Ch. 4

Question 1

Which areas should be included in cybersecurity risk assessment?

Answer 1

1. identity management
2. end-user education
3. disaster recovery/business continuity planning

Malware protection, along with next-generation firewalls, DNS (domain name system) filtering, antivirus software, and email security solutions, is an example of technology used to protect against the risk of cyber attacks.

Question 2

What are examples of technology used to protect against the risk of cyber attacks?

Answer 2

1. malware protection
2. firewalls
3. domain name system (DNS) filtering
4. antivirus software
5. email security solutions

Question 3

Users should have update access for production ____.

Answer 3

data

Question 4

Application programmers and users should not be able to change production _____?

Answer 4

programs

Question 5

Application programmers should NEVER have update access to production ______.

Answer 5

data

Question 6

Who submits change to the change control unit to update programs?

Answer 6

Application programmers submit change to the change control unit

Question 7

What is one-for-one checking?

Answer 7

involves retaining copies of all unnumbered documents submitted for processing and checking them off individually against a report of transactions processed.

Question 8

What type of control do batch totals require?

Answer 8

numerical control

Question 9

Computer sequence checks require that transactions be _______.

Answer 9

numbered

Question 10

Computer matching is performed by the program or user?

Answer 10

program

Question 11

What is a smart card?

Answer 11

A smart card continuously generates new and unique passwords, helping to minimize the risk of unauthorized access.

Question 12

Who are the intended users of SOC 1 reports?

Answer 12

management of the service organization, user entities, and user auditors

Question 13

Who are the intended users of SOC 2 reports?

Answer 13

Parties that are knowledgeable about the nature of the service provided by the service organization. Restricted.

Question 14

Who are the intended users of SOC 3 reports?

Answer 14

no restrictions and can be distributed to anyone

Question 15

Who is responsible to plan and provide oversight to the information systems function?

Answer 15

information systems steering committee

Question 16

What is fail-soft protection?

Answer 16

The capability to continue processing at all sites except a nonfunctioning one

Question 17

What is an example of strategic information system?

Answer 17

computer system that converts the inputs into data that allows management to make unstructured decisions concerning the company’s future

Question 18

What is Customer relationship management (CRM)?

Answer 18

1. cloud-based system
2. stores customer and prospect contact information, accounts, leads and sales opportunities
3. stored in one central database
4. CRM refers to practices, strategies, and technologies that businesses use to interact, analyze, forecast, and manage customer relationships, trends, and behaviors.

Question 19

What system assists with nonroutine decisions, serves strategic levels of the organization, and helps answer questions regarding what a company’s competitors are doing, as well as identifies new acquisitions that would protect the company from cyclical business swings?

Answer 19

Executive support system

The word “strategic” tells you this system provides information at a high level, the executive level.

Question 20

In a microcomputer system, the place where parts of the operating system program and language translator program are permanently stored is _____?

Answer 20

read-only memory (ROM)

ROM may only be read from to prevent these important programs from being accidentally altered or deleted.

Question 21

What is the central element of a Management Information System (MIS)?

The use of what?

Answer 21

The use of decision models to organize data

Question 22

What are the 5 Trust Services criteria? (aka principles)

Answer 22

Security
Availability
Processing Integrity
Privacy
Confidentiality

Question 23

What are disk and magnetic tapes?

What is a bar coding device?

What is magnetic ink character recognition?

Answer 23

Storage devices

Data entry device used with an optical character reader

Most often used by banks to read the magnetic ink on checks and deposit slips

Question 24

To minimize the likelihood of computer viruses infecting any of its systems, the company should also do what when installing software?

Answer 24

test all new software on a stand-alone PC before installing it on networked computers in the system.

Question 25

What is a digital signature primarily used to determine?

Answer 25

that a message is unaltered in transmission.

allows the creator of a message to digitally “sign” the data and provides proof of authorization

Question 26

What position performs following: Developing, coding, and testing computer programs

Answer 26

systems analysts

Question 27

An advantage of decentralizing data processing facilities is:

Answer 27

that system failure is of lesser significance.

Question 28

What are all of the components of the data processing cycle?

Answer 28

Collection, refinement, processing, maintenance, output

The usual definition of the data processing cycle (DPC) is “input-processing-output.” The correct answer substitutes the term “collection” for “input.” Refinement refers to classifying and/or batching. Maintenance refers to processing-related operations such as calculation and storage.

Question 29

The concept of a management information system (MIS) continues to evolve over time. Which of the following is generally understood to be a central element of an MIS?

Answer 29

Processing of data items is based on decision models.

Question 30

An information system should fulfill all of the following functions

Answer 30

1. safeguard an organization’s assets and data.
2. insure that the information produced was reliable and accurate.
3. collect and store data.

Question 31

Text-mining technology

Answer 31

(not data mining) enables entities to analyze text data from the web, comment fields, books, and other text-based sources to uncover insights not previously identified. Text mining uses machine learning or natural language processing technology to comb through documents such as emails, blogs, and Twitter feeds to analyze large amounts of information and discover new topics and term relationships. Data mining technology helps examine large amounts of data to discover patterns.

Question 32

Hadoop:

Answer 32

a free, open-source software framework that stores large amounts of data

Question 33

Predictive analytics technology:

Answer 33

uses data, statistical algorithms, and machine-learning techniques to identify the likelihood of future outcomes based on historical data

Question 34

Big data:

Answer 34

a term that describes the large volume of diverse and complex data available to businesses on a day-to-day basis

Question 35

In terms of the overall success of the internal control system, human resource policies can be said to:

Answer 35

be relevant to the internal control system’s goal of employee satisfaction.

The human resources department allows employees to make some payroll-related changes, such as new withholdings, changes in retirement allocations, and name changes. This empowers employees and increases morale and employee satisfaction.

Question 36

Statement of Financial Accounting Concepts (SFAC) 1, paragraph 34, Objectives of Financial Reporting by Business Enterprises, states:

Answer 36

“Financial reporting should provide information that is useful to present and potential investors and creditors and other users in making rational investment, credit, and similar decisions.” Thus, the objectives of financial reporting are based on user needs.

Question 37

To develop and implement a systems reliability plan, an organization’s IT governance should assign plan responsibility and accountability to who?

Answer 37

top-level IT manager

Question 38

What are the five Trust Services criteria?

Answer 38

Security, 
availability, 
processing integrity, 
privacy
confidentiality,

SAPPC

Question 39

COBIT helps to do what 3 things?

Answer 39

1. balance risk and controls information systems,
2. provides assurance that security and IT controls are adequate, and
3. guides auditors and internal controls.

Question 40

Business processes are comprised of which of the following items?

Answer 40

1. input(s),
2. actor(s) (either automated, like a computer, or an actual person),
3. the actual activity or process that transforms the input(s), and
4. output(s) (the final result)

Question 41

What is the difference between systems?

strategic information system

Transaction processing system

office automation system

Decision support systems

Answer 41

strategic information system provides information that may allow an organization to make strategic, competitive decisions. It converts the inputs into data that allows management to make unstructured decisions concerning the company’s future

Transaction processing systems support basic routine business functions.

office automation system is used by clerical personnel to process existing information.

Decision support systems process semi-structured and unstructured problems.

Question 42

Which of the following lists best describes the probable control activities likely to be employed at the cash register/sales counter level in these cases?

Answer 42

1. Proper authorization of transactions,
2. design and use of documents, and
3. independent checks on performance

Question 43

Risk of a distributed database, in which data about individuals would reside on computers at local offices but would be accessible to managers worldwide, has what risks?

Answer 43

Database integrity might not be preserved during a network or computer failure because of the complexity of updates, the time delays when multiple sites are involved, and the number of nodes to be coordinated.

Both the centralized and distributed systems permitted access to all data, so if access security is maintained at the same levels, there should be no difference in the vulnerability of the database to outsiders.

Question 44

In terms of the overall success of the internal control system, human resource policies can be said to:

Answer 44

be relevant to the internal control system’s goal of employee satisfaction.

Question 45

If certain data elements were not defined in the online database expansion, the following problem could result:

Answer 45

Incomplete transaction processing

Question 46

In an accounting information system, which of the following types of computer files most likely would be a master file?

Answer 46

Inventory subsidiary

A master file is used in electronic data processing and contains relatively permanent information used for reference and updated periodically. An inventory file lists the inventory on hand at a point in time. It is an asset, a balance sheet account.

Question 47

When should system librarian accept program into production?

Answer 47

The system librarian should only accept a modified program that has been properly tested by someone independent of the programmer to make sure that no unauthorized changes have been made.

Question 48

Who studies the existing information system?

Answer 48

Studying the existing information system is a task typically assigned to a systems analyst in the operational and maintenance phase of the system development life cycle; it is not an example of change control.

Question 49

What 3 things does managing the information system function include?

Answer 49

1. charging user departments for computer services,
2. project development planning (e.g., using Gantt charts), and
3. responsibility accounting principles.

Question 50

What type of review determines if the project’s anticipated benefits were achieved, and to encourage accurate and objective initial cost and benefit estimates?

Answer 50

POST-implementation reviews

Question 51

Password protection for a screensaver program can be

Answer 51

easily bypassed.

Setting up a password for the screensaver program on the notebook computer would provide the least security for sensitive data stored on a notebook computer

Question 52

The best control technique to detect paying a terminated employee using employee identification numbers would be a:

Answer 52

hash total.

Question 53

To assist in maintaining control over such access, many systems use tests that are maintained through an internal access control matrix which consists of:

Answer 53

authorized user code numbers,
passwords,
lists of all files and programs, and
a record of the type of access each user is entitled to have for each file and program.

Question 54

A systems program manipulates:

Answer 54

application programs.

By definition, systems software consists of programs that act on the instructions provided in application programs. Stated another way, a systems program manipulates application programs.

Question 55

Name 3 computer machine language

Answer 55

1. on/off electrical switches
2. internal binary code is usually arranged as a
3. hexadecimal (base 16) code.

Question 56

Identifying inputs and outputs would occur at what stage?

Answer 56

systems design and development phase, preceding implementation.

Question 57

Which of the following input controls would prevent an incorrect state abbreviation from being accepted as legitimate data?

Answer 57

Validity check

Question 58

A reasonableness check or test would compare

Answer 58

the data entry to the database to make sure that the input was logically correct, not valid. In other words, does the entry make sense in light of the data required?

Question 59

A field check makes sure that the entry is

Answer 59

the correct type for the field (numeric or alphanumeric). Any letters would satisfy this requirement, whether or not they were a valid state abbreviation.

Question 60

A check digit verification uses

Answer 60

redundant digits to detect errors in data transcription. This check would not prevent an incorrect state abbreviation from being accepted as legitimate data.

Question 61

One of the steps companies should not take is

Answer 61

to outsource computer control and security staff.

Question 62

If the system must be available on a continuous basis, there is an important need for what?

Answer 62

Maintain redundant systems for instant availability to assure the flow of transactions

Data backups will enable reconstruction of lost information, but do not affect availability of the system to users.

Question 63

Only the program librarian should be allowed to

Answer 63

make changes to the production library.

Question 64

A system where several minicomputers are connected for communication and data transmission purposes, but where each computer can also process its own data, is known as a:

Answer 64

distributed data processing network.

Question 65

An advantage of having a computer maintain an automated error log in conjunction with computer edit programs is that:

Answer 65

reports can be developed that summarize the errors by type, cause, and person responsible.

Question 66

Which of the following areas of responsibility are normally assigned to a systems programmer in a computer system environment?

Answer 66

Operating systems and compilers

Systems programmers use the design developed by the analysts to develop an information system and write the computer programs. It follows, therefore, that the programmers would be concerned with the operating system and how it will handle various applications, as well as with compilers (computer programs that convert a source program into an object program, reducing the programming effort).

Question 67

The purpose of a software monitor is to:

Answer 67

collect data on the use of various hardware components during a computer run.

Question 68

Routines that utilize the computer to check the validity and accuracy of transaction data during input are called:

Answer 68

edit programs.

Edit programs may be used to examine selected fields of input data and to reject those transactions (or other types of data input) whose data fields do not meet preestablished standards of data quality.

Question 69

Which of the following transaction processing modes provides the most accurate and complete informa­tion for decision making?

Answer 69

Online

Question 70

Which of the following is responsible for authorizing and recording transactions and for correcting errors?

Answer 70

Users

The data control group logs data inputs, processing, and outputs, and makes sure that transactions have been authorized. They do not authorize or record transactions themselves.
Computer operators maintain and run daily computer operations.
Security management is responsible for preventing unauthorized physical and logical access to the system.

Question 71

Which of the following describes infrastructure as a service (IaaS)?

Answer 71

IaaS provides the basic building blocks for cloud IT and typically provides access to IT assets from a cloud provider who charges on a pay-as-you-go basis.

Question 72

All of the following are classifications of controls used to make systems more secure except:

Answer 72

nonphysical access controls.

The five classifications of controls used to make systems more secure are

1. segregation of duties,
2. physical access controls,
3. logical access controls,
4. personal computers and client/server network protection, and
5. internet and telecommunications controls.

Question 73

Which of the following is a network node that is used to set up as a boundary that prevents traffic from one segment to cross over to another?

Answer 73

firewall

A firewall is a method used to isolate the company computers behind a device that acts as a gatekeeper. This gatekeeper prevents traffic from one segment from crossing over to another.

Question 74

The use of message encryption software:

Answer 74

increases system overhead.

The machine instructions necessary to encrypt and decrypt data constitute system overhead, which means that processing may be slowed down.

Question 75

To maintain effective segregation of duties within the information technology function, an application programmer should have which of the following responsibilities?

Answer 75

Code approved changes to a payroll program

Question 76

Which of the following database controls would be most effective in maintaining a segregation of duties appropriate to the users’ reporting structure within an organization?

Answer 76

Access security features

Access security features restrict users to functions and data compatible with organizational structure.

Question 77

Software change control procedures provide controls over what?

Answer 77

provide controls over software changes for application development functions.

Question 78

Dependency checks provide controls over what?

Answer 78

form and type of data entered by users.

Question 79

Backup and recovery procedures provide controls over what?

Answer 79

continued availability of data resources to users.

Question 80

An EDP control used to assure that paychecks had been written for all employees for a pay period would be the use of a:

Answer 80

hash total on employee Social Security numbers.

Record count simply calculates the number of records. It may be effective for the number of checks, but not validate the correct employees.

Question 81

Because of the sensitivity of its data, an online system for developing estimates and generating proposals was implemented with several layers of access control. Control over users’ initial log-in is a function of the:

Answer 81

operating system.

Initial log-in to a system is a function of the operating system–level access control software.

• An integrated test facility is an audit approach to validating processing.
• Database subschema authorizations control access to specific views of fields in a database.
• Access to applications and their data is a function of application level software.