IT Flashcards
Which of the following represents a lack of internal control in a computer-based system?
A. The design and implementation is performed in accordance with management’s specific authorization.
B. Provisions exist to ensure the accuracy and integrity of computer processing of all files and reports.
C. Provisions exist to protect data files from unauthorized access, modification, or destruction.
D. Programmers have access to change programs and data files when an error is detected.
D. Programmers have access to change programs and data files when an error is detected.
A situation in which programmers have access to change programs and data files when an error is detected is an example of inadequate separation of duties, which constitutes a lack of internal control. Computer programmers should write programs designed by analysts and should work in a development environment that is separate from the production system.
Which of the following is responsible for authorizing and recording transactions and for correcting errors?
A. Data control group
B. Computer operators
C. Security management
D. Users
D. Users
Users authorize and record transactions, use system output, and are responsible for correcting errors.
The data control group logs data inputs, processing, and outputs, and makes sure that transactions have been authorized. They do not authorize or record transactions themselves.
Computer operators maintain and run daily computer operations.
Security management is responsible for preventing unauthorized physical and logical access to the system.
The batch processing of business transactions can be the appropriate mode when:
A. unique hardware features are available.
B. timeliness is a major issue.
C. a single handling of the data is desired.
D. economy of scale can be gained because of high volumes of transactions.
D. economy of scale can be gained because of high volumes of transactions.
Batch processing means that “transactions are accumulated for some period of time.” Its use depends on the requirements of the users. When a high volume of transactions exists, economies of scale can be gained by utilizing batch processing since many transactions are processed in the same run.
Which of the following structures refers to the collection of data for all vendors in a relational data base?
A. Record
B. Field
C. File
D. Byte
C. File
A byte is a part of a field. A field is a part of a record. A record is a set of logically related data items that describes specific attributes of an entity, such as all payroll data relating to a single employee. Multiple records make up a file, so a collection of data from all vendors would be a file.
To obtain evidence that online access controls are properly functioning, an auditor most likely would:
A. create checkpoints at periodic intervals after live data processing to test for unauthorized use of the system.
B. examine the transaction log to discover whether any transactions were lost or entered twice due to a system malfunction.
C. enter invalid identification numbers or passwords to ascertain whether the system rejects them.
D. vouch a random sample of processed transactions to assure proper authorization.
C. enter invalid identification numbers or passwords to ascertain whether the system rejects them.
Evidence that online access controls are properly functioning can be obtained by entering a series of identification numbers and passwords, some correct and some incorrect, and determining that the system allows access to the correct data but rejects the rest.
“Create checkpoints at periodic intervals after live data processing to test for unauthorized use of the system” is incorrect because a checkpoint is a place in a computer program where its status can be recorded or its information saved (dumped) and later execution can be resumed from that point rather than from the beginning of the program. It would not detect unauthorized access to the system.
“Examine the transaction log to discover whether any transactions were lost or entered twice due to a system malfunction” is incorrect because a transaction log is a detailed record of every transaction entered in a system through data entry. It would not disclose unauthorized access to the system.
“Vouch a random sample of processed transactions to assure proper authorization” is incorrect because vouching source documents for processed transactions would not indicate whether the system allows access to unauthorized users.
Which of the following control activities should be taken to reduce the risk of incorrect processing in a newly installed computerized accounting system?
A. Segregation of duties
B. Ensure proper authorization of transactions
C. Adequately safeguard assets
D. Independently verify the transactions
D. Independently verify the transactions
Key verification is having another employee independently re-enter transactions, then programming the software to compare the inputs, looking for errors. Check digit verification uses an extra character in numbers such as account numbers and part numbers. The software recomputes the extra character and flags incorrect numbers. Either type of verification will reduce the risk of incorrect processing.
The other answer choices are incorrect because they are general controls that regulate the computer activity rather than the application processing. Segregation of duties, proper authorization of transactions, and safeguarding assets will not prevent errors in processing by the software.
A control procedure that could be used in an online system to provide an immediate check on whether an account number has been entered on a terminal accurately is a:
A. compatibility test.
B. hash total.
C. record count.
D. self-checking digit.
D. self-checking digit.
A self-checking digit is generated when the data element is inputted. A prescribed arithmetic operation is automatically done and stored on this element. This same operation is then performed later on, which would “ensure that the number has not been recorded incorrectly.”
A compatibility test validates the data within the field.
A hash total is the total of a non-quantitative field such as account number to be sure all records are processed.
A record count summarizes the number of records processed.
Which of the following best defines electronic data interchange (EDI) transactions?
A. Electronic business information is exchanged between two or more businesses.
B. Customers’ funds-related transactions are electronically transmitted and processed.
C. Entered sales data are electronically transmitted via a centralized network to a central processor.
D. Products sold on central web servers can be accessed by users at any time.
A. Electronic business information is exchanged between two or more businesses.
Electronic data interchange (EDI) is defined as the use of computerized communication to exchange data electronically in order to process transactions between and within computers and computer networks of various organizations.
A value-added network (VAN) is a privately owned network that performs which of the following functions?
A. Routes data transactions between trading partners
B. Routes data within a company’s multiple networks
C. Provides additional accuracy for data transmissions
D. Provides services to send marketing data to customers
A. Routes data transactions between trading partners
A value-added network (VAN) provides specialized hardware, software, and long-distance communications to private networks so that they can exchange data. A VAN adds value to the basic data communications process by handling the difficult task of interfacing with multiple types of hardware and software used by different parties.
A distributed processing environment would be most beneficial in which of the following situations?
A. Large volumes of data are generated at many locations and fast access is required.
B. Large volumes of data are generated centrally and fast access is not required.
C. Small volumes of data are generated at many locations, fast access is required, and summaries of the data are needed promptly at a central site.
D. Small volumes of data are generated centrally, fast access is required, and summaries are needed monthly at many locations.
A. Large volumes of data are generated at many locations and fast access is required.
A distributed/decentralized processing environment works best when significant volumes of data are generated at many remote locations and the user requires near-immediate access to the data. This type of processing environment will allow for quick access to the data as opposed to having that information generated at many locations and processed at a centralized location.
Company A has numerous personal computers (PCs) with full processing capabilities linked into an integrated local area network with a file server which in turn is fully connected to the central mainframe computer. Data entry, comprehensive processing, and inquiry routines are possible at all nodes in the network.
A control feature designed to negate the use of utility programs to read files which contain all authorized access user codes for the network is:
A. internally encrypted passwords.
B. a password hierarchy.
C. log-on passwords.
D. a peer-to-peer network.
A. internally encrypted passwords.
Internally encrypted passwords are a form of access control designed to prevent unauthorized access by use of a utility program to identify passwords.
Password hierarchy is a system of passwords designed in such a manner as to allow differing degrees of access to file manipulation activities.
Log-on passwords are the familiar passwords commonly used to gain initial access to a system or network.
A peer-to-peer network has all processing done at the same level (by PCs in this case) with no dedicated file server or mainframe.
Franklin, Inc., is a medium-size manufacturer of toys that makes 25% of its sales to Mega Company, a major national discount retailing firm. Mega will be requiring Franklin and other suppliers to use electronic data interchange (EDI) for inventory replenishment and trade payment transactions as opposed to the paper-based systems previously used. Franklin would consider all of the following to be advantages for using EDI in its dealings with Mega, except:
A. access to Mega’s inventory balances of Franklin’s products.
B. savings in the Accounts Receivable Department.
C. better status tracking of deliveries and payments.
D. compatibility with Franklin’s other procedures and systems.
D. compatibility with Franklin’s other procedures and systems.
Supplier/purchaser relationships where one firm requires another firm to use electronic data interchange (EDI) and trade payment transactions typically create benefits for the supplying firm, including access to inventory balances of their products at the purchaser, savings in Accounts Receivable, better tracking of deliveries and payments, and reduction in payment float. A result of such a required implementation of an outside system, however, may not be considered an advantage when there are compatibility issues with the supplier’s existing procedures and systems.
Which of the following activities would most likely detect computer-related fraud?
A. Using data encryption
B. Performing validity checks
C. Conducting fraud-awareness training
D. Reviewing the systems-access log
D. Reviewing the systems-access log
The question asks about fraud detection, not fraud prevention. Data encryption and fraud-awareness training are preventive measures. Validity checks ensure that data entry input is correct (for instance, that a general ledger account exists for each journal entry account number). Validity checks, while an important internal control over financial reporting, are not a method to detect fraud. Of all the answers, reviewing the systems-access log is the best choice. It would help discover if unauthorized access to the system has been allowed.
It is important to maintain proper segregation of duties in a computer environment. Which of the following access setups is appropriate?
A. Users have update access for production data
B. Users have update access for production data and application programmers have update access for production programs
C. Application programmers have update access for production data and users have update access for production programs
D. Users have update access for production data and application programmers have update access for both production data and programs
A. Users have update access for production data
Users need to update data through applications programs.
Application programmers should not be able to change production programs. They should submit changes to the change control unit.
Application programmers should never have update access to production data. Users have no need to change production programs.
An online data entry technique that can be employed when inexperienced personnel input data is the use of:
A. prompting.
B. written job descriptions.
C. compatibility tests.
D. checkpoints.
A. prompting.
Some software assists users in data entry by prompting (the use of questions and predetermined input formats). Prompting is very helpful in avoiding input errors by inexperienced personnel.
A company has an online order processing system. The company is in the process of determining the dollar amount of loss from user error. The company estimates the probability of occurrence of user error to be 90%, with evenly distributed losses ranging from $1,000 to $30,000. What is the expected annual loss from user error?
A. $13,050
B. $13,500
C. $13,950
D. $14,400
C. $13,950
Errors are evenly distributed between $1,000 and $30,000. The average of this range is ($30,000 + $1,000) ÷ 2, or $15,500. The probability of error is 90%, so the expected value of the annual loss is 90% × $15,500, or $13,950.
Which of the following represents an additional cost of transmitting business transactions by means of electronic data interchange (EDI) rather than in a traditional paper environment?
A. Redundant data checks are needed to verify that individual EDI transactions are not recorded twice.
B. Internal audit work is needed because the potential for random data entry errors is increased.
C. Translation software is needed to convert transactions from the entity’s internal format to a standard EDI format.
D. More supervisory personnel are needed because the amount of data entry is greater in an EDI system.
C. Translation software is needed to convert transactions from the entity’s internal format to a standard EDI format.
Electronic data interchange is used to electronically transfer information between and within organization computers. However, it comes at a cost. The service is standardized, so translation is needed to convert data from the usual format to that acceptable to the EDI system.
“Redundant data checks are needed to verify that individual EDI transactions are not recorded twice” is incorrect because checks on the accuracy of the data are included in the EDI system, not added on.
“Internal audit work is needed because the potential for random data entry errors is increased” is incorrect because the potential for data entry errors is reduced by the EDI system.
“More supervisory personnel are needed because the amount of data entry is greater in an EDI system” is incorrect because the EDI does not change the data entry, only the further processing after data entry. These incorrect answer choices all refer to data entry rather than data transmission.
Which of the following statements is correct concerning the security of messages in an electronic data interchange (EDI) system?
A. Removable drives that can be locked up at night provide adequate security when the confidentiality of data is the primary risk.
B. Message authentication in EDI systems performs the same function as segregation of duties in other information systems.
C. Encryption performed by a physically secure hardware device is more secure than encryption performed by software.
D. Security at the transaction phase in EDI systems is not necessary because problems at that level will be identified by the service provider.
C. Encryption performed by a physically secure hardware device is more secure than encryption performed by software.
Electronic data interchange, or EDI, is the use of computerized communication to exchange business data electronically in order to process transactions. Encryption is transforming data into unreadable gibberish to be sent electronically. This data is then decrypted and read at its destination.
When data is transferred electronically, security is an issue. Software applications that encrypt data are more vulnerable to security risks than a hardware device performing the same function.
Removable drives will not prevent unauthorized access to electronic data, since the data could be intercepted en route. Message authentication, or being able to determine who sent a message, is not a substitute for segregation of duties. Instead, authentication assists with allowing only authorized messages access to the information system. Most EDI systems now do not have a third-party provider transmitting electronic data, due to the advent of the Internet.
In order to prevent, detect, and correct errors and unauthorized tampering, a payroll system should have adequate controls. The best set of controls for a payroll system includes:
A. batch and hash total, record counts of each run, proper separation of duties, passwords and user codes, and backup copies of activity and master files.
B. employee supervision, batch totals, record counts of each run, and payments by check.
C. passwords and user codes, batch totals, employee supervision, and record counts of each run.
D. sign test, limit tests, passwords, and user codes, online edit checks, and payments by check.
A. batch and hash total, record counts of each run, proper separation of duties, passwords and user codes, and backup copies of activity and master files.
The quality of a set of controls is best gauged by their ability to prevent unwanted actions from occurring or to cause desired actions to occur. The question offers several collections of various controls but the best set of controls includes input controls (batch and hash totals, record counts of each run), preventive controls (proper separation of duties, passwords and user codes), and recovery methods (backup copies of activity and master files).
Management reporting systems:
A. rely on internally generated data.
B. rely on both internally generated and externally generated data.
C. rely on externally generated data.
D. gather operating data but do not capture financial data.
B. rely on both internally generated and externally generated data.
Management reporting systems rely on a mix of internal and external data. They also combine financial and operational data so that managers have flexibility in determining the information that they will use for decision making.
Which of the following best depicts the path of data as it moves through an information system?
A. Program flow-charts
B. System flow-charts
C. Decision table
D. HIPO chart
B. System flow-charts
A system flowchart provides the overall view of the inputs, processes, and outputs of an information system. The flowchart is designed to portray the path of data as it moves through an information system.
Which of the following is a primary function of a database management system?
A. Report customization
B. Capability to create and modify the database
C. Financial transactions input
D. Database access authorizations
B. Capability to create and modify the database
A database management system (DBMS) is a specialized computer program that manages and controls data and the interface between data and the application programs. Such a system is designed to make it easier to develop new applications and allows users to change the way they view data without changing how the data are stored physically.
The other answer choices (report customization, financial transactions input, and database access authorizations) are all performed by the system user rather than the DBMS.
A disk storage unit is preferred over a magnetic tape drive because the disk storage unit:
A. has nine tracks.
B. offers sequential access to data files.
C. offers random access to data files.
D. is a cheaper medium for data storage.
C. offers random access to data files.
Access to data takes less time with disk storage than with magnetic tape storage.
Consider how data is stored on magnetic tape. Blocks of data files are arranged linearly along the entire length of the tape. In order to move from a read location at or near the beginning of the tape to a read location near the end of the tape, it is necessary to travel over all tape between the two read locations.
On the other hand, if disk storage is used, it is possible to jump directly from one read location to another. This is possible because disk storage offers random access to data files.
Compared to online, real-time processing, batch processing has which of the following disadvantages?
A. A greater level of control is necessary.
B. Additional computing resources are required.
C. Additional personnel are required.
D. Stored data are current only after the update process.
Batch processing is updating master files periodically to reflect all transactions that occurred during a given time period. The only time the master file is current with batch processing is immediately after an update occurs. When using online, real-time processing, the computer captures data electronically, edits it for accuracy and completeness, and then updates the master file as each transaction occurs.
Which of the following audit tests should be performed by an internal auditor who is reviewing controls over user authentication procedures?
A. Verify password masking at data terminals.
B. Review how proper separation of duties is established using access control software.
C. Review procedures concerning revocation of inactive users.
D. Review password procedures.
A. Verify password masking at data terminals.
User authentication basically seeks to determine if the person seeking access is who they say they are. Password masking is a part of this process. Password masking is the technique of either hiding the password as it is typed or displaying other characters so that observers cannot see what characters the user is actually entering.
Separation of duties relates to access to certain application areas.
Reviewing procedures concerning revocation is an identification issue designed to deny access to inactive users.
Encryption protection is least likely to be used in which of the following situations?
A. When transactions are transmitted over local area networks
B. When wire transfers are made between banks
C. When confidential data are sent by satellite transmission
D. When financial data are sent over dedicated, leased lines
A. When transactions are transmitted over local area networks
Encryption protection is least likely to be used when transactions are transmitted over local area networks. Such protection makes it difficult for intercepted transmissions to be understood or modified. Encoding is important when confidential data are transmitted between geographically separated locations that can be electronically monitored. Although LANs may need encryption protection, the type of data and the described communication media make the other options appear more vulnerable.
Encryption is often used when wire transfers are made between banks, confidential data are sent by satellite transmission, and financial data are sent over dedicated leased lines.
Risk assessments, recovery plans for data systems, and implementation of safeguards are all components of:
A. a control flowchart.
B. a database.
C. a disaster recovery plan.
D. an insurance claim form.
C. a disaster recovery plan.
A disaster recovery plan should include a risk assessment, recommendation (and implementation) of safeguards, and recovery plans.
Which of the following tasks is least likely to be undertaken in the implementation phase of an accounting software application?
A. Obtain and install hardware.
B. Enter and verify test data.
C. Identify inputs and outputs.
D. Document user procedures.
C. Identify inputs and outputs.
The implementation phase of an accounting software application would include obtaining and installing hardware, documenting user procedures, training users, and entering and verifying test data.
Identifying inputs and outputs would occur in the systems design and development phase, preceding implementation.
Data access security related to applications may be enforced through all the following, except:
A. user identification and authentication functions incorporated in the application.
B. utility software functions.
C. user identification and authentication functions in access control software.
D. security functions provided by a database management system.
B. utility software functions.
Data access security related to applications cannot be enforced through utility software functions. Utility programs are one of the more serious “holes” in data access security since some of them can actually bypass normal access controls.
Data access security related to applications may be enforced through user identification and authentication functions incorporated in the application. Although there is a migration of control of this type away from applications to other software, most of these controls still reside in application software.
Data access security related to applications may be enforced through user identification and authentication functions in access control software. Access control software has as one of its primary objectives improving data access security for all data on the system.
Data access security related to applications may be enforced through security functions provided by a database management system. In fact, most database management systems provide for improved data access security while they are running.
Adle Supply Company recently installed an integrated order-entry and invoicing system. The basic inputs to the system consist of one record for each line on the customers’ orders, the inventory master file, and the customer master file. Individual items ordered by the customer may be rejected at the computer entry audit or when the items are validated by comparing them with data in the inventory master file. Complete orders may be rejected when data from the orders are compared with data in the customer master file. All orders that are found to be valid are posted to the inventory and customer files. For data control personnel to account for all inventory items and customer orders processed, the system should include:
A. echo checks.
B. run-to-run control totals and error lists.
C. manual processing of invalid transactions.
D. printing the status of the master records before and after processing the applications.
B. run-to-run control totals and error lists.
Use of control totals ensures that all transactions affecting inventories are accounted for and all valid orders are processed accurately. The error lists are used to reconcile any differences in control totals.
An organization’s computer help-desk function is usually a responsibility of the:
A. applications development unit.
B. systems programming unit.
C. computer operations unit.
D. user departments.
C. computer operations unit.
Help desks are usually a responsibility of computer operations because of the operational nature of their functions, e.g., assisting users with systems problems involving prioritization and obtaining technical support/vendor assistance.
Applications development is responsible for developing systems. After formal acceptance by users, developers typically cease having day-to-day contact with a system’s users.
The responsibility of systems programming is to implement and maintain system-level software such as operating systems, access control software, and database systems software.
The responsibility of user departments is to interact with application systems as planned. User departments typically do not have the expertise necessary to solve their own systems problems.
All of the following are characteristic of computer machine language, except:
A. internal binary code.
B. hexadecimal code.
C. assembly language.
D. on/off electrical switches.
C. assembly language.
All of the answer choices except assembly language are characteristic of computer machine language.
Assembly language is a programming language in which each machine language instruction is represented by mnemonic characters; it is a symbolic language, an English-like and understandable alternative to basic machine language.
Machine language is the binary code (the on/off electrical switches: zero and one) that can be interpreted by the internal circuitry of the CPU. The binary code is usually arranged as a hexadecimal (base 16) code. It is a very time-consuming, error-prone programming process.
The use of technology in e-commerce has created the need for increased security. E-commerce security measures include all of the following, except:
A. encryption.
B. firewalls.
C. simulation.
D. user account management.
C. simulation.
Simulation is used as an auditing tool in testing transaction processing systems. It is not used directly as a security measure in e-commerce.
The other answer choices are direct security measures used in e-commerce.
Compatibility tests are sometimes employed to determine whether an acceptable user is allowed to proceed. In order to perform compatibility tests, the system must maintain an access control matrix. The one item that is not part of an access control matrix is a:
A. list of all authorized user code numbers and passwords.
B. list of all files maintained on the system.
C. record of the type of access to which each user is entitled.
D. limit on the number of transaction inquiries that can be made by each user in a specified time period.
D. limit on the number of transaction inquiries that can be made by each user in a specified time period.
A limit on transaction totals and frequency is not part of the access control matrix. An access control matrix consists of:
a list of all authorized user code numbers and passwords,
a list of all files and programs maintained on the system, and
a record of the type of access to which each user is entitled.
Five brand managers in a consumer food products company met regularly to figure out what price points were being lowered by their competitors and how well coupon promotions did. The data they needed to analyze consisted of about 50 gigabytes of daily point-of-sale (POS) data from major grocery chains for each month. The brand managers are competent users of spreadsheet and database software on personal computers (PCs). They considered several alternative software options to access and manipulate data to answer their questions.
Another brand manager suspected that several days of the POS data from one grocery chain were missing. The best approach for detecting missing rows in the data would be to:
A. sort on product identification code and identify missing product identification codes.
B. sort on store identification code and identify missing product identification codes.
C. compare product identification codes for consecutive periods.
D. compare product identification codes by store for consecutive periods.
D. compare product identification codes by store for consecutive periods.
Comparison of product identification codes by store for consecutive periods could reveal periods in which some products had no sales, a possible indication of missing data.
Unless product identification codes are consecutive, missing data would not be evident. This is not likely.
A sort of store identification codes would produce all product identification codes and related data for each store. This would not be useful.
Comparison of product identification codes for consecutive periods would not permit detection of missing rows of data.
Managers of local offices of an international consulting firm need better access to human resource data for their offices’ employees than they have now from the consolidated database at the firm’s headquarters. A distributed database, in which data about individuals would reside on computers at local offices but would be accessible to managers worldwide, has been proposed. A risk of the proposed arrangement is that:
A. segregation of incompatible duties might not be maintained at the firm’s headquarters.
B. the data might not be updated as quickly as with the centralized system.
C. database integrity might not be preserved during a network or computer failure.
D. the data are more vulnerable to outsiders than with the centralized system.
C. database integrity might not be preserved during a network or computer failure.
Database integrity might not be preserved during a network or computer failure because of the complexity of updates, the time delays when multiple sites are involved, and the number of nodes to be coordinated.
Segregation of incompatible duties at the headquarters is independent of and imposes no risk on distributing the database.
Since the database would be distributed to the local offices, it is likely that data would be updated more quickly than before.
Both the centralized and distributed systems permit access to all data, so if access security is maintained at the same level, there should be no difference in the vulnerability of the database to outsiders.
Image processing systems have the potential to reduce the volume of paper circulated throughout an organization. To reduce the likelihood of users relying on the wrong images, management should ensure that appropriate controls exist to maintain the:
A. legibility of image data.
B. accuracy of image data.
C. integrity of index data.
D. initial sequence of index data.
C. integrity of index data.
If index data for image processing systems are corrupted, users will likely be relying on the wrong images.
Legibility and accuracy of image data are important to its use, but are independent of using the wrong image.
Maintaining the initial sequence of index data may not be possible as the image data is modified and images are added/dropped.
Which of the following internal control procedures would prevent an employee from being paid an inappropriate hourly wage?
A. Having the supervisor of the data-entry clerk verify that each employee’s hours worked are correctly entered into the system
B. Using real-time posting of payroll so there can be no after-the-fact data manipulation of the payroll register
C. Giving payroll data-entry clerks the ability to change any suspicious hourly pay rates to a reasonable rate
D. Limiting access to employee master files to authorized employees in the personnel department
D. Limiting access to employee master files to authorized employees in the personnel department
The employee master file contains all of the personal wage rates, applicable deductions, fringe benefits, withholding criteria, etc., as well as other information unique to that individual that is necessary to process payroll. Thus, an internal control process that limits access to this file would prevent an employee from being paid an inappropriate hourly wage rate. An additional control would be to have someone other than the person recommending a payroll master file change review and approve the change.
A customer’s order was never filled because an order entry clerk transposed the customer identification number while entering the sales transaction into the system. Which of the following controls would most likely have detected the transposition?
A. Sequence test
B. Completeness test
C. Validity check
D. Limit test
C. Validity check
A validity check is an edit test in which an identification number or transaction code is compared with a table of valid identification numbers or codes maintained in computer memory. A validity check on a customer number would have determined if the entry represented a valid customer. If not, the entry clerk would have been prompted to repeat the entry.
A sequence check is an edit check that determines if a batch of input data is in the proper numerical or alphabetical sequence. This check would not compare the entry to all valid entries and notify the clerk of an error.
A completeness test is an online data entry control in which the computer checks if all data required for a particular transaction has been entered by the user. The entry clerk in the question entered a customer identification number, and a completeness test would have accepted the entry even though it was not valid.
A limit check ensures that a numerical amount in a record does not exceed some predetermined amount. As long as the entry clerk’s customer identification number had the correct number of digits, a limit check would have allowed it to pass.
Which of the following allows customers to pay for goods or services from a website while maintaining financial privacy?
A. Credit card
B. Sight draft
C. E-cash
D. Electronic check
C. E-cash
E-cash currencies, such as bitcoins, are anonymous and allow payment for purchases from websites.
A credit card, a sight draft (one that promises immediate payment to the holder of the draft), and an electronic check (such as created when a debit card is used for a purchase) are not anonymous.
When evaluating internal control of an entity that processes sales transactions on the Internet, an auditor would be most concerned about the:
A. lack of sales invoice documents as an audit trail.
B. potential for computer disruptions in recording sales.
C. inability to establish an integrated test facility.
D. frequency of archiving and data retention.
B. potential for computer disruptions in recording sales.
As transactions travel through the Internet, they are subject to a variety of disruptions at the sending computer, at the receiving computer, and during various processing steps, translations, and store-and-forward processes. These activities introduce risks such as unintentional errors, lost transactions, and duplication of transactions. Therefore, the auditor would be very concerned about completeness and accuracy controls over sales transactions processed via the Internet. Methods have been developed to replace the paper audit trail in all aspects of electronic commerce. While it may necessitate that the auditor test transactions throughout the financial statement period, the lack of paper sales invoices to audit can be overcome. The lack of a test facility or ability has internal control implications beyond just the processing of sales transactions. The frequency of archiving and data retention may affect when the auditor must test the internal controls over sales transactions, but with proper planning, testing can be done while the evidence of the electronic transaction is still available.
In an automated payroll processing environment, a department manager substituted the time card for a terminated employee with a time card for a fictitious employee. The fictitious employee had the same pay rate and hours worked as the terminated employee. The best control technique to detect this action using employee identification numbers would be a:
A. batch total.
B. record count.
C. hash total.
D. subsequent check.
C. hash total.
Assuming that the substitution takes place after the time cards have been batched for processing, the best control technique listed would be the hash total. The hash total is a type of batch control total. It is the summation of a quantitative but non-informational data field; for example, check numbers, purchase order numbers, and employee identification numbers.
An update program for bank account balances calculates check digits for account numbers. This is an example of:
A. an input control.
B. a file management control.
C. access control.
D. an output control.
A. an input control.
Check digit verification is an example of an input control. The check digit is a number calculated based on a calculation using all but the last digit, which is the check digit. If the calculation returns the check digit, the number is accepted as valid. If the calculation returns a number other than the check digit, the input is rejected as invalid.
Which of the following is not true? Relational databases:
A. are flexible and useful for unplanned, ad hoc queries.
B. store data in table form.
C. use trees to store data in a hierarchical structure.
D. are maintained on direct access devices.
C. use trees to store data in a hierarchical structure.
Hierarchical databases use tree structures to organize data; relational databases use tables.
Relational databases are flexible and useful for unplanned, ad hoc queries, do store data in table form, and are maintained on direct access devices.
Management of a company has a lack of segregation of duties within the application environment, with programmers having access to development and production. The programmers have the ability to implement application code changes into production without monitoring or a quality assurance function. This is considered a deficiency in which of the following areas?
A. Change control
B. Management override
C. Data integrity
D. Computer operations
A. Change control
Change control is the process of modifying application software, including requesting a change, reviewing the effectiveness of the change, approving the change, and implementing the change. Since programmers can implement application code changes without approval, there is a weakness in control over changes to application programs.
Management override refers to management not following controls that are properly designed and in force.
Data integrity refers to accuracy of data entered into the program or processing of that data rather than the software itself.
Computer operations refer to the management of the computer system running the application rather than the steps programmed into the software.
A user noticed that the accounts receivable update program was not providing a listing of outstanding accounts. The user asked a programmer to modify the program so that the report would be generated with each run and had the request authorized by change management. The programmer obtained a copy of the program and made the required changes. She then tested the program in the test environment and was satisfied that it worked correctly. The programmer returned the program to the system librarian to return it to the production library. Which aspect of this process violated a proper segregation of duties?
A. A user made a suggestion for a program change.
B. The system librarian released a copy of the program to the programmer.
C. The programmer tested the changes in a test environment.
D. The system librarian accepted the program into the production library after it had been tested by the programmer.
D. The system librarian accepted the program into the production library after it had been tested by the programmer.
The system librarian should only accept a modified program that has been properly tested by someone independent of the programmer to make sure that no unauthorized changes have been made.
The use of message encryption software:
A. guarantees the secrecy of data.
B. requires manual distribution of keys.
C. increases system overhead.
D. reduces the need for periodic password changes.
C. increases system overhead.
The machine instructions necessary to encrypt and decrypt data constitute system overhead, which means that processing may be slowed down.
No encryption approach absolutely guarantees the secrecy of data in transmission, although some encryption approaches are considered less amenable to being broken than others.
Keys may be distributed manually, but they may also be distributed electronically via secure key transporters.
Using encryption software does not reduce the need for periodic password changes because passwords are the typical means of validating users’ access to unencrypted data.
Which of the following is usually a benefit of using electronic funds transfer for international cash transactions?
A. Improvement of the audit trail for cash receipts and disbursements
B. Creation of self-monitoring access controls
C. Reduction of the frequency of data-entry errors
D. Off-site storage of source documents for cash transactions
C. Reduction of the frequency of data-entry errors
Since electronic funds transfer (EFT) allows transactions to take place more directly and with fewer intervening steps, there is less chance of human error. This can result in a reduction in the frequency of data-entry errors. EFT actually reduces the paper audit trail, although there are methods of monitoring and auditing such transactions at the time they occur. EFT may actually require stronger access controls due to the fact that fewer controls and reviews take place during the electronic processing of the transaction.
Which of the following is an objective of logical security controls for information systems?
A. To ensure complete and accurate recording of data
B. To ensure complete and accurate processing of data
C. To restrict access to specific data and resources
D. To provide an audit trail of the results of processing
C. To restrict access to specific data and resources
Logical security controls for information systems are used to restrict access to specific data and resources.
Input controls ensure complete and accurate recording of data.
Processing controls ensure complete and accurate processing of data.
Output controls provide an audit trail of results of processing.
To maintain effective segregation of duties within the information technology function, an application programmer should have which of the following responsibilities?
A. Modify and adapt operating system software
B. Correct detected data-entry errors for the cash disbursement system
C. Code approved changes to a payroll program
D. Maintain custody of the billing program code and its documentation
C. Code approved changes to a payroll program
In highly integrated systems, a person with unrestricted access to the computer, its programs, and live data might be able to perpetrate and conceal fraud. Functions such as changing systems software, finding and correcting data-entry errors, and maintaining programming code and documentation are segregated to prevent fraud. For example, an applications programmer uses designs developed by analysts to develop the information system and write the code for a computer program.
Many organizations have developed decision support systems (DSS), a class of information systems that addresses the relationships between management decisions and information. Which of the following best describes the objective of a DSS?
A. To automate a manager’s problem-solving process
B. To provide interactive assistance during the process of problem solving
C. To impose a predefined sequence of analysis during the process of problem solving
D. To minimize a manager’s use of judgment in the process of problem solving
B. To provide interactive assistance during the process of problem solving
A DSS provides interactive problem-solving assistance. The DSS provides the decision maker with access to the computational capabilities, models, and data resources of the system to help in exploring the problem and developing potential solutions.
A DSS should support rather than automate a manager’s judgment.
A DSS provides interactive rather than predefined problem-solving assistance.
A DSS supports rather than replaces a manager’s judgment in problem solving.
Because of the sensitivity of its data, an online system for developing estimates and generating proposals was implemented with several layers of access control. Control over users’ initial log-in is a function of the:
A. integrated test facility.
B. operating system.
C. subschema authorizations.
D. application software.
B. operating system.
Initial log-in to a system is a function of the operating system–level access control software.
An integrated test facility is an audit approach to validating processing.
Database subschema authorizations control access to specific views of fields in a database.
Access to applications and their data is a function of application level software.
Which of the following would an auditor ordinarily consider the greatest risk regarding an entity’s use of electronic data interchange (EDI)?
A. Authorization of EDI transactions
B. Duplication of EDI transmissions
C. Improper distribution of EDI transactions
D. Elimination of paper documents
C. Improper distribution of EDI transactions
Electronic data interchange (EDI) transmits confidential information to business partners. There is always a risk in data transmission of it being received by unintended recipients, and this would concern an auditor.
“Authorization of EDI transactions” is incorrect because proper authorization is required for transactions whether or not EDI is involved.
“Duplication of EDI transmissions” is incorrect because duplication of transmissions to ensure receipt is not a risk. The risks associated with these answer choices are controlled at the originating entity and do not result from improper transmission of the data.
“Elimination of paper documents” is incorrect because elimination of paper documents reduces the chance that the information will be acquired by unintended recipients.