Section 4A&E

Question 1

Ensuring system reliability is a top management issue. To successfully implement systems reliability principles, management must do all of the following except:

design and employ appropriate and cost-beneficial control procedures to implement the policies.
develop and document a comprehensive set of control policies at the same time that specific control procedures are designed and implemented.
effectively communicate policies to all employees
customers, suppliers, and other authorized users.
monitor the system and take corrective action to maintain compliance with policies.

Answer 1

develop and document a comprehensive set of control policies at the same time that specific control procedures are designed and implemented.

To successfully implement systems reliability principles, a company must develop and document a comprehensive set of control policies before (not at the same time as) designing and implementing specific control procedures; effectively communicate policies to all employees, customers, suppliers, and other authorized users; design and employ appropriate and cost-beneficial control procedures to implement the policies; and monitor the system and take corrective action to maintain compliance with policies.

Question 2

To successfully implement systems reliability principles, a company must:

1. Develop and ocument a comprehensive set of ___ policies before designing and implementing control procedures
2. Effectively ___policies to all employees, customers, suppliers, authorized users.
3. ____appropriate and cost-beneficial control procedures to implement the policeis
4. Monitor the system and take ___to maintain compliance w/ policies

RANDOM
To ensure system ___, companies must implement a set of preventive controls and supplement them with methods for detecting incidents and procedures for taking corrective remedial action.

A company must also employ multiple layers of controls so that if one control fails or is ___, another control will prevent, detect, or correct the reliability breakdown.

Answer 2

Control policies
communicate
Design and employ
corrective action

Reliability

circumvented

Question 3

Which of the following statements is correct regarding information technology (IT) governance?

A primary goal of IT governance is to balance risk versus return over IT and its processes.
IT governance is an appropriate issue for organizations at the level of the board of directors only.
IT goals should be independent of strategic goals.
IT governance requires that the Control Objectives for Information and Related Technology (COBIT) framework be adopted and implemented.

Answer 3

A primary goal of IT governance is to balance risk versus return over IT and its processes.

By devising appropriate strategies (i.e., balancing risk versus reward) and making decisions on allocating its resources (e.g., staff and capital) to pursue those strategies, an organization’s IT governance can help ensure that the entity’s overall goals will be achieved.

Question 4

RANDOM

One of management’s major responsibilities is to make sure a company’s information resources are secure and adequately controlled. T/F

Answer 4

True

Question 5

The following five principles have been developed by the AICPA and CICA (Canadian Institute of Chartered Accountants) for use by practitioners in the performance of Trust Services engagements:

Security – system is protected against ___ physical and logical access

Availability - system is available for operation and use as agreed

Process Integrity - System processing is complet/accurate/timely/authorized

Confidentiality - Info. designated as confidential is protected as committed

Privacy - Personal info. is used in conformity w/ the commitments

Answer 5

Unauthorized

True to all

Question 6

___is an organization’s formal process of defining its future course or direction.

Answer 6

Strategic planning

Question 7

Companies can minimize IT control and security risks be taking proactive steps such as the following:

Hiring full-time ___

Making control problems and solutions a major part of _

Establishing formal __policies and enforcing them

Building controls into systems during the __rather than adding them after the fact

Establishing a __) which requires periodic backup of all data (not only sensitive data) to a safe and secure environment

Answer 7

security and control staff

employee training

information security

initial design stage

business continuity plan (i.e., disaster recovery

Question 8

The accuracy, control, and efficiency of data input are improved by

1. Using well designed ___documents
2. __related data together
3. Using good shading/borders to __data
4. Using _source documents
5. Providing __about data collected
6. Using check-off boxes to present __
7. Using ___turnaround documents
8. Using source data automation devices (ATM/Bank Magnetic Ink, POS Scanners, Barcode Scanners) T/F

Answer 8

source 
Grouping 
separate 
prenumbered 
instructions 
avail options
machine-readable 
True

Question 9

Because an organization makes heavy use of client/server architecture, end users have much of its critical and sensitive information on their personal computers (PCs) and departmental file servers. The chief financial officer has asked the auditors for input for developing an end-user computing policy. The policy requires a long-range, end-user computing plan. Which of the following documents should most strongly influence the development of this plan?

The multi-year audit plan
The information security policy
The systems development methodology
The organization’s strategic operational plan

Answer 9

The organization’s strategic operational plan

Strategic goals outline how the organization will use information systems to create a competitive advantage, and the strategic operational plan is, therefore, one of the most important influences on the development of the end-user computing strategic plan.

Question 10

An ___is part of the strategic plan and describes short-term methods of achieving milestones

Answer 10

operational plan

Question 11

During a post-implementation review of an accounting information system (AIS), a CPA learned that an AIS with few customized features had been budgeted and scheduled to be installed over 9 months for $3 million (including hardware, software, and consulting fees). An in-house programmer was assigned as the project manager and had difficulty keeping the project on schedule. The implementation took 18 months, and actual costs were 30% over budget. Many features were added to the system on an ad-hoc basis, with the project manager’s authorization. The end users are very satisfied with the new system. The steering committee, however, is dissatisfied about the scope creep and would like a recommendation to consider before approving initiation of another large project. Based on those findings, the CPA should recommend implementing a:

change control system.
contract management system.
budgeting system.
project timekeeping system.

Answer 11

change control system.

Change control is the process of requesting a change, reviewing the effectiveness of the change, approving the change, and implementing the change

Question 12

Change control procedures include the following:

Approval of the change by the ___; assign a __

The project leader ensures all required ___and authorities have been received for a given change.

Establish and assign ___and tasks for individuals involved in the project.

All personnel involved in the project vote to adhere to the assigned work. T/F

Test, approve, and implement the change. T/f

Answer 12

change control board, project leader.

project leader.

schedules

FALSE - they MUST adhere to the assigned work

true

Question 13

In a large organization, the biggest risk in not having an adequately staffed information center help desk is:

increased difficulty in performing application audits.
inadequate documentation for application systems.
increased likelihood of use of unauthorized program code.
persistent errors in user interaction with systems.

Answer 13

persistent errors in user interaction with systems.

Question 14

Information output is presented in three forms:

Answer 14

Document
Report
Queries

Question 15

Information output is presented in three forms: Document, Report, Queries

DOCUMENTS are records/transactions of company data

1. They can be printed/stored electronically T/F
2. Some are meant for 3rd parties and others internally T/F
3. Source doc are the beginning of a process
4. ___ documents are generated at hte END of a transaction processing activity

REPORTS are prepped both externally and internally

1. Employees use reports to control __ activities
2. Managers use reports to ___ and develop ___
3. External parties use reports to comply with ___

QUERIES

1. Arise from problems & questions that need rapid __
2. Queries find the info, retrieve it, and display as req.
3. Users can have ___queries T/F

Companies are not allowed to let suppliers to query their databases so the suppliers can better meet their needs

Answer 15

T
T
T
Operational

Operational
make decisiions and develop biz strategies
laws and regulations

Action/answers
True
Predetermined

False - They are allowed

Question 16

In a large organization, the biggest risk in not having an adequately staffed information center help desk is:

increased difficulty in performing application audits.
inadequate documentation for application systems.
increased likelihood of use of unauthorized program code.
persistent errors in user interaction with systems.

Answer 16

persistent errors in user interaction with systems.

Question 17

Which of the following represents the procedure managers use to identify whether the company has information that unauthorized individuals want, how these individuals could obtain the information, the value of the information, and the probability of unauthorized access occurring?

Disaster recovery plan assessment
Systems assessment
Risk assessment
Test of controls

Answer 17

Risk Assessment

A risk assessment is the process by which management would get the information necessary to resolve the question of attractiveness of the information and the desire of unauthorized individuals to attempt access to it.

Question 18

What should be examined to determine if an information system is operating according to prescribed procedures?

System capacity
System control
System complexity
Accessibility to system information

Answer 18

System Control

The system controls should be examined because they represent a device or set of devices to manage, command, direct, or regulate other devices or systems and thus would provide the information necessary to determine how an information system is operating with respect to its prescribed procedures.

Question 19

Organizations face several IT strategic planning and budgeting threats related to information technology. These threats include all of the following, except:
T/F
the information system does not support business objectives or strategies.
IT resources are not used efficiently or effectively.
information needs are not met or are unaffordable.
the IT’s hot site is not adequately staffed.

Answer 19

True
True
true
FALSE

Question 20

STRATEGIC PLANNING AND BUDGETING
Organizations face several strategic planning and budgeting threats related to information technology:

The information system does not support __
Resources are not used __.
Information needs are not met or are __

Controls to mitigate these threats

1. ___strategic plan
2. Establish _to assess how emerging tech impacts biz
3. ___resources to support strategic plan

Answer 20

business strategies.
efficiently or effectively
unaffordable

Multiyear
R&D
Budget

Question 21

The Assurance Services Executive Committee of the AICPA has introduced Trust Services, including SysTrust and WebTrust, which are defined as a set of attestation and advisory services based on a core set of principles and criteria that address the risks of IT-enabled systems and programs. Which of the following is not one of those core principles?

Security
Efficient communication
Availability
Processing integrity

Answer 21

Communication

Question 22

DEVELOP A RELIABLE SYSTEM PLAN

1. ___responsibility
2. ___and update plan regularly
3. Make ___w/ responsibilities aware of plan
4. Req all new and exist employees to follow ___
5. Detremine ___for info. resources
6. Develop ____to train employees
7. Document ___problems and analyze them
8. Identify legal ___
9. Log ___requested by users
10. Assess system reliability ___

Answer 22

Assign 
Review
All personnel
Security Procedures
Ownership
Security awareness program
Relaibility 
Requirements
Changes
risks

Question 23

One reason some organizations cannot ensure IT system reliability is that IT governance failed to plan for this objective. Which of the following is not a step that an organization’s IT governance should implement?

Assign plan responsibility and accountability to a top-level IT manager
Require lower-level and new employees to follow all security procedures
Develop a security awareness program and use it to train employees
Determine ownership, custody, access, and maintenance responsibility for information resources

Answer 23

Require lower-level and new employees to follow all security procedures

Question 24

A problem related to computer-based information systems in organizations is that end-users require technical support and assistance in the development of their own computer applications.

The best solution to this problem would be:
communication protocol.
database management system.
information center and help desk.
modem.

Answer 24

Info center and help desk

Question 25

Organizations experience major control failures because:

the loss of crucial information is viewed as a distant, unlikely threat, so control problems are ___

Companies do not understand the control implications of moving from secure, highly controlled, and centralized computer systems to a ___

Cliient/server systems are ___than centralized mainframe systems.

companies do not fully realize that information is a strategic resource and protecting it is crucial to their __

Adequate ___control measures are not put in place due to productivity and cost pressures.

____becomes a major concern when companies give customers and suppliers access to their system and data.

Answer 25

underestimated

less secure network or Internet-based system.

harder to control

survival.

time-consuming

confidentiality

Question 26

As companies become more reliant on information systems that become ever more complex to meet growing needs for information, they face an ever-present risk of their systems being compromised. Which of the following is not one of the reasons that organizations experience major control failures?

Companies do not understand the control implications of moving from a highly controlled centralized computer system to a less secure network system.
Client server systems make information available to many more employees and easier to control than a centralized system.
Companies do not understand that information is a strategic resource.
Confidentiality is a major concern when companies share information with customers and suppliers

Answer 26

Client server systems make information available to many more employees and easier to control than a centralized system.

Question 27

Change management and control procedures help to CONTROL ANY INFORMATION SYSTEM CHANGES. Which of the following is not an example of a change management control?

Study the existing information systems.

Use the strategic master plan to prioritize all change requests.

Develop a plan to back out of any unsuccessful mission-critical system change.

Require IT management to review, monitor, and approve all change requests.

Answer 27

Study the existing information systems.

Question 28

CHANGE MANAGEMENT CONTROLS
The following change management control policies and procedures can help control information system changes:

Look for needed changes by reviewing systems
Req all info sys change requests to be submitted using __
Require IT management to review, monitor, and approve all __
Assess each change will have on the sys
Use strategic master plan to prioritize __
Assign responsibilities to ppl making the change and __their work
Prevent _ systems access by controlling access rights
Create a quality ___ function
Log all __changes that dont follow procedures

Answer 28

a standard format
standard format
change requests.
true
change request
monitor 
Unauthorized
assurance
emergency

Question 29

QUALITY ASSURANCE FUNCTION make sure all standards and procedures are followed.

make sure changes do not skip any appropriate ___(development, testing, and implementation).

__ all hardware, infrastructure, and software changes extensively in a separate, nonproduction environment before the change is put into live production mode.

determine if changes achieved their stated __.

keep management and those who requested the change informed of all changes. T/f

update all documentation and procedures after a change is implemented. T/F

Answer 29

system development steps

test

objectives

true

true

Question 30

Very rarely will information systems meet all user requirements when initially implemented. As a result, systems development personnel may be tempted to make unauthorized changes to the software or system to meet user needs. To mitigate this risk, management should implement:

logical access controls.
proper segregation of duties.
data input controls.
change management control policies.

Answer 30

Change management control policies

Change management control policies put into place the proper processes and approval channels to make changes to an organization’s systems.

Question 31

In which of the following phases of computer system development would training occur?

Planning phase
Analysis phase
Design phase
Implementation phase

Answer 31

Implementation

Implementation is the process of installing a computer system. It includes selecting and installing the equipment, training personnel, establishing operating policies, and getting the software onto the system and functioning properly.

Question 32

Most information systems changes proceed through a five-step systems development life cycle:

Systems Analysis
Conceptual Design
Physical Design
Implementation and Conversion
Operation and Maintenance

Answer 32

Yep

Question 33

Which system conversion approach results in all users being migrated to the new system in a predetermined series of steps, either by module, business unit, or location?

“Big bang” approach
Phased approach
Parallel approach
Pilot approach

Answer 33

Phased Approach

Under the phased approach, the cutover and adoption of the new application occurs in phases over an extended period of time; all users are migrated to the new system in a predetermined series of steps. This can be by module, business unit, or location.

Question 34

The most popular conversion strategies are :

____: The new system is run alongside the legacy system; users are trained on the new system while the old system is still operational.

____: The cutover and adoption of the new application occur in phases over an extended period of time; all users are migrated to the new system in a predetermined series of steps. This can be by module, business unit, or location.

____(also called direct changeover): The complete implementation occurs in one single instance; all legacy applications (if any) are cut out and all users move to the new system on an agreed-upon day.

____: This approach combines the above methods to adapt to the entity’s unique situation. For example, the most important modules can be implemented using the “big bang” strategy, and then the less significant modules can be implemented using a phased rollout.

Answer 34

Parallel Run
Phased Rollout
Big Bang
Hybrid

Question 35

hich of the following items would be most critical to include in a systems specification document for a financial report?

Cost-benefit analysis
Data elements needed
Training requirements
Communication change management considerations

Answer 35

Data Elements Needed

Before considering the cost, training, or communications changes, you must specify the data elements in the report on which the report will be based. Data elements needed, training requirements, and communication change management considerations all follow once the elements are determined

Question 36

Managing the information system function is likely to involve:

a system for charging user departments for computer services.
project development plans.
responsibility accounting principles.

Answer 36

All 3
Managing the information system function includes all of the following management issues: charging user departments for computer services, project development planning (e.g., using Gantt charts), and responsibility accounting principles.

Question 37

Implementation and conversion. During this phase all physical design components are assembled and the system is put into place.

1. Implementation and conversion plan is created T/F
2. Hardware and software are installed and ____
3. Employees are hired and exist employees ___
4. Employees are trained t/f
5. Processing procedures are developed and tested
6. System documentation is completed
7. Standards and controls are established
8. Org. converts to new system and leaves old one
9. Fine-tuning adjustments are made
10. Post implementation review is conducted to detect ___
11. New system is complete when oeprational system is ___to the organization
12. Steering committee is sent a ___

Answer 37

true
tested
relocated
true
true
True
True
True
True
Deficiencies
delivered
final report

Question 38

A department store company with stores in 11 cities is planning to install a network so that stores can transmit daily sales by item to headquarters and store salespeople can fill customer orders from merchandise held at the nearest store. Management believes that having daily sales statistics will permit better inventory management than is the case now with weekly deliveries of sales reports on paper. Salespeople have been asking about online inventory availability as a way to retain the customers that now go to another company’s stores when merchandise is not available. The planning committee anticipates many more applications so that in a short time the network would be used at or near its capacity.

As the planning committee identified the many applications that the proposed network could support, the committee realized that a significant risk could be:

incomplete, inadequately tested, or unauthorized application software.
lack of enthusiasm for installing and using the new network in the stores.
patent and trademark violations when using new application software.
inability to obtain needed network components from vendors as usage increases.

Answer 38

incomplete, inadequately tested, or unauthorized application software.

The pressure for the department store company to be competitive is so great that there may be a significant risk that applications software could be incomplete, inadequately tested, or unauthorized.

Question 39

The most appropriate data-gathering techniques for a system survey include interviews, quick questionnaires, observations, and:

prototypes.
systems documentation.
PERT charts.
Gantt charts.

Answer 39

System documentation

During the systems analysis phase, a system survey may be conducted to define the nature and scope of the project and to identify strengths and weaknesses. Information needs of users and managers are identified and documented through the use of interviews, quick questionnaires, observations, and systems documentation.

Question 40

Two categories of controls are used to make sure a system can be adequately maintained:

Answer 40

Project development and acquisition controls

Change management controls

Question 41

PROJECT DEVELOPMENT AND ACQUISITION
When project development and acquisition controls are not used, the results are:

poorly managed development or acquisition projects T/F

large sums of __

Answer 41

True

money wasted.

Question 42

he following project development and acquisition controls can help minimize failures:

1. Use proven ___for developing info. sys.
2. Develop strategic ___
3. Develop project development plans T/F
4. Assign each project a manager and hold accountable for __
5. Prep data processing schedule so ___resources can be maximized
6. Develop sys. performance measurements for proper ___
7. Conduct ___review

Answer 42

methodology 
master plan
true
success/failure
scarce 
evaluation
post-implementation

Question 43

Which system conversion approach is generally considered to be the least risky?

“Big bang” approach
Phased approach
Parallel approach
Direct changeover approach

Answer 43

Parallel approach

“big bang” approach is a bit like “sink or swim” and much faster