Information Technology Flashcards

1
Q

What is e-cash

A

E-cash is a system for using cash to purchase items over the internet. It allows customers to pay for goods or services from a web site while maintaining financial privacy.

2
Q

What is a cold site / hot site, backup plans

A

cold - backup site that has not been stocked with equipment - involves processing at another site. Customer can provide and install equipment in the event of a disaster.
hot - one that is stocked and ready for operation - relies upon a commercial disaster recovery service that allows a business to continue in the event of computer disaster
RAID - designed to prevent loss of data in the event of equipment failure
off site mirrored web server - provides continuous duplication of data in different geographic locations

3
Q

When is a distributed data processing system useful?

A

When processing is done in multiple locations. It enables processing of a large volume of transactions and fast access to data.
Most appropriate when large volumes of data are generated and data is needed at remote locations.
Distributed processing is not appropriate to a centralized system.

4
Q

What is a reciprocal agreement

A

Involves an agreement between two or more organizations to help each other in the event of a disaster to one’s processing.

5
Q

What is rollback

A

A checkpoint system for copying the database at certain points for backup support.

6
Q

What is a trojan horse

A

Computer program that appears to be legitimate but performs an illicit activity when it is run

7
Q

What is used as a batch control to verify the accuracy of the total credit posting in updating a computerized AR file?

A

AR will be credited for the amount of cash received plus discounts taken by customers. The control total should be the sum of the cash deposits plus the discounts taken by customers. It is NOT less the sales returns.

8
Q

What risk is minimized by requiring all employees accessing the information system to use passwords?

A

Firewall vulnerability - passwords can prevent unauthorized individuals from penetrating the firewall
NOT collusion, as it can still occur with passwords
Firewall prevents unauthorized users from accessing a network segment. “It separates or isolates a network segment from the main network while maintaining connection between networks”

9
Q

What should be the role of the computer librarian

A

Should maintain custody of program code, documentation, and instructions and detailed listings to strengthen controls in a computer system

10
Q

Computer operators

A

Computer operations
Should not have access to detailed program listings which would give them the opportunity to modify the programs
Good controls for the computer operations dept include periodic rotation and mandatory vacation, which give other personnel the ability to detect operator problems. Controlled access and segregation of duties help to separate incompatible functions.

11
Q

Control group

A

Should be responsible for the distribution of all computer output to strengthen controls in a computer system

Data control personnel correct detected data entry errors for the cash disbursement system.

12
Q

Computer/applications programmers

A

Computer programmer writes detailed programs based upon the work of the systems analyst.
Should write and debug programs which perform routines designed by the systems analyst in order to strengthen controls in a computer system
Code approved changes to a payroll program
Note difference between application programmer and systems programmer

13
Q

Systems analyst

A

Responsible for designing the computer system, including the goals of the system and means of achieving those goals, based upon the nature of the business and its info needs. The systems analyst must also outline the data processing system for the computer programmer with system flowcharts.
Reviews applications of data processing and maintains systems documentation

14
Q

Systems programmer

A

Given responsibility for maintaining system software, including operating systems and compilers.
Modify and adapt operating system software.
Should not maintain custody of output in a computerized system. At a minimum, the programming, operating, and library functions should be segregated.

15
Q

Control clerk

A

Establishes control over data received by the information systems departments and reconciles totals after processing.

16
Q

AP clerk

A

Prepares data for computer processing and enters the data into the system

17
Q

What is the benefit of an ERP system

A

Major aspect of an ARP system is the alignment of mgmt risk taking with shareholder risk appetite

Increases responsiveness and flexibility while aiding in the decision making process. ERP reduces data redundancy. ERP systems are typically more expensive to implement.

18
Q

Compare batch processing to online real time processing

A

Batch system often requires fewer personnel and takes less operating resources.
Batch processed data is not updated until the batch is processed.
Note that a greater level of control is necessary in an online real time system.
Batch system may process sequentially against a master file; keypunching is followed by machine processing; processed batches result in numerous printouts.

19
Q

What is a critical success factor in data mining a large data store?

A

Pattern recognition - the benefit of data mining is the confirmation and exploration of data relationships.
Note that data mining does not involve search engines.

20
Q

What are value added networks (VAN)

A

- Provide increased security over transactions because they use private networks (not public).
- It is a system that routes data transactions between trading partners.
- VANs cost more than simply using the internet.
- VANs make it more difficult to collect data about transmissions.
- VAN is able to reduce communication and data protocol problems. Partners establish fewer point to point connections using VAN.
- VAN is a privately owned network that routes EDI transactions and alleviates problems related to differences between various organizations’ hardware and software.
- VAN is more costly and it results in communications to the value added network and then to the trading partner, NOT direct communication between trading partners.

21
Q

What is a data flow diagram

A

Graphical notations that show the flow and transformation of data within a system or business area

22
Q

Action diagrams

A

Process logic notations that combine graphics and text to support the definition of technical rules

23
Q

Program structure charts

A

Graphical depictions of the hierarchy of modules or instructions in a program

24
Q

Conceptual data models

A

Independent definitions of the data requirements that are explained in terms of entities and relationships.

25
Q

In a client server, who is the client?

A

Client is the computer or workstation of the individual user. The server ordinarily provides most of the software and provides services to the client.

26
Q

What do the different tests check for - sequence test, completeness test, validity check, limit test, parity check, echo check

A

Sequence test - to see if sequence is in right order
Completeness test - test of completeness of records
Validity check - check of an entered number to see if it is in valid form or a valid account number
Limit test - test of reasonableness of a field based on specified limits
Batch control total - detects an error when clerk inputs 12.99 when actual is 122.99. Not to be confused with limit check as it would only work if amounts were reversed.
Echo check - hardware control where data is transmitted back to its source and compared to the original data to verify the transmission correctness (echoing)
Parity check - involves a special bit which is added to each character stored in memory and detects if the hardware loses a bit during the internal movement of the character.

27
Q

What are good internal controls in a computer system

A

Segregates operators, programmers, and library function. Machine operators should not have access to the systems manual. Operators should not have complete info on the operation and weaknesses of the overall system. Operators should (by nature of operating the system) have access to error messages and will distribute them to the control group.
Storing backup files off premises will improve internal control. Reconstruction of files if necessary will be possible.

28
Q

What should be in a systems specifications document

A

Description of data elements needed

29
Q

Record, field, file, byte for collection of data for all vendors in a database

A

Byte - piece of a field
Field - element of a record
Record - info about one vendor
File - collection of data for all vendors

30
Q

Control figures, limit checks

A

Address the accuracy of info on a file, not the physical security of a program file.

31
Q

Crossfooting tests

A

Address the accuracy of info on a file, not the physical security of a program file

32
Q

External labels

A

Will prevent file destruction by properly identifying each file

33
Q

Stakeholder

A

Anyone that uses a system. Anyone in the organization who has a role in creating or using the documents and data stored on the computer or networks.

34
Q

International standards for the professional practice of internal auditing - what should chief audit executive do?

A

Establish a risk based approach to determine audit priorities

35
Q

SOX requirement

A

Must have an audit committee financial expert; if not, it must provide an explanation. Note that the financial expert does not need to have prior experience as an auditor.

Requires an examination and report upon internal control as a part of a FS audit.
Statement identifying the framework used by mgmt to conduct assessment (eg COSO)
Statement that PA firm that audited FS attest to and report on internal control over financial reporting (for large corps).
CEO and the CFO (aka principal executive and financial officers) must disclose internal control deficiencies to both the auditors and the audit committee.
Requires mgmt to provide an assessment of the effectiveness of internal control.
Requires CEO and CFO to certify that the FS filed with the SEC fairly present, in all material aspects, the financial condition and results of operations of the company.
Does NOT require a certification by mgmt that it has violated no major laws.

36
Q

What are the internal control components

A

Control environment - mgmt philosophy, operating style - sets the tone of an organization, commitment to competence, integrity and ethical values
Risk assessment
Control activities
Info and communication - methods and records established to record, process, summarize and report entity transactions and to maintain accountability of the related assets and liabilities
Monitoring - ongoing activities and separate evaluations

37
Q

What are the objectives of internal control?

A

COSO:
Auditing standards include objectives to provide reasonable assurance regarding the achievement of objectives in the three categories:
1- reliability of financial reporting
2- effectiveness and efficiency of operations
3- compliance with applicable laws and regulations

38
Q

What is the purpose of corporate governance

A

to prevent mgmt from acting in its own interest at the expense of the shareholders
Audit committee of board of directors monitors

39
Q

International standards for the professional practice of internal auditing - what should the internal audit charter include?

A

set forth the purpose, authority, and responsibility of the internal audit activity
Authority of the activity is NOT included

40
Q

What are the voting rights with shares

A

Preferred shares and normal common - generally no voting rights / no influence on corp
Statutory voting rights - a shareholder gets one vote for each share owned
Cumulative voting rights - shareholder gets one vote for each director for each share of stock owned

41
Q

What are the stages of the monitoring for change continuum?

A

Control baseline - developing a supported understanding of existing controls
Change identification - identifying changes that are necessary
Change mgmt - evaluating the design and implementation of changes and establishing a new baseline
Control revalidation/update - periodically revalidating control operation

42
Q

What are the responses to risk identified by COSO

A

Avoidance, Reduction, Sharing, Acceptance

43
Q

What is required of the financial expert in the SEC rules regarding audit committees?

A

  • understanding of internal controls and procedures for financial reporting
  • understanding of audit committee functions
  • understanding of GAAP

NOT required to understand GAAS

44
Q

What is required by Dodd Frank Act

A

Disclosure of why or why not the chairman of the board is also the CEO

45
Q

What is the nominating/corporate governance committee responsible for

A

Overseeing CEO succession

46
Q

What is the starting point for control monitoring?

A

A baseline understanding of the system

NOT an assessment of the system

47
Q

What is typically included in a corporations articles of incorporation?

A

  • name and address of each incorporator
  • purpose of corp
  • name of registered agent of the corp
  • number of authorized shares of stock
  • powers of the corp

NOTE: how directors are elected is typically included in the corporate bylaws

48
Q

What is the NYSE requirement on director independence rules?

A

  • A director is not independent if he received $120k in pmts (not including compensation for serving on the board) from the corp in a 12 month period in the last 3 years
  • A director is not independent if he has been employed by the corp in the last 5 years
  • A director is not independent if he was a former partner with the corp’s external audit firm in the last 5 years

Note that a director can be independent even if he is an officer of a company that is a significant customer to the corp

49
Q

Microcomputers vs mainframe

A

Microcomputers are less controllable, less conducive to data integrity than mainframe use because less control over use is possible in microcomputer environments.
Mainframes are generally more reliable.
In cooperative processing, microcomputers are more cost effective than mainframes for data entry and presentation because microcomputers are better suited to frequent screen updating and GUIs.

50
Q

What can entity do to prevent unauthorized intruders from accessing proprietary info?

A

Password mgmt, data encryption, and digital certificate

51
Q

EDI system security

A

Encryption by physically secure hardware is ordinarily more secure but more costly than that performed by software.
Messages must be secured at the source or there is risk of unauthorized access.
Note message authentication only provides proof of the source of the message.

52
Q

Batch vs real time processing

A

Batch is easier to audit, more efficient and easier to implement.
Real time’s advantage is that info is available immediately. Real time is the best method for retail businesses whereas batch is old technology for retail.

53
Q

What are the responsibilities for computer operations, applications development, and systems programming, user departments

A

Computer operations - help desk, operational nature
Systems programming - implement and maintain system level software such as operating systems, access control software, and db systems software.
Application development - developing systems. After user acceptance, developers do not have daily contact with users.
User depts - interact with application systems as planned

54
Q

Network types - LAN, WAN, VAN, PBX

A

LAN - local area network - limited to short distances (2000 feet radius to the servers)
WAN - wide area network - connect many sites across a broad geographical distance
VAN - value added network - more expensive than a private network such as WAN for high volume communications
PBX - private branch exchange - electronic switch that transfers telephone calls

55
Q

Assessment types - risk , systems, DRP

A

Risk assessment - involves identifying whether the company has info unauthorized ppl want, how they could obtain info, value of info, and probability of unauthorized access.
Systems assessment - eval of the adequacy of a system in providing required info
Disaster recovery plan assessment - eval of the plan for recovery when the info system fails

56
Q

Interpreter/compiler/debugger/encrypter

A

Interpreter - edits source language statements for syntax errors and translates them into executable code; it does one statement at a time, not as a group as a compiler does
Compiler - program that edits a group of source language statements for syntax errors and translates them into an object program
Debugger - program that traces program execution or captures variable values for the purpose of helping the developer find program errors
Encrypter - program that converts ordinary text to encoded text that cannot be deciphered without access to the encryption key and procedure.

57
Q

System types

A

Database mgmt system - involves mgmt of the database; NOT to be confused with a system that just uses a database (e.g. payroll)
Transaction processing system - such as payroll system
Decision support system - provides info for decision making
Enterprise resource planning ERP system - software suite that maintains data and integrates multiple business processes and applications.

58
Q

COBIT info needs to conform to what criteria

A

Effectiveness
Confidentiality
Integrity

59
Q

Connector types

A

Gateway - They connect internet computers of dissimilar networks. Often implemented via software, translates between two or more different protocol families and makes connections between dissimilar networks possible.
Bridge - joins network segments so they appear to be one physical segment. Connects physically separate LANs.
Router - connects two or more network segments, such that the segments maintain their separate logical identities. Determines the best path for data.
Wiring connector - accepts twisted pair cabling from each of several PCs in the same LAN
Repeater - strengthens signal strength

60
Q

Hash total

A

It is a meaningless sum which normally has no use other than to prove the completeness with which a batch has been processed. For example, the summation of department numbers.

61
Q

TCP/IP - transmission control protocol and internet protocol

A

TCP/IP is used with all computers connected to the internet. Every site connected has a unique address.

62
Q

Types of controls

A

Application input - edit check
Processing control - run control total, exception report
Distribution - report distribution log

63
Q

Maturity models

A

Evaluate the sophistication of IT processes rated from a maturity level of non existent (0) to optimized (5).

64
Q

Data languages

A

Data manipulation language - maintenance and querying of db
Data definition language - original defining of a db, tables
Data control language - composed of commands used to control a language, including controlling which users have various privileges

65
Q

Internal auditor role

A

May review the systems design and program flowcharts, but is not responsible for their design

66
Q

Data processing manager role

A

Overall responsibility for the computer operations function (systems design, programming, operations, library, etc)

67
Q

COBIT: How does the IT group achieve its business objectives?

A

By establishing processes and employing the resources of applications, info, infrastructure, and people.

68
Q

What are hardware controls?

A

Automated equipment controls (hardware) are designed to detect, report or prevent operational errors within the computer. Hardware controls include echo check, dual circuitry, boundary protection (prevent mixing of data on a magnetic memory disc and a core storage unit), interlock, file protection rings, etc.

69
Q

Using a private key to encrypt data

A

The sender and receiver BOTH use the same key

70
Q

What AI info systems can learn from experience

A

Neural networks
Case based reasoning systems
Intelligent agents
Note that rule based expert systems cannot learn from experience as they follow rules

71
Q

EDI benefit of transmitting transactions

A

EDI involves the electronic exchange of business transaction data in a standard format from one entity’s computer to another entity’s computer. (can connect a company to its suppliers and customers electronically)
Transactions are communicated in standard format to help ensure completeness and accuracy
Note that EDI does not provide for auto protection of info - transmission controls must still exist.

72
Q

Benefit of using electronic funds transfer

A

With electronic funds transfer, customers’ funds related transactions are electronically transmitted and processed.
Electronic funds transfer systems minimize the need for entry of info and reduce the chance of entry errors.
Note that it does not improve the audit trail for cash transactions.

73
Q

Network connections

A

Telecommunications link - cabling that physically interconnects the nodes of the LAN
File server - provides files for users of the LAN
Network gateway - connects LAN to other networks
Client - workstation that is dedicated to a single user

74
Q

Database administrator

A

Only they should be able to add or update documented items in data dictionaries.
NOT to be confused with system librarian.
Read access however can be given to other parties such as applications development and maintenance.

75
Q

What is job control language

A

Is a command language that specifies priority/resource allocation, program size, and running sequence/scheduling and data retrieval for the operating system to perform.

76
Q

What is a master file

A

A master file is a file containing relatively permanent info used as a source of reference and periodically updated such as an inventory subsidiary file.
Transaction files are NOT master files.

77
Q

What is the three tiered architecture that most client/server applications operate on?

A

Desktop client, application server and database server

78
Q

What is considered when designing the physical layout of a data processing center?

A

  • access controls
  • adequate power and surge protection
  • other uses of electricity in the area which could cause interference with the data processing

NOTE that adequate physical layout space for the operating system is NOT considered, as the OS usually does not require physical space because it is software in a computer.

79
Q

What is a data warehouse

A

It is an approach to online analytical processing that combines data into a subject oriented, integrated collection of data used to support mgmt decision making process.
Note that online transaction processing involves day to day transaction processing operations.

80
Q

Network administrator

A

Responsible for maintaining the hardware and software aspects of a computer network.

81
Q

Relational databases

A

Store data in table form - NOT trees to store data (Hierarchical databases use tree structures to organize data)
Are flexible and useful for unplanned, ad hoc queries
Are maintained on direct access devices

82
Q

Digital signature

A

Assures the recipient that the msg came from a certain individual and it was not modified. It is used primarily to determine that a message is unaltered in transmission.
It does NOT assure that the msg is sent to the correct address and it could be intercepted.

83
Q

What are significant strategic issues for mgmt when they are expanding LAN to enhance customer service function?

A

  • Long range business plans
  • Support of daily business operations
  • Measurement of plan fulfillment
  • Payoff, or return on costs is important, NOT just cutting costs.

84
Q

What is a good control that can catch changes to the program?

A

Periodic recompiling of programs from documented source files and comparing them to the programs currently in use - can detect modifications that permit fraud to occur

85
Q

When would encryption be used and not used

A

Used in wire transfers between banks, when confidential info is sent by satellite transmissions, when financial data is sent over dedicated leased lines.
Encoding is important when confidential data is transmitted between geographically separated locations that can be electronically monitored.
LANs may need encryption protection, but less likely than the options above.

86
Q

DRP

A

Plan should provide for alternative processing site, backup and offsite storage procedures, identification of critical applications, and test of the plan.
Should include backup and downtime controls
Does NOT include data transmission controls or data input controls or data processing controls

87
Q

Computer language programs

A

A symbolic language program (aka source program), readable by humans, is translated into an object program which is machine readable.
A wired program refers to first generation computers, which require manual wiring of the CPU to perform desired operations.