CPA - IT

Question 1

COBIT focuses on IT controls and is intended for use by IT managers, IT professionals, and internal and external auditors

Question 2

Enterprise architecture

Answer 2

An organization’s enterprise architecture is its efforts to understand, manage, and plan for IT assets

Question 3

Enterprise-wide or Enterprise Resource Planning (ERP) systems

Answer 3

ERPs provide transaction processing, mgmt support, and decision-making support in a single, integrated, organization-wide package

Question 4

Goals of ERP systems

Answer 4

1. Global visibility
2. cost reductions
3. Employee empowerment (improved communcation and decison making)
4. “Best practices”

Question 5

An enterprise resource planning (ERP) system has which of the following advantages over multiple independent functional systems?

Answer 5

Modificaitons can be made to each module w/out affecting other modules

Question 6

Online transaction processing (OLTP) system

Answer 6

The modules comprising of core business functions: sales, production, purchasing, payroll, financial reporting etc -> think operational data for the eorganization

Question 7

Online analytical processing (OLAP) system

Answer 7

Incorporates data warehouse and data mining capabilities w/in the ERP

Question 8

Cloud Delivery Service Models

Answer 8

• Infrastructure as service (IaaS) - Use of the cloud to access a virtual data center of resrouces (e.g. AWS)
• Platform as service (PaaS) - A development environment for creating cloud-based software and program using cloud-based services (Salesforce.com)
• Software as service (SaaS) - Remote access to software (Office 365 etc.)

Question 9

Good internal control in a computer system requires that operators, programmers, and the library function be segregated.

Question 10

systems analyst is responsible for designing the computer system, including the goals of the system and means of achieving those goals, based upon the nature of the business and its information needs. The systems analyst also must outline the data processing system for the computer programmer with system flowcharts.

Question 11

systems programmers are given responsibility for maintaining system software, including operating systems and compilers.

Question 12

In relation to data management activities, the data owner’s primary role is __________, the data steward’s primary role is _____________, and the data custodian’s primary role is ____________________.

Answer 12

Answer: Accontability, responsible, responsible

Question 13

The Systems Development Life Cycle (SDLC) is the traditional methodology for developing information systems. In which phase of the SDLC would the activity of identifying the problem(s) that need to be solved most likely occur?

Answer 13

Answer: Planning

Planning is the first phase of the SDLC and this information is needed before most of the analysis phase activities can be initiated.

Question 14

The steps in the systems development life cycle are analysis, design, build, test, and implement.

Question 15

A direct changeover involves implementation of a new system without the possibility of reverting to the old system. It is often a risky strategy.

Question 16

Operational systems

Answer 16

support day-to-day activities of the business (i.e. purchasing of goods and services, manufacturing activities, sales t ocustomer, payroll etc.)

Question 17

Management Information Systems (MISs)

Answer 17

Systems designed to support routine management problems based primarily on data form transaction processing systems

Question 18

Order data elements by size

Answer 18

Files: are composed of

Records: are composed of

Fields: are composed of

Data values: are composed of

Bytes (characters): are composed of

Bits: the smallest storage element in a computer system

Question 19

A data mart is a type of data warehouse that is customized for an organization.

Question 20

An overall description of a database, including the names of data elements, their characteristics, and their relationship to one another, would be defined by using a

Answer 20

data definition language

Question 21

During the annual audit, it was learned from an interview with the controller that the accounting system was programmed to use a batch processing method and a detailed posting type. This would mean that individual transactions were

Answer 21

Assigned to groups before posting, and each transaction had its own line entry in the appropriate ledger

Question 22

A company has a significant e-commerce presence and self-hosts its website. To assure continuity in the event of a natural disaster, the firm should adopt which of the following strategies?

Answer 22

Establish a off-site mirrored website

Establishing an off-site mirrored Web server would provide for continuous duplication of data in geographically separated locations.

Question 23

Compared to online real-time processing, batch processing has which of the following disadvantages?

Answer 23

Stored data are current only after the update processes

Question 24

Business analytics

Answer 24

“the science and art of discovering and analyzing patterns, IDing anomalies, and extracting other useful info in data for application to a business issue or problem

Question 25

data lake

Answer 25

an unfiltered pool of big data

Question 26

data warehouse

Answer 26

structured, filtered data repository for solving business problems

Question 27

Common challenges in data governance

Answer 27

• It’s hard to quantify the benefits of data governance and management -> thus, underinvestment in these activities is common
• Unclear as to who is responsible for data ownership
• Complying w/increasing regulation of data ownership
• Too much data (data deluge)

Question 28

Data classification defines the privacy and security properties of data

Question 29

data taxanomy categorizes the data within the organization’s structure and hierarchy

Question 30

The data life cycle overviews the steps in managing and preserving data for use and reuse

Question 31

RACI acronym -> illustrates the data stewardship roles of the data owner, steward, and custodian across the data life cycle

Answer 31

Responsible - Does the work to complete the task

Accountable - Delegates the work and is the lats one to review the task or deliverable before completion

Consulted - Deliverables are strengthened by review and consultation from multiple team members

Informed - Informed of project progress

Question 32

data architecture

Answer 32

the structure and interaction of the major types and sources of data, logical data assets, physical data assets and data management resources of the enterprise

Question 33

Metadata

Answer 33

a set of data that describes and gives further detail about a dataset

Question 34

Criteria for describing data

Question 35

3 criteria for describing data

Answer 35

1. The description includes the dataset’s purpose
2. The desciption of the set of data is complete and accurate; it includes the 10 elements:

P(opulation)

U(nits)

R(ecords)

P(recision)

S(ample)

S(ources)

T(ime)

U(ncertainty)

F(ields)

F(ilters)

3. The data description identifies information that hasn’t been included within the set of data or description but is necessary to understand each data element and the population

Question 36

5 IT security principles specified by the AICPA Assurance Services Executive Committee (ASEC)

Answer 36

1. Security - A top mgmt issue. Security is the foundations of systems reliability
2. Availability - whether the system is operational and usable as specified in committments and agreements
3. Processing integrity - does the system of internal control help ensure taht the system processes info as intended w/out errors or manipulations?
4. Confidentiality - whether confidential info is proectected consistent w/organization’s commitments and agreements
5. Privacy - addresses whether the system’s collection, use, retention, disclosure, and disposal of personal info conforms to its own commitments and w/the criteria set forth in GAAP

Question 37

7 categories of assessing IT security principles

Answer 37

1. Organization and management
2. Communications
3. Risk management, and design and implementation of controsl
4. Control monitoring
5. Logical and physical access controls
6. System operations
7. Change Management

Question 38

Time based model of controls

Answer 38

The time-based model evaluates the effectiveness of an organization’s security by measuring and comparing the relationships among the 3 categories of controls:

1. time it takes an intruderto break through preventive controls
2. time it takes to detect that an attack is in progress
3. time to respond to the attack

Accordingly, if #1 is > #2 + #3, then security procedures are effective. Else, they are ineffective.

Question 39

One disadvantage of value-added network (VAN) is that they are expensive

Question 40

The primary advantage of using value-added network (VAN) is that it provides increased security for data transmissions

Question 41

Electronic data interchange involves

Answer 41

the electronic exchange of business transaction data in standard format from 1 entity’s computer to another entity’s computer

Question 42

Communication about cyber incidents to external parties should be selective and appropriate to their roles. For example, few banks publicly announce when they have lost money in a theft or cyber-hack.

Question 43

Distributed data processing system is useful when processing is done in multiple locations.

It enables processing of a large volume of transactions and fast access to data.

Question 44

IT policies are particularly valuable in _______ and _________ organizations.

Answer 44

Answer: Decentralized; geographically disbursed

These attributes make IT policies particularly valuable, since personnel are disbursed across multiple locations. IT policies are particularly valuable with disbursed units.

Question 45

A decentralized system is characterized by distributed processing and a lessened need for network resources.

Question 46

According to the framework for cybersecurity, protecting and securing the U.S. critical infrastructure requires a partnership between ___________ and __________.

Answer 46

public entities ; private entities

Question 47

XBRL

Answer 47

eXtensive Business Reporting Language

XBRL, or eXtensible Business Reporting Language, is an XML standard for tagging business and financial reports to increase the transparency and accessibility of business information by using a uniform format.

Question 48

A computer emergency response team (CERT) is a ______ control.

Answer 48

Corrective

A CERT is a corrective control since it is intended primarily to clean up the mess of a violation of the system’s integrity.

Question 49

a value-added network (VAN) is a system that routes data transactions between trading partners.

Question 50

Encryption

Answer 50

The process of converting a plaintext message into a secure-coded form (ciphertext)

Question 51

digital signature assures the recipient that the message came from a certain individual and it was not modified.

Question 52

Brownout is reduced voltage in the electrical system of an organization.

Question 53

Encryption protection is least likely to be used in which of the following situations?

Answer 53

When transactions are transmitted over local area networks (LAN)

This answer is correct. Various factors need to be considered. Encoding is important when confidential data are transmitted between geographically separated locations that can be electronically monitored. Although LANs may need encryption protection, the type of data and the described communication media make the other options appear more vulnerable.

Question 54

Organizational (Business) Continuity Planning

Answer 54

1. Create a BCM Policy and progrma
2. Understand and evaluate organizational risks
3. Determine Business Continuity Strategies
4. Develop and implement a BCM Response
5. Exercise, Maintain, and Review the Plan
6. Embed the BCM in the Organization’s culture

*BCM = Business Continuity Management

Question 55

Recovery point objective (RPO)

Answer 55

RPO = acceptable amount of data lost in an incident (usually stated in hours and defines the regularity of backups)

Question 56

Recovery Time Objective (RTO)

Answer 56

RTO => specifies the longest acceptable time for a system to be inoperable

Question 57

Cold site (empty shell)

Answer 57

An off-site location that has all the electrical connections and other physical requirements for data processing, but doesn’t have the actual equipment or files

Question 58

Warm site

Answer 58

A location where the business can relocate to after the disaster, that isalready stocked w/computer hardware similar to that of the original site, but doesn’t contain backed up copies of data and info

Question 59

Hot site

Answer 59

An off-site location completely equipped to quickly resume data processing

Question 60

System backup = good;

data redundancy = bad

Question 61

Checkpoint and restart

Answer 61

Common in batch processing systems - a checkpoint is a point in data processing where processing accuracy is verified

If there’s a problem, one returns to the previous checkpoint instead of the beginning of the transaction processing

Saves time and money

Question 62

DoS attacks

Answer 62

denial of service attacks -> criminal may use a computer to deny others the use or services of a computer system or network

Legitimate users are prevented from accessing the system

Question 63

In end-user computing, the user is responsible for the development and execution of the computer application that generates the information used by that same user.

Question 64

A zombie computer is used most frequently to perpetrate a _________ attack:

Answer 64

DoS

Question 65

Backup and recovery systems should be both _________ and ____________.

Answer 65

Off-site; redundant

Backup systems should include an off-site company and should include redundancy.

Question 66

Disaster recovery plan should provide for an alternative processing site, backup and off-site storage procedures, identification of critical applications, and test of the plan.

Question 67

Source program library management system (SPLMS)

Answer 67

The SPLMS manages the migration from the application development test environment to the active production library

The SPLMS ensures that only valid changes are made to the system by checking for all necessary authorizations and for program modifications by comparing the new source code to the old one

Only after verification does the program migrate to the SPL

Question 68

Application controls concern the accuracy, validity, and completeness of data processing in specific application programs

Question 69

3 categories of application controls

Answer 69

1. Input and origination controls - control over data entry and data origination process
2. Processing and file controls - controls over processing and files, including the master file update process
3. Output controls - control over the production of reports

Question 70

Procesing Controls

Answer 70

Controls designed to ensure that master file updates are completed accurately and completely

Processing controls also serve to detect unauthorized transactions entered into the system and maintain processing integrity

Question 71

a validity check is a check of an entered number to see if it is in valid form or a valid account number.

Question 72

The practice of authorizing changes, approving tests results, and copying developmental programs to a production library is program change control.

Question 73

In updating a computerized accounts receivable file, which one of the following would be used as a batch control to verify the accuracy of the total credit posting?

Answer 73

The sum of cash deposits + discounts taken by customers

Question 74

a validity check involves comparison of input to a list of valid items.

Question 75

a field check is a control that limits the types of characters accepted.

Question 76

a check digit is an extra reference number that follows an identification number and bears a mathematical relationship to the other digits.

The identification number can be subjected to an algorithm and compared to the check digit.

Question 77

An edit check is a check on the accuracy of data as it is inputted.

Question 78

In a daily computer run to update checking account balances and print out basic details on any customer’s account that was overdrawn, the overdrawn account of the computer programmer was never printed. Which of the following control procedures would have been most effective in detecting this fraud?

Answer 78

Answer: periodic recompling of programs from documented source files, and comparisons w/programs currently in use

This answer is correct because a periodic recompiling of the program from the original source files and comparison with the program currently in use would allow the auditor to detect the modification in the program that has permitted the fraud to occur.

Question 79

Smigly Construction builds large warehouses for many clients. Smigly is more likely than most other businesses to use _____________ in its revenue cycle billing processes.

Answer 79

remittance advice

Remittance advices help customers match payments with invoices. They are more likely to be used in complex businesses, such as construction and medical billing.

Question 80

Which of the following steps in the accounting cycle comes before posting entries to accounts?

Answer 80

Analyze transactions

Question 81

A purchase requisition is a formal document that orders goods. It is the best offered control related to the risk of ordering unneeded goods.

Question 82

Form 941 shows aggregate payroll tax withholdings and payments.

Question 83

Winifred, an internal auditor, wants to determine if employee pay rates are accurate. Her best strategy for accomplishing this goal is to

Answer 83

Review the cumulative earnings register

This review will enable Winifred to determine if employee pay rates are accurate. She can evaluate these over time, and across job descriptions and ranks.

Question 84

Adjusting journal entries are often the responsibility of

Answer 84

The controller

Adjusting entries are usually posted by the controller in the general ledger cycle.

Question 85

Quality (in th econtext of total quality management)

Answer 85

The concept of quality is how well the item meets its design specifications. Does it perform as it’s expected to perform?

Question 86

Quality of conformance

Answer 86

The degree to which a product meets its design specifications and/or customer expectations

Question 87

Quality addresses 2 perspectives in total quality management (TQM)

Answer 87

1. Failure to execute the product design as specified
2. Failure to design the product appropriately; quality of design is defined as meeting or exceeding the needs and wants of customer

Question 88

Cost of quality

Answer 88

The costs incurred by an organization to ensure that its products and/or services have a high quality of conformance

Question 89

4 components of cost of quality

Answer 89

1. Prevention cost - cost of any quality activity designed to help do the job right the 1st time
2. Appraisal cost - the cost of quality control including testing and inspection
3. Internal failure cost - the costs incurred when substandard products are produced but discovered before shipment to the customer
4. External failure cost - the cost incurred for products that don’t meet requirements of the customer and have reached the customer

Question 90

Backflush costing

Answer 90

The act of delaying journal entries until after the physical sequences have occurred

Often used in high-speed automated environments

Question 91

Six-sigma is a statistical measure expressing how close a product comes to its quality goal.

Six-sigma is 99.999997% perfect with a 3.4 defects per million parts.

Question 92

A Pareto chart ranks the causes of process variations by the degree of impact on quality.