IS and Comm B - Systems Design and Other Elements Flashcards
An employee mistakenly enters 4/31 in the date field. The best programmed edit check to detect this error is
reasonableness
Expert systems have ______ that represent the facts and inferences it knows
knowledge bases
Features of traditional programs that are not present in an expert system include
- sequential control structures
- distinct input/output variables
- passive data elements
In a large database system maintained on a mainframe computer, the most common medium for data files for the database is
hard disk
When implemented, the control ______ would best assist in meeting the control objective that a system have the capability to hold users accountable for functions performed
activity logging
The following task would be included in a document flowchart for processing cash receipts:
compare control and remittance totals
Routines that utilize the computer to check the validity and accuracy of transaction data during input are called
edit programs
Operating system is
a software program that controls the overall operation of a computer system
A compiler is
a computer program that converts a source program into an object program
Compatibility check/test is
a procedure for checking a password to determine if its user is authorized to initiate the type of transaction or inquiry he or she is attempting to initiate
A checkpoint/restart procedure is primarily designed to recover from
hardware failure
Internal checks are
- limit check
- identification
- sequence check
- error log
- transaction log
- arithmetic proof
Limit check is
a check to identify if data have a value higher or lower than a predetermined amount
Identification is
a check to determine if data is valid
Sequence check is
a check on the sequencing of info
Error log is
an up-to-date log of all identified errors
Transaction log is
a detailed record of every transaction entered in a system through data entry and provides the basic audit trail
Arithmetic proof is
a check to compute the calculation and validate the result
Characteristics of computer machine language include
- internal binary code
- hexadecimal code
- on/off electrical switches
Assembly language is
a programming language in which each machine language instruction is represented by mnemonic characters (symbolic language)
Many companies and government organizations would like to convert to open systems in order to
use less expensive computing equipment
In general, running open systems:
- increases the # of available vendors
- decreases the average purchase from any one vendor
- decreases volume discounts
- reduces economies of scale
- reduces reliance on proprietary components
The purpose of a software monitor is to
collect data on the use of various hardware components during a computer run
Specialized programs that are made available to users of computer system to perform routine and repetitive functions are referred to as
service “canned” programs
Relationship between source, object, and compiler programs
A source program “source code” is a computer program written in a source language which is translated into the object program by using a translation program like a compiler
A decision table indicates the
alternative logic conditions and actions to be taken in a program
Example of a decision table is
a chart that indicates shipping costs based on total purchase price
Purchase total   Shipping
$1-$50           $4
$51-$100         $5
$101-$250        $7
An ERP system has the following advantages over multiple independent functional systems:
increased responsiveness and flexibility while aiding in the decision making process
The _______ transaction processing mode provides the most accurate and complete information for decision making
online
An application is
a computer program for performing a specific function ex. payroll program
Batch processing is
a method where items to be processed are collected in groups to permit fast and convenient processing
Distributed data processing is
a network of interdependent computers where certain functions are centralized, other functions are decentralized, and processing is shared among two or more computers
_______ could be used to reduce the cost of preparing and updating flowcharts
Flowcharting software
The batch processing of business transactions can be the appropriate mode when
economy of scale can be gained because of high volumes of transactions
A disk storage unit is preferred over a magnetic tape drive because the disk storage unit
offers random access to data files
Real time system is characterized by
- online files
- prompt input from users
- an extensive communication network
- random access
- immediate update
- low level language
Decision tables differ from program flowcharts in that decision tables emphasize
logical relationships among conditions and actions
A flowchart is
a graphic depiction using symbols to show the control flow, primary actions, and interrelationships of a task or a set of tasks
Compared to online, real-time processing, batch processing has the disadvantage of
stored data only being current after the update process
The implementation phase of an accounting software application would include
- obtaining and installing hardware
- documenting user procedures
- training users
- entering and verifying test data
Identifying inputs and outputs would occur in the ________ phase which _______ implementation
systems design and development phase; precedes
The best depiction of the path of data as it moves through an IS is
system flowcharts
A data dictionary is
an organized description of the data items stored in a database and their meaning
Source code application is
a description of record layouts used by application programs
Data control language is
a way to describe the privileges and security rules governing database users
Database recovery log file is
a record of the before and after images of updated records in a database
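The two cards above (transaction log as the basic audit trail; recovery log as before/after images) describe the same mechanism from two angles. The following Python is an added example, not code from the flashcards or any product they describe: every update to a vendor payment record is written to an append-only log with the user, the timestamp, and the before and after images, so the same log answers an audit question ("what did apclerk1 change?") and drives recovery (restore the before images, newest first). The payment records, user names and field names are constructed for the example.

```python
"""Transaction log with before/after images: audit trail and recovery from one record."""
import datetime

# Constructed vendor payment master records (hypothetical data, not from the page)
PAYMENTS = {
    "PMT-1001": {"vendor": "V-77", "amount": 1250.00},
    "PMT-1002": {"vendor": "V-78", "amount": 480.00},
}


class TransactionLog:
    """Append-only log: who changed which record, when, and the before and after images."""

    def __init__(self):
        self.entries = []

    def record(self, user, key, before, after):
        self.entries.append({
            "seq": len(self.entries) + 1,
            "user": user,
            "when": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "key": key,
            "before": dict(before),   # copy, so later updates cannot alter the image
            "after": dict(after),
        })


LOG = TransactionLog()


def update_payment(user, key, **changes):
    """Apply a change to one payment record and log the before and after images."""
    before = PAYMENTS[key]
    after = {**before, **changes}
    LOG.record(user, key, before, after)
    PAYMENTS[key] = after
    return after


def changes_by_user(log, user):
    """Audit question: which records did this user alter, and from what to what?"""
    return [(e["seq"], e["key"], e["before"], e["after"])
            for e in log.entries if e["user"] == user]


def roll_back(log, records, from_seq):
    """Recovery: undo every logged update with seq >= from_seq by restoring the before images.
    Entries are applied newest first so chained updates to one record unwind correctly.
    The log itself is kept intact, since it is also the audit trail."""
    for e in reversed(log.entries):
        if e["seq"] >= from_seq:
            records[e["key"]] = dict(e["before"])


if __name__ == "__main__":
    update_payment("apclerk1", "PMT-1001", amount=2250.00)   # unauthorized change, now on the log
    update_payment("apclerk1", "PMT-1001", vendor="V-99")
    for seq, key, before, after in changes_by_user(LOG, "apclerk1"):
        print(seq, key, before, "->", after)
    roll_back(LOG, PAYMENTS, from_seq=1)
    print(PAYMENTS["PMT-1001"])   # back to the original image
```

The audit answer for the AP clerk scenario further down the page comes from `changes_by_user`; the same entries let `roll_back` restore the file after a failed update.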
A characteristic common to companies that have converted to a database system is that before conversion the companies had
redundant data fields
A tool useful in conducting a preliminary analysis of internal controls in an organization or organizational unit is
flowcharting
CCI developed a mgmt reporting software package that enables members interactively to query a data warehouse and drill down into transaction and trend information via various network set-ups. This is known as
an online analytical processing system
A key difference in controls when changing from a manual system to a computer system is
the methodology for implementing controls change
A primary function of a database mgmt system (DBMS) is
the capability to create and modify the database
A fundamental purpose of a DBMS is to
reduce data redundancy
Master file is
where cumulative info about an organization is stored and is similar to a ledger in a manual system
Transaction file is
where data about transaction that occur during a specific period of time is contained and similar to a journal in a manual system
A new policy on e-mail would not include
erasing EE email immediately upon termination
Prompting is
an online data entry control that uses the computer to control the data entry process
An online data entry technique that can be employed when inexperienced personnel input data is the use of
prompting
An advantage of a computer-based system for transaction processing over a manual system is that
the computer-based system will be more efficient at producing F/S
A type of flowchart representing areas of responsibility (such as depts.) as columns is called horizontal or _______ flowcharts
document
A control designed to catch errors at the point of data entry is
a self-checking digit
If a database has integrity, this means that the
database has only consistent data
A modem is a device that
allows computer signals to be sent over a telephone line
Devices that are used only to perform sequential file processing will not permit
data to be edited on a real-time basis
Sequential file processing is
a system where files are arranged serially, one after another, and the program must start at the first record and read all succeeding records until the required record is found or until the end of the file reached
A systems program
manipulates application programs
An AP clerk is accused of making unauthorized changes to previous payments to a vendor. Proof could be uncovered in
transaction logs
ROM (read only memory) is
a memory component for the storage of elementary software info that cannot be modified by the user of the system or program
RAM (random access memory) is
a temporary read-write memory component of a computer that can be accessed at any point in time without accessing other info
In a microcomputer system, the place where parts of the operating system program and language translator program are permanently stored is
ROM
A central element of mgmt IS is
the processing of data items is based on decision models
Phases of System Development Life Cycle (SDLC) are
PAD-ID-TIM
1. system Planning
2. system Analysis
3. system Design
4. Implementation and Deployment
5. Testing and Integration
6. system Maintenance
The type of control plan particular to a specific process or subsystem, rather than related to timing of occurrence is
application controls
Operational Risk controls can be broken down into the 3 types:
preventive
detective
corrective
A value added network (VAN) is a privately owned network that performs the function of
routing data transactions between trading partners
An input validation routine not appropriate in a real-time operation is
sequence check
Input validation checks and controls that should be performed in a real-time operation include
field check, sign check, and redundant data check
Check digit is
an input control consisting of a single digit at the end of an id code that is computed from the other digits in a field. If the id code is mis-keyed, a formula will reveal that the check digit is not correct and the field will not accept the entry
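The check-digit card explains the idea; the following Python is an added example (not code from the flashcards) that shows what "a formula will reveal that the check digit is not correct" means in practice. It implements two common schemes, the mod-10 (Luhn) digit and a weighted mod-11 digit, verifies an entry by recomputing the digit from the body, and then measures which keying errors each scheme catches: mod-10 misses the 09/90 adjacent transposition, while weights that differ between neighbouring positions under a prime modulus catch every adjacent transposition. The identifier values are constructed; the scheme names and weights are assumptions chosen for the demonstration.

```python
"""Check digits for identifier fields: compute, verify, and test which keying errors are caught."""


def luhn_check_digit(body):
    """Mod-10 (Luhn): double every second digit from the right, fold two-digit results, complement the sum."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:            # rightmost body digit is the first one doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def mod11_check_digit(body):
    """Weighted mod-11: weights 2,3,...,7 cycling from the right; 'X' stands for a check value of 10."""
    total = sum(int(ch) * (2 + i % 6) for i, ch in enumerate(reversed(body)))
    check = (11 - total % 11) % 11
    return "X" if check == 10 else str(check)


def with_check_digit(body, scheme=luhn_check_digit):
    """Build the full identifier: numeric body followed by its check digit."""
    if not body.isdigit():
        raise ValueError("identifier body must be numeric")
    return body + scheme(body)


def is_valid(code, scheme=luhn_check_digit):
    """Field-level check: recompute the digit from the body and compare with the last character."""
    if len(code) < 2 or not code[:-1].isdigit():
        return False
    return scheme(code[:-1]) == code[-1]


def transpose_adjacent(code, i):
    """Simulate the classic keying error: swap the characters at positions i and i+1."""
    s = list(code)
    s[i], s[i + 1] = s[i + 1], s[i]
    return "".join(s)


def undetected_transpositions(scheme):
    """Over all two-digit bodies 'ab' (a != b), list the adjacent transpositions the scheme still accepts."""
    misses = []
    for a in range(10):
        for b in range(10):
            if a == b:
                continue
            code = with_check_digit(f"{a}{b}", scheme)
            if is_valid(transpose_adjacent(code, 0), scheme):
                misses.append((code, transpose_adjacent(code, 0)))
    return misses


if __name__ == "__main__":
    acct = with_check_digit("7992739871")            # constructed account number body
    print(acct, is_valid(acct))                        # 79927398713 True
    print(is_valid(transpose_adjacent(acct, 8)))       # adjacent transposition rejected
    print("mod-10 misses:", undetected_transpositions(luhn_check_digit))
    print("mod-11 misses:", undetected_transpositions(mod11_check_digit))
```

A single mis-keyed digit changes the weighted sum by a non-zero multiple of its weight, so both schemes reject it; the difference between the schemes shows up only on transpositions, which is why the choice of weights and modulus matters when the field is an account number keyed by hand.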
Field check is
an edit check in which the characters in a field are examined to ensure they are of the correct field type
e.g., only numeric characters in a numeric field
Redundant data check is
an edit check that requires the inclusion of 2 identifiers in each input record and if these values do not match those on record, the record will not be updated
Sign check is
an edit check that verifies that the data in a field has the appropriate arithmetic sign
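The cards from "Check digit" through "Sign check" (and the 4/31 reasonableness card at the top of the page) each name one programmed edit check. The following Python is an added example, not code from the flashcards, that puts them together as one edit program run over a constructed batch of timecards before any master file is updated: field check, existence check, redundant data check, sign check, limit check, reasonableness check on the date, and a validity check on a code table. Rejected records go to an error log for correction and resubmission. The employee master, code tables, the 60-hour limit and the sample batch are all assumed for the example.

```python
"""Input edit program: programmed edit checks applied to each transaction before the master file is updated."""
import datetime

# Constructed employee master file and code table (hypothetical, not from the page)
EMPLOYEE_MASTER = {
    "10234": {"name": "A. Rivera", "dept": "SALES"},
    "10235": {"name": "B. Chen", "dept": "SHIP"},
}
VALID_STATES = {"AL", "AK", "AZ", "CA", "NY", "TX"}
MAX_WEEKLY_HOURS = 60            # limit-check threshold (assumed policy value)


def edit_transaction(rec):
    """Return the list of edit-check failures for one timecard record; an empty list means accepted."""
    errors = []
    emp_no = str(rec.get("emp_no", ""))
    if not emp_no.isdigit():
        # Field check: the employee number field must contain numeric characters only
        errors.append("field check: emp_no must be numeric")
    elif emp_no not in EMPLOYEE_MASTER:
        # Existence (validity) check: the number must belong to an active employee
        errors.append("existence check: emp_no is not assigned to an active employee")
    elif rec.get("name") != EMPLOYEE_MASTER[emp_no]["name"]:
        # Redundant data check: a second identifier must agree with the master file
        errors.append("redundant data check: name does not match emp_no on master file")

    hours = rec.get("hours")
    if isinstance(hours, bool) or not isinstance(hours, (int, float)):
        errors.append("field check: hours must be numeric")
    else:
        if hours < 0:
            # Sign check: hours worked cannot carry a negative sign
            errors.append("sign check: hours must not be negative")
        if hours > MAX_WEEKLY_HOURS:
            # Limit check: values above a predetermined maximum are rejected
            errors.append("limit check: hours exceed %d" % MAX_WEEKLY_HOURS)

    try:
        # Reasonableness check: the date must exist on the calendar (4/31 does not)
        datetime.datetime.strptime(str(rec.get("date", "")), "%m/%d/%Y")
    except ValueError:
        errors.append("reasonableness check: date is not a valid calendar date")

    if rec.get("state") not in VALID_STATES:
        # Validity check: the code must appear on the table of acceptable values
        errors.append("validity check: unknown state abbreviation")
    return errors


def run_edit_program(batch):
    """Edit a batch; return the accepted records and an error log for correction and resubmission."""
    accepted, error_log = [], []
    for rec in batch:
        errs = edit_transaction(rec)
        if errs:
            error_log.append({"record": rec, "errors": errs})
        else:
            accepted.append(rec)
    return accepted, error_log


# Constructed sample batch: one clean record and three that the edit program should reject
SAMPLE_BATCH = [
    {"emp_no": "10234", "name": "A. Rivera", "hours": 40, "date": "04/30/2024", "state": "TX"},
    {"emp_no": "10234", "name": "A. Rivera", "hours": 40, "date": "04/31/2024", "state": "TX"},
    {"emp_no": "1O235", "name": "B. Chen", "hours": -8, "date": "04/30/2024", "state": "TX"},
    {"emp_no": "10235", "name": "B. Chen", "hours": 72, "date": "04/30/2024", "state": "ZZ"},
]

if __name__ == "__main__":
    ok, log = run_edit_program(SAMPLE_BATCH)
    print(len(ok), "accepted;", len(log), "rejected")
    for entry in log:
        print(entry["record"]["emp_no"], entry["errors"])
```

Because every rejection carries the check that fired, the error log can be summarized by error type and by the person who keyed the batch, which is the advantage the automated error log card later on the page describes.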
During the ______ phase of the SDLC is when training would occur
implementation
The greatest financial threat to an organization that implemented the financial accounting module of an ERP system from a major vendor exists from errors detected during
implementation
In the systems development cycle, coding is
part of the detailed design phase
An integrated group of programs that supervises and supports the operations of a computer system as it executes user’s application programs is
an operating system
The data processing cycle (DPC) includes
collection (input), refinement, processing, maintenance, and output
Multiprocessing is
the simultaneous execution of 2 or more tasks usually by using 2 or more processing units that are part of the same system
Multiprogramming is
the appearance of simultaneous execution of 2 programs as a single processing unit switches back and forth between the programs
*it does not allow multiple programs to be executed at exactly the same time
In the business information systems, the term “stakeholder” refers to
anyone in the organization who has a role in creating or using the documents and data stored on the computers or networks
Change control is
the process of modifying application software, including requesting a change, reviewing the effectiveness of the change, approving the change, and implementing the change
Mgmt of company has a lack of segregation of duties within the application environment, with programmers having access to development and production. The programmers have the ability to implement application code changes into production without monitoring or a quality assurance function. This is considered a deficiency in
change control
In a continuous improvement environment, automated monitoring of controls is
optional
*helpful but not necessary
Manual monitoring of controls can also help in a
continuous improvement environment
The strategy a CPA would most likely consider in auditing an entity that processes most of its financial data only in electronic form is
continuous monitoring and analysis of transaction processing with an embedded audit module
An advantage of having a computer maintain an automated error log in conjunction with computer edit programs is that
reports can be developed that summarize the errors by type, cause, and person responsible
Change mgmt control policies
put into place the proper processes and approval channels to make changes to an organization’s systems
At a minimum, change mgmt control policies should include
- formal channels for requesting and approving changes
- preventing unauthorized changes
- ensuring that any changes made do not impair or negatively impact the other system functions
- ensuring that viability of the whole system is not impaired
- requiring appropriate testing of all changes before implementation to production environments occur
Six Sigma, TQM, and other process improvement methodologies all follow the same basic steps which are:
- identify what the issue is
- understand more about the issue
- determine what is causing the issue
- remediate the issue
- implement monitoring and control capabilities
Record count is
a total of the # of input documents to a process or the # of records processed in a run
The procedure managers use to identify whether the company has info that unauthorized individuals want, how they could obtain the info, the value of the info, and the probability of unauthorized access occurring is
Risk Assessment
Disaster recovery plan is
the process, policies, and procedures of restoring operations critical to the resumption of business
A risk of using test library programs in emergency situations is that
the programs may not be further tested before being placed in production permanently
In a large organization, the biggest risk in not having an adequately staffed information center help desk is
persistent errors in user interaction with systems
In traditional IS, computer operators are generally responsible for backing up software and data files on a regular basis. In distributed or cooperative systems, ensuring that adequate backups are taken is the responsibility of
user management
Embedded audit modules enable
continuous monitoring of transaction processing
An edit of individual transactions in a direct access file processing system usually
takes place in an online mode as transactions are entered
General controls are
applied to all applications processed by the computerized system
An example of a general control for a computerized system is
restricting access to the computer center by use of biometric devices
Application controls are
specific to an application and ensure the completeness and accuracy of the records and the validity of the entries made
Application controls consist of 3 types:
- input controls
- processing controls
- output controls
Examples of application controls are
- limiting entry of sales transactions to only valid credit customers
- creating hash totals from SSN for the weekly payroll
- restricting entry of AP transaction to only authorized users
A national retailer required more detailed data to help stock its stores with the right products and to increase its turnover. Such data amounted to several gigabytes per day from each store. A new high-speed company-wide network was needed to transmit and analyze the data. Management recognized the need to prepare the company for changes resulting from the enhanced network services. For this purpose, the appropriate management action would be to
optimize in-house networks to avoid bottlenecks that would limit the benefits offered by the telecommunications provider
To mitigate the risk of system development personnel being tempted to make unauthorized changes to the software or system to meet user needs, mgmt should implement
change mgmt controls
One purpose of an embedded audit module is
to enable continuous monitoring of transaction processing
Some of the more important controls that relate to automated AIS are validity checks, limit checks, field checks, and sign tests. These are classified as
input validation routines
A preventive control is one that is designed to deter and stop problems before they occur. Examples of preventive controls include:
- access control software
- hiring well-qualified personnel and training them well
- segregating EE duties
- controlling physical access to facilities and info
Image processing systems have the potential to reduce the volume of paper circulated throughout an organization. To reduce the likelihood of users relying on the wrong images, mgmt should ensure that appropriate controls exist to maintain the
integrity of index data
The identification of users who have permission to access data elements in a database is found in the
database schema
Schema is
a description of the types of data elements that are in the DB, the relationship among the data elements, and the structure or overall logical model used to organize and describe the data
The ________ computer assisted auditing technique allows fictitious and real transactions to be processed together without client operating personnel being aware of the testing process
integrated test facility
Both _____ and _____ are processing controls designed to ensure the reliability and accuracy of data processing
validity checks and limit tests
______ authorize and record transactions and correct errors
Users
Data control group is
responsible for logging data inputs, processing, and outputs and makes sure that transactions have been authorized
Computer operator is
responsible for maintaining and running daily computer operations
Security mgmt is
responsible for preventing unauthorized physical and logical access to the system
The internal control procedure that would prevent an EE from being paid an inappropriate hourly wage is
limiting access to EE master files to authorized EEs in the personnel dept
When a company authorizes EE access only to data required for accomplishing their jobs, the approach is known as
access on a need-to-know basis
Individual accountability is
individuals with access to data are responsible for the use and security of data obtained via their access privileges
Mgmt-by-exception is
spending mgmt time on exception conditions vs spending time of things operating as normal
To maintain effective segregation of duties within the IT function, an application programmer should have the responsibility of
coding approved changes to a payroll system
Programmers
- use the design developed by the analysts to develop an IS
- write computer programs
Users should have update access for
production data
Application programmers should not have
update or change access for production data or production programs
Examples of good internal control in an IT system include
- design and implementation is performed in accordance with mgmt specific authorization
- provisions exist to ensure the accuracy and integrity of computer processing of all files and reports
- provisions exist to protect data files from unauthorized access, modification, or destruction
In a large firm, custody of an entity’s data is most appropriately maintained by
data librarians
System analysts
design the system
Application programmers
code the specific application programs
Computer operators
ensure data is entered and processed and proper output is produced
Data librarians
control actual data
The functions of a database administrator are
database design, database operation, and database security
An organization’s computer help-desk function is usually a responsibility of the
computer operations unit
Certain utility software may have privileged access to software and data. To compensate for the risk of unauthorized use of privileged software, IS mgmt can
limit the use of privileged software
System analysts
analyze info needs and design systems that meet those needs
The role of the systems analyst in an IT environment is
designing systems, preparing specs for programmers, and serving as an intermediary between users and programmers
Long range plans and the direction of app development and computer ops are performed by
system administrators
The completeness, accuracy, and distribution of input and output is performed by the
data control group
The selection and maintenance of system software, including operating systems, network software, and the DB mgmt system is performed by
database and network managers
In the organization of the IS function, the most important segregation of duties is
assuring that those responsible for programming the system do not have access to data processing operations
Your firm recently converted its purchasing cycle from a manual process to an online computer system. A probable result associated with conversion to the new automated system is
that traditional duties are less segregated
Conversion to an automated data processing system usually
- reduces processing errors
- has little to no effect on risk exposure
- reduces processing time
Systems analysts are the personnel within an organization who are responsible for the development of the company’s IS. The least likely function they are to perform is
developing, coding, and testing computer programs
Systems analysts typically perform the
- design of computer applications
- prep of specs for computer programming
- examining user info requirements
The system librarian maintains segregation of duties by
only accepting properly tested and approved programs into the production library
For sound controls over computer program libraries
only the program librarian should be allowed to make changes to the production library; this appropriately restricts access to the program modules that are running
Programmers should be restricted from
accessing the production library
Programmers should be responsible for update access for
making program changes
Users should be responsible for
testing the changes
If a computer operator had access to both the production library and source code library then
the operator would be in a position to make unauthorized and undetected changes to the computer programs
The IT dept responsibilities of ______ and ______ should be delegated to separate individuals
data entry and application programming
System programmers are normally assigned
operating systems and compilers
Ryan Company has an AIS that operates in a client/server environment. The least likely situation to provide an appropriate security environment is
placing complete systems application controls under one individual
In a client/server environment, useful security procedures include
- use of application passwords
- power-on passwords for personal computers
- installation of anti-virus programs
A systems analyst is least likely to perform the function
develop and code computer programs
A systems analyst would
- analyze the present system
- prepare computer program specs
- design computer apps
The following is an example of proper segregation of duties within the IT function:
a computer operator must request needed files and programs from the data librarian to process transactions
Violation of segregation of duties? A programmer is allowed to make minor changes in the current production version of the program that updates customer accounts
Yes, violation
Violation of segregation of duties? The IS librarian also fills in as a programmer when projects must be completed quickly
Yes, violation
Violation of segregation of duties? Systems analysts also work as computer operators when needed
Yes, violation
A control to incorporate to prevent an EE from making an unauthorized change to computer records unrelated to that EE’s job would be to
apply a compatibility test to transactions or inquiries entered by the user
At a remote computer center, mgmt installed an automated scheduling system to load data files and execute programs at specific times during the day. The best approach for verifying that the scheduling system performs as intended is to
audit job accounting data for file accesses and job initiation/termination messages
A problem related to computer-based IS in organizations is that end-users require technical support and assistance in the development of their own computer apps. The best solution to this problem would be
information center and help desk
The _______ is responsible for making sure that the IS operates efficiently and effectively
Systems administrator
An Information Security officer should not
maintain and update a list of user passwords
Appropriate duties of the Information Security Officer include
- developing an info security policy
- commenting on security controls in new apps
- monitoring and investigating unsuccessful access attempts
The following function should prevent a programmer from altering a program and then using that program in a production run
the IS librarian secures production programs and data
When a business implements an online gift registry system for customers such as those about to be married, the system should have the following restrictions on access:
customers have read privileges and salespeople have update privileges
In a large multinational organization, the network administrator should have the responsibility of
managing remote access
A company planned a major change to its accounting system. The system analyst interviewed users and managers and designed the new system to meet their needs. The analyst then wrote the computer programs to implement the needed modifications. The programs were thoroughly tested by change mgmt based on the criteria of the revised system design. The action that violated segregation of duties was
Systems analyst acted as a programmer
Fact or Fiction? The system librarian accepting a program into the production library after it had been tested by the programmer is a violation of segregation of duties?
Yes, fact
*someone independent should have tested it
Managing the IS function is likely to involve
- a system for charging user dept for computer services
- project development plans
- responsibility accounting principles
The ______ is responsible for ensuring that transactions are processed correctly and that input and output are reconciled
data control group
The data control group makes sure that:
- a log is kept of all inputs, data processing ops, stored data, and system output
- source data have been properly approved
- transactions are processed correctly
- input and output are reconciled
- records of input errors are maintained so they can be corrected and resubmitted
- data-related errors are sent to the users who originated the transaction for correction
- system output is distributed to the intended and proper user
- there is adequate rotation of operator duties
The database control that would be most effective in maintaining a segregation of duties appropriate to the users’ reporting structure within an org is
access security features
An EDP control used to assure that paychecks were written for all EE for a pay period would be the use of
hash totals on EE SSN
Adle Supply Company recently installed an integrated order-entry and invoicing system. The basic inputs to the system consist of one record for each line on the customers’ orders, the inventory master file, and the customer master file. Individual items ordered by the customer may be rejected at the computer entry audit or when the items are validated by comparing them with data in the inventory master file. Complete orders may be rejected when data from the orders are compared with data in the customer master file. All orders that are found to be valid are posted to the inventory and customer files. For data control personnel to account for all inventory items and customer orders processed, the system should include:
run-to-run control totals and error lists
A control procedure that could be used in an online system to provide an immediate check on whether an account number has been entered on a terminal accurately is
self-checking digit
When evaluating internal control of an entity that processes sales transactions on the internet, an auditor would be most concerned about the
potential for computer disruptions in recording sales
Compared to batch processing, real-time processing has the advantage of
timeliness of info
An input clerk enters an EE number and the computer responds with the message “EE # is not assigned to an active EE. Please reenter.” The technique being used is
existence check
Range checking
reduces the risk of reprocessing ledger transactions of an earlier month by checking a number in a transaction (such as a date) to determine whether that number falls within a specified range
In reviewing data in excel a brand manager suspected that several days of POS data from one grocery chain was missing. The best approach for detecting missing rows in the data would be to
compare product id codes by store for consecutive periods
An update program for bank account balances calculates check digits for account numbers. This is an example of
an input control
An online database mgmt system for sales and receivables was recently expanded to include credit approval transactions. An evaluation of controls was not performed prior to implementation. To prevent unauthorized access to specific data elements, the database mgmt system should contain
password specs for each data file or element
Preventative controls generally are _____ important than detective controls in EDI systems
more
COBIT stands for
Control Objs for Information and Related Technology
COBIT applies to
information technology
Edit checks in a computerized accounting system
should be performed on transactions prior to updating a master file
Using standard procedures developed by information center personnel, staff members download specific subsets of financial and operating data as they need it. The staff members analyze the data on their own personal computers (PCs) and share results with each other. Over time, the staff members learn to modify the standard procedures to get subsets of financial and operating data that were not accessible through the original procedures. The greatest risk associated with this situation is that:
the data obtained might be incomplete or lack currency
A customer order was never filled due to transposition error. The _______ control would most likely have detected the transposition
validity check
The linked list form of file organization is characterized by
pointer field
Examine ________ to determine if an IS is operating according to prescribed procedures
system control
Online access controls are critical for the successful operation of today's computer systems. To assist in maintaining control over such access, many systems use tests that are maintained through an access control matrix which consists of:
authorized user code #, passwords, lists of all files and programs, and a record of the type of access each user is entitled to have for each file and program
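The access control matrix card above, together with the earlier cards on the compatibility test, need-to-know access, activity logging, the gift registry (customers read, salespeople update), programmers having no update access to production, and the security officer monitoring unsuccessful access attempts, all describe one mechanism. The following Python is an added example (not code from the flashcards) of that mechanism: a matrix of user, resource and permitted access types, a separate table of transaction types each user may initiate, and an activity log that records every attempt so failed ones can be reported. The users, file names, transaction names and rights are constructed for the example.

```python
"""Access control matrix with a compatibility test and an activity log of access attempts."""
import datetime

# Constructed access control matrix: user -> {resource: set of permitted access types}.
# Names and rights are hypothetical, chosen to mirror the page's segregation-of-duties cards.
ACCESS_MATRIX = {
    "apclerk1":    {"AP_TRANSACTIONS": {"read", "update"}, "VENDOR_MASTER": {"read"}},
    "hrstaff2":    {"EMPLOYEE_MASTER": {"read", "update"}, "PAYROLL_RUN": {"read"}},
    "customer9":   {"GIFT_REGISTRY": {"read"}},
    "salesrep4":   {"GIFT_REGISTRY": {"read", "update"}},
    "programmer7": {"TEST_LIBRARY": {"read", "update"}},   # nothing in production
}

# Transaction types each user is authorized to initiate (the compatibility test)
TRANSACTION_RIGHTS = {
    "apclerk1": {"ENTER_INVOICE", "INQUIRE_VENDOR"},
    "hrstaff2": {"CHANGE_PAY_RATE"},
    "salesrep4": {"ADD_REGISTRY_ITEM"},
    "customer9": {"VIEW_REGISTRY"},
    "programmer7": set(),
}

ACTIVITY_LOG = []   # every attempt, successful or not, for individual accountability


def _log(user, action, target, allowed):
    ACTIVITY_LOG.append({
        "when": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "user": user, "action": action, "target": target, "allowed": allowed,
    })


def check_access(user, resource, access_type):
    """Need-to-know check: may this user perform this type of access on this file or data element?
    Unknown users and unknown resources are denied by default."""
    allowed = access_type in ACCESS_MATRIX.get(user, {}).get(resource, set())
    _log(user, access_type, resource, allowed)
    return allowed


def compatibility_test(user, transaction_type):
    """Is the user authorized to initiate this kind of transaction or inquiry at all?"""
    allowed = transaction_type in TRANSACTION_RIGHTS.get(user, set())
    _log(user, "INITIATE:" + transaction_type, "-", allowed)
    return allowed


def failed_attempts(log, user=None):
    """Security officer's report: unsuccessful attempts, optionally narrowed to one user."""
    return [e for e in log if not e["allowed"] and (user is None or e["user"] == user)]


if __name__ == "__main__":
    print(check_access("customer9", "GIFT_REGISTRY", "read"))       # True
    print(check_access("customer9", "GIFT_REGISTRY", "update"))     # False: customers only read
    print(check_access("programmer7", "AP_TRANSACTIONS", "update")) # False: no production access
    print(compatibility_test("apclerk1", "CHANGE_PAY_RATE"))        # False: wrong transaction type
    for e in failed_attempts(ACTIVITY_LOG):
        print(e["user"], e["action"], e["target"])
```

The two tables are deliberately separate: the matrix answers "which data" and the transaction table answers "which kinds of transaction", so an AP clerk can be allowed to update AP transactions yet still be blocked from initiating a pay-rate change, which is the compatibility test the page describes.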
The situation that would most likely provide the best way to secure data integrity for a personal computer environment is
all computers linked to a LAN
An organization relied heavily on e-commerce for its transactions. Evidence of the organization’s security awareness manual would be an example of
preventive controls
The input control to prevent an incorrect state abbreviation from being accepted as legitimate data is
validity check
A digital signature is used primarily to determine that a message is
unaltered in transmission
A validation check used to determine if a quantity ordered field contains only numbers is an example of
an input control
In order to assure the accuracy of computerized output, it is necessary to have controls related to
input, processing/storage, and output
EDP accounting control procedures are referred to as general controls or application controls. The primary objective of application controls in a computer environment is to
maintain the accuracy of the input, files, and outputs for specific applications
A company’s labor distribution report requires extensive corrections each month because of labor hours charged to inactive jobs. The data processing input control that appears to be missing is
a validity test
To ensure the completeness of update in an online system, separate totals are accumulated for all transactions processed throughout the day. The computer then agrees these totals to the total of items accepted for processing. This is an example of
run-to-run controls
The most important control objective in the audit of an online order entry system that maintains information critical to mgmt decisions is
data integrity
The EDP control used to assure that hours an individual worked in one week do not exceed a designated maximum is
a limit check
EE numbers consist of numeric characters only. To prevent the input of alphabetic characters, the technique to use is
a field check
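The edit-program cards above (edit checks before the master-file update, the validity check on a state abbreviation, the numeric check on quantity ordered, the validity test on job numbers, the limit check on weekly hours, the field check on employee numbers, and user review of rejected transactions) all describe one routine: an edit program that runs every input transaction through a rule table and splits the batch into accepted and rejected items. The following is an added example, not code from the page; the master data (active jobs, state codes, the 60-hour maximum) and the sample transactions are constructed for the illustration.

```python
import re

# Constructed master data for the validity checks (assumed, not from the page).
ACTIVE_JOBS = {"J100", "J101", "J102"}
VALID_STATES = {"AL", "AK", "AZ", "CA", "CO", "NY", "TX", "WA"}  # subset for the example
MAX_WEEKLY_HOURS = 60  # designated maximum for the limit check

def field_check(pattern):
    """Field check: the value must have the expected character class and length."""
    rx = re.compile(pattern)
    return lambda v: isinstance(v, str) and rx.fullmatch(v) is not None

def limit_check(low, high):
    """Limit check: the value must not be higher or lower than the predetermined bounds."""
    return lambda v: isinstance(v, (int, float)) and low <= v <= high

def validity_check(master):
    """Validity check: the value must exist in the authorised master set."""
    return lambda v: v in master

# One rule table per transaction type: (field, name of the check, predicate).
EDIT_RULES = {
    "labor": [
        ("employee_no", "field check", field_check(r"\d{6}")),
        ("hours", "limit check", limit_check(0, MAX_WEEKLY_HOURS)),
        ("job_no", "validity check", validity_check(ACTIVE_JOBS)),
    ],
    "order": [
        ("customer_no", "field check", field_check(r"\d{6}")),
        ("state", "validity check", validity_check(VALID_STATES)),
        ("quantity", "field check", lambda v: isinstance(v, int) and v > 0),
    ],
}

def edit_transaction(txn):
    """Return the list of failed edits; an empty list means the transaction passes."""
    failures = []
    for field, name, check in EDIT_RULES[txn["type"]]:
        if not check(txn.get(field)):
            failures.append(f"{field}: {name} failed (value={txn.get(field)!r})")
    return failures

def edit_batch(txns):
    """Run the edit program before any master-file update. Accepted transactions
    go on to the update run; rejected ones go to the exception report for user review."""
    accepted, rejected = [], []
    for txn in txns:
        failures = edit_transaction(txn)
        if failures:
            rejected.append({"txn": txn, "errors": failures})
        else:
            accepted.append(txn)
    return accepted, rejected

# Constructed sample input (not from the page).
SAMPLE = [
    {"type": "labor", "employee_no": "104233", "hours": 40, "job_no": "J101"},
    {"type": "labor", "employee_no": "10A233", "hours": 40, "job_no": "J101"},  # alpha in EE number
    {"type": "labor", "employee_no": "104234", "hours": 72, "job_no": "J999"},  # over limit, inactive job
    {"type": "order", "customer_no": "500017", "state": "TX", "quantity": 12},
    {"type": "order", "customer_no": "500018", "state": "TZ", "quantity": 12},  # bad state code
]

if __name__ == "__main__":
    ok, bad = edit_batch(SAMPLE)
    print(f"accepted {len(ok)}, rejected {len(bad)}")  # accepted 2, rejected 3
    for item in bad:
        print(item["errors"])
```

The rejected list is the exception report the last card refers to: a transaction that fails an edit never reaches the master file, and the report of rejections is what a user reviews to confirm that nothing valid was silently dropped.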
Erroneous mgmt decisions might be the result of incomplete information. The best control to detect a failure to process all valid transactions is
user review of selected output and transactions rejected by edit checks
To avoid invalid data input, a bank added an extra number at the end of each account number and subjected the new number to an algorithm. This technique is known as
a check digit
An example of how specific internal controls in a database environment may differ from controls in a nondatabase environment is
controls should exist to ensure that users have access to and can update only the data elements that they have been authorized to access
Data input validation routines include
hash totals
To ensure the completeness of a file update, the user department retains copies of all unnumbered documents submitted for processing and checks these off individually against a report of transactions processed. This is an example of the use of
one-for-one checking
In an automated payroll processing environment, a department manager substituted the time card for a terminated EE with a time card for a fictitious EE. The fictitious EE had the same pay rate and hours worked as the terminated EE. The best control technique to detect this action using EE id number would be
hash total
A retail entity uses EDI in executing and recording most of its purchase transactions. The entity’s auditor recognizes that the documentation of the transactions will be retained for only a short period of time. To compensate for this limitation, the auditor most likely would
perform tests several times during the year, rather than only at year end
In order to prevent, detect, and correct errors and unauthorized tampering, a payroll system should have adequate controls. The best set of controls for a payroll system includes
batch and hash total, record counts of each run, proper separation of duties, passwords and user codes, and backup of activity and master files
A new AR clerk, working for a wholesaler, noticed that a customer had apparently changed addresses. The clerk had accessed the customer’s computer file and revised all addresses. One week later the customer complained that goods were being sent to the wrong address. The primary control to prevent this occurrence is
database security
An access control matrix consists of
- a list of all authorized user code numbers and passwords
- a list of all files and programs maintained on the system
- a record of the type of access to which each user is entitled
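The two access-control-matrix cards above (the one on online access controls and the list just given) describe the same three-part structure: authorized user codes with passwords, the files and programs on the system, and the type of access each user holds for each. The following is an added example, not code from the page, showing how a system applies such a matrix on every request; the user codes, resource names and passwords are constructed, and the activity log is included because the matrix is what makes a user accountable for the functions performed.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed sample data (not from the page); a real system keeps this in a
# protected table. Passwords are stored salted and hashed, never in clear text.
def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)

# Rows: authorized user code numbers and their (hashed) passwords.
USERS = {
    "U1001": _hash_password("correct horse", _SALT),
    "U1002": _hash_password("battery staple", _SALT),
}

# Columns: every file and program maintained on the system.
RESOURCES = {"AR_MASTER", "PAYROLL_MASTER", "POST_CASH_RECEIPTS"}

# Cells: the type of access each user is entitled to for each resource.
# A missing cell means no access (deny by default).
MATRIX = {
    ("U1001", "AR_MASTER"): {"read", "update"},
    ("U1001", "POST_CASH_RECEIPTS"): {"execute"},
    ("U1002", "AR_MASTER"): {"read"},
    ("U1002", "PAYROLL_MASTER"): {"read", "update"},
}

# Activity log so that every access decision can be traced to a user.
ACTIVITY_LOG = []

def authorize(user_code, password, resource, access):
    """Apply the matrix: authenticate the user, confirm the resource exists,
    then look up the cell. Returns True only when all three succeed."""
    stored = USERS.get(user_code, b"")
    # compare_digest returns False (without raising) when lengths differ,
    # so an unknown user code and a wrong password take the same path.
    if not hmac.compare_digest(stored, _hash_password(password, _SALT)):
        decision, reason = False, "authentication failed"
    elif resource not in RESOURCES:
        decision, reason = False, "unknown file or program"
    else:
        decision = access in MATRIX.get((user_code, resource), set())
        reason = "entitled" if decision else "not entitled"
    ACTIVITY_LOG.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "user": user_code, "resource": resource, "access": access,
        "granted": decision, "reason": reason,
    })
    return decision

if __name__ == "__main__":
    print(authorize("U1001", "correct horse", "AR_MASTER", "update"))   # True
    print(authorize("U1002", "battery staple", "AR_MASTER", "update"))  # False
    print(authorize("U1002", "wrong password", "AR_MASTER", "read"))    # False
    for entry in ACTIVITY_LOG:
        print(entry)
```

Two design points matter for the exam-style wording: the matrix is consulted per file or program and per access type (read, update, execute), not per user alone, and a cell that is absent denies rather than defaults to read.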
The most effective computerized control procedure to ensure data uploaded from a PC to a mainframe are complete and that no additional data are added is
batch control totals, including control totals and hash totals
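The cards on run-to-run controls, hash totals as an input validation routine, the fictitious-employee time card, and the PC-to-mainframe upload all rest on the same mechanism: totals computed at the source are recomputed by the receiving program and agreed. The following is an added example, not code from the page; the time-card batch is constructed. It shows why a hash total over the employee number is the control that catches the substitution described above: the substituted card keeps the record count and the hours total unchanged, so only the hash total moves.

```python
# Constructed sample batch of weekly time cards as (employee_no, hours); not from the page.
SUBMITTED = [("104233", 40), ("104234", 38), ("104235", 45), ("104236", 40)]

def control_totals(cards):
    """Batch control totals: a record count, a financial control total (hours) and
    a hash total over a field with no arithmetic meaning (the employee number)."""
    return {
        "record_count": len(cards),
        "hours_total": sum(hours for _, hours in cards),
        "employee_hash": sum(int(employee_no) for employee_no, _ in cards),
    }

def reconcile(expected, actual):
    """Agree the totals computed at the source with those recomputed by the next run.
    Returns the totals that disagree as {name: (expected, actual)}; empty means agreed."""
    return {k: (expected[k], actual[k]) for k in expected if expected[k] != actual[k]}

if __name__ == "__main__":
    source_totals = control_totals(SUBMITTED)

    # Case 1: a manager swaps the terminated employee's card (104234, 38 h) for a
    # fictitious employee (104299) with the same hours. Count and hours still agree.
    substituted = [("104233", 40), ("104299", 38), ("104235", 45), ("104236", 40)]
    print("substitution:", reconcile(source_totals, control_totals(substituted)))

    # Case 2: a record is lost during upload. Every total disagrees.
    dropped = SUBMITTED[:3]
    print("dropped record:", reconcile(source_totals, control_totals(dropped)))

    # Case 3: run-to-run. Totals accumulated during the day are agreed to the
    # totals of the items the next run actually accepted.
    accepted_by_update_run = list(SUBMITTED)
    print("run-to-run:", reconcile(source_totals, control_totals(accepted_by_update_run)))
```

The hash total is meaningless as a number (a sum of employee IDs), which is exactly the point: it changes whenever an ID is replaced, added or dropped, independent of whether the financial fields still balance.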
Program documentation is a control designed primarily to ensure that
programs are kept up to date and perform as intended
A control activity to take to reduce the risk of incorrect processing in a newly installed computerized accounting system is to
independently verify the transactions
A bank wants to reject erroneous checking account numbers to avoid invalid input. The auditors recommended adding another number at the end of the account numbers. The computer would subject the other numbers to an algorithm and compare it to the extra number. This technique recommended by the auditors is
check digit
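Both check-digit cards (the one on adding an extra number subjected to an algorithm, and this one on rejecting erroneous checking account numbers) describe the same routine: derive one extra digit from the account number when it is issued, and recompute it on every input. The following is an added example, not code from the page, using a weighted modulus-11 scheme; the weights and the sample account numbers are assumptions. It goes slightly beyond the cards in showing the two error classes such a digit catches, a single mis-keyed digit and an adjacent transposition, and the edge case where a base number cannot be assigned a single-digit check.

```python
def mod11_check_digit(base):
    """Weighted modulus-11 check digit: weights 2, 3, 4, ... applied from the
    rightmost digit of the base number. Returns None when the check value would
    be 10, which is not a single digit; such base numbers are simply not issued."""
    if not base.isdigit():
        raise ValueError("base account number must be numeric")
    total = sum(int(d) * w for d, w in zip(reversed(base), range(2, len(base) + 2)))
    check = (11 - total % 11) % 11
    return None if check == 10 else str(check)

def issue_account(base):
    """Append the check digit to a base number (None if the base is unusable)."""
    digit = mod11_check_digit(base)
    return None if digit is None else base + digit

def is_valid_account(number):
    """Recompute on input: with the check digit weighted 1 and the rest 2, 3, ...,
    the weighted sum of a correct number is 0 modulo 11."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = sum(int(d) * w for d, w in zip(reversed(number), range(1, len(number) + 1)))
    return total % 11 == 0

if __name__ == "__main__":
    account = issue_account("12345")          # constructed base number
    print(account, is_valid_account(account))             # 123455 True
    print("213455", is_valid_account("213455"))            # adjacent transposition -> False
    print("123456", is_valid_account("123456"))            # single wrong digit -> False
    print("base 6 ->", mod11_check_digit("6"))             # None: check would be 10
```

Because adjacent weights differ by exactly 1 and 11 is prime, swapping two neighbouring digits a and b changes the weighted sum by (a - b), which is never a multiple of 11, so every adjacent transposition is rejected; a plain modulus-10 sum without weights would not catch any of them.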