Information Systems Part 1

Question 1

How can machine learning improve the performance of Accounting Information Systems?

Answer 1

• By AUTOMATING repetitive and manual tasks
• Ex: QuickBooks and the Bank Feed

Question 2

Why do organizations use Accounting Information Systems?

Answer 2

• To store, collect, and process financial data
• The AIS generates important reports that are part of decision making for managers and stakeholders.

Question 3

When an Accounting Information System is a module in an Enterprise Resource Planning system, what bad thing happens?

Answer 3

• The AIS relies on a single database that is accessible by every individual within the company
• Because of this, an improper segregation of duties can occur

Question 4

What is an Enterprise Resource Planning system?

Answer 4

• It is a business information system that automates business processes, share common data, and facilitate reporting in real-time, which improves flexibility and responsiveness
• Example: Microsoft Dynamics 365
• It integrates data from different functional areas, customers, and vendors

Question 5

What are common IT system changes?

Answer 5

• Upgrades
• Cloud transitions
• Additions/Deletions
• Configuration changes
• Code modifications
• Updates/Patches
• Data modifications

Question 6

How should policies and procedures for requesting, approving, implementing, and monitoring changes to IT resources be documented?

Answer 6

They should be documented in a written CHANGE MANAGEMENT PLAN that is repeatable and auditable

Question 7

Vendors and customers share responsibility for ____ of a SaaS cloud application?

Answer 7

SECURITY
- The customer manages their own settings and physical security at their location.
- The vendor manages the physical security and overall controls.

Question 8

What is IT architecture?

Answer 8

It is a FUNCTIONAL RISK AREA that focuses on an organization’s ability to develop systems that align corporate strategy, organizational objectives, and long-term technologies (hardware, software, data, procedures)

Question 9

What is public cloud?

Answer 9

• 3rd party service provider owns IT computing architecture
• Multiple public users can share access to public cloud resources
• This results in lower costs, scalability (ability to be changed in size/scale)

Question 10

What is hybrid cloud?

Answer 10

It uses a combo of public, private, and community cloud models

Question 11

What is a community cloud?

Answer 11

• It is a cloud that can be used by a specific group of organizations with a common purpose
• Ex: Hospital chain uses this cloud to share patient info

Question 12

What is CONTINUOUS INTEGRATION?

Answer 12

It is a change development practice where code changes are frequently and automatically integrated into a shared repository with the objective of catching bugs early in the development process

Question 13

What is automated testing?

Answer 13

It is the most common method of validating Continuous Integration Code changes before deployment

Question 14

What is the order of continuous integration?

Answer 14

• Unit
• Integration
• System
• Acceptance

Question 15

What are availability reports?

Answer 15

• They are reports that directly address system uptime and downtime durations.
• These reports measure compliance with service level agreements.

Question 16

What is a Service Level Agreement?

Answer 16

• Many organizations use these to define the details regarding the provision of an IT service (ex: networking services) from a 3rd party vendor.
• Service level agreements are important because they specify expectations of service availability, usage, performance, capacity, processing, storage requirements, responsibilities of each party, and penalties

Question 17

What is the correct sequence of activities in a patch management process?

Answer 17

1) Identification/creation
2) Scheduling
3) Testing
4) Deployment
5) Audit/Assessment

Question 18

What is patch management?

Answer 18

It is the process of identifying, testing, and applying software updates (patches) to fix vulnerabilities, enhance performance, and ensure the security of systems

Question 19

What is patch management important for?

Answer 19

It is important for hosting machines with operating systems because by regularly applying updates (patches) to the OS, the OS can get protection against security vulnerabilities.

Question 20

What are the COSO internal control components?

Answer 20

Control Environment
Risk Assessment
Information and Communication
Monitoring
Control Activities

Question 21

What does the control environment of COSO internal control - integrated framework encompass?

Answer 21

Tone at the top
Organizational structure
Ethical values

Question 22

Why are walkthroughs performed?

Answer 22

To obtain a qualitative understanding of a process

Question 23

What does testing the operating effectiveness of controls involve?

Answer 23

It involves QUANTITATIVE testing on a sample or general population

Question 24

What is a differential backup?

Answer 24

• It stores all the data since the last full backup
• Requires less storage than full backups
• Restoration time is long
• It requires more storage than incremental backups

Question 25

What is an incremental backup?

Answer 25

It stores data that is generated or changed since the last full or incremental backup

Question 26

What are the duties of a Cloud Computing Steering Committee?

Answer 26

They decide what processes, applications, or data should move to the cloud

Question 27

What is the Mean Time to Recover?

Answer 27

This tracks the average time it takes to restore a service or system after an outage

Question 28

What is a key purpose of the ANALYSIS phase of a business impact ANALYSIS?

Answer 28

To identify, score, and prioritize critical business functions

Question 29

What are the 5 phases of a business impact analysis?

Answer 29

• Prepare
• Gather information
• Analyze
• Write/Present BIA report
• Implement

Question 30

What is the business impact analysis?

Answer 30

It is a process for evaluating the consequences of a disruption to critical business functions

Question 31

What is a gantt chart?

Answer 31

It is a visual representation of project management timelines that are used for planning

Question 32

What are tabletop exercises?

Answer 32

• This is 1 method of testing existing Business Continuity Plans
• All personnel with BCP duties meet and walk through a potential disruption scenario to find and mitigate deficiencies

Question 33

What is the difference between phased and parallel installation processes?

Answer 33

A parallel approach involves running 2 systems simultaneously, but some users are on the new system while others are on the old system under the phased approach

Question 34

What is the phased approach?

Answer 34

It allows a company with multiple geographic locations to gradually implement new systems one location at a time, minimizing operation disruptions

Question 35

What is MIRRORING?

Answer 35

• It involves keeping at least 2 identical copies of a database on separate machines
• Only 1 copy (principal database) is available for use
• Updates to the principal database are copied to the mirrored database.

Question 36

What is REPLICATION?

Answer 36

It is multiple copies of data and database objects on different databases

Question 37

What is a distributed database?

Answer 37

• It is a database that can be replicated but not mirrored
• Replication of distributed systems allows applications to access remote databases in multiple locations
• Since distributed data is stored in multiple databases, rather than a centralized database, it would be impossible to create a single mirror of the entire database

Question 38

What are data interface controls?

Answer 38

• They are communication rules that may use middleware software configured with controls, which ensure prompt data transfers
• These controls address access, session lengths, protocols, and security

Question 39

What is a BLOCKCHAIN?

Answer 39

It is an APPEND-ONLY (add as a supplement) ledger, which is a sequential (following in a logical order) database maintained by a DECENTRALIZED network of users

Question 40

Are blockchain records IMMUTABLE (unable to be changed)?

Answer 40

YES
This means that the records are encrypted and cannot be changed

Question 41

What is the correct order of the flow of change environment?

Answer 41

1) Development
2) Testing
3) Staging
4) Production

Question 42

When does change to applications become available to all users?

Answer 42

PRODUCTION

Question 43

Infrastructure as a Service is responsible for

Answer 43

• Servers and storage
• Networks and security
• Infrastructure facility

Question 44

Platform as a Service is responsible for

Answer 44

• Database & analytical tools
• Operating systems
• Servers and storage
• Networks and security
• Infrastructure facility

Question 45

Software as a Service is responsible for

Answer 45

• Hosted apps
• Database and analytics tools
• Operating systems
• Servers and storage
• Networks and security
• Infrastructure facility

Question 46

What is Business Process as a Service?

Answer 46

It is an extension of SaaS and outsources entire business processes, such as payroll to a 3rd party who has cloud services

Question 47

What is a cool thing that a virtual server can do?

Answer 47

It can run its own operating system and applications and enable multiple operating systems to run on a single physical server

Question 48

What is cloud computing governance?

Answer 48

• It refers to oversight of an organization’s mission, vision, and core values.
• Good governance includes profitability, so the benefits of cloud usage should outweigh the risks.

Question 49

What is the Governance and culture component of the COSO ERM for Cloud Computing concerned with?

Answer 49

They are concerned with setting the TONE AT THE TOP to ensure cloud strategies are aligned with the company’s values, including its risk appetite for migration to the cloud

Question 50

What is the greatest threat to one’s financial statement?

Answer 50

It’s from a public blockchain’s underlying lack of internal controls because there may be no recourse in case of a dispute

Question 51

What is a router?

Answer 51

It is a device that receives data packets from 1 network and sends them to a different network using the most efficient path

Question 52

What is a switch?

Answer 52

It is something that connects all the devices within an entity’s computer network by moving data between the devices

Question 53

What is a proxy server?

Answer 53

• It is a server that CONCEALS an internet user’s real identity.
• It routes data packets indirectly but doesn’t make intelligent routing decisions like a router does.

Question 54

What is technology debt?

Answer 54

It is the cost of maintaining existing legacy systems plus the opportunity cost of not switching to modern systems.

Question 55

Technology debt arises from what?

Answer 55

• Heavily customized systems
• Short-term, not long-term solutions prevent an organization from focusing on long-term strategy
• Obsolete technology needs more maintenance

Question 56

What is a staging environment?

Answer 56

• It allows a sample group of END USERS the chance to evaluate changes to applications before going live.
• Staging environment would be the same as the live environment.

Question 57

When user entities outsource business functions, what happens?

Answer 57

They are still responsible for 3rd party vendor oversight

Question 58

What is the Systems Development Life Cycle?

Answer 58

It is a subset of an organization’s change management function.

Question 59

What system components are included in the Systems Development Life Cycle?

Answer 59

• Infrastructure
• Software
• Data
• Procedures and personnel needed to meet objectives

Question 60

What are the steps in the Systems Development Life Cycle?

Answer 60

1) Analysis
2) Design
3) Development
4) Testing
5) Implementation
6) Maintenance

Question 61

What is parallel testing?

Answer 61

• It is testing where processing is performed at the same time at both the primary and alternate site.
• The results are compared to ensure processing was correct and complete

Question 62

What is simulation testing?

Answer 62

• It is testing that is done before parallel testing
• It is performed only at the alternate site

Question 63

What is full interpretation testing?

Answer 63

• It is testing that is done after parallel testing.
• It has the GREATEST RISK of DISRUPTING ACTUAL OPERATIONS because all primary site processing is stopped and sent to the alternate site.

Question 64

What should a disaster recovery plan focus on?

Answer 64

It should focus on procedures that will help restore critical systems in the event of a disaster

Question 65

What would happen if a systems analyst quit his job?

Answer 65

His departure would be a significant risk because it could result in a knowledge gap within the development team

Question 66

What item can help the development team stay on schedule in the event a systems analyst quit his job?

Answer 66

Systems documentation can hep his team stay on schedule

Question 67

What is a grandfather-father-son retention system?

Answer 67

It is a backup control used for recovering transactional data (information that’s captured from business transactions) after system downtime

Question 68

What is the order of functional tests for a company that develops applications using the continuous integration/continuous deployment pipeline?

Answer 68

1) Unit Testing
2) Integration testing
3) System testing
4) Acceptance testing

Question 69

What are general controls?

Answer 69

They relate to the integrity of an information system

They are subdivided into:
- Access controls
- Change controls
- Operations controls
Ex: Systems documentation

Question 70

What are application controls?

Answer 70

• They are aimed at processes within a specific software program
• Ex: Field checks

Question 71

What are change controls?

Answer 71

They prevent, detect, and correct unauthorized changes to systems, applications, and data

Question 72

What is the change management process?

Answer 72

• Change requested
• Request evaluated
• Change implemented
• Change tested

Question 73

What is scope creep?

Answer 73

It is when a project’s requirements, deliverables, or objectives increase beyond the original agreement

Question 74

What needs to be done to test the operating effectiveness of the segregation of duties between change management team?

Answer 74

Service auditor needs to inspect management’s quarterly review of permissions to ensure that developers and migrators are in separate permission groups

Question 75

What is a baseline configuration?

Answer 75

• It is a document, formally reviewed, and agreed-upon system specification that serves as a basis for future builds, releases, or changes.
• It’s a record of the system components and architecture at a point in time.

Question 76

What are endpoint devices?

Answer 76

Computers, tablets, smartphones

Question 77

What is middleware?

Answer 77

It is a utility program that helps different software programs communicate with one another to improve the efficiency of a computer system

Question 78

What is a server?

Answer 78

They are powerful computers that store, process, and manage data

Question 79

How can the operating effectiveness of a business continuity plan be evaluated?

Answer 79

This can be done by reviewing the results from previous business continuity tests conducted by internal IT team

Question 80

What can an IoT device do that an endpoint device like a wireless camera cannot do?

Answer 80

IoT devices can connect to a security system, but a wireless camera cannot do that

Question 81

What are Input types of application controls?

Answer 81

• Validity checks
• Range (limit) checks
• Authorization checks
• Hash amounts
• Batch controls

Question 82

What are processing types of application controls?

Answer 82

• Data validation
• Sequence checks
• Completeness checks
• Duplication checks

Question 83

What are Output types of application controls?

Answer 83

• Distribution lists
• Printer security
• Storage controls
• Confidentiality controls

Question 84

What are the 3 types of application controls?

Answer 84

• Input
• Processing
• Output

Question 85

What is an important use for a patch?

Answer 85

• It is to respond to security risks, as out of date systems are vulnerable to incidents
• Ex: The Equifax breach affected millions of people because the company didn’t patch its network after being alerted to a critical security vulnerability

Question 86

Why is outsourcing helpful?

Answer 86

It is helpful because companies may find it hard to staff an internal department with the right knowledge

Question 87

What are the benefits of a shared database in an Enterprise Resource Planning System?

Answer 87

• A shared database improves data quality by reducing the opportunity for duplication and errors
• Information is entered into the ERP only 1x, so there is less risk of inconsistencies that are seen in multiple standalone systems

Question 88

Service availability formula

Answer 88

(Agreed service time - Downtime) / Agreed service time

Question 89

What is needed in a systems specification document?

Answer 89

• Writing this document is an important step in the analysis phase of systems development
• This document describes what the system will do and how it will operate
• It addresses end-user requirements, such as description of data elements

Question 90

What is the Resources, Events, and Agents data model?

Answer 90

• It is a model where RESOURCES are items of economic value
• EVENTS are business activities
• AGENTS are internal and external stakeholders who participate in events

Question 91

What is a Unified Modeling Language diagram?

Answer 91

• AKA “Entity Relationship Diagram”
• It is a visual representation of a conceptual data model that shows the tables in a database and the associations between them

Question 92

What is Recovery Time Objective?

Answer 92

• It is a target for the maximum amount of downtime a business can tolerate
• A baseline RTO is established during a business impact analysis to calculate the cost of downtime

Question 93

What is pseudo anonymity?

Answer 93

• It is being invisible and hiding your true identity in blockchain
• This risk can be mitigated (lessened) by developing a CODE OF CONDUCT

Question 94

Walkthroughs are performed to

Answer 94

Obtain a QUALITATIVE UNDERSTANDING of a process

Question 95

What is user acceptance testing?

Answer 95

It is a process where the sample group ensures that the changes meet predefined acceptance criteria