Module 41: Information Technology Flashcards

1
Q

information system within a business

A

an information system processes data and transactions to provide users with the information they need to plan, control and operate an organization, including:

  1. collecting transaction and other data
  2. entering it into the information system
  3. processing the data
  4. providing users with the information needed
  5. controlling the process
2
Q

advantage of computer systems versus manual systems

A

computer processing tends to reduce or eliminate processing time, and prevent computational errors and errors in processing routine transactions (when fraud is not involved)

3
Q

General types of IT systems

A
  1. office automation systems
  2. transaction processing systems
  3. management reporting systems
  4. management information systems
4
Q

Management reporting systems

A
designed to help with the decision-making process by providing access to computer data
types:
1. management information systems
2. decision support systems
3. expert systems
4. executive information systems
5
Q

office automation systems

A

designed to improve productivity by supporting the daily work of employees (e.g. word processing, spreadsheets, presentation tools, email, electronic calendars, contact management software)

6
Q

transaction processing systems

A

involve the daily processing of transactions (e.g. airplane reservations systems, payroll recording, cash receipts, cash disbursements)

7
Q

management information systems

A

(management reporting system) systems designed to provide past, present and future information for planning, organizing and controlling the operations of the organization

8
Q

decision support systems

A

(management reporting system) computer based information systems that combine models and data to resolve non-structured problems with extensive user involvement

9
Q

expert support systems

A

(management reporting system) computer systems that apply reasoning models to data in a specific relatively structured area to render advice or recommendations, much like a human expert

10
Q

executive information systems

A

(management reporting system) computerized systems that are specifically designed to support executive work

11
Q

the two distinct roles for systems

A
  1. recording of transactions of various types
  2. providing support for decision making

12
Q

designing and implementing a new information and control system provides an opportunity to reexamine

A

business processes, especially if the new system is an enterprise resource planning (ERP) system, so that they can be made more efficient and effective

13
Q

Systems development lifecycle (SDLC)

A

the traditional methodology for developing information systems

characterized by its phases, each representing a specific set of development activities:

  1. planning
  2. analysis
  3. design
  4. development
  5. testing
  6. implementation
  7. maintenance
14
Q

SDLC Planning Phase

A
  1. identify the problems that the proposed system will solve
  2. define the system to be developed (based on the strategic goals of the organization)
  3. determine the project scope (what the system will do and how it will be evaluated); a project scope document is used and can be revisited and revised
  4. develop a project plan: defines the activities that will be performed, and the individuals and resources that will be used; a project manager develops the plan, tracks its progress, and sets project milestones
  5. evaluate the initial feasibility of the project: can involve determining the project's technical, organizational, and economic feasibility
15
Q

SDLC Analysis Phase

A

Involves teams including end users, information technology specialists, systems analysts, and process design specialists working to understand the requirements for the proposed system

  1. Typically, process, data, and logic models are produced to help determine system requirements; a needs assessment may also be performed
  2. Next, an analysis is performed on the existing system along the same dimensions
  3. Then a gap analysis is performed to examine the differences (gaps) between the required system and the existing system
  4. Finally, priorities are established for the gaps, which are documented in a requirements definition document that receives sign-off from the end users
    * It is during this phase that a company can take advantage of processes inherent in the new system to improve the existing process
16
Q

A needs assessment (SDLC analysis phase)

A

involves determining the requirements for the system in terms of processes, data capture, information and reporting

17
Q

Requirements definition document (SDLC analysis phase)

A

final document that outlines the differences between the required system and the existing system (requirements) that will receive a sign-off from end users

18
Q

Specific specification documents contain information on basic requirements which include (SDLC analysis phase)

A
  1. performance levels
  2. reliability
  3. quality
  4. interfaces
  5. security and privacy
  6. constraints and limitations
  7. functional capabilities
  8. data structures and elements
19
Q

The Design Phase (SDLC)

A

the primary goal of the design phase is to build a technical blueprint of how the proposed system will work

the components that are typically designed during this phase include:

  1. databases
  2. user interfaces for input and output
  3. required reports
  4. programs
  5. infrastructure and controls
20
Q

The Development Phase (SDLC)

A

documents from the design phase are transformed into the actual system

the platform on which the system is to operate is built, or purchased off-the-shelf and customized, and the databases are developed

21
Q

The Testing Phase (SDLC)

A

involves verifying that the system works and meets the business requirements as set forth in the analysis phase

tests that should be performed:

  1. unit testing
  2. system testing
  3. integration testing
  4. user acceptance testing
22
Q

unit testing (testing phase test)

A

involves testing the units or pieces of code

23
Q

system testing (testing phase test)

A

involves testing the integration of the units or pieces of code into a system

24
Q

integration testing (testing phase test)

A

involves testing whether the separate systems can work together

25
user acceptance testing (testing phase test)
determines whether the system meets the business requirements and enables users to perform their jobs efficiently and effectively
26
The Implementation Phase (SDLC)
involves putting the system into operation by the users; to implement the system effectively, detailed user documentation must be provided to the users and the users must be adequately trained. Implementation methods include: 1. parallel implementation 2. plunge implementation 3. pilot implementation 4. phased implementation
27
parallel implementation (implementation phase)
uses both systems until it is determined that the new system is operating properly; this has the advantage of a full operational test of the new system with less risk of system disaster. The disadvantage is the additional work and cost during the period both systems are operating.
28
plunge implementation (implementation phase)
the organization ceases using the old system and begins using the new system immediately; less costly than the parallel method, but it has a higher risk of system breakdown
29
pilot implementation (implementation phase)
involves having a small group of individuals use the new system until it is seen to be working properly; has the advantage of providing a partial operational test of the new system at a lower cost than parallel implementation
30
phased implementation (implementation phase)
involves installing the system in a series of phases (e.g. GL, AR, etc)
31
The Maintenance Phase (SDLC)
involves monitoring and supporting the new system; in this phase the organization provides ongoing training, help desk resources, and a system for making authorized and tested changes to the system
32
Types of Computers
1. supercomputers 2. mainframe computers 3. servers 4. microcomputers 5. tablets/smartphones/personal digital assistants
33
supercomputers
extremely powerful, high speed computers used for extremely high-volume and/or complex processing needs
34
mainframe computers
large, powerful, high-speed computers; less powerful than supercomputers, but they have traditionally been used for high-volume transaction processing. Clusters of low-cost, less powerful "servers" are increasingly taking over the processing chores of mainframe computers.
35
servers
high-powered microcomputers that "serve" applications and data to clients that are connected via a network (web servers, database servers). Servers typically have greater capacity (faster processors, more RAM, more storage capability) than their clients (microcomputers) and often act as a central repository for organizational data. Servers today are often configured as "virtual machines," meaning multiple operating systems can coexist and operate simultaneously on the same machine; virtual machines are appealing because they lower hardware costs and create energy savings.
36
Microcomputers
e.g. desktop computers, laptop computers; designed to be used by one person at a time (personal computers); typically used for word processing, email, spreadsheets, surfing the web, creating and editing graphics, playing music, and gaming
37
tablets/smartphones/personal digital assistants
e.g. iPad, iPhone, Android, BlackBerry; these are typically smaller, handheld wireless devices that depend on WiFi and/or cellular technology for communications
38
Central Processing Unit (CPU)
the principal hardware component of a computer; contains: 1. arithmetic/logical unit 2. primary memory 3. control unit. Its major function is to fetch stored instructions and data, decode the instructions, and carry out the instructions.
39
Arithmetic/ logical unit (CPU)
performs mathematical operations and logical comparisons
40
Primary memory (CPU storage)
active data and program steps that are being processed by the CPU; it may be divided into RAM (random-access memory) and ROM (read-only memory). Application programs and data are stored in RAM at execution time.
41
Control Unit (CPU)
interprets program instructions and coordinates input, output, and storage devices
42
random-access memory (RAM)
= direct storage
43
Secondary Storage Devices
1. magnetic tape 2. magnetic disks 3. RAID (redundant array of independent [previously, inexpensive] disks) 4. compact discs 5. solid state drives (SSDs) 6. cloud-based storage
44
magnetic tape
slowest type of storage available because data is stored sequentially; primarily used for archiving purposes today
45
magnetic disks
the most common storage medium in use on computers today; also called "hard disks" or "hard disk drives" (HDD); data can be accessed directly
46
RAID (Redundant array of independent [previously, inexpensive] disks)
a way of storing the same data redundantly on multiple magnetic disks (back-up): 1. when originally recorded, data is written to multiple disks to decrease the likelihood of loss 2. if a disk fails, at least one of the other disks has the information and operation continues
47
compact discs
compact discs (CDs) and digital video discs (DVDs); both are the same physical size and both use optical technology to read and write data to the disc
48
solid state drives (SSDs)
use microchips to store data and require no moving parts for read/write operations. SSDs are faster and more expensive per gigabyte than CDs, DVDs, and HDDs. SSDs are increasingly being used in place of HDDs in microcomputers, but cost and limited capacity have constrained their adoption as a primary storage device; they are more commonly used for auxiliary storage. SSDs that are "pluggable" are often called "thumb drives," "flash drives," or "USBs."
49
cloud based storage
also called "Storage as a Service" (SaaS); hosted offsite, typically by third parties, and accessed via the internet
50
manner in which information is represented in a computer
1. digital | 2. analog
51
digital (manner in which information is represented in a computer)
a series of binary digits (0s and 1s); one binary digit is called a "bit"; a series of 8 bits is referred to as a "byte"; one byte can form a letter, a number, or a special character (e.g. 00000111 is the binary equivalent of the decimal number 7)
52
analog (manner in which information is represented in a computer)
the representation that is produced by the fluctuations of a continuous signal (e.g. speech, temperature, weight, speed, etc.); rather than using 0s and 1s to represent information, analog signals use electrical, mechanical, hydraulic or pneumatic devices to transmit the fluctuations in the signal itself to represent information
53
Online
equipment in direct communication with, and under the control of, the CPU; online also refers to having a connection to the Internet
54
Off-Line
equipment not in direct communication with the CPU; the operator generally must intervene to connect off-line equipment or data to the CPU (e.g. mount a magnetic tape of archival data); off-line also refers to the absence of an Internet connection
55
Console
a terminal used for communications between the operator and the computer (e.g. the operator of a mainframe computer)
56
peripheral equipment
all non-CPU hardware that may be placed under the control of the central processor; classified as online or off-line, this equipment consists of input, storage, output, and communications devices
57
controllers
hardware units designed to operate specific input-output units
58
buffer
a temporary storage unit used to hold data during computer operations
59
MIPS
millions of instructions per second; a unit for measuring the execution speed of computers
60
Input Devices
1. keying data (data entry devices) 2. online entry 3. turnaround documents 4. automated source data input devices 5. electronic commerce and electronic data interchange
61
Key-to-tape and key-to-disk (keying data input devices)
data is entered on magnetic tape and/or disk, respectively, and then read into a computer
62
visual display terminal/monitor (online entry)
uses a keyboard to directly enter data into the computer. 1. input interface: a program that controls the display for the user (usually on a computer monitor) and allows the user to interact with the system 2. graphical user interface (GUI): uses icons, pictures, and menus instead of text for inputs (e.g. Windows) 3. command line interface: uses text-type commands (e.g. barcodes)
63
mouse, joystick, lightpens (online entry)
familiar devices that allow data entry
64
touch-sensitive screen (online entry)
allows users to enter data from a menu of items by touching the surface monitor
65
turnaround documents (input devices)
documents that are sent to the customer and returned as inputs (e.g. utility bills; to make payments "remittance")
66
automated source data input devices
1. magnetic tape reader 2. magnetic ink character reader (MICR) 3. scanner 4. automatic teller machine (ATM) 5. radio frequency identification (RFID) 6. point of sale (POS) recorders 7. voice recognition
67
magnetic tape reader (automated source data input devices)
a device capable of sensing information recorded as magnetic spots on magnetic tape
68
magnetic ink character reader (MICR) (automated source data input devices)
device that reads characters that have been encoded with a magnetic ink (e.g. bank check readers)
69
Scanner (automated source data input devices)
a device that reads characters on printed pages
70
Automatic teller machine (ATM) (automated source data input devices)
a machine used to execute and record transactions with financial institutions
71
Radio Frequency Identification (RFID) (automated source data input devices)
uses radio waves to track and input data (e.g. wave card entry); increasingly used for inventory and contactless payment systems. RFID tags can be read wirelessly by RFID readers and do not require line-of-sight access like bar code technology (e.g. Mobil's Speedpass payment system, FasTrak toll collection system).
72
Point-of-sale recorders (POS) (automated source data input devices)
devices that read price and product code data (e.g. purchasing groceries); ordinarily function as both a terminal and a cash register. Allows one to record and track customer orders, process credit and debit cards, connect to other systems in a network, and manage inventory. Example: a POS system for restaurants is likely to have all menu items stored in a database that can be queried for information in a number of ways. Increasingly, POS terminals are also web-enabled, which makes remote training and operation possible, as well as inventory tracking across geographically dispersed locations.
73
Voice recognition (automated source data input devices)
a system that understands spoken words and transmits them into a computer
74
Electronic commerce and electronic data interchange (input device)
involves one company's computer communicating with another company's computer; example: a buyer electronically sending a purchase order to a supplier
75
Output devices
1. many automated source data input devices and electronic commerce/electronic data interchange devices are capable of outputting data (writing in addition to reading) and therefore become output devices as well as input devices 2. monitors 3. printers 4. plotters: produce paper outputs of graphs 5. computer output to microfilm or microfiche (COM): makes use of a photographic process to store output
76
Systems software
1. Operating system 2. Utility programs 3. Communications software
77
Operating system (systems software)
manages the input, output, processing and storage devices and operations of a computer (Windows, Linux, Unix); performs scheduling, resource allocation, and data retrieval based on instructions provided in job control language
78
Utility programs (systems software)
handle common file, data manipulation and "housekeeping" tasks
79
Communications software (systems software)
controls and supports transmission between computers, between computers and monitors, and access to various databases
80
Software- computer programs that control hardware
1. systems software | 2. applications software
81
Applications software
programs designed for specific uses, or "applications", such as 1. word processing, graphics, spreadsheets, email, and database systems 2. accounting software
82
Accounting software (applications software)
1. low-end: all-in-one package, designed for small organizations (QuickBooks, Peachtree, Dell-Tech) 2. high-end: ordinarily in modules (e.g. general ledger, receivables) 3. enterprise resource planning (ERP): designed as relatively complete information system "suites" for large and medium-size organizations (e.g. human resources, financial applications, manufacturing, distribution); major vendors are well known: SAP, PeopleSoft, Oracle, and J.D. Edwards
83
ERP System Advantages
Integration of various portions of the information system, direct electronic communication with suppliers and customers, increased responsiveness to information requests for decision-making; i.e. it's all done for you and you have good support
84
ERP System Disadvantages
Complexity, costs, and integration with supplier and customer systems may be more difficult than anticipated; **very expensive
85
Compiler (software term)
produces a machine language object program from a source program language
86
Multiprocessing (software term)
simultaneous execution of two or more tasks, usually by two or more CPUs that are part of the same system
87
Multitasking (software term)
the simultaneous processing of several jobs on a computer
88
Object program (software term)
the converted source program that was changed using a compiler to create a set of machine readable instructions that the CPU understands
89
Source program (software term)
a program written in a language from which statements are translated into machine language; computer programming has developed in "generations"
90
Source Programming "Generations"
1. machine language 2. assembly language 3. "high-level" programming languages such as COBOL, Basic, Fortran, C++, and Java 4. an "application-specific" language usually built around database systems (i.e. SQL, a structured query language) 5. a relatively new and developing form that includes visual or graphical interfaces used to create source language that is usually compiled with a 3rd- or 4th-generation language compiler
91
Machine language (source programming generation 1)
composed of combinations of 1's and 0's that are meaningful to the computer (binary)
92
"high-level" programming languages such as COBOL, Basic, Fortran, C++, and Java (source programming generation 3)
C++ and Java are considered object-oriented programming (OOP) languages in that they are based on the concept of an "object," which is a data structure that uses a set of routines, called "methods," which operate on the data. The "objects" are efficient in that they often are reusable in other programs. Object-oriented programs keep together data structures and procedures (methods) through a procedure referred to as encapsulation.
93
assembly language (source programming generation 2)
a low-level programming language that uses words (mnemonics) instead of numbers to perform an operation; assembly language must be translated to machine language by a utility program called an "assembler." Generally, an assembly language is specific to a computer architecture and is therefore not portable like most high-level languages.
94
virtual memory (software term)
(storage) online secondary memory that is used as an extension of primary memory, thus giving the appearance of larger, virtually unlimited internal memory
95
protocol (software term)
rules determining the required format and methods for transmission of data
96
desk checking (programming term)
review of a program by the programmer for errors before the program is run and debugged on the computer
97
debug (programming term)
to find and eliminate errors in a computer program; many compilers assist debugging by listing errors in the program such as invalid commands
98
edit (programming term)
to correct input data prior to processing
99
loop (programming term)
a set of program instructions performed repetitively a predetermined number of times, or until all of a particular type of data has been processed
100
memory dump (programming term)
a listing of the contents of storage
101
patch (programming term)
a section of coding inserted into a program to correct a mistake or to alter a routine
102
run (programming term)
a complete cycle of a program including input, processing and output
103
Methods of Processing
1. batch or online real-time | 2. centralized, decentralized, or distributed
104
batch processing
transactions flow through the system in groups of like transactions (batches). Example: all cash receipts on accounts receivable for a day may be aggregated and run as a batch. Ordinarily leaves a relatively easy-to-follow audit trail. *Goes through edit checks and prints out errors (admin fee process)
105
online real-time processing (or direct access processing)
transactions are processed in the order in which they occur, regardless of type. Data files and programs are stored online so that updating can take place as the edited data flows to the application system; security must be in place to restrict access to programs and data to authorized persons. Categorized into: 1. online transaction processing (OLTP) 2. online analytical processing (OLAP)
106
online transaction processing-OLTP (online real-time processing)
1. databases support day-to-day operations | 2. example: airline reservation systems, bank automatic teller systems, internet website sales systems
107
online analytical processing- OLAP (online real-time processing)
enables the user to query the system (retrieve data), conduct an analysis, etc.; primarily used for analytics and uses statistical and graphical tools. Example: an airline company downloads its OLTP reservation information into another database to allow analysis of that reservation information.
108
decision support systems
computer-based info systems that combine models and data in an attempt to solve relatively unstructured problems with extensive user involvement
109
one approach to OLAP (online analytical processing) is to periodically download and combine operational databases into a
1. data warehouse: a subject-oriented, integrated collection of data used to support management decision-making processes or; 2. a data mart: a data warehouse that is limited in scope
110
data mining
using sophisticated techniques from statistics, artificial intelligence and computer graphics to explain, confirm and explore relationships among data (which is often stored in a data warehouse or data mart)
111
*Business intelligence (BI)
a combination of systems that help aggregate, access, and analyze business data and assist in the business decision-making process
112
Artificial intelligence (AI)
computer software designed to help make decisions (may be viewed as an attempt to model aspects of human thought on computers)
113
Expert system
one form of AI (artificial intelligence); a computerized information system that guides decision processes within a well-defined area and allows decisions comparable to those of an expert. Example: an expert system may be used by a credit card company to authorize credit card purchases to minimize fraud and credit losses.
114
Centralized Processing
processing occurs at one location
115
Decentralized Processing
processing (and data) are stored on computers at multiple locations; may be viewed as a collection of independent databases
116
Distributed Processing
transactions for a single database are processed at various sites; processing may be on either a batch or online real-time basis
117
bit
a binary digit (0 or 1) which is the smallest storage unit in a computer
118
byte
a group of adjacent bits (usually 8) that is treated as a single unit, or character, by the computer. one byte can form a letter, a number, or a special character, or unprintable codes (those that control peripheral devices such as computers)
119
Field
a group of related characters (social security number)
120
Record
an ordered set of logically related fields example: all payroll data (including SS number field and others) relating to a single employee
121
File
a group of related records (e.g. all the weekly pay records YTD), which is usually arranged in sequence
122
Table
a group of related records in a relational database with a unique identifier (primary key field) in each record
123
database
a group of related files or a group of related tables (if a relational database); ordinarily stored online
124
Master file
a file containing relatively permanent information used as a source of reference and periodically updated with a detail (transaction) file (e.g. permanent payroll files- all banking information)
125
detail or transaction file
a file containing current transaction information used to update the master file (e.g. hours worked by each employee during the current period used to update the payroll master file)
127
traditional file processing systems
focus upon data processing needs of individual departments; each application program or system is set up to meet the needs of the particular requesting department or user group
128
advantages of traditional processing systems
1. currently operational for many existing systems | 2. cost effective for simple applications
129
disadvantages of traditional processing systems
1. data files are dependent upon a particular application program 2. in complex systems, there is much duplication of data 3. each application must be developed individually 4. program maintenance is expensive 5. data may be difficult to share between functional areas (isolated)
130
normalization
the process of separating the database into logical tables to avoid certain kinds of updating difficulties (referred to as "anomalies")
131
database system
computer hardware and software that enables the database to be implemented
132
database management system
software that provides a facility for communications between various application programs (e.g. a payroll preparation program) and the database (e.g. master payroll file containing earnings) *create and modify
133
data independence
basic to database systems is this concept which separates the data from the related application program
134
data modeling
identifying and organizing a database's data, both logically and physically. data model determines what info is to be contained in a database, how the info will be used, and how the items in the database will be related to each other
135
entity-relationship modeling
an approach to data modeling; the model (called an entity-relationship diagram, or ERD) divides the database into two logical parts: 1. entities (e.g. customer, product) and 2. relations (e.g. buys, pays for)
136
primary key
the fields that make a record in a relational database table unique
137
foreign key
the fields that are common to two (or more) related tables in relational database
138
REA data model
a data model designed for use in designing accounting information databases: Resources, Events, Agents
139
Data Dictionary
(data repository or data directory system) data structure that stores meta-data
140
meta-data
definitional data that provides info about or documentation of other data managed within an application or environment i.e. data about data elements, records and data structures (length, fields, columns)
141
structured query language (SQL)
used for creating and querying relational databases; 3 types: 1. data definition language (DDL): used to define a database (creating, altering, deleting tables and establishing various constraints) 2. data manipulation language (DML): used to maintain a database (updating, inserting into, modifying, and querying) 3. data control language (DCL): used to control the database (which users have which privileges)
142
database structures
1. hierarchical 2. networked 3. relational 4. object-oriented 5. object-relational 6. distributed
143
Hierarchical (database structure)
data elements at one level "own" the data elements at the next lower level
144
Networked (database structure)
each data element can have several owners and can own several other elements
145
Relational (database structure)
a database whose logical structure is a set of related tables (comparable to a group of linked spreadsheets); relational databases have largely replaced hierarchical and networked database structures
146
Object-Oriented (database structure)
information (attributes and methods) is included in structures called object classes; presented here as the newest database management system technology
147
Object-relational (database structure)
includes both relational and object-oriented features
148
Distributed (database structure)
a single database that is spread physically across computers in multiple locations that are connected by a data communications link
149
Database controls
1. user department 2. access controls 3. backup and recovery 4. database administrator (DBA) 5. audit software
150
User department (database control)
strict controls over who is authorized to read and/or change the database are necessary
151
Access controls (database control)
controls within the database itself; limit the user to reading and/or changing (updating) only authorized portions of the database
152
Restricting privileges (access controls)
limits which users may access the database, as well as which operations a particular user may perform (e.g. read-only privileges, with no write access)
153
Logical views (access controls)
users may be provided with authorized views of only the portions of the database for which they have a valid need
154
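The four cards above (primary key, foreign key, SQL sublanguages, restricting privileges and logical views) describe things a DBMS actually enforces, so here is an added, runnable example that is not part of the flashcards. It uses Python's built-in sqlite3 with constructed employee and payroll rows. The DDL creates a primary/foreign key pair and a logical view, the DML loads data, and the foreign key is shown rejecting an orphan payroll row. SQLite has no GRANT/REVOKE (the DCL of a server DBMS), so the "restricting privileges" part is done with SQLite's authorizer hook, which is likewise access control applied inside the database engine: the assumed "clerk" role is read-only and may not read the earnings column, while the assumed "dba" role may do anything.

```python
import sqlite3

# Constructed sample data (not from the flashcards): three employees, two payroll rows.
EMPLOYEES = [(1, "Ada", "Finance"), (2, "Bob", "Operations"), (3, "Cy", "Finance")]
PAYROLL = [(101, 1, 5200.00), (102, 2, 4100.00)]

# (table, column) pairs that only the dba role may read.
SENSITIVE = {("payroll", "earnings")}


def build_db():
    """DDL: two tables linked by a primary/foreign key, plus a logical view; then DML."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite does not enforce FKs unless told to
    conn.executescript("""
        CREATE TABLE employee (
            emp_id INTEGER PRIMARY KEY,          -- primary key: unique per employee
            name   TEXT NOT NULL,
            dept   TEXT NOT NULL
        );
        CREATE TABLE payroll (
            pay_id   INTEGER PRIMARY KEY,
            emp_id   INTEGER NOT NULL REFERENCES employee(emp_id),  -- foreign key
            earnings REAL NOT NULL
        );
        -- logical view: the only portion of payroll a clerk needs (no earnings column)
        CREATE VIEW payroll_public AS
            SELECT p.pay_id, e.name, e.dept
            FROM payroll AS p JOIN employee AS e ON e.emp_id = p.emp_id;
    """)
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", EMPLOYEES)
    conn.executemany("INSERT INTO payroll VALUES (?, ?, ?)", PAYROLL)
    conn.commit()
    return conn


def make_policy(session):
    """Authorizer callback = access control enforced by the database engine itself.
    The dba role may do anything; the clerk role is read-only and may not read
    sensitive columns. A server DBMS expresses the same rules with GRANT/REVOKE."""
    def policy(action, arg1, arg2, dbname, source):
        if session["role"] == "dba":
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ:              # arg1 = table, arg2 = column
            return sqlite3.SQLITE_DENY if (arg1, arg2) in SENSITIVE else sqlite3.SQLITE_OK
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION,
                      sqlite3.SQLITE_TRANSACTION):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY                      # INSERT/UPDATE/DELETE/DDL/...
    return policy


def try_sql(conn, sql, params=()):
    """Run one statement; return (True, rows) or (False, error class name)."""
    try:
        return True, conn.execute(sql, params).fetchall()
    except sqlite3.Error as exc:
        conn.rollback()
        return False, type(exc).__name__


def demo():
    conn = build_db()
    session = {"role": "dba"}
    conn.set_authorizer(make_policy(session))
    out = {}
    # Referential integrity: a payroll row for nonexistent employee 99 is refused.
    out["orphan_insert"] = try_sql(conn, "INSERT INTO payroll VALUES (103, 99, 1.0)")
    session["role"] = "clerk"
    out["clerk_view"] = try_sql(conn, "SELECT name, dept FROM payroll_public ORDER BY name")
    out["clerk_earnings"] = try_sql(conn, "SELECT earnings FROM payroll")
    out["clerk_update"] = try_sql(conn, "UPDATE payroll SET earnings = 9e9 WHERE pay_id = 101")
    session["role"] = "dba"
    out["dba_update"] = try_sql(conn, "UPDATE payroll SET earnings = 5300 WHERE pay_id = 101")
    out["dba_earnings"] = try_sql(conn, "SELECT earnings FROM payroll WHERE pay_id = 101")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

One caveat worth knowing: the authorizer runs when a statement is compiled, not each time it is executed, so a statement compiled (and cached) under one role is not rechecked when the role changes; every statement text in the demo is distinct for that reason. In a real deployment each role gets its own database login rather than a flag in the application.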
Backup and recovery (database control)
a database is updated on a continuous basis during the day; 3 methods of backup and recovery include: 1. backup of the database plus logs of transactions (so the database can be restored from the last backup and rolled forward from the log) 2. database replication 3. a backup facility
155
Database administrator (database control)
individual responsible for maintaining the database and restricting access to the database to authorized personnel
156
Audit software (database control)
usually used by auditors to test the database
157
Advantages of database systems
1. data independence: data are easily used by different applications 2. minimal data redundancy 3. data sharing among users and applications 4. reduced program maintenance 5. commercial applications are available for modification to a company's needs
158
Data file structures (2)
1. traditional file processing systems 2. database systems
159
Disadvantages of database systems
1. need for specialized personnel with database expertise 2. installation of database is costly 3. conversion of traditional file systems is costly 4. comprehensive backup and recovery procedures are necessary
160
Network
a group of interconnected computers and terminals
161
Telecommunications development
the electronic transmission of information by radio, fiber optics, wire, microwave, laser, and other electromagnetic systems; it has made possible the electronic transfer of information between networks of computers
162
Networks are classified by geographical scope
1. personal area network (PAN) 2. local area network (LAN) 3. metropolitan area network (MAN) 4. wide area network (WAN)
163
Personal area network (PAN)
a computer network that is centered around an individual and the personal communication devices she uses (Bluetooth, USB)
164
Local area networks (LAN)
privately owned networks within a single building or campus of up to a few miles in size *emphasized in AICPA materials
165
Metropolitan area network (MAN)
a larger version of LAN; might include a group of nearby offices within a city
166
Wide area networks (WAN)
networks that span a large geographical area, often a country or continent; composed of a collection of computers and other hardware and software for running user programs
167
Networks are classified by ownership
1. Private 2. Public 3. Cloud computing/ cloud services
168
Private network ownership
one in which network resources are usually dedicated to a small number of applications or a restricted set of users, as in a corporation's network; advantages: secure, flexible, performance often exceeds that of public networks; disadvantage: costly
169
Public network ownership
resources are owned by third-party companies and leased to users on a usage basis (also referred to as public switched networks, PSN); advantages and disadvantages: in general, the opposite of those for private networks, but a significant disadvantage is that they are less secure
170
Cloud computing/ cloud services network ownership
the use of and access to multiple server-based computational resources via a digital network; applications are provided and managed by the cloud provider's servers, and data is stored remotely in the cloud
171
Risks of cloud computing
1. information security and privacy: users rely on the cloud provider's access controls 2. continuity of services: user problems occur if the cloud provider has service interruptions 3. migration: users may have difficulty changing cloud providers because there are no common data standards
172
Networks classified by use of internet
1. internet 2. intranet 3. extranet
173
Hypertext markup language (HTML) and/or Extensible markup language (XML)
in the internet-based network classifications above, data communications ordinarily use HTML and XML: languages used to create and format documents, link documents to other web pages, and communicate between web browsers and servers; XML is increasingly replacing HTML in internet applications due to its superior ability to tag and format documents that are communicated among trading partners
174
Extensible Business Reporting Language (XBRL)
an XML-based language being developed specifically for the automation of business information requirements, such as the preparation, sharing, and analysis of financial reports, statements, and audit schedules
175
Internet
international collection of networks made up of independently owned computers that operate as one large computing network; internetwork communication requires the use of a common set of rules, or protocols (TCP), and a shared addressing and routing system (IP)
176
Hypertext transfer protocol (HTTP)
the primary internet protocol for data communication on the World Wide Web
177
Uniform resource locator (URL)
a standard for finding a document by typing in an address (e.g. www.example.com)
178
World Wide Web
a framework for accessing linked resources spread out over the millions of machines all over the Internet
179
Web browser
client software that provides the user with the ability to locate and display web resources
180
Web servers
software that "serves" (makes available) web resources to software clients
181
Firewall
a method (hardware, software, or both) for protecting computers and computer information from outsiders; it examines the traffic passing between networks and forwards or blocks it according to a set of rules, preventing outsiders from tapping into corporate database and email systems
182
Router
a communications interface device that connects two networks and determines the best way for data packets to move forward to their destinations
183
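The firewall and router cards above describe two packet-level decisions: whether traffic may cross a boundary, and where it goes next. As an added example (not part of the flashcards), this Python script evaluates a small, constructed firewall policy and routing table with the standard library's ipaddress module. The addresses, the rule set and the next-hop names are assumptions made for the demo; the mechanics it shows are the real ones: rules are checked top-down, the first match wins, anything unmatched is denied, and a router picks the route with the longest matching prefix.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "deny"
    proto: str          # "any" or a protocol name
    src: str            # source network in CIDR notation
    dst: str            # destination network in CIDR notation
    dports: tuple = ()  # empty tuple = any port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (not self.dports or pkt.dport in self.dports))


# Constructed policy (assumed addresses): internal network 10.0.0.0/8,
# database server 10.0.5.20, mail relay 10.0.5.25.  Evaluated top-down,
# first match wins, default deny.
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "10.0.5.25/32", (25,)),            # inbound mail only
    Rule("allow", "tcp", "10.0.0.0/8", "10.0.5.20/32", (1433, 5432)),    # DB ports, from inside
    Rule("deny",  "any", "0.0.0.0/0", "10.0.5.20/32"),                   # everything else to DB
    Rule("allow", "any", "10.0.0.0/8", "0.0.0.0/0"),                     # outbound from inside
]


def evaluate(rules, pkt: Packet, default="deny"):
    """Return (action, index of the matching rule) or (default, None)."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return default, None


# Constructed routing table: prefix -> next hop.  Longest matching prefix wins.
ROUTES = {
    "10.0.0.0/8": "core-switch",
    "10.0.5.0/24": "dmz-router",
    "0.0.0.0/0": "isp-gateway",      # default route
}


def next_hop(routes, dst: str):
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), hop) for net, hop in routes.items()
               if addr in ipaddress.ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "10.0.5.25", "tcp", 25),
                Packet("198.51.100.7", "10.0.5.20", "tcp", 5432),
                Packet("10.1.2.3", "10.0.5.20", "tcp", 5432),
                Packet("198.51.100.7", "10.1.2.3", "tcp", 445)):
        print(pkt, "->", evaluate(RULES, pkt), "via", next_hop(ROUTES, pkt.dst))
```

The sample addresses 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, so the script never touches a real network.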
Bridge
a device that divides a LAN into two segments, selectively forwarding traffic across the network boundary it defines; similar to a switch
184
Switch
a device that channels incoming data from any of multiple input ports to the specific output port that will take the data toward its intended destination
185
Gateway
a combination of hardware and software that links two different types of networks; example: gateways between email systems allow users of differing email systems to exchange messages
186
Proxy server
a server that sits between clients and the web, requesting pages on their behalf and saving copies to serve to later requesters; because all requests pass through it, it can also filter them and hide the internal client addresses
187
Web 2.0
2nd generation of the web; refers to the era of web-based collaboration and community-generated content via web-based software tools such as: 1. blogs 2. wikis 3. Twitter 4. RSS/Atom feeds (RSS = Really Simple Syndication)
188
blog
an asynchronous discussion, or web log, led by a moderator that typically focuses on a single topic
189
wiki
an information-gathering and knowledge-sharing website that is developed collaboratively by a community or group, all of whom can freely add, modify or delete content
190
twitter
a micro-variation of a blog
191
RSS/Atom feeds (Really Simple Syndication)
an XML application that facilitates the sharing and syndication of website content by subscribers
192
TCP/IP (transmission control protocol/ internet protocol)
the basic communication language or protocol of the internet; two layers: TCP (transport) breaks a message into segments, reassembles them in order at the destination and retransmits anything lost, while IP (network) addresses each packet and routes it from network to network
193
IP address
a numeric address that uniquely identifies a host (more precisely, a network interface) on the internet
194
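To make the TCP/IP and IP address cards concrete, here is an added example (not part of the flashcards) that builds and then decodes a packet: the IPv4 header carries the addresses and the header checksum, and the TCP header that follows carries the ports, sequence number and flags. The packet bytes are constructed by the script itself using documentation addresses; the TCP checksum is deliberately left at zero, since computing it needs a pseudo-header, which the example omits. Parsing the header and re-checking its checksum is the same work a router, firewall or packet-capture tool does on every packet.

```python
import ipaddress
import struct

TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"", ttl=64):
    """Construct a minimal IPv4 packet carrying a TCP header (test input for the parser).
    The TCP checksum field is left at zero (pseudo-header computation omitted)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0) + payload
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45,            # version 4, header length 5 words (20 bytes)
                         0, 20 + len(tcp), 0x1234,
                         0x4000,          # flags: don't fragment; fragment offset 0
                         ttl, 6,          # protocol 6 = TCP
                         0,               # checksum placeholder
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = ones_complement_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + tcp


def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header (the IP layer) and, for protocol 6, the TCP header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    info = {
        "version": version, "ihl": ihl, "total_len": total_len, "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000), "ttl": ttl, "proto": proto,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        # summing a header that includes its own checksum gives all ones, whose checksum is 0
        "checksum_ok": ones_complement_checksum(packet[:ihl]) == 0,
        "tcp": None,
    }
    if proto == 6 and len(packet) >= ihl + 20:
        sport, dport, seq, ack, doff, flags, window, _tcsum, _urg = struct.unpack(
            "!HHIIBBHHH", packet[ihl:ihl + 20])
        hlen = (doff >> 4) * 4
        info["tcp"] = {
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
            "flags": [name for bit, name in TCP_FLAG_BITS if flags & bit],
            "payload": packet[ihl + hlen:],
        }
    return info


if __name__ == "__main__":
    syn = build_ipv4_tcp("10.1.2.3", "203.0.113.10", 51000, 443, 0x02)
    print(parse_ipv4(syn))
```

A useful experiment is to change one header byte (the TTL, say) without recomputing the checksum: the parser reports the header as corrupt, which is exactly what a receiving host does with such a packet.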
ISP (internet service provider)
an entity that provides access to the internet
195
Malicious programs that may adversely affect computer operations
1. virus 2. trojan horse 3. worm 4. botnet (antivirus software, covered below, is the defense against them rather than a malicious program)
196
virus
a program (or piece of code) that attaches itself to other files or programs and requests the computer operating system to perform certain activities not authorized by the computer user; can be transmitted by files that contain macros sent as email attachments
197
macro
a stored set of instructions and functions that are organized to perform a repetitive task and can be easily activated, often by a simple keystroke combination; most macros serve valid purposes, but those associated with viruses cause problems
198
trojan horse
a malicious, security-breaking program that is disguised as something benign, such as a game, but actually is intended to cause IT damage
199
worm
a program that propagates itself over a network, reproducing itself as it goes
200
antivirus software
used to attempt to avoid viruses, trojan horses and worms; because new viruses appear faster than signatures for them can be written, antivirus software developers are always behind virus developers
201
botnet
a network of computers that are controlled by computer code, called a "bot", that is designed to perform a repetitive task such as sending spam, spreading a virus, or creating a distributed denial of service attack
202
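The antivirus card says developers are "always behind"; the added example below (not part of the flashcards) shows why, in code. It scans a handful of constructed files against a tiny signature database of the two classic kinds, exact file hashes and byte patterns. The only real content is the EICAR string, the industry-standard harmless test file that antivirus products detect on purpose; the padded copy, the "new variant" and the macro document are made up for the demo, and the macro heuristic is an assumption about what a scanner might look for, not any product's actual rule.

```python
import hashlib
import re

# The EICAR string is the standard harmless antivirus test file. Everything else here
# is constructed for the example.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

FILES = {
    "eicar.com": EICAR,
    "eicar.com.bak": EICAR + b"\r\n",                        # same code, two bytes appended
    "eicar2.com": EICAR.replace(b"STANDARD", b"STANDARD2"),  # a "new variant"
    "memo.docm": b"Sub AutoOpen()\n    Shell(\"calc.exe\")\nEnd Sub\n",  # macro that runs on open
    "report.txt": b"Quarterly report: revenue up 4%, no exceptions noted.\n",
}


def build_signature_db():
    """Two kinds of signatures: exact SHA-256 file hashes and byte patterns (regexes)."""
    return {
        "hashes": {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File"},
        "patterns": [
            (re.compile(rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"), "EICAR-Test-File.pattern"),
            # assumed heuristic: a macro that runs on document open and spawns a program
            (re.compile(rb"Sub\s+AutoOpen\b.*?\bShell\s*\(", re.S), "Heuristic.MacroAutoRun"),
        ],
    }


def scan(data, db):
    """Return (method, label) for a detection, or None if no signature matched."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in db["hashes"]:                 # cheapest check first
        return "hash", db["hashes"][digest]
    for pattern, label in db["patterns"]:      # more tolerant, but slower and less exact
        if pattern.search(data):
            return "pattern", label
    return None


def scan_all(files=FILES, db=None):
    db = db or build_signature_db()
    return {name: scan(data, db) for name, data in files.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name:14} {verdict or 'clean'}")
```

Appending two bytes already defeats the hash signature, and a one-character change to the code defeats the pattern as well: until someone writes a signature for the variant, the scanner reports it clean. That window is the gap the card describes.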
Intranet
a local network, usually limited to an organization, that uses internet-based technology to communicate within the organization
203
Extranet
similar to an intranet, but includes an organization's external customers and/or suppliers in the network
204
Database client-server architecture (design)
the architecture must divide three responsibilities: (1) input, (2) processing, (3) storage; a client-server model may be viewed as one in which communications ordinarily take the form of a request message from the client to the server asking for some service to be performed; a "client" may be viewed as the computer or workstation of an individual user; the server is a high-capacity computer that contains the network software and may provide a variety of services ranging from simply "serving" files to a client to performing analyses; topics: 1. overall client-server systems 2. subtypes of client/server architectures 3. distributed systems
205
Overall client-server systems (database client-server architecture)
a networked computing model (usually a LAN- local area network) in which database software on a server performs database commands sent to it from client computers diagram on page 83
206
Subtypes of client/server architectures
1. file servers 2. database servers 3. three-tier architectures
207
File servers (subtypes of client/server architectures)
the file server manages file operations and is shared by each of the client PCs (ordinarily attached to a LAN); the three responsibilities (1. input/output 2. processing 3. storage) are divided so that most input/output and processing occurs on the client computers rather than on the server; the file server acts simply as a shared data storage device, with all data manipulations performed by client PCs *two-tier architecture: client tier and server database tier
208
Database servers (subtypes of client/server architectures)
similar to file servers, but the server here contains the database management system and thus performs more of the processing *two tier architecture: client tier and server database tier
209
Three-tier architectures (subtypes of client/server architectures)
a client/server configuration that includes three tiers; the change from file and database servers is that this architecture includes an additional server layer; examples of additional servers: 1. print server: makes shared printers available to clients 2. communications server: serves a variety of tasks 3. fax server: allows the network to share hardware for faxes 4. web server: stores and serves web pages on request
210
Distributed systems (database client-server architecture)
connect all company locations to form a distributed network in which each location has its own input/output, processing, and storage capabilities
211
Local area networks (LANs)
privately owned networks within a single building or campus of up to a few miles in size
212
LAN Software
allows devices to function cooperatively and share network resources such as printers and disk storage space
213
Common LAN services
1. network server 2. file server: stores programs and data files for users 3. print server 4. communications server
214
LAN hardware components
1. workstations 2. peripherals 3. transmission media 4. network interface cards
215
workstation (LAN hardware component)
ordinarily microcomputers
216
peripherals (LAN hardware component)
example: printers, network attached storage (NAS) devices, optical scanners, fax board
217
transmission media (LAN hardware component)
physical path that connects the components of the LAN, ordinarily twisted-pair wire, coaxial cable, or optical fiber; LANs that are connected wirelessly are called WLANs or WiFi networks
218
Network interface cards (LAN hardware component)
connect workstation and transmission media
219
LAN control implications
1. general controls are often weak (controls over development and modification of programs, access, and computer operations) 2. controls often rely upon end users, who may not be control conscious (e.g. users writing down passwords) 3. often users may not be provided with adequate resources for problem resolution, troubleshooting and recovery support 4. controlling access and gaining accountability through logging of transactions enforces segregation of duties 5. good management controls are essential (access codes and passwords) 6. LAN software ordinarily does not provide the security features available in larger-scale environments *tests of controls may address whether controls related to the above are effective
220
LANs and audit techniques
LANs generally make possible the computer audit techniques that may be performed either by internal auditors or external auditors
221
microcomputers
personal computers (PCs) and laptop computers; a small business will probably use a PC to run a commercially purchased general ledger package (off-the-shelf software); segregation of duties becomes especially difficult in such an environment because one individual may perform all recordkeeping (processing) as well as maintain other nonrecordkeeping responsibilities; a larger client may use a network of PCs that may or may not be linked to a large corporate mainframe computer
222
small company microcomputer control objectives
1. security 2. verification of processing 3. personnel
223
small company microcomputer security (control objective)
security over the small computers themselves, while still important, may not be as critical as security over the data and any in-house developed software; access to the hard drive must be restricted, since anyone turning on the power switch can read the data stored in its files; a control problem may exist because the computer operator often understands the system and also has access to the input data --> management may need to become more involved in supervision when a lack of segregation of duties exists in data processing
224
small company microcomputer verification of processing (control objective)
periodically, an independent verification of the applications being processed on the small computer system should be made to prevent the system from being used for personal projects; verification also helps prevent errors in internally developed software from going undetected
225
small company microcomputer personnel (control objective)
centralized authorization to purchase hardware and software should be required to ensure that appropriate purchasing decisions are made, including decisions that minimize software and hardware compatibility difficulties; software piracy and viruses may be controlled by prohibiting the loading of unauthorized software and data on company-owned computers
226
a small company may control possible software piracy (the use of unlicensed software) by employees by procedures such as...
1. establishing a corporate software policy 2. maintaining a log of all software purchases 3. auditing individual computers to identify installed software
227
End-User Computing (EUC)
the end user is responsible for the development and execution of the computer application that generates the information used by that same end user; EUC substantially eliminates many of the services offered by an MIS (management information systems) department; overall physical access controls become more difficult when companies leave a controlled MIS environment and become more dependent upon individual users for controls
228
End-User Computing (EUC) risks
1. end-user applications are not always adequately tested before implemented 2. more client personnel need to understand control concepts 3. management often does not review the results of applications appropriately 4. old or existing applications may not be updated for current applicability and accuracy
229
End-user computing (EUC) control implications
1. require applications to be adequately tested before they are implemented 2. require adequate documentation 3. physical access controls 4. control access to appropriate users 5. control use of incorrect versions of data files (use control totals for batch processing of uploaded data) 6. require backup files 7. provide applications controls (edit checks, range tests, reasonableness checks) 8. support programmed or user reconciliations to provide assurance that processing is correct
230
Physical EUC (end-user computing) controls
1. clamps or chains to prevent removal of hard disks or internal boards 2. diskless workstations that require downloaded files 3. regular backup 4. security software to limit access to those who know user ID and password 5. control over access from outside 6. commitment to security matters written into job descriptions, employee contracts, and personnel evaluation procedures
231
EUC control access to appropriate users
1. passwords and user IDs 2. menus for EUC access to database 3. protect system by restricting user ability to load data 4. when user uploads data, require appropriate validation, authorization, and reporting control 5. independent review of transactions 6. record access to company databases by EUC applications
232
the controls for microcomputers and EUC are
similar
233
Electronic commerce
involves individuals and organizations engaging in a variety of electronic transactions with computers and telecommunication networks (internet or telephone)
234
Electronic commerce IT system risks (5)
1. security 2. availability 3. processing integrity 4. online privacy 5. confidentiality some believe these risks are impairing the growth of the web
235
WebTrust Seal of Assurance
developed by the AICPA and the Canadian Institute of Chartered Accountants; a form of assurance that tells potential customers that a CPA firm has evaluated a website's business practices and controls to determine whether they are in conformity with WebTrust principles
236
Digital Certificates (Digital IDs)
a credential issued by a trusted third party (a certificate authority) that binds an individual's or organization's identity to a public key; it allows an individual to digitally sign a message so the recipient can verify that it actually came from that individual and wasn't modified
237
Encryption
the conversion of data into a form called cipher text, that cannot be easily understood by unauthorized people
238
Decryption
the process of converting encrypted data back into its original form so it can be understood; the conversion is performed using an algorithm and a key which only the authorized users control
239
Algorithm
a detailed sequence of actions to perform to accomplish some task
240
Key (encryption)
in the context of encryption, a value that must be fed into the algorithm (together with the ciphertext) in order to reproduce the original plaintext; the same key, or its paired key in a public-key system, is used to encrypt
241
Private key system
(symmetric or secret-key system) an encryption system in which both the sender and receiver have access to the same electronic key but do not allow others access; disadvantage: the key must be distributed to both parties and kept secret by both, so the approach does not scale well to many trading partners
242
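The digital certificate, key and private-key-system cards above describe what a signature and a certificate do but not how the pieces fit together, so here is an added, self-contained example that is not part of the flashcards. It implements textbook RSA signing over a SHA-256 digest with deliberately tiny keys built from known Mersenne primes (an assumption made so the script needs no library; keys this small and unpadded RSA are not secure and must not be reused), then shows the certificate idea: a certificate authority signs the binding between a name and a public key, and a recipient checks the CA's signature on the certificate before trusting the public key inside it to verify the message. Unlike the private-key (shared-key) system, nobody has to share a secret with the sender in advance; only the CA's public key must be known.

```python
import hashlib
import json

E = 65537  # the usual public exponent


def make_keypair(p: int, q: int):
    """Toy RSA key from two primes (demo only; real keys are thousands of bits)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))    # private exponent: inverse of E mod phi(n)
    return {"n": n, "e": E}, {"n": n, "d": d}


# Known Mersenne primes, chosen only so the demo runs without any library.
CA_PUB, CA_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**127 - 1)


def canonical(obj) -> bytes:
    """Stable byte encoding, so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def digest(data: bytes, n: int) -> int:
    # the 256-bit hash is reduced mod n because the toy modulus is smaller than the hash
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    return pow(digest(data, priv["n"]), priv["d"], priv["n"])


def verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == digest(data, pub["n"])


def issue_certificate(ca_priv, subject: str, subject_pub) -> dict:
    """A certificate is the CA's signature over (subject identity, subject public key)."""
    body = {"subject": subject, "n": subject_pub["n"], "e": subject_pub["e"]}
    return {"body": body, "ca_sig": sign(ca_priv, canonical(body))}


def verify_signed_message(ca_pub, cert, message: bytes, sig: int, expected_subject: str) -> str:
    """Recipient's checks, in order: is the certificate genuine, is it for the sender we
    expect, and does the sender's key verify the message."""
    if not verify(ca_pub, canonical(cert["body"]), cert["ca_sig"]):
        return "bad certificate"
    if cert["body"]["subject"] != expected_subject:
        return "wrong subject"
    subject_pub = {"n": cert["body"]["n"], "e": cert["body"]["e"]}
    return "ok" if verify(subject_pub, message, sig) else "bad signature"


def demo():
    cert = issue_certificate(CA_PRIV, "alice@example.com", ALICE_PUB)
    msg = b"Pay vendor 4471 the sum of 12,500.00 on 2024-06-30"   # constructed message
    sig = sign(ALICE_PRIV, msg)
    # an impostor with his own key, who never had the CA's private key
    mallory_pub, mallory_priv = make_keypair(2**31 - 1, 2**61 - 1)
    fake_body = {"subject": "alice@example.com", "n": mallory_pub["n"], "e": mallory_pub["e"]}
    fake_cert = {"body": fake_body, "ca_sig": sign(mallory_priv, canonical(fake_body))}
    return {
        "genuine": verify_signed_message(CA_PUB, cert, msg, sig, "alice@example.com"),
        "tampered": verify_signed_message(CA_PUB, cert, msg.replace(b"12,500", b"92,500"),
                                          sig, "alice@example.com"),
        "wrong_sender": verify_signed_message(CA_PUB, cert, msg, sig, "bob@example.com"),
        "forged_cert": verify_signed_message(CA_PUB, fake_cert, msg,
                                             sign(mallory_priv, msg), "alice@example.com"),
        "stolen_cert": verify_signed_message(CA_PUB, cert, msg,
                                             sign(mallory_priv, msg), "alice@example.com"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:13} {outcome}")
```

Real certificates (X.509) add an expiry date, a revocation mechanism and a chain of intermediate CAs, and real signatures use a padding scheme (PSS) or a different algorithm (ECDSA, Ed25519); the trust decision, though, is the one shown: the recipient trusts the CA, the CA vouches for the key, the key vouches for the message.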
system overhead (encryption)
the machine instructions necessary to encrypt and decrypt data constitute system overhead, which slows down the rate of processing
243
to assure continuity in the event of a natural disaster, firms should establish..
off-site mirrored Web servers
244
Electronic funds transfer (EFT)
making cash payments between two or more organizations or individuals electronically rather than by using checks (or cash)
245
EFT risk
EFT systems are vulnerable to the risk of unauthorized access to proprietary data and to the risk of fraudulent fund transfers
246
EFT controls
1. control of physical access to network facilities 2. electronic ID should be required 3. passwords should control access 4. encryption should be used to secure stored data and data being transmitted
247
Electronic Data Interchange (EDI)
the electronic exchange of business transactions, in a standard format, from one entity's computer to another's through an electronic communications network
248
EDI (electronic data interchange) risks
1. commonly used for sales and purchasing and the related accounts; the speed at which transactions occur often reduces receivables, because receipts are processed electronically 2. preventive controls, rather than detective controls, are usually relied upon 3. no paper trail; some electronic copies are kept only for a certain period of time, which affects audits
249
Methods of communications between trading partners
1. point-to-point 2. value-added network (VAN) 3. public networks 4. proprietary networks
250
Point-to-Point communication between trading partners
a direct computer-to-computer private network link; automakers and governments traditionally use this method
251
point to point communication advantages
1. no reliance on third parties for computer processing 2. organization controls who has access to the network 3. organization can enforce proprietary (its own) software standard in dealings with all trading partners 4. timeliness of delivery may be improved since no third party is involved
252
point to point communication disadvantages
1. must establish connection with each trading partner 2. high initial cost 3. computer scheduling issues 4. need for common protocols between partners 5. need for hardware and software compatibility
253
Value-added network (VAN) communication between trading partners
a privately owned network that routes EDI transactions between trading partners and in many cases provides translation, storage, and other processing; it alleviates problems related to interorganizational communication that result from the use of differing hardware and software; a VAN receives data from the sender, determines the intended recipient, and places the data in the recipient's electronic mailbox
254
VAN (value-added network) communication advantages
1. reduces communication and data protocol problems, since VANs can deal with differing protocols (eliminating the need for trading partners to agree on them) 2. partners do not have to establish numerous point-to-point connections 3. reduces scheduling problems, since the receiver can request delivery of transactions when it wishes 4. the VAN translates data into a standard format, so the partner does not have to reformat it 5. a VAN can provide increased security
255
VAN (value-added network) communication disadvantages
1. cost (expensive) 2. dependence upon VAN's systems and controls 3. possible loss of data confidentiality
256
Public networks (communication between trading partners)
example: the internet-based commerce solutions described earlier (EFT, EDI)
257
public network communication advantages
1. avoids cost of proprietary lines 2. avoids cost of VAN 3. directly communicates transactions to trading partners 4. software is being developed which allows communication between differing systems
258
public network communication disadvantages
1. possible loss of data confidentiality 2. computer or transmission disruption 3. hackers and viruses 4. attempted electronic frauds
259
proprietary networks (communication between trading partners)
in some circumstances (health care, banking) organizations have developed their own networks for their own transactions; costly to develop and operate (because of proprietary lines), although they are often extremely reliable
260
Controls required for other network systems are required for EDI systems
controls: 1. authentication: controls over the origin, proper submission, and proper delivery of EDI communications (the parties should have proof of each) 2. packets: a block of data that is transmitted from one computer to another (contains data and authentication info) 3. encryption: conversion of plaintext into ciphertext using an algorithm and a key which only the users control
261
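Two cards on this page point at the same mechanism from different sides: the EUC control "use control totals for batch processing of uploaded data" and the EDI control above, "authentication: controls over the origin, proper submission, and proper delivery". The added example below (not part of the flashcards) implements a receiver for a constructed batch of payment records. The sender attaches control totals (record count, financial total and a hash total), a sequence number, and an HMAC computed with a key assumed to have been shared with the trading partner in advance; the receiver re-derives all three and reports which control failed for a lost record, a replayed packet, an altered amount with "corrected" totals, and a packet from a sender who does not hold the key.

```python
import copy
import hashlib
import hmac
import json

# Assumption: a secret shared in advance with the trading partner (constructed for the demo).
SHARED_KEY = b"constructed-demo-key-not-for-production"

# Constructed batch of uploaded payment records.
RECORDS = [
    {"invoice": "A-1001", "vendor": 4471, "amount": 1250.00},
    {"invoice": "A-1002", "vendor": 4472, "amount": 300.50},
    {"invoice": "A-1003", "vendor": 4471, "amount": 90.25},
]


def control_totals(records):
    """Batch control totals: record count, financial total, and a hash total (the
    otherwise meaningless sum of vendor numbers, kept only to detect lost or altered records)."""
    return {
        "count": len(records),
        "amount_total": round(sum(r["amount"] for r in records), 2),
        "hash_total": sum(r["vendor"] for r in records),
    }


def canonical(obj) -> bytes:
    """Stable byte encoding so sender and receiver compute the MAC over identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_packet(records, seq, key=SHARED_KEY):
    """Sender side: body carries the records, their totals and a sequence number; the MAC
    covers the whole body, so it proves origin and detects any change after sending."""
    body = {"seq": seq, "records": records, "totals": control_totals(records)}
    return {"body": body, "mac": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}


def receive(packet, expected_seq, key=SHARED_KEY):
    """Receiver side: return the list of failed controls; an empty list means accept."""
    body, problems = packet["body"], []
    expected_mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, packet["mac"]):
        problems.append("authentication")      # wrong origin, or altered after signing
    if body["seq"] != expected_seq:
        problems.append("sequence")            # lost, duplicated or replayed packet
    if control_totals(body["records"]) != body["totals"]:
        problems.append("control totals")      # records disagree with the batch header
    return problems


def demo():
    good = build_packet(RECORDS, seq=7)
    results = {"good": receive(good, 7)}

    dropped = copy.deepcopy(good)               # one record lost in transit
    dropped["body"]["records"].pop()
    results["dropped_record"] = receive(dropped, 7)

    results["replayed"] = receive(good, 8)      # receiver has already consumed seq 7

    altered = copy.deepcopy(good)               # amount changed and totals recomputed by the attacker
    altered["body"]["records"][0]["amount"] = 9250.00
    altered["body"]["totals"] = control_totals(altered["body"]["records"])
    results["altered_with_totals_fixed"] = receive(altered, 7)

    spoofed = build_packet(RECORDS, seq=7, key=b"guessed-key")   # sender without the shared key
    results["spoofed_origin"] = receive(spoofed, 7)
    return results


if __name__ == "__main__":
    for case, failures in demo().items():
        print(f"{case:26} {failures or 'accepted'}")
```

The "altered with totals fixed" case is the reason both controls exist: control totals catch accidental loss and corruption, but anyone who can edit the batch can also edit the totals, so only the keyed MAC (or a digital signature) establishes origin and integrity against a deliberate change.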
Benefits of EDI
1. quick response and access to info 2. cost efficiency 3. reduced paperwork 4. accuracy and reduced errors and error-correction costs 5. better communications and customer service 6. necessary to remain competitive
262
Exposures of EDI
1. total dependence upon the computer system for operation 2. possible loss of confidentiality of sensitive info 3. increased opportunity for unauthorized transactions and fraud 4. concentration of control among a few people involved in EDI 5. reliance on third parties (trading partners, VAN) 6. data processing, application and communication errors 7. potential legal liability due to errors 8. potential loss of audit trails and information needed by management due to limited retention policies 9. reliance on trading partners' systems
263
Telecommunications
the electronic transmission of info by radio, wire, fiber optic, coaxial cable, microwave, laser, or other electromagnetic system; information transmitted: voice, data, video, fax, other
264
Telecommunications hardware
1. computers 2. transmission facilities (copper wire, fiber optic cables, microwave stations, communications satellites) 3. modems
265
Software does what?
controls and monitors the hardware, formats information, adds appropriate control info, performs switching operations, provides security, and supports the management of communications
266
Telecommunications enables the following technologies, i.e. if we did not have telecommunications, we would not have:
1. EDI (electronic data interchanges) 2. EFT (electronic funds transfers) 3. point of sale (POS) system 4. commercial databases 5. airline reservation systems
267
controls needed for telecommunications:
1. system integrity at remote sites 2. data entry 3. central computer security 4. dial-in security 5. transmission accuracy and completeness 6. physical security over telecommunications facilities 7. encryption during transmissions
268
Computer service organizations (bureaus, centers)
these orgs record and process data for companies
269
COBIT 5** (Control Objectives for Information and Related Technology)
a framework developed by ISACA (the Information Systems Audit and Control Association) to assist enterprises in achieving their objectives for the governance and management of enterprise IT; it is business-oriented in that it provides a systematic way of integrating IT with business strategy and governance
270
COBIT 5 Principles**
1. meeting stakeholder needs 2. covering the enterprise end-to-end 3. applying a single integrated framework 4. enabling a holistic approach 5. separating governance from management
271
COBIT 5 Enablers**
factors that individually and collectively influence whether something will work in an organization: 1. processes (an organized set of practices and activities to achieve certain objectives) 2. organizational structures (the key decision-making entities in an organization) 3. culture, ethics, and behavior of individuals and the org 4. principles, policies and frameworks (the vehicle to translate the desired behavior into guidance for day-to-day management) 5. information produced and used by the enterprise 6. services, infrastructure, and applications (the infrastructure, technology, and applications that provide the enterprise with information technology processing and services) 7. people, skills, and competencies required for successful completion of all activities and for making correct decisions
272
processes (COBIT enabler)
an organized set of practices and activities to achieve certain objectives
273
organizational structures (COBIT enabler)
the key decision-making entities in an organization
274
principles, policies and frameworks (COBIT enabler)
the vehicle to translate the desired behavior into guidance for day-to-day management
275
services, infrastructure, and applications (COBIT enabler)
the infrastructure, technology, and applications that provide the enterprise with information technology processing and services
276
Principles of a reliable system
one that is capable of operating without material error, fault, or failure during a specified period in a specified environment; the 5 AICPA Trust Services principles of a reliable system: 1. security 2. availability 3. processing integrity 4. online privacy 5. confidentiality
277
Security (reliability principle)
the system is protected against unauthorized access (physical and logical), e.g. locked doors and restricted access to data
278
Availability (reliability principle)
the system is available for operation and use as committed or agreed, in conformity with the entity's availability policies; system failure results in interruption of business operations and loss of data
279
Processing integrity (reliability principle)
system processing is complete, accurate, timely, and authorized; invalid, incomplete or inaccurate processing can affect input data, data processing, updating of master files, and creation of output
280
Online privacy (reliability principle)
personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed; risks include disclosure of customer info such as SS #s, credit card #s, credit rating, and medical conditions
281
Confidentiality (reliability principle)
information designated as confidential is protected as committed or agreed; examples of confidential data that might be disclosed: transaction details, engineering details of products, business plans, banking info, legal documents, inventory and other account info, customer lists, confidential details of operations
282
Segregation controls (org structure)
segregate functions between the information systems department and user departments; do not allow the information systems department to initiate or authorize transactions; at a minimum, segregate within the information systems department: 1. programming 2. data entry 3. operations 4. the library function
283
user departments
are the other departments of the company that utilize the data prepared by the information systems department
284
Systems analysis (information systems department; systems development manager)
the systems analyst analyzes the present user environment and requirements and may: 1. recommend specific changes 2. recommend the purchase of a new system 3. design a new information system
285
Systems programming (information systems department)
responsible for implementing, modifying, and debugging the software necessary for making the hardware work
286
Applications programming (information systems department)
responsible for writing, testing and debugging the application programs from specifications provided by the systems analyst
287
Database administration (information systems department)
responsible for maintaining the database and restricting access to the database to authorized personnel
288
Data preparation (information systems department)
data may be prepared by user departments and input by key to storage devices
289
Operations (information systems department)
the operator is responsible for the daily computer operations of both the hardware and the software; supervises operations on the operator's console, accepts any required input, and distributes any generated output; the operator should have adequate documentation to run the program (a run manual), but should not have detailed program info *help desks are usually a responsibility of the operators because of the operational nature of their functions (e.g. assisting users with systems problems and obtaining technical support)
290
Data library (information systems department)
the librarian is responsible for custody of the removable media (i.e. magnetic tape or disks) and for the maintenance of program and system documentation; in many systems the library function is maintained and performed electronically by the computer
291
Data control (information systems department)
the control group acts as a liaison between users and the processing center; this group records input data in a control log, follows the progress of processing, distributes output, and ensures compliance with control totals *ideally, in a large system, the above key functions are segregated, but in a smaller co. many are concentrated in a small number of employees ***at a minimum an attempt should be made to segregate programming, operating, and library functions
292
Information and Communication (IT)
the computerized accounting system is affected by whether the company uses small computers and/or a complex mainframe system; small systems can use off-the-shelf software: 1. controls within the software may be well known 2. analysis of exception reports generated during processing is important to determine that exceptions are properly handled; for complex mainframe systems, software is usually developed internally: 1. controls are unknown to the auditor prior to testing 2. analysis of exception reports is important
293
Monitoring (IT)
a common method for monitoring for inappropriate access is review of the system-access log (who has access); IT can also facilitate monitoring: continuously evaluate data/transactions and capture samples of items
294
Control Activities-overall (IT)
control activities in which a computer is involved may be segregated into: 1. computer general control activities 2. application control activities 3. programmed application controls 4. manual follow-up of computer exception reports 5. user control activities to test the completeness and accuracy of computer processed controls
295
Computer general control activities
control program development, program changes, computer operations, and access to programs and data
296
Computer application control activities
programmed control activities: relate to specific computer applications and are embedded in the computer program; manual follow-up of computer exception reports: involves employee follow-up of items listed on the computer exception reports
297
user control activities to test the completeness and accuracy of computer processed transactions
represent manual checks of computer output against source document or other input, and thus provide assurance that programmed aspects of the accounting system and control activities have operated effectively
298
computer general control activities
1. developing new programs and systems 2. changing existing programs and systems 3. controlling access to programs and data 4. controlling computer operations
299
segregation controls (developing new programs and systems-general computer control activities)
1. user departments participate in systems design 2. both users and information systems personnel test new systems 3. management, users, and information systems personnel approve new systems before they are placed into operation 4. all master and transaction file conversion should be controlled to prevent unauthorized changes and to verify the accuracy of the results 5. programs and systems should be properly documented
300
computer hardware is extremely reliable because
of chip technology and controls built into the hardware; controls include: 1. parity check 2. echo check 3. diagnostic routines 4. boundary protection 5. periodic maintenance
301
parity check
a special bit is added to each character so that it can be detected if the hardware loses a bit during the internal movement of a character
302
echo check
primarily used in telecommunications transmissions; during the sending and receiving of characters, the receiving hardware repeats back to the sending hardware what it received, and the sending hardware automatically resends any characters that were received incorrectly
303
diagnostic routines
hardware or software supplied by the manufacturer to check the internal operations and devices within the computer system
304
boundary protection
most CPUs have multiple jobs running simultaneously (multiprogramming environment); boundary controls do not allow one job to change the allocated memory of another job
305
periodic maintenance
the system should be examined periodically (often weekly) by a qualified service technician
306
documentation
systems and programs should be adequately documented; system specification documents should detail such matters as performance levels, reliability, security and privacy, constraints and limitations, functional capabilities, and data structure elements
307
changing existing programs and systems
should be documented in a change request log
308
change control procedures (modification controls)
1. information systems manager should review all changes 2. modified program should be appropriately tested 3. details of all changes should be documented 4. a code comparison program may be used to compare source and/or object codes of a controlled copy of a program with the program currently being used to process data (will identify unauthorized changes)
309
segregation controls (controlling access to programs and data- general computer control activity)
1. access to program documentation should be limited to those who require it in the performance of their duties 2. access to data files and programs should be limited to those authorized to process data 3. access to computer hardware should be limited to authorized individuals (computer operators and their supervisors)
310
limited physical access to computer facility
the physical facility that houses the computer equipment, files, and documentation should have controls to limit access only to authorized individuals; controls: guard, key card, manual key locks, fingerprint and palmprint access granting devices
311
visitor entry log (access to computer facility)
use visitor logs to document those who have had access to the area
312
access control software
(user identification) the most used control is a combination of a unique identification code and a confidential password
313
call back (hardware and software access controls)
a specialized form of user ID in which the user dials the system, identifies themselves, and is disconnected from the system; then, either manually or by computer, the authorized phone number is looked up and the user is called back
314
encryption as access control
data is coded when stored in computer files and/or before transmission to or from remote locations; this protects data since unauthorized users not only have to obtain the data, they also have to decode it
315
segregation of controls to control computer operations
1. operators should have access to an operations manual that contains the instructions for processing programs and solving routine operational program issues, but not detailed program documentation 2. the control group should monitor the operators' activities, and jobs should be scheduled
316
other controls for controlling computer operations
1. backup recovery 2. contingency processing 3. internal and external labels
317
contingency processing (as a form of controlling computer operations)
detailed contingency processing plans should be developed to prepare for system failures; they should specify the responsibilities of individuals, as well as the alternate processing sites that should be utilized
318
internal and external labels (controlling computer operations)
external labels are gummed-paper labels attached to storage media which identify the file; internal labels perform the same function through the use of machine readable information in the first record of the file; use of labels allows the computer operator to determine whether the correct file has been selected for processing (a file protection ring makes it read only)
319
programmed application controls
apply to a specific application; operate to assure the proper input and processing of data
320
overall programmed application controls
1. inputs should be authorized and approved 2. system should verify all significant data fields used to record info 3. conversion of data into machine-readable form should be controlled and verified for accuracy
321
input validation (edit) controls
1. preprinted form 2. check digit 3. control, batch, or proof total 4. hash total 5. record count 6. limit (reasonableness) test 7. menu driven input 8. field check 9. validity check 10. missing data check 11. field size check 12. logic check 13. redundant data check 14. closed-loop verification
322
preprinted form
info is pre-assigned a place and a format on the input form
323
check digit
an extra digit added to an ID number to detect certain types of data transmission errors
324
control, batch, proof total
a total of one numerical field for all the records of a batch that would normally be added (total sales dollars)
325
hash total
a control total where the total is meaningless for financial purposes
326
record count
a control total of the total records processed
327
limit (reasonableness) test
test of the reasonableness of a field of data, given a predetermined upper and/or lower limit; example: the limit for auditing scores would be 100
328
menu driven input
example: "what score did you get on the auditing section of the CPA exam? 75-100?"; you must enter a number between 75 and 100
329
field check
control that limits the types of characters accepted into a specific data field; e.g. pay rate should only include numerical data
330
validity check
a control that allows only "valid" transactions or data to be entered into the system (female is 1 and male is 2- anything else would not be valid)
331
missing data check
a control that searches for blanks inappropriately existing in input data (required fields in a form online)
332
field size check
a control of an exact number of characters to be input (EIN has to be 9 digits)
333
logic check
ensures that illogical combinations of input are not accepted
334
redundant data check
uses two identifiers in each transaction record to confirm that the correct master file record is being updated (duplicate profile entries: it notifies me when it's already in the system)
335
closed loop verification
a control that allows data entry personnel to check the accuracy of input data
336
processing application controls
when the input has been accepted by the computer, it usually is processed through multiple steps
337
application controls- manual follow-up of computer exception reports
these controls involve employee (operator and/or control group) follow-up of items listed on computer exception reports; their effectiveness depends on the effectiveness of both the programmed control activities that produce the reports and the manual follow-up activities
338
user control activities to test the completeness and accuracy of computer-processed controls
1. checks of computer output against source documents, control totals, or other input to provide assurance that programmed aspects of the f/r system and control activities have operated effectively 2. reviewing computer processing logs to determine that all correct computer jobs were executed properly 3. maintaining proper procedures and communications specifying authorized recipients of output (did the right person get the output?)
339
**Disaster recovery and business continuity
a plan should allow the firm to: 1. minimize the extent of disruption, damage, and loss 2. establish an alternate (temporary) method for processing info 3. resume normal operations as quickly as possible 4. train and familiarize personnel to perform emergency operations; a plan should include priorities, insurance, backup approaches, specific assignments, periodic testing and updating, and documentation
340
backup approaches for disaster recovery and business continuity
1. batch systems 2. online databases and master file systems
341
backup batch systems
three generations of the file are saved (1, 2, and 3); if one is destroyed, the next generation recovers it, and so on
342
backup online databases and master file systems
1. checkpoint 2. rollback 3. backup facilities
343
checkpoint
the system makes copies of the system at certain "checkpoints"; if files are destroyed, the last checkpoint saved will restore the destroyed file
344
rollback
as a part of recovery, to undo changes made to a database to a point at which it was functioning properly
345
backup facilities
1. reciprocal agreement 2. hot site 3. cold site 4. internal site 5. mirrored web server
346
reciprocal agreement- backup facilities
an agreement between two or more organizations to aid each other with their data processing needs in the event of a disaster (mutual aid pact)
347
hot site- backup facilities
a commercial disaster recovery service that allows a business to continue computer operations in the event of a computer disaster; example: if a co's data processing center becomes inoperable, that enterprise can move all processing to a hot site that has all the equipment needed to continue operation (recovery operations center, ROC); costly
348
cold site-backup facilities
similar to a hot site, but the customer provides and installs the equipment needed to continue operations; less expensive, but takes longer to get into full operation after a disaster (empty shell)
349
internal site- backup facilities
large organizations with multiple data processing centers sometimes rely upon their own sites for backup in the event of a disaster
350
mirrored web server- backup facilities
an exact copy of a website which is the best way to back up the website