SU 5 Flashcards

1
Q

What are the 2 main categories of computer controls

A
  • General IT controls (general controls)
  • Information processing controls (application controls)
  • Dual purpose controls can be applicable
2
Q

Explain general controls (5)

A
  • Policies & procedures that relate to many applications
  • Support effective functioning of application controls by helping ensure continued proper operation of info systems by ensuring control environment is stable & well-managed
  • Impacts overall control environment (FRAMEWORK)
  • Doesn’t relate to specific assertions
  • In place whether transaction is processed / not
3
Q

General controls include control over: (4)

A
  • Data centre & network operations
  • System software acquisition, change, maintenance
  • Application system acquisition, development, maintenance
  • Access security
4
Q

Explain application controls (6)

A
  • Directly address risks to integrity of info within specific application
  • System data should be free from fraud/error
  • Addresses specific assertions & business cycles
  • Procedures to initiate, record (input), process, report (output) on transactions
  • Focus on processing specific computer application, program, system
  • Ensures transactions are accurate, valid, complete
5
Q

Main objective of application controls

A

Prevent, detect, correct misstatements from arising when transaction is input & processed by application program & output generated by application

6
Q

Classification of general controls (6)

A
  • Organisational controls & personnel practices
  • System development & implementation
  • Change controls
  • Business continuity controls
  • Operating controls
  • Access controls

*Each control depends on the previous one

7
Q

What is included in ‘organisational controls & personnel practices’ (4)

A
  • Responsibility levels, corporate structure, reporting lines
  • Segregation of duties between departments
  • Staff practices
  • Supervision & review
8
Q

What is included in ‘system development & implementation’ (6)

A
  • Needs assessment
  • Project management
  • Planning & design
  • Development & testing
  • Implementation
  • Post-implementation review
9
Q

What is included in ‘business continuity’ (2)

A
  • Operating environment (preventative)
  • Repair after disaster (detective & corrective)
10
Q

What is included in ‘operating controls’ (5)

A
  • Scheduling & production runs
  • Operating activities & use of assets
  • Library controls
  • Logs & registers
  • Business continuity controls
11
Q

What is included in ‘access controls’ (6)

A

Preventative controls
- Security management & policy
- Physical access controls
- Logical access controls
- Library controls
Detective & corrective controls
- Logs & reviews
- Library controls

12
Q

What are ‘organisational controls & personnel practices’

A

How IT department is structured & activities are managed

13
Q

Explain the culture of ‘organisational controls & personnel practices’ (3)

A
  • Ethical values & commitment thereto
  • Integrity
  • Competence of staff
14
Q

Explain the proper policies & procedures that are implemented of ‘organisational controls & personnel practices’ (3)

A
  • Qualified staff
  • Competent staff
  • Dismissal
15
Q

What happens if a proper organisational structure is not in place (5)

A
  • Unauthorised transactions by unauthorised persons
  • Collusion = theft/fraud
  • Multiple duties performed by 1 person
  • Undetected misstatements due to lack of supervision
  • Untrustworthy / incompetent staff = negative staff morale
16
Q

Explain ‘delegation of responsibility’ as a component of ‘organisational structure & personnel practices’ (7)

A
  • King IV requires ethical IT governance
  • Responsibility of directors
  • Delegated to computer steering committee, CIO, IT manager
  • Policies & procedures communicated, implemented, monitored
  • If non-compliance = action against employee
  • Clear reporting lines & levels of authority established & communication through lines
17
Q

What is the computer steering committee (3)

A
  • Responsible for managing IT
  • Acts as communication channel between users of IT & IT department
  • Consists of knowledgeable executive management with business & IT background
18
Q

What is a chief information officer (2)

A
  • Takes responsibility for direction of IT
  • Communicates with board & committees about IT matters
19
Q

What is an IT manager (3)

A
  • Day-to-day operations
  • Responsible for management of staff in IT department
  • Staff carry out operational tasks
20
Q

Explain ‘segregation of duties’ as a component of ‘organisational structure & personnel practices’ (8)

A
  • No 1 staff member should be able to perform incompatible tasks/functions (multiple staff involved)
  • IT department separate from user departments
  • IT report directly to executive management
  • IT shouldn’t initiate / authorise / change transactions / change master file data
  • IT shouldn’t have access to company resources, physical assets, non-physical assets
  • All work done / errors corrected should only be executed if formally requested
  • User department should review work done by IT
  • Segregation in IT development function, operation function, security function
21
Q

Explain ‘reporting, supervision, & review’ as a component of ‘organisational structure & personnel practices’ (5)

A
  • IT work originates from user department
  • User department should review integrity of data used when IT work completed
  • Review of IT work by senior qualified IT staff member & user
  • Logs & registers extracted & reviewed regularly
  • Discrepancies in registers reviewed & resolved
22
Q

High-level review

A

Management reviews financial performance of organisation on periodic basis

23
Q

Analytical review & ratios

A

Underlying relationships between data analysed & unusual deviations investigated

24
Q

Reconciliation of data on system with data from independent sources

A

Financial info confirmed with another set of data on another system / physical evidence

25
Q

Independent review

A

Unusual transactions in logs, registers, detailed transaction trails identified for further investigation

26
Q

Explain 'personnel practices' as a component of 'organisational structure & personnel practices' (9)

A
  • Document job functions & descriptions & levels of authority of IT staff
  • Employment policies, procedures, practices:
    - Who is hired (competent staff)
    - Professional behaviour & use of company resources
    - Leave policies
    - Staff scheduling & rotation of duties
    - Ongoing training
    - Evaluation & performance reviews
    - Dismissal & resignation of staff

27
Q

How to enforce ethics (2)

A
  • Code of conduct
  • Ethical officer

28
Q

What is system development & change controls

A

Controls over new computer programme / significant change to existing systems

29
Q

System development vs system acquisition

A
  • Development = in-house
  • Acquisition = bought from vendor
  • Systems have never been used before
30
Q

Explain 'request submission, assessment, selection' as a component of 'system development & change controls' (9)

A
  • Projects only from written user request / business need identified to achieve strategic objective
  • All requests need to be approved
  • Feasibility study done on each project
  • User needs assessment
  • Investigation on resources required for project
  • Investigate alternative solutions
  • Cost-benefit analysis
  • Time planner showing deadlines
  • Purpose of feasibility study = produce recommended course of action

31
Q

Explain 'planning & design' as a component of 'system development & change controls' (5)

A
  • Project team appointed consisting of IT (system development) & user (advisory capacity) department team members
  • Work performed according to predefined generally accepted programming standards & control frameworks laid out by international standards
  • Project plan contains timeline with milestones & deadlines
  • Project plan used to monitor & evaluate progress reported back to computer steering committee
  • Business analyst performs detailed investigation into user needs used to develop system

32
Q

Explain 'development & testing' as a component of 'system development & change controls' (5)

A

Divided into 4 groups:
  • Development area
  • Test area
  • Production area
  • Final approval

If no testing = performance problems

33
Q

Explain 'development area' as a component of 'system development & testing'

A

Programmers program & develop various versions of system

34
Q

Explain 'test area' as a component of 'system development & testing' (3)

A
  • Independent of live system, with test data
  • Results reviewed & approved by relevant line manager
  • Program, series, system, stress, user acceptance test

35
Q

Explain 'production area' as a component of 'system development & testing' (2)

A
  • Completed program moved live
  • Reviewed again by computer steering committee

36
Q

Explain 'implementation' as a component of 'system development & change controls' (4)

A
  • Conversion from old to new
  • Transfer of data
  • Seen as mini project
  • Supervised by senior experienced staff members
  • 3 Different stages:
    - System close-off & data clean-up
    - System conversion
    - Post-conversion review
  • Documentation of development process for future use
  • Appropriate training provided to users relating to their job function

37
Q

Explain 'system close-off and data clean-up' as part of 'implementation' (8)

A
  • Changeover date set
  • Financial transactions in old system closed off
  • All old system data cleaned up, corrected, & tested
  • All financial balances calculated
  • Record counts performed
  • All data externally verified
  • Backup made of old system
  • Old system data signed off as accurate & complete

38
Q

Explain 'system conversion' as part of 'implementation' (3)

A
  • Parallel processing (most resource intensive & risk of misstatements)
  • Direct shut-down
  • Modular implementation (least risky & cost-effective)

39
Q

Explain 'post-conversion review' as part of 'implementation' (6)

A
  • Old & new data files compared
  • All control totals, financial balances, record counts calculated on new system
  • All calculations on new system reconciled with calculations on old system
  • Data on new system compared to results of external confirmations
  • Exception reports extracted from new system
  • Discrepancies identified & resolved

40
Q

Explain 'post-implementation review' as a component of 'system development & change controls' (6)

A

Done months after implementation
  • Meets user needs in terms of performance & functionality
  • Controls implemented
  • Misstatements detected have been resolved
  • Effective process
  • Sufficient documentation & training
41
Q

What are access controls

A

Controls implemented to prevent unauthorised persons from gaining access & limit activities of authorised persons to authorised areas

42
Q

What should be used when implementing access controls

A

Least privilege principle - Personnel only given access to data & systems necessary for them to perform their duties

43
Q

What are the 2 access controls

A
  • Physical access controls
  • Logical access controls

44
Q

What are physical access controls (2)

A
  • Controls access from outside into company
  • Preventative control

45
Q

What are logical access controls (3)

A
  • Electronic measures to prohibit access
  • Preventative control
  • Computerised control

46
Q

What is 'security management policy'

A
  • Preventative control
  • Documents process used to identify security risks, allocate responsibility, & accountability for actions

47
Q

Components of physical access controls (3)

A
  • Access to premises & IT department
  • Access to computer terminals
  • Access to other sensitive info

48
Q

Explain 'access to premises & IT department' as a component of 'physical access controls' (5)

A
  • Electrified fences around premises
  • Security gates opened by electronic tag
  • Security guards at entrances & exits & CCTV
  • Visitors sign register at reception to gain access & have a visitor tag
  • Hardware & important documents locked away in room

49
Q

Explain 'access to computer terminals' as a component of 'physical access controls' (5)

A
  • Computer located in office / lockable room with only 1 access point & authorised staff should be identifiable
  • Member of management supervise activities on computers
  • Computer access limited to office hours
  • Registers maintained of all work performed on computer & reviewed frequently
  • Computer securely fastened to table

50
Q

Explain 'access to other sensitive info' as a component of 'physical access controls' (2)

A
  • Devices stored in separate locked room
  • Data librarian keeps track of use of sensitive files through register

51
Q

Components of logical access control (3)

A
  • Identification
  • Authentication
  • Authorisation

52
Q

Explain 'identification' as a component of 'logical access controls' (3)

A
  • User identification nr
  • Magnetic cards
  • Biometric techniques

53
Q

Explain 'authentication' as a component of 'logical access controls' (5)

A
  • Unique password
  • Specific question defined by user that only user knows answer to
  • Electronic key containing authentication-related info unique to user
  • Physical attribute unique to user
  • Password sent to user's cellphone once account activated to gain final access

54
Q

Criteria for password to be effective (13)

A
  • Unique & not obvious to guess
  • Confidential
  • Min length
  • Combination of letters, figures, symbols with upper & lower case
  • New users change initial password once logged into system
  • Changed frequently
  • Not displayed on screen
  • Disabled if resigned / moved to different department
  • Encrypted electronic password files
  • Activity log that records activities performed
  • Access blocked if password is unsuccessful 3 times
  • Log off user if inactive for period of time
  • Breaches = shutdown

55
Q

Explain 'authorisation' as a component of 'logical access controls' (3)

A
  • Access limited to that required for user to perform work
  • Limited to certain resources
  • Levels of access rights
56
Q

Components of detective & corrective controls (3)

A
  • Logs, activity registers, security violation reports
  • Library function
  • Data communication

57
Q

Explain 'logs, activity registers, security violation reports' as a component of 'detective & corrective controls' (4)

A
  • All visitors to premises
  • All sign-off & sign-on details
  • Changes to usernames & passwords
  • Work performed on computer

58
Q

Explain 'library function' as a component of 'detective & corrective controls' (2)

A
  • Employee made responsible for securing & managing electronic & physical data
  • Maintains records of use of data & limits rights of users' use of data

59
Q

Explain 'data communication' as a component of 'detective & corrective controls' (3)

A
  • Encryption
  • Firewalls
  • Anti-virus & malware programs

60
Q

What is encryption

A

Software that converts data into code that can't be read unless necessary encryption key is available

61
Q

What are firewalls (2)

A
  • Software that restricts inflow & outflow of info from computer system
  • Between computer & internet connection

62
Q

What is antivirus & malware programs

A

Software that blocks viruses & malware from infecting computer

63
Q

Manual vs. computer controls (3)

A
  • Independent manual controls
  • IT-dependent manual controls
  • Programmed/automated controls

64
Q

What are independent manual controls

A

User controls performed independently from computers & don't require info from computer system

65
Q

What are IT-dependent controls

A

User controls requiring info from computer system
66
Q

What are input controls

A

Controls to ensure data entered is valid, accurate, complete

67
Q

Risks if input controls aren't implemented (6)

A
  • Unauthorised transactions entered onto system
  • Adding, deleting, amending data in system without authorisation
  • Errors when creating data on source document
  • Errors made while correcting other errors
  • Errors going uncorrected
  • Data lost during capturing / not captured at all

68
Q

3 Input controls

A
  • User-related controls
  • Screen aids
  • Logical programmed controls

69
Q

What are 'user-related controls' of 'input controls'

A

Focus on people making use of info / computer system

70
Q

What are 'screen aids' of 'input controls'

A

Features & procedures built into program reflected on input screen

71
Q

What are 'logical programmed controls' of 'input controls'

A

Tests input of data against predetermined rules

72
Q

Components of user-related controls (5)

A
  • Training necessary to perform job functions
  • Dedicated employees perform job functions & act as capturing specialists
  • Accountability for capturing actions
  • Access profiles to limit access of users & to identify users
  • Segregation of duties where senior employee can override rights

73
Q

Components of screen aids (7)

A
  • Screen-layout assists user to input all data required
  • Document layout similar to screen
  • Standard & user-friendly
  • Min data requirements by use of drop-down menus & look-up function
  • Data echo test (closed loop verification) - Recall underlying data & display full details on screen
  • Prompts to fill in missing data
  • Compulsory fields

74
Q

Components of logical programmed controls (6)

A
  • Validity test
  • Limit test
    - Tests data against predetermined benchmark
  • Field length test
    - Limit on nr of characters
    - Computer can identify missing data
  • Completeness test
    - Field completed before allowed to continue
  • Alpha numeric test
    - Restricts user to only entering letters / nrs / combination
  • Sign check
    - Field required to be + / -

75
Q

Explain 'validity test' from 'logical programmed controls'

A

Confirms data entered on system to database

76
Q

Explain 'limit test' from 'logical programmed controls'

A

Tests data against predetermined benchmark

77
Q

Explain 'field length test' from 'logical programmed controls' (2)

A
  • Limit on nr of characters
  • Computer can identify missing data

78
Q

Explain 'alpha numeric test' from 'logical programmed controls'

A

Restricts user to only entering letters / nrs / combination

79
Q

Explain 'sign check' from 'logical programmed controls'

A

Field required to be + / -