

Which of the following is considered an application input control?

A. Run control total
B. Exception report
C. Report distribution log
D. Edit check

A

D. Edit check

An edit (field) check is an application input control that prevents invalid characters from being accepted. Some data elements can only contain certain characters, and any transaction that attempts to use an invalid character is rejected.

11
Q

The most accurate statement regarding the differences between LANs and WANs is?

A. LANs experience more congestion than WANs.
B. WANs are more difficult to secure than LANs.
C. Organizations that use WANs will incur lower setup costs than those that use LANs.
D. WANs are easier to maintain than LANs.

A

B. WANs are more difficult to secure than LANs.

WANs consist of a conglomerate of LANs over widely separated locations, making the transmission of information more vulnerable to information interception and other security risks.

12
Q

An online data entry program is used for original entry of vendor invoices. A batch check-writing program occasionally prepares a check for a vendor not yet included in the vendor file. Checks for such vendors contain nonsense characters in the payee field. The most effective programmed control to prevent this kind of error is to perform

A. A batch control total check on vendor payments.
B. A completeness test on fields in the check-writing program.
C. A record lookup for vendors during data entry.
D. A verification of vendors in the check-writing program.

A

C. A record lookup for vendors during data entry.

Verifying valid vendors at the point of entry is the most cost-effective means of preventing incorrect data from entering the system.

13
Q

A distributed processing environment is most beneficial in which of the following situations?

A. Large volumes of data are generated at many locations and fast access is required.
B. Large volumes of data are generated centrally and fast access is not required.
C. Small volumes of data are generated centrally, fast access is required, and summaries are needed monthly at many locations.
D. Small volumes of data are generated at many locations, fast access is required, and summaries of the data are needed promptly at a central site.

A

A. Large volumes of data are generated at many locations and fast access is required.

Distributed processing involves decentralizing processing tasks and data storage and assigning these functions to multiple computers, often in separate locations. Therefore, a situation in which large volumes of data are generated at many locations, with fast access being a necessity, would be benefited by a distributed processing environment.

14
Q

In a traditional ERP system, the receipt of a customer order may result in:
I. Customer tracking of the order’s progress
II. Automatic replenishment of inventory by a supplier
III. Hiring or reassigning of employees
IV. Automatic adjustment of output schedules

A. I and III only.
B. I, II, and IV only.
C. I, II, III, and IV.
D. III and IV only.

A

D. III and IV only.

The traditional ERP system is one in which subsystems share data and coordinate their activities. Thus, if sales receives an order, it can quickly verify that inventory is sufficient to notify shipping to process the order. Otherwise, production is notified to manufacture more of the product, with a consequent automatic adjustment of output schedules. If materials are inadequate for this purpose, the system will issue a purchase order. If more labor is needed, human resources will be instructed to reassign or hire employees. However, the subsystems in a traditional ERP system are internal to the organization. Hence, they are often called back-office functions. The information produced is principally (but not exclusively) intended for internal use by the organization’s managers.
The current generation of ERP software (ERP II) has added front-office functions. Consequently, ERP II (but not traditional ERP) is capable of customer tracking of the order’s progress and automatic replenishment of inventory by a supplier.

15
Q

Which of the following statements regarding decision support systems is generally true?

A. Decision support systems facilitate solving relatively unstructured problems.
B. Decision support systems are usually developed most successfully by using a system development life cycle approach.
C. A decision support system should be designed to provide specific answers and a predefined sequence of analysis.
D. A decision support system best supports very structured applications.

A

A. Decision support systems facilitate solving relatively unstructured problems.

The decision support system (DSS) assists a decision maker by allowing him or her to access data and to test different solutions to the problem. This system only supplies support and should not take the place of the decision maker’s insights and judgment.

16
Q

Auditors often make use of computer programs that perform routine processing functions, such as sorting and merging. These programs are made available by computer companies and others and are specifically referred to as

A. User programs.
B. Utility programs.
C. Compiler programs.
D. Supervisory programs.

A

B. Utility programs.

Utility programs are provided by manufacturers of equipment to perform routine processing tasks required by both clients and auditors, such as extracting data, sorting, merging, and copying. Utility programs are pretested, are independent of the client’s own programming efforts, and furnish useful information without the trouble of writing special programs for the engagement.

17
Q

Which one of the following input validation routines is not likely to be appropriate in a real-time operation?

A. Sequence check.
B. Sign check.
C. Reasonableness check.
D. Field check.

A

A. Sequence check.

A sequence check tests to determine that records are in proper order. For example, a payroll input file can be sorted into Social Security number order. A sequence check can then be performed to verify record order. This control would not apply in a real-time operation because records are not processed sequentially.

18
Q

Which of the following areas of responsibility are normally assigned to a systems programmer in a computer system environment?

A. Operating systems and compilers.
B. Data communications hardware and software.
C. Systems analysis and applications programming.
D. Computer operations.

A

A. Operating systems and compilers.

Systems programmers write systems software. Systems software is usually purchased from vendors in machine or assembly language. It is necessary to facilitate the processing of application programs by the computer. It performs the fundamental tasks needed to manage computer resources, such as language translation, monitoring of data communications, job instruction, control of input and output, file management, data sorting, and access control. For example, the operating system mediates between the application programs and the computer hardware, and procedural languages may be translated into executable code (machine language) by compilers.

19
Q

Which of the following errors most likely would be detected by batch financial totals?

A. Malfeasance resulting from a receivable clerk’s pocketing of a customer’s payment and altering of the related records.
B. A transposition error on one employee’s paycheck on a weekly payroll run.
C. A missing digit in an invoice number in a batch of daily sales.
D. A purchase order mistakenly entered into two different batches.

A

B. A transposition error on one employee’s paycheck on a weekly payroll run.

Batch financial totals compare the sum of the dollar amounts of the individual items as reported by the system, with the amount calculated by the user. Thus, batch financial totals would most likely detect a transposition error on an employee’s paycheck.

20
Q

Certain payroll transactions were posted to the payroll file but were not uploaded correctly to the general ledger file on the main server. The best control to detect this type of error would be

A. A standard method for uploading mainframe data files.
B. An appropriate edit and validation of data.
C. Balancing totals of critical fields.
D. A record or log of items rejected during processing.

A

C. Balancing totals of critical fields.

Balancing totals should be used to ensure completeness and accuracy of processing. For example, comparing totals of critical fields generated before processing with output totals for those fields tests for missing or improper transactions.

21
Q

CASE (computer-aided software engineering) is the use of the computer to aid in the development of computer-based information systems. Which of the following could not be automatically generated with CASE tools and techniques?

A. Program logic design.
B. Information requirements determination.
C. Computer program code.
D. Program documentation.

A

B. Information requirements determination.

CASE applies the computer to software design and development. It maintains on the computer a library of standard program modules and all of the system documentation, e.g., data flow diagrams, data dictionaries, and pseudocode (structured English); permits development of executable input and output screens; and generates program code in at least skeletal form. Thus, CASE facilitates the creation, organization, and maintenance of documentation and permits some automation of the coding process. However, information requirements must be determined prior to using CASE.

22
Q

Engaging in traditional electronic data interchange (EDI) provides which of the following benefits?

A. Reduced likelihood of stock-out costs.
B. Enhanced audit trails.
C. Guaranteed payments from customers.
D. Added flexibility to entice new partners.

A

A. Reduced likelihood of stock-out costs.

Stock-out costs are the opportunity cost of missing a customer order. EDI systems reduce the business cycle by eliminating delays and help prevent stock-outs.

23
Q

What are stock-out costs?

A

The opportunity cost of missing a customer order. An electronic data interchange (EDI) system eliminates delays and prevents stock-outs.

24
Q

The most distinguishing feature of the use of a client-server processing model over an old mainframe configuration is

A. Digital processing over analog.
B. Decentralization over centralization.
C. Ability to connect remote locations.
D. Less need for data backup.

A

B. Decentralization over centralization.

Mainframes were arranged so that all processing and data storage were done in a single, central location. Improvements in technology have led to increasing decentralization of information processing. The most cost-effective and easy-to-administer arrangement for local area networks (LANs) uses the client-server model.

25
Q

All of the following are correct statements regarding business information systems (IS) strategy and business information technology (IT) except

A. Business IT strategy is focused on determining what technology and technological systems development are needed to accomplish the business IS strategy.
B. Business IT strategy is focused on developing and explaining the information architecture that will provide the best return for the organization.
C. Business IT strategy concentrates on how to provide the information.
D. Business IS strategy is focused on determining what IS must be provided to accomplish the goals of the business strategy.

A

D. Business IS strategy is focused on determining what IS must be provided to accomplish the goals of the business strategy.

Business IS strategy is focused on determining what IT must be provided to accomplish the goals of the business strategy.

26
Q

Which of the following procedures should be included in the disaster recovery plan for an Information Technology department?

A. Replacement of personal computers for user departments.
B. Cross-training of operating personnel.
C. Physical security of warehouse facilities.
D. Identification of critical applications.

A

D. Identification of critical applications.

The first step in preparing a business continuity/disaster recovery plan is to identify and prioritize the entity’s critical applications.

27
Q

In traditional information systems, computer operators are generally responsible for backing up software and data files on a regular basis. In distributed or cooperative systems, ensuring that adequate backups are taken is the responsibility of

A. User management.
B. Data librarians.
C. Systems programmers.
D. Data entry clerks.

A

A. User management.

In distributed or cooperative systems, ensuring that adequate backups are taken is the responsibility of user management. The systems are under the control of users, not a central information processing department.

28
Q

Which of the following is a correct statement regarding combinatorial test design?

A. Seeks to verify the interfaces between components against a software design.
B. Determines whether the system meets the organization’s needs and is ready for release.
C. Tests a completely integrated system to verify that the system meets its requirements.
D. Identifies the number of tests needed to get the coverage developers want.

A

D. Identifies the number of tests needed to get the coverage developers want.

Although the number of possible tests to apply is almost limitless, developers can’t test everything. All testing uses strategy to select tests that are feasible for the available time and resources. Combinatorial test design identifies the number of tests needed to get the coverage developers want.

29
Q

A company builds awareness of cyber risks at all levels of the organization and proactively communicates with its suppliers and customers regarding any incidents of cybersecurity breaches. Which cybersecurity framework management process tier does the company belong to?

A. Tier 2.
B. Tier 3.
C. Tier 4.
D. Tier 1.

A

C. Tier 4.

Under CSF management Tier 4, cybersecurity management policies are constantly improving to respond to risks promptly, awareness of current and evolving cyber risks is incorporated into the organization’s culture, and the information is shared continuously within the organization. The organization also collaborates with other entities proactively in real time.

30
Q

Which of the following is a network security system that is used to control network traffic and to set up a boundary that prevents traffic from one segment from crossing over to another?

A. Heuristic.
B. Firewall.
C. Router.
D. Gateway.

A

B. Firewall.

A firewall separates an internal from an external network (e.g., the Internet) and prevents passage of specific types of traffic. It identifies names, Internet Protocol (IP) addresses, applications, etc., and compares them with programmed access rules.

31
Q

Which of the following should be reviewed before designing any system elements in a top-down approach to new systems development?

A. Types of processing systems used by competitors.
B. Computer equipment needed by the system.
C. Controls in place over the current system.
D. Information needs of managers for planning and control.

A

D. Information needs of managers for planning and control.

The functionality that the system will provide to the end users is always the first consideration.

32
Q

Which of the following statements best characterizes the function of a physical access control?

A. Separates unauthorized individuals from computer resources.
B. Protects systems from the transmission of Trojan horses.
C. Minimizes the risk of incurring a power or hardware failure.
D. Provides authentication of users attempting to log into the system.

A

A. Separates unauthorized individuals from computer resources.

Physical security controls limit physical access and protect against environmental risks and natural catastrophes, such as fire and flood. For example, keypad devices and magnetic card readers can be used to deny unauthorized persons access to the computer center.