ACCOUNTING INFORMATION SYSTEMS: CONTROLS AND PROCESSES
TURNER / WEICKGENANNT
CHAPTER 4: Internal Controls and Risks in IT Systems

TEST BANK - CHAPTER 4 - TRUE / FALSE

1. If a company's IT system fails, it would have little or no effect on the company's operations.
2. It is necessary for students and accountants to understand the types of threats that may affect an accounting system, so that the threats can be avoided.
3. It is important for accountants to consider possible threats to the IT system and to know how to implement controls to try to prevent those threats from becoming reality.
4. General controls apply to the IT accounting system and are not restricted to any particular accounting application.
5. The use of passwords to allow only authorized users to log into an IT system is an example of an application control.
6. Application controls apply to the IT accounting system and are not restricted to any particular accounting application.
7. The use of passwords to allow only authorized users to log into an IT system is an example of a general control.
8. General controls are used specifically in accounting applications to control inputs, processing, and outputs.
9. Application controls are intended to ensure that inputs and processing are accurate and complete and that outputs are properly distributed, controlled, and disposed.
10. A validity check is an example of an input application control.
11. To increase the effectiveness of login restrictions, user IDs must be unique for each user.
12. To increase the effectiveness of login restrictions, passwords must be unique for each user.
13. Biometric devices use unique physical characteristics to identify users. The most common method used is retina scans.
14. There are a number of methods described that are intended to limit logins exclusively to authorized users. The only method that is foolproof is biometric devices.
15. The user ID and password for a particular user should not allow access to the configuration tables unless that user is authorized to change the configuration settings.
16. It is necessary for an IT system to be networked to an external internet to be open to opportunities for unauthorized access.
17. Unauthorized access is a concern when an IT system is networked to either internal networks or the Internet.
18. A firewall can prevent the unauthorized flow of data in both directions.
19. Deciphering renders data useless to those who do not have the correct encryption key.
20. Discussing the strength of encryption refers to how difficult it would be to break the code.
21. The longer the encryption key is in bits, the more difficult it will be to break the code.
22. The longest encryption keys are 128 bits.
23. Encryption is more important for dial-up networks than for wireless networks.
24. Using a unique service set identifier (SSID) makes it more difficult for an outsider to access the wireless network.
25. The VPN, or virtual private network, uses the Internet and is therefore not truly private, but is virtually private.
26. Once an organization has set up an effective system to prevent unauthorized access to the IT system, it is not necessary to continually monitor the vulnerability of that system.
27. It is important to understand that the IT governance committee delegates many of its duties by the policies that it develops.
28. The most important factor in controlling IT systems is the maintenance of the vulnerability assessment activities.
29. In a properly segregated IT system, no single person or department should develop computer programs and also have access to data commensurate with that of operations personnel.
30. It is proper that the database administrator develop and write programs.
31. To the extent possible, IT systems should be installed in locations away from any location likely to be affected by natural disasters.
32. It is not necessary to control the humidity and temperature in the location where the computer system is housed.
33. Disaster recovery planning is a proactive plan to protect IT systems and the related data.
34. Each organization has to decide which combination of IT controls is most suitable for its IT system, making sure that the benefits of each control outweigh its costs.
35. Controls will help to reduce risks, but it is impossible to completely eliminate risks.
36. It is possible to completely eliminate risks with the proper controls.
37. The most common type of unauthorized access is probably by a person known to the organization.
38. Employees who hack into computer networks are often more dangerous because of their knowledge of company operations.
39. It is necessary to identify the "entry points" in the IT system that make an organization susceptible to IT risks.
40. Access to the operating system will not allow hackers access to the application software or the database.
41. Controlling access to the operating system is critical because that access opens access to any data or program within the system.
42. A database is often less open to unauthorized access than the physical, paper records, because the database has fewer access points.
43. The workstations and the network cabling and connections represent spots where an intruder could tap into the network for unauthorized access.
44. In a wireless network, signals are transmitted through the air rather than over cables. Anyone who wants to gain access to the network would need to know the password to access these "air-borne" signals.
45. The use of dual firewalls, one between the Internet and the web server and one between the web server and the organization's network, can help prevent unauthorized users from accessing the organization's internal network of computers.
46. Telecommuting workers cause two sources of risk exposure for their organizations, the network equipment and cabling in addition to the teleworker's computer, with the only "entry point" being the teleworker's computer.
47. Many IT systems do not use source documents; the input is automatic.
48. If no source documents are used by the IT system, then the general controls, such as computer logging of transactions, become less important.
49. The group of controls referred to as Source Document Controls does not include form design.
50. The closer the source document matches the input screen, the easier it will be for the data entry employee to complete the input screen without errors.
51. Form authorization and control includes the requirement that source documents should be prenumbered and are to be used in sequence.
52. Once the data from the source documents have been keyed into the computer, the source document can be destroyed.
53. With the proper training of employees and adequate controls, it would be possible to eliminate all errors.
54. To verify the accuracy of application software, an organization should be sure the software is tested before it is implemented and must regularly test it after implementation.
55. An organization must maintain procedures to protect the output from unauthorized access in the form of written guidelines and procedures for output distribution.
56. Management must discourage illegal behavior by employees, such as the misuse of computers and theft through the computer systems.

ANSWERS TO TEST BANK – CHAPTER 4 – TRUE / FALSE:

 1. F    11. T    21. T    31. T    41. T    51. T
 2. F    12. F    22. F    32. F    42. F    52. F
 3. T    13. F    23. F    33. F    43. T    53. F
 4. T    14. F    24. T    34. T    44. F    54. T
 5. F    15. T    25. T    35. T    45. T    55. T
 6. F    16. F    26. F    36. F    46. F    56. F
 7. T    17. T    27. T    37. F    47. T
 8. F    18. T    28. F    38. T    48. F
 9. T    19. F    29. T    39. T    49. F
10. T    20. T    30. F    40. F    50. T
TEST BANK - CHAPTER 4 - MULTIPLE CHOICE

57. Unchecked risks and threats to the IT system could result in:
A. An interruption of the computer operations
B. Damage to an organization
C. Incorrect or incomplete accounting information
D. All of the above

58. In order to master risks and controls and how they fit together, which of the following is NOT one of the areas to fully understand?
A. The accounting information system.
B. The description of the general and application controls that should exist in an IT system.
C. The type and nature of risks in IT systems.
D. The recognition of how controls can be used to reduce risk.

59. General controls in IT systems are divided into five broad categories. Which of the following is NOT one of those categories?
A. Authentication of users and limiting unauthorized access
B. Output controls
C. Organization structure
D. Physical environment and physical security of the system.

60. A process or procedure in an IT system to ensure that the person accessing the IT system is valid and authorized is called:
A. Hacking and other network break-ins
B. Physical environment and physical security
C. Authentication of users and limiting unauthorized access
D. Organizational structure

61. This term relates to making the computer recognize a user in order to create a connection at the beginning of the computer session.
A. User ID
B. Password
C. Smart card
D. Login

62. Which of the following is NOT one of the rules for the effective use of passwords?
A. Passwords should not be case sensitive
B. Passwords should be at least 6 characters in length
C. Passwords should contain at least one nonalphanumeric character.
D. Passwords should be changed every 90 days.

63. Which of the following is not a good example of an effective password?
A. Abc*$123
B. a1b2c3
C. A*1b?2C$3
D. MSU#Rules$

64. This item, which strengthens the use of passwords, is plugged into the computer's card reader and helps authenticate that the user is valid; it has an integrated circuit that displays a constantly changing ID code. These statements describe:
A. Security token
B. USB control key
C. Smart card
D. Biometrics

65. A new technology that is used to authenticate users is one that plugs into the USB port and eliminates the need for a card reader. This item is called a:
A. Biometric reader
B. Smart card
C. USB smart key
D. Security token

66. The use of the smart card or security token is referred to as two-factor authorization because:
A. It is based on something the user has, the token or card, and something the user knows, the password.
B. It requires that the user is granted the card / token in a secure environment and that the user actually uses the card / token.
C. It requires that the user has two different authorizations: (1) to receive the card / token, and (2) to use the card / token.
D. It requires the use of the card / token to (1) log in to the system and (2) access the applications.

67. This type of authentication uses some unique physical characteristic of the user to identify the user and allow the appropriate access to the system.
A. Nonrepudiation card
B. Biometric device
C. Configuration table
D. Computer log

68. Which of the following is not an example of physical characteristics being used in biometric devices?
A. Retina scans
B. Fingerprint matching
C. Social security number
D. Voice verification

69. There are a number of reasons that all access to the IT system should be logged, which includes a computer log of all dates, times, and uses for each user. Which of the following is not one of the reasons for the log to be maintained?
A. Any login or use abnormalities can be examined in more detail to determine any weaknesses in the login procedures.
B. A user cannot deny any particular act that he or she did on the system.
C. To establish nonrepudiation of sales transactions by a customer.
D. To establish a user profile.

70. This should be established for every authorized user and determines each user's access level to hardware, software, and data according to the individual's job responsibilities.
A. User profile
B. User password
C. User ID
D. User log

71. This table contains a list of valid, authorized users and the access level granted to each one.
A. User table
B. Authority table
C. Authentication table
D. Configuration table

72. The IT system includes this type of table for software, hardware, and application programs that contain the appropriate set-up and security settings.
A. Configuration table
B. Authentication table
C. User table
D. Authority table

73. Nonrepudiation means that:
A. A user is not authorized to change configuration settings.
B. A user is not allowed access to the authority tables.
C. A user can prevent the unauthorized flow of data in both directions.
D. A user cannot deny any particular act that he or she did on the IT system.

74. Hardware, software, or a combination of both that is designed to block unauthorized access to an IT system is called:
A. Computer log
B. Biometric device
C. Firewall
D. Security token

75. The process of converting data into secret codes referred to as cipher text is called:
A. Deciphering
B. Encryption
C. Nonrepudiation
D. Enciphering

76. This form of encryption uses a single encryption key that must be used to encrypt data and also to decode the encrypted data.
A. Multiple encryptions
B. Public key encryption
C. Wired encryption
D. Symmetric encryption

77. This form of encryption uses a public key, which is known by everyone, to encrypt data, and a private key to decode the data.
A. Multiple encryptions
B. Public key encryption
C. Wired encryption
D. Symmetric encryption

78. This encryption method, used with wireless network equipment, is symmetric in that both the sending and receiving network nodes must use the same encryption key. It has been proven to be susceptible to hacking.
A. Wired Equivalency Privacy (WEP)
B. Wired Encryption Policy (WEP)
C. Wireless Protection Access (WPA)
D. Wired Privacy Authentication (WPA)

79. This encryption method requests connection to the network via an access point, and that point then requests the user identity and transmits that identity to an authentication server, substantially authenticating the computer and the user.
A. Wired Equivalency Privacy (WEP)
B. Wired Encryption Provider (WEP)
C. Wireless Provider Authentication (WPA)
D. Wireless Protection Access (WPA)

80. This security feature, used on wireless networks, is a password that is passed between the sending and receiving nodes of a wireless network.
A. Secure sockets layer
B. Service set identifier
C. Wired provided access
D. Virtual private network

81. Authorized employees may need to access the company IT system from locations outside the organization. These employees should connect to the IT system using this type of network.
A. Secure socket network
B. Service set identifier
C. Virtual private network
D. Wireless encryption portal

82. This type of network uses tunnels, authentication, and encryption within the Internet network to isolate Internet communications so that unauthorized users cannot access or use certain data.
A. Residential user network
B. Service internet parameter network
C. Virtual private network
D. Virtual public network

83. This communication protocol is built into web server and browser software and encrypts data transferred on that website. You can determine if a website uses this technology by looking at the URL.
A. Secure sockets layer
B. Service security line
C. Secure encryption network
D. Secure service layer

84. Which of the following URLs would indicate that the site is using browser software that encrypts data transferred to the website?
A. shttp://misu
B. https://misu
C. http://smisus
D. https://smisus
85. A self-replicating piece of program code that can attach itself to other programs and data and perform malicious actions is referred to as a(n):
A. Worm
B. Encryption
C. Virus
D. Infection

86. A small piece of program code that attaches to the computer's unused memory space and replicates itself until the system becomes overloaded and shuts down is called:
A. Infections
B. Virus
C. Serum
D. Worm

87. This type of software should be used to avoid destruction of data and programs and to maintain operation of the IT system. It continually scans the system for viruses and worms and either deletes or quarantines them.
A. Penicillin Software
B. Antivirus Software
C. Infection Software
D. Internet Software

88. The process of proactively examining the IT system for weaknesses that can be exploited by hackers, viruses, or malicious employees is called:
A. Intrusion detection
B. Virus management
C. Vulnerability assessment
D. Penetration testing

89. This method of monitoring exposure can involve either manual testing or automated software tools. The method can identify weaknesses before they become network break-ins and attempt to fix these weaknesses before they are exploited.
A. Vulnerability assessment
B. Intrusion detection
C. Encryption examination
D. Penetration testing

90. Specific software tools that monitor data flow within a network and alert the IT staff to hacking attempts or other unauthorized access attempts are called:
A. Security detection
B. Vulnerability assessment
C. Penetration testing
D. Intrusion detection

91. The process of legitimately attempting to hack into an IT system to find whether weaknesses can be exploited by unauthorized hackers is referred to as:
A. Vulnerability assessment
B. Intrusion detection
C. Penetration testing
D. Worm detection

92. The function of this committee is to govern the overall development and operation of IT systems.
A. IT Budget Committee
B. IT Audit Committee
C. IT Governance Committee
D. IT Oversight Committee

93. Which of the following would normally not be found on the IT Governance Committee?
A. Computer input operators
B. Chief Executive Officer
C. Chief Information Officer
D. Heads of business units

94. The IT Governance Committee has several important responsibilities. Which of the following is not normally one of those responsibilities?
A. Align IT investments to business strategies.
B. Oversee and prioritize changes to IT systems.
C. Develop, monitor, and review security procedures.
D. Investing excess IT funds in long-term investments.

95. The functional responsibilities within an IT system must include the proper segregation of duties. Which of the following positions is not one of the duties that are to be segregated from the others?
A. Systems analysts
B. Chief information officer
C. Database administrator
D. Operations personnel

96. The systematic steps undertaken to plan, prioritize, authorize, oversee, test, and implement large-scale changes to the IT system are called:
A. IT Governance System
B. Operations Governance
C. System Development Life Cycle
D. Systems Analysis

97. General controls for an IT system include:
A. Controls over the physical environment only.
B. Controls over the physical access only.
C. Controls over the physical environment and over the physical access.
D. None of the above.

98. A battery to maintain power in the event of a power outage, meant to keep the computer running for several minutes after the power outage, is called:
A. Uninterruptible power supply
B. System power supply
C. Emergency power supply
D. Battery power supply

99. An alternative power supply that provides electrical power in the event that a main source is lost is called:
A. Uninterruptible power supply
B. System power supply
C. Emergency power supply
D. Battery power supply

100. Large-scale IT systems should be protected by physical access controls. Which of the following is not listed as one of those controls?
A. Limited access to computer rooms.
B. Video surveillance equipment.
C. Locked storage of backup data.
D. Encryption of passwords.

101. A proactive program for considering risks to the business continuation and the development of plans and procedures to reduce those risks is referred to as:
A. Redundant business planning
B. Business continuity planning
C. Unnecessary in the current safe environments
D. Emergency backup power

102. Two or more computer network or data servers that can run identical processes or maintain the same data are called:
A. Emergency power supply
B. Uninterruptible power source
C. Redundant servers
D. Business continuity planning

103. Many IT systems have redundant data storage such that two or more disks are exact mirror images. This is accomplished by the use of:
A. Redundant arrays of independent disks
B. Redundant mirror image disks
C. Mirror image independent disks
D. Redundant mirror image dependent disks

104. The AICPA Trust Principles categorize IT controls and risks into categories. Which of the following is not one of those categories?
A. Confidentiality
B. Security
C. Recovery
D. Availability

105. The establishment of log-in procedures can help prevent or lessen security risks; such procedures are referred to as:
A. Reactive controls
B. Preventive controls
C. Availability controls
D. Confidentiality controls

106. Availability risks related to the authentication of users would include:
A. Shutting down the system and shutting down programs
B. Altering data and repudiating transactions
C. Stealing data and recording nonexistent transactions
D. Sabotaging systems and destroying data

107. The accuracy, completeness, and timeliness of the processing in IT systems are referred to as:
A. Availability Risks
B. Security Risks
C. Confidentiality Risks
D. Processing Integrity Risks

108. The software that controls the basic input and output activities of the computer is called:
A. Operating System
B. Application Software
C. Data Base Management System
D. Electronic Data Interchange

109. Unauthorized access to the operating system would allow the unauthorized user to:
A. Browse disk files for sensitive data or passwords
B. Alter data through the operating system
C. Alter application programs
D. All of the above

110. A software system that manages the interface between many users and the database is called:
A. Database security system
B. Database management system
C. Database binary monetary system
D. Database assessment

111. A computer network covering a small geographic area, which, in most cases, is within a single building or a local group of buildings, is called a:
A. Land area network
B. Local access network
C. Local area network
D. Locality arena network

112. A group of LANs connected to each other to cover a wider geographic area is called a:
A. Connected local network
B. Wide area network
C. Connected wide area
D. Wide geographic network

113. A popular activity is to find a company whose network signal bleeds outside the building to the sidewalk around it. Abusers of this network then make identifiable chalk marks on the sidewalks so that others can find the network access. This process is referred to as:
A. Chalkwalking
B. Netwalking
C. Network Warring
D. Warchalking

114. The work arrangement where employees work from home using some type of network connection to the office is referred to as:
A. Telecommuting
B. Telemarketing
C. Network Employment
D. Electronic working

115. The company-to-company transfer of standard business documents in electronic form is called:
A. Facsimile Transmission
B. PDF Interchange
C. Electronic Data Interchange
D. Tele-transmission

116. The software that accomplishes end user tasks such as word processing, spreadsheets, and accounting functions is called:
A. Operating Software
B. Database Software
C. Application Software
D. Management Software

117. Internal controls over the input, processing, and output of accounting applications are called:
A. Accounting Controls
B. Application Controls
C. Network Controls
D. LAN Controls

118. This type of control is intended to ensure the accuracy and completeness of data input procedures and the resulting data:
A. Input Controls
B. Internal Controls
C. Processing Controls
D. Output Controls

119. This type of control is intended to ensure the accuracy and completeness of processing that occurs in accounting applications:
A. Input Controls
B. Internal Controls
C. Processing Controls
D. Output Controls

120. This type of control is intended to help ensure the accuracy, completeness, and security of outputs that result from application processing:
A. Input Controls
B. Internal Controls
C. Processing Controls
D. Output Controls

121. The process of converting data from human readable form to computer readable form is referred to as:
A. Transcription
B. Data Input
C. Keyboarding
D. Scanning

122. Which of the following is NOT one of the types of input controls?
A. Source document controls
B. Programmed edit checks
C. Confidentiality check
D. Control totals and reconciliation

123. The paper form used to capture and record the original data of an accounting transaction is called a(n):
A. Input control
B. Source document
C. Sales invoice
D. General ledger

124. Which of the following items is not one of the source document controls?
A. Validity check
B. Form design
C. Form authorization and control
D. Retention of source documents

125. The process where the details of individual transactions at each stage of the business process can be recreated in order to establish whether proper accounting procedures for the transaction were performed is called:
A. Source document reconciliation
B. Range check
C. Validity verification
D. Audit trail

126. The procedures to collect and prepare source documents are termed:
A. Input validation procedures
B. Form authorization procedures
C. Data preparation procedures
D. Document retention procedures

127. The data preparation procedures are to be well-defined so that employees will be sure of:
A. Which forms to use
B. When to use them
C. Where to route them
D. All of the above

128. Field check, limit check, range check and sequence check are all examples of:
A. Input Validation Checks
B. Source Document Controls
C. Control Reconciliation
D. Application Controls

129. This type of input validation check examines a field to ensure that the data entry in the field is valid compared with a preexisting list of acceptable values.
A. Field Check
B. Completeness Check
C. Validity Check
D. Range Check

130. This type of input validation check assesses the critical fields in an input screen to make sure that a value is in those fields.
A. Field Check
B. Completeness Check
C. Range Check
D. Limit Check

131. This type of input check ensures that the batch of transactions is sorted in order, but does not help to find the missing transactions.
A. Completeness Check
B. Range Check
C. Self-checking Digit Check
D. Sequence Check

132. An extra digit added to a coded identification number, determined by a mathematical algorithm, is called a:
A. Coded Digit Check
B. Self-Checking Digit Check
C. Sequence Check
D. Run to Run Check

133. Which of the following is NOT one of the types of control totals?
A. Digit Count
B. Record Count
C. Batch Totals
D. Hash Totals
134. The totals of fields that have no apparent logical reason to be added are called:
A. Record Totals
B. Digit Totals
C. Batch Totals
D. Hash Totals

135. These controls are intended to prevent, detect, or correct errors that occur during the processing of an application.
A. Application Controls
B. Source Document Controls
C. Processing Controls
D. Input Controls

136. A primary objective of output controls would be:
A. Manage the safekeeping of source documents
B. Assure the accuracy and completeness of the output
C. Ensure that the input data is accurate
D. Prevention and detection of processing errors

137. The responsibility of management to safeguard assets and funds entrusted to them by the owners of an organization is referred to as:
A. Stewardship Responsibility
B. IT System Controls
C. Application Controls
D. Internal Controls

ANSWERS TO TEST BANK – CHAPTER 4 – MULTIPLE CHOICE:

57. D    71. B    85. C    99. C    113. D    127. D
58. A    72. A    86. D   100. D    114. A    128. A
59. B    73. D    87. B   101. B    115. C    129. C
60. C    74. C    88. C   102. C    116. C    130. B
61. D    75. B    89. A   103. A    117. B    131. D
62. A    76. D    90. D   104. C    118. A    132. B
63. B    77. B    91. C   105. B    119. C    133. A
64. C    78. A    92. C   106. A    120. D    134. D
65. D    79. D    93. A   107. D    121. B    135. C
66. A    80. B    94. D   108. A    122. C    136. B
67. B    81. C    95. B   109. D    123. B    137. A
68. C    82. C    96. C   110. B    124. A
69. D    83. A    97. C   111. C    125. D
70. A    84. B    98. A   112. B    126. C
TEST BANK - CHAPTER 4 – END OF CHAPTER QUESTIONS: 138. Internal controls that apply overall to the IT system are called: A. Overall Controls B. Technology Controls C. Application Controls D. General Controls 139. In entering client contact information in the computerized database of a telemarketing business, a clerk erroneously entered nonexistent nonexistent area codes for a block of new clients. This error rendered the block of contact useless to the company. company. Which of the following would most likely have led to discovery of this error into the company’s computerized system? A. Limit check B. Validity check C. Sequence check D. Record count 140. Which of the following is not a control intended to authenticate users? A. Use log–in B. Security token C. Encryption D. Biometric devices 141. Management of an internet retail company is concerned about the possibility of computer data eavesdropping and wiretapping, and wants to maintain the confidentiality of its information as it is transmitted. transmitted. The company should make use of: A. Data encryption B. Redundant servers C. Input controls D. Password codes 142. An IT governance committee has several responsibilities. Which of the following i s least likely to be a responsibility of the IT governance committee? A. Develop and maintain the database database and ensure adequate controls over the database. database. B. Develop, monitor, and review security policies. C. Oversee and prioritize changes to IT systems. systems. D. Align IT investments to business business strategy. strategy. 143. AICPA Trust Principles describe five categories of IT risks and and controls. Which of these five categories would be described by the statement, “The system is protected against unauthorized access”? A. Security B. Confidentiality C. Processing integrity D. Availability
144. The risk that an unauthorized user would shut down systems within the IT system is a(n): A. Security risk B. Availability risk C. Processing integrity risk D. Confidentiality risk

145. The risk of an unauthorized user gaining access is likely to be a risk for which of the following areas? A. Telecommuting workers B. Internet C. Wireless networks D. All of the above

146. Which programmed input validation check compares the value in a field with related fields to determine whether the value is appropriate? A. Completeness check B. Validity check C. Reasonableness check D. Completeness check

147. Which programmed input validation check determines whether the appropriate type of data, either alphabetic or numeric, was entered? A. Completeness check B. Validity check C. Reasonableness check D. Field check

148. Which programmed input validation check makes sure that a value was entered in all of the critical fields? A. Completeness check B. Validity check C. Reasonableness check D. Field check

149. Which control total is the total of field values that are added for control purposes, but not added for any other purpose? A. Record count B. Hash total C. Batch total D. Field total
150. A company has the following invoices in a batch:

    Invoice No.   Product ID   Quantity   Unit Price
    401           H42          150        $30.00
    402           K56          200        $25.00
    403           H42          250        $10.00
    404           L27          300        $ 5.00

Which of the following numbers represents a valid record count? A. 1 B. 4 C. 70 D. 900

ANSWERS TO TEST BANK - CHAPTER 4 – END OF CHAPTER QUESTIONS:
138. D 139. B 140. C 141. A 142. A 143. A 144. B 145. D 146. D 147. D 148. A 149. B 150. B

TEST BANK - CHAPTER 4 – SHORT ANSWER QUESTIONS

151. What is the difference between general controls and application controls?
Answer: General controls are internal controls that apply overall to the IT accounting systems; they are not restricted to any particular accounting application. Application controls apply within accounting applications to control inputs, processing, and outputs. They are intended to ensure that inputs and processing are accurate and complete and that outputs are properly distributed, controlled, and disposed of.

152. Is it necessary to have both general controls and application controls to have a strong system of internal controls?
Answer: Yes, it is necessary to have both types of controls in a strong system of internal controls. Since they cover different aspects of the IT accounting systems and serve different purposes, both are important and necessary. An IT system would not have good internal control if it lacked either general or application controls.

153. What kinds of risks or problems can occur if an organization does not authenticate users of its IT systems?
Answer: If an organization does not authenticate users of its IT systems, a security breach may occur in which an unauthorized user may be able to gain access to the computer system. If hackers or other unauthorized users gain access to information to which they are not entitled, the organization may suffer losses due to exposure of confidential information. Unauthorized users may gain access to the system for the purpose of browsing, altering, or stealing company data. They could also record unauthorized transactions, shut down systems, alter programs, sabotage systems, or repudiate existing transactions.
154. Explain the general controls that can be used to authenticate users.
Answer: In order to authenticate users, organizations must limit system log-ins exclusively to authorized users. This can be accomplished by requiring login procedures, including user IDs and passwords. Stronger systems use biometric identification or security tokens to authenticate users. In addition, once a user is logged in, the system should have established access levels and authority tables for each user. These determine which parts of the IT system each user can access. The IT system should also maintain a computer log to monitor log-ins and follow up on unusual patterns.

155. What is two-factor authentication with regard to smart cards or security tokens?
Answer: Two-factor authentication limits system log-ins to authorized users by requiring them to have possession of a security device such as a smart card or token, and also to have knowledge of a user ID and/or password. Both are needed to gain access to the system.

156. Why should an organization be concerned about repudiation of sales transactions by the customer?
Answer: Repudiation is the attempt to claim that the customer was not part of a sales transaction that has taken place. Organizations may suffer losses if customers repudiate sales transactions. If companies do not have adequate controls to prevent repudiation, they may not be able to collect amounts due from customers. However, organizations may reduce the risk of such losses if they require log-in of customers and if they maintain computer logs to establish undeniably which users take particular actions. This can provide proof of online transactions.

157. A firewall should inspect incoming and outgoing data to limit the passage of unauthorized data flow. Is it possible for a firewall to restrict too much data flow?
Answer: Yes, it is possible for a firewall to restrict legitimate data flow as well as unauthorized data flow. This may occur if the firewall establishes limits on data flow that are too restrictive. In order to prevent blocking legitimate network traffic, the firewall must examine data flow and attempt to determine which data is authorized or unauthorized. The packets of information that pass through the firewall must carry a proper ID to be allowed through.

158. How does encryption assist in limiting unauthorized access to data?
Answer: Encryption is the process of converting data into secret codes referred to as cipher text. Encrypted data can only be decoded by those who possess the encryption key or password. It therefore renders the data useless to any unauthorized user who does not possess the encryption key. Encryption alone does not prevent access to data, but it does prevent an unauthorized user from reading or using the data.

159. What kinds of risk exist in wireless networks that can be limited by WEP, WPA, and proper use of SSID?
Answer: WEP, WPA, and SSIDs can limit the risk of unauthorized access to wireless networks, which transmit network data as high frequency radio signals through the air. Since anyone within range of these radio signals can receive the data, protecting data is extremely important within a wireless network. This can be accomplished through encryption via wired equivalency privacy (WEP), through encryption and user authentication via wireless protected access (WPA), and through password protection of the network sending and receiving nodes via service set identifiers (SSIDs).
160. Describe some recent news stories you have seen or heard regarding computer viruses.
Answer: Student responses will vary greatly depending upon the date this is discussed, but should describe situations of computer malfunctions caused by network break-ins where damaging actions were taken upon an organization's programs and data. As of April 2008, a report by Symantec (www.symantec.com) included the following statistics: The U.S. accounted for 31% of all malicious activity and was the origin of attack in 24% of cases. Symantec observed an average of 61,940 infected computers per day. The US accounted for 56% of all denial of service attacks. In the second half of 2007, Symantec reported that 499,811 new malicious code threats were reported.

161. What is the difference between business continuity planning and disaster recovery planning? How are these two concepts related?
Answer: Business continuity planning is a proactive program for considering risks to the continuation of business and developing plans and procedures to reduce those risks so that continuation of the IT system is always possible. On the other hand, disaster recovery planning is a reactive program for restoring business operations, including IT operations, to normal after a catastrophe occurs. These two concepts are related in that they are both focused on maintaining IT operations at all times in order to minimize business disruptions.

162. How can a redundant array of independent disks (RAID) help protect the data of an organization?
Answer: RAID accomplishes redundant data storage by setting up two or more disks as exact mirror images. This provides an automatic backup of all data. If one disk drive fails, the other (maintained on another disk drive) can serve in its place.

163. What kinds of duties should be segregated in IT systems?
Answer: In an IT system, the duties to be segregated are those of systems analysts who analyze and design the systems, programmers who write the software, operators who process data, and database administrators who maintain and control the database. No single person should develop computer programs and also have access to data.

164. Why do you think the uppermost managers should serve on the IT governance committee?
Answer: An IT governance committee should be comprised of top management in order to ensure that appropriate priority is assigned to the function of governing the overall development and operation of the organization's IT systems. Since the committee's functions include aligning the IT systems to business strategy and budgeting funds and personnel for the effective use of IT systems, it is important that high-ranking company officials be aware of these priorities and involved in their development. Only top management has the power to undertake these responsibilities.

165. Why should accountants be concerned about risks inherent in a complex software system such as the operating system?
Answer: Accountants need to be concerned about the risks inherent in the organization's software systems because all other software runs on top of the operating system. These systems may have exposure areas that contain entry points for potential unauthorized access to software and/or data. These entry points must be controlled by the proper combination of general controls and application controls.
166. Why is it true that increasing the number of LANs or wireless networks within an organization increases risks?
Answer: Increasing the number of LANs or wireless networks within an organization increases exposure areas, or entry points through which a user can gain access to the network. Each LAN or wireless access point is another potential entry point for an unauthorized user. The more entry points, the more security risk the organization faces.

167. What kinds of risks are inherent when an organization stores its data in a database and database management system?
Answer: Since a database management system involves multiple user groups accessing and sharing a database, there are multiple risks of unauthorized access. Anyone who gains access to the database may be able to retrieve data that they should not have. This multiplies the number of people who potentially have access to the data. In addition, availability, processing integrity, and business continuity risks are also important due to the fact that so many different users rely on the system. Proper internal controls can help to reduce these inherent risks.

168. How do telecommuting workers pose IT system risk?
Answer: The network equipment and cabling that enables telecommuting can be an entry point for hackers or other break-ins, and the teleworker's computer is another potential access point that is not under the company's direct control. Therefore, it is difficult for the company to monitor whether telecommuters' computers are properly protected from viruses and other threats. These entry points pose security, confidentiality, availability, and processing integrity risks.

169. What kinds of risks are inherent when an organization begins conducting business over the Internet?
Answer: The Internet connection required to conduct web-based business can expose the company network to unauthorized use. The sheer volume of users of the World Wide Web dramatically increases the potential number of unauthorized users who may attempt to access an organization's network of computers. An unauthorized user can compromise security and confidentiality, and affect availability and processing integrity by altering data or software or by inserting virus or worm programs. In addition, the existence of e-commerce in an organization poses online privacy risks.

170. Why is it true that the use of EDI means that trading partners may need to grant access to each other's files?
Answer: EDI involves transferring electronic business documents between companies. Because EDI involves the use of a network or the Internet, risks of unauthorized access are prevalent. In order to authenticate trading partner users to accomplish the transfer of business documents, other company data files may be at risk of unauthorized use.

171. Why is it critical that source documents be easy to use and complete?
Answer: Source documents should be easy to use and complete in order to minimize the potential that errors, incomplete data, or unauthorized transactions are entered from those source documents into the company's IT systems. Since source documents represent the method of collecting data in a transaction, they need to be easy to use in order to reduce the risk of incorrect or missing data in the accounting system.
172. Explain some examples of input validation checks that you have noticed when filling out forms on websites you have visited.
Answer: Student responses are likely to vary, but may include field checks, validity checks, limit checks, range checks, reasonableness checks, completeness checks, or sign checks. Although sequence checks and self-checking digits are additional input validation checks, they are not likely to be cited because they are applicable to transactions processed in batches, which is not likely to apply to students' web transactions.

173. How can control totals serve as input, processing, and output controls?
Answer: Control totals can be used as input controls when they are applied as record counts, batch totals, or hash totals to verify the accuracy and completeness of data that is being entered into the IT system. These same control totals can be used as processing controls when they are reconciled during stages of processing to verify the accuracy and completeness of processing. Finally, to ensure accuracy and completeness, the output from an IT system can be reconciled to control totals, thus serving as an output control. Therefore, totals at any stage can be compared against the initial control total to help ensure the accuracy of input, processing, or output.

174. What dangers exist related to computer output such as reports?
Answer: Output reports contain data that should not fall into the wrong hands, as the information contained in reports is often confidential or proprietary and could help someone commit fraud. Therefore, the risk of unauthorized access must be controlled through strict policies and procedures regarding report distribution, retention, and disposal.

TEST BANK - CHAPTER 4 – SHORT ESSAY

175. Categorize each of the following as either a general control or an application control: a. validity check b. encryption c. security token d. batch total e. output distribution f. vulnerability assessment g. firewall h. antivirus software
Answer: a. validity check – application control (input) b. encryption – general control c. security token – general control d. batch total – application control (input, processing, and output) e. output distribution – application control (output) f. vulnerability assessment – general control g. firewall – general control h. antivirus software – general control
176. Each of the given situations is independent of the others. For each, list the programmed input validation check that would prevent or detect the error. a. The zip code field was left blank on an input screen requesting a mailing address. b. A state abbreviation of "NX" was entered in the state field. c. A number was accidentally entered in the last name field. d. For a weekly payroll, the entry in the "hours worked" field was 400. e. A pay rate of $50.00 per hour was entered for a new employee. The job code indicates an entry-level receptionist.
Answer: a. The zip code field was left blank on an input screen requesting a mailing address. – Completeness check b. A state abbreviation of "NX" was entered in the state field. – Validity check c. A number was accidentally entered in the last name field. – Field check d. For a weekly payroll, the entry in the "hours worked" field was 400. – Limit check or range check e. A pay rate of $50.00 per hour was entered for a new employee. The job code indicates an entry-level receptionist. – Reasonableness check

177. For each AICPA Trust Services Principles category shown, list a potential risk and a corresponding control that would lessen the risk. An example is provided. In a similar manner, list a risk and control in each of the following categories: Security, Availability, Processing Integrity, and Confidentiality.
Answer: a. Security. Risk: an unauthorized user could record an invalid transaction. Control: security token to limit unauthorized users. b. Availability. Risk: An unauthorized user may shut down a program. Control: intrusion detection to find instances of unauthorized users. c. Processing Integrity. Risk: environmental problems such as temperature can cause glitches in the system. Control: temperature and humidity controls. d. Confidentiality. Risk: an unauthorized user could browse data. Control: encryption.

178. For each of the following parts of an IT system of a company, write a one-sentence description of how unauthorized users could use this as an "entry point": a. A local area network (LAN). b. A wireless network. c. A telecommuting worker. d. A company website to sell products.
Answer: a. A local area network (LAN). Each workstation or the network wiring on the LAN is an access point where someone could tap into the system. b. A wireless network. The wireless signals broadcast into the air could be intercepted to gain access to the system. c. A telecommuting worker. The telecommuter's computer may be infected with a virus that allows a perpetrator to see the login ID and password. d. A company website to sell products. A hacker may try to break through the web server firewall to gain access to company data.
179. Application controls include input, processing, and output controls. One type of input control is source document controls. Briefly explain the importance of each of the following source document controls: Form design, Form authorization and control, and Retention of source documents.
Answer: a. Form design. A well-designed form will reduce the chance of erroneous or incomplete data. It could also increase the speed at which the form is completed. b. Form authorization and control. Forms should have a signature line to indicate that the underlying transaction was approved by the correct person. Blank documents should be properly controlled to limit access to them. c. Retention of source documents. Source documents should be maintained as part of the audit trail. They also serve as a way to look up data when queries are raised.

180. Explain how control totals such as record counts, batch totals, and hash totals serve as input controls, processing controls, and output controls.
Answer: Control totals serve as expected results after input, processing, or output has occurred. At each stage, the current totals can be compared against the initial control total to help ensure the accuracy of input, processing, or output.

181. Briefly explain a situation at your home, university, or job in which you think somebody used computers unethically. Be sure to include an explanation of why you think it was unethical.
Answer: Student responses will vary significantly. Some possibilities include downloading copyrighted music or video from an unauthorized source, viewing pornography on computers at work, shopping or other browsing while at work, using a work computer to store personal files or process personal work, and using company e-mail systems for personal e-mail (some companies may not consider this as problematic as other potential unethical acts).
TEST BANK - CHAPTER 4 – PROBLEMS

182. Explain why an organization should establish and enforce policies for its IT systems in the following areas regarding the use of passwords for log-in: a. Length of password. b. The use of numbers or symbols in passwords. c. Using common words or names as passwords. d. Rotation of passwords. e. Writing passwords on paper or sticky notes.
Answer: a. Length of password. Passwords should be at least eight characters in length. This would make it difficult for a hacker to guess the password in order to gain unauthorized access to the system. b. The use of numbers or symbols in passwords. Passwords should contain a mix of alphanumeric characters as well as other symbols. There may also be a mix of upper- and lower-case letters. This would make it difficult for a hacker to guess the password. c. Using common words or names as passwords. Names, initials, and other common words should be avoided as passwords, as they tend to be easy to guess. d. Rotation of passwords. Passwords should be changed periodically, approximately every 90 days. This will limit the access of a hacker who has gained unauthorized access. e. Writing passwords on paper or sticky notes. Passwords should be committed to the user's memory and should not be written down. If they are documented, this increases the likelihood that an unauthorized user may find the password and use it to gain access to the system.

183. The use of smart cards or tokens is called two-factor authentication. Answer the following questions, assuming that the company you work for uses smart cards or tokens for two-factor authentication. a. What do you think the advantages and disadvantages would be for you as a user? b. What do you think the advantages and disadvantages would be for the company?
Answer: a. What do you think the advantages and disadvantages would be for you as a user?
As a user, the advantage of two-factor authentication would be the security of the information in the system that I am using. I would know that it would be difficult for an unauthorized user to alter a system that uses two-factor authentication, so I would have more confidence in the data within such a system. In addition, it is relatively easy to remember a password and to transport a smart card or security token. On the other hand, I might consider the use of two-factor authentication to be a disadvantage because it places more responsibility on me, the user. For instance, in order to access the system, I have to remember my password and maintain control of a security device. It might be considered an inconvenience to a user to maintain a smart card or security token and remember to keep it accessible at all times that I may need to access the system. It might also be susceptible to loss, similar to a set of keys. b. What do you think the advantages and disadvantages would be for the company? From the company's perspective, the advantage of two-factor authentication is the strength of the extra level of security. The company has additional protection against unauthorized access, which makes it difficult for a hacker to access the system. The disadvantage is the cost of the additional authentication tools that comprise the dual layer of security.
184. Many IT professionals feel that wireless networks pose the highest risks in a company's network system. 1. Why do you think this is true? 2. Which general controls can help reduce these risks?
Answer: 1. Why do you think this is true? Wireless networks pose the highest risks in a company's network computer system because the network signals are transported through the air (rather than over cables). Therefore, anyone who can receive radio signals could potentially intercept the company's information and gain access to its network. This exposure is considered greater than in traditional WANs and LANs. 2. Which general controls can help reduce these risks? A company can reduce its exposure to unauthorized wireless network traffic by implementing proper controls, such as wired equivalency privacy (WEP) or wireless protected access (WPA), service set identifiers (SSIDs), and encrypted data.

185. Control totals include batch totals, hash totals, and record counts. Which of these totals would be useful in preventing or detecting IT system input and processing errors or fraud described as follows? a. A payroll clerk accidentally entered the same time card twice. b. The accounts payable department overlooked an invoice and did not enter it into the system because it was stuck to another invoice. c. A systems analyst was conducting payroll fraud by electronically adding to his "hours worked" field during the payroll computer run. d. To create a fictitious employee, a payroll clerk removed a time card for a recently terminated employee and inserted a new time card with the same hours worked.
Answer: a. A payroll clerk accidentally entered the same time card twice. Any of the three control totals could be used: A batch total could detect that too many hours were entered; A hash total could detect that an employee number summation was overstated; A record count could detect that too many time cards were entered. b. The accounts payable department overlooked an invoice and did not enter it into the system because it was stuck to another invoice. Any of the three control totals could be used: A batch total could detect the missing amount; A hash total could detect that the vendor number summation was misstated; A record count could detect that too few invoices were entered. c. A systems analyst was conducting payroll fraud by electronically adding to his "hours worked" field during the payroll computer run. A batch total could detect this fraud by revealing that the hours worked on the inputs did not agree with the hours worked on the output reports. d. To create a fictitious employee, a payroll clerk removed a time card for a recently terminated employee and inserted a new time card with the same hours worked. A record count could detect this fraud only if there was a control in place to compare the number of records processed with the number of active employees and the number of active employees had been updated to reflect a reduction for the recently terminated employee.
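The following worked example is added here and is not part of the test bank. It computes the three control totals for the invoice batch in question 150 and then replays the four situations in question 185 against a constructed payroll batch, showing which totals flag each one; for situation d it also goes one step beyond the answer above, since a hash total of employee numbers changes when one card is swapped for another even though the record count and batch total do not.

```python
"""Control totals (record count, batch total, hash total) as input and
processing controls. Added example: the invoice batch is the one from
question 150; the payroll batch and scenarios are constructed to mirror
question 185."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlTotals:
    record_count: int    # how many records are in the batch
    batch_total: float   # sum of a field that is meaningful on its own (hours, amounts)
    hash_total: int      # sum of an identifier field, kept only for control purposes


def compute_totals(records, amount_field, id_field):
    """Compute the three control totals over a list of record dicts."""
    return ControlTotals(
        record_count=len(records),
        batch_total=round(sum(float(r[amount_field]) for r in records), 2),
        hash_total=sum(int(r[id_field]) for r in records),
    )


def reconcile(expected, actual):
    """Names of the control totals that disagree; an empty list means the batch reconciles."""
    failed = []
    for name in ("record_count", "batch_total", "hash_total"):
        if getattr(expected, name) != getattr(actual, name):
            failed.append(name)
    return failed


# Invoice batch from question 150; the extended amount is quantity x unit price.
INVOICE_BATCH = [
    {"invoice_no": 401, "product_id": "H42", "quantity": 150, "unit_price": 30.00},
    {"invoice_no": 402, "product_id": "K56", "quantity": 200, "unit_price": 25.00},
    {"invoice_no": 403, "product_id": "H42", "quantity": 250, "unit_price": 10.00},
    {"invoice_no": 404, "product_id": "L27", "quantity": 300, "unit_price": 5.00},
]
for inv in INVOICE_BATCH:
    inv["amount"] = inv["quantity"] * inv["unit_price"]


def invoice_totals():
    """Record count 4, batch total $13,500.00, hash total 1610 (sum of invoice numbers)."""
    return compute_totals(INVOICE_BATCH, "amount", "invoice_no")


# Constructed weekly payroll batch: one time card per employee number.
PAYROLL_BATCH = [
    {"employee_no": 101, "hours": 40.0},
    {"employee_no": 102, "hours": 35.0},
    {"employee_no": 103, "hours": 42.0},
]
# Control totals established at input time, before any processing.
PAYROLL_EXPECTED = compute_totals(PAYROLL_BATCH, "hours", "employee_no")

# The four situations from question 185, as the batch that reaches processing.
SCENARIOS = {
    # a. the same time card entered twice
    "a_duplicate_time_card": PAYROLL_BATCH + [dict(PAYROLL_BATCH[1])],
    # b. one record overlooked (stuck to another), so it never entered the batch
    "b_overlooked_record": PAYROLL_BATCH[:2],
    # c. hours altered during the run; identifiers and record count untouched
    "c_hours_altered_in_run": [
        dict(r, hours=r["hours"] + 10.0) if r["employee_no"] == 103 else dict(r)
        for r in PAYROLL_BATCH
    ],
    # d. terminated employee's card swapped for a fictitious one with the same hours
    "d_fictitious_employee": PAYROLL_BATCH[:2] + [{"employee_no": 104, "hours": 42.0}],
}


def detect(scenario):
    """Which control totals flag the scenario when reconciled to the input-time totals."""
    processed = SCENARIOS[scenario]
    return reconcile(PAYROLL_EXPECTED, compute_totals(processed, "hours", "employee_no"))


def record_count_matches_active_employees(processed, active_employee_nos):
    """The extra control the answer to 185 d. calls for: compare the number of
    records processed with the number of active employees in the master file."""
    return len(processed) == len(active_employee_nos)


if __name__ == "__main__":
    print(invoice_totals())
    for name in SCENARIOS:
        print(name, "->", detect(name) or "reconciles")
```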
186. Explain how each of the following input validation checks can prevent or detect errors: field, validity, limit, range, reasonableness, completeness, sign, and a self-checking digit.
Answer: a. A field check examines a field to determine whether the appropriate type of data was entered. This will detect mistakes in input, such as erroneous input of numeric information in an alpha field. b. A validity check examines a field to ensure that the data entry in the field is valid compared with a preexisting list of acceptable values. This will detect mistakes in input, such as nonsense entries caused by the input personnel striking the wrong key. c. A limit check verifies field inputs by making sure that they do not exceed a preestablished limit. This prevents gross overstatements of the data beyond the acceptable limit. d. A range check verifies field inputs by making sure that they fall within a pre-established range. This prevents gross overstatements and understatements of the data beyond the acceptable limits. e. A reasonableness check compares the value in a field with similar, related fields to determine whether the value seems reasonable. This can detect possible errors by identifying "outliers". f. A completeness check assesses the critical fields in an input screen to make sure that an entry has been input in those fields. This detects possible omissions of critical information. g. A sign check examines a field to determine that it has the appropriate positive or negative sign. This can prevent misstatements caused by misinterpretation of information. h. A sequence check ensures that a batch of transactions is sorted and processed in sequential order. This ensures that a batch will be in the same order as the master file. This may prevent errors in the master file by ensuring that the sequence is appropriate to facilitate an accurate update of the master file. i. A self-checking digit is an extra digit added to a coded identification number, determined by a mathematical algorithm. This detects potential errors in input data.

187. The IT governance committee should comprise top level managers. Describe why you think that is important. What problems are likely to arise with regard to IT systems if the top level managers are not involved in IT governance committees?
Answer: It is important for an IT governance committee to be comprised of members of top management so it can appropriately align IT investments with the company's overall business strategies. If top level managers were not involved in this committee, it is likely that IT changes could be approved which do not enhance the company's overall goals and strategies. In addition, it is possible that IT changes could be discussed and developed without receiving proper approval or funding.
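The input validation checks described in question 186 above, applied to a single payroll and address record, as an added example that is not part of the test bank. The state list, pay bands, hours limit, job codes and the weighted mod-10 check-digit scheme are all constructed for illustration; the five cases come from question 176 and each trips exactly the check the answer there names.

```python
"""Programmed input validation checks run over one payroll/address record.
Added example (not from the textbook); reference data, job codes and the
check-digit scheme are constructed for illustration."""
import re
from itertools import cycle

# Constructed reference data; a real system would read these from master files.
VALID_STATES = {"NY", "NJ", "CT", "CA", "TX", "IL"}
PAY_RATE_RANGE = (7.25, 150.00)          # range check: legal pay band, $/hour
WEEKLY_HOURS_LIMIT = 80.0                # limit check: ceiling on hours per week
EXPECTED_PAY_BY_JOB = {                  # reasonableness: pay band expected for a job code
    "RECEPTIONIST_ENTRY": (12.00, 20.00),
    "SENIOR_ACCOUNTANT": (35.00, 70.00),
}
CRITICAL_FIELDS = ("employee_no", "last_name", "zip", "state", "job_code", "hours", "pay_rate")


def check_digit(base: str) -> str:
    """Constructed self-checking digit: weighted (3,1,3,1,...) sum of the base digits, mod 10.
    Any single mistyped digit changes the sum mod 10, so it is caught at entry."""
    total = sum(int(d) * w for d, w in zip(base, cycle((3, 1))))
    return str((10 - total % 10) % 10)


def has_valid_check_digit(employee_no: str) -> bool:
    return (employee_no.isdigit() and len(employee_no) >= 2
            and check_digit(employee_no[:-1]) == employee_no[-1])


def validate(record: dict) -> list:
    """Return (field, check) pairs for every programmed validation that fails."""
    failures = []
    # Completeness check: every critical field must contain an entry.
    for f in CRITICAL_FIELDS:
        if record.get(f) in (None, ""):
            failures.append((f, "completeness"))
    present = {f for f in CRITICAL_FIELDS if (f, "completeness") not in failures}

    # Field checks: alphabetic data in alpha fields, numeric data in numeric fields.
    if "last_name" in present and not re.fullmatch(r"[A-Za-z '-]+", record["last_name"]):
        failures.append(("last_name", "field"))
    if "zip" in present and not re.fullmatch(r"\d{5}", str(record["zip"])):
        failures.append(("zip", "field"))

    # Validity checks: the value must appear in a preexisting list of acceptable values.
    if "state" in present and record["state"] not in VALID_STATES:
        failures.append(("state", "validity"))
    if "job_code" in present and record["job_code"] not in EXPECTED_PAY_BY_JOB:
        failures.append(("job_code", "validity"))

    # Sign check, then limit check, on hours worked.
    if "hours" in present:
        hours = float(record["hours"])
        if hours < 0:
            failures.append(("hours", "sign"))
        elif hours > WEEKLY_HOURS_LIMIT:
            failures.append(("hours", "limit"))

    # Range check on the pay rate, then reasonableness against the related job-code field.
    if "pay_rate" in present:
        rate = float(record["pay_rate"])
        low, high = PAY_RATE_RANGE
        if not low <= rate <= high:
            failures.append(("pay_rate", "range"))
        elif record.get("job_code") in EXPECTED_PAY_BY_JOB:
            band_low, band_high = EXPECTED_PAY_BY_JOB[record["job_code"]]
            if not band_low <= rate <= band_high:
                failures.append(("pay_rate", "reasonableness"))

    # Self-checking digit on the coded identification number.
    if "employee_no" in present and not has_valid_check_digit(str(record["employee_no"])):
        failures.append(("employee_no", "self-checking digit"))
    return failures


def sequence_check(batch: list, key: str = "employee_no") -> bool:
    """Batch control: records must be sorted on the master-file key before the update."""
    keys = [r[key] for r in batch]
    return keys == sorted(keys)


# Constructed clean record: base 1234 plus check digit 2 (1*3 + 2*1 + 3*3 + 4*1 = 18 -> 2).
GOOD_RECORD = {
    "employee_no": "12342", "last_name": "Rivera", "zip": "10001", "state": "NY",
    "job_code": "RECEPTIONIST_ENTRY", "hours": 40.0, "pay_rate": 15.00,
}

# The five situations from question 176, each applied to the clean record.
Q176_CASES = {
    "a_blank_zip": dict(GOOD_RECORD, zip=""),
    "b_state_NX": dict(GOOD_RECORD, state="NX"),
    "c_digit_in_last_name": dict(GOOD_RECORD, last_name="Sm1th"),
    "d_400_hours": dict(GOOD_RECORD, hours=400),
    "e_50_per_hour_receptionist": dict(GOOD_RECORD, pay_rate=50.00),
}

if __name__ == "__main__":
    for name, rec in Q176_CASES.items():
        print(name, "->", validate(rec))
```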
188. Using a search engine, look up the term "penetration testing." Describe the software tools you find that are intended to achieve penetration testing. Describe the types of systems that penetration testing is conducted upon.
Answer: Software tools that perform penetration tests must be able to replicate a successful unauthorized access attempt or recreate an attack on a company's security, but they must be able to do so without altering or damaging the systems upon which these tests are conducted. This will reveal weaknesses in the system so that the company can implement controls to strengthen the security of its system. Penetration testing is typically conducted upon network systems.

189. Visit the AICPA website at www.aicpa.org. Search for the terms "WebTrust" and "SysTrust." Describe these services and the role of Trust Services Principles in these services.
Answer: WebTrust services are professional services that build trust and confidence among customers and businesses which operate on the Internet. SysTrust services build trust and confidence between business partners who use and rely upon each other's computer systems. These services are built upon the Trust Services Principles of Security, Privacy, Availability, Confidentiality, and Processing Integrity to help companies create trustworthy systems. Both of these services are represented by a seal on the company's Web site.

190. Using a search site, look up the terms "disaster recovery," along with "9/11." The easiest way to search for both items together is to type into the search box the following: "disaster recovery" "9/11." Find at least two examples of companies that have changed their disaster recovery planning since the terrorist attacks on the World Trade Center on September 11, 2001. Describe how these companies changed their disaster recovery plans after the terrorist attacks.
Answer: Students’ answers may vary greatly, as there are numerous examples of companies who operated in or near the World Trade Center or were otherwise affected by the events of September 11, 2001 and who have revised their business disaster recovery plans as a result. A few examples are the financial services companies of Lehman Brothers, Merrill Lynch, and American Express. An article at www.cio.com includes interviews with the IT executives at these companies as they look back to the events of 9/11. In particular, Lehman Brothers has worked hard to increase its redundant storage and real-time back-ups. It also updated its phone systems so that all direct lines to customers would not terminate at the same place, as they did at the World Financial Center. In addition, it has developed a new business continuity plan, with variations that are now tied to the Homeland Security Advisory System’s color-coded warning levels. At Merrill Lynch, disaster recovery efforts focused on diversification of vendors to relieve the concentration from Lower Manhattan. In addition, it outfitted its buildings used for recovery with wireless LANs; this allows for increased flexibility through the broadcast of signals to multiple access points. For American Express, disaster recovery planning and business continuity planning have changed to a geography-based approach, recognizing that disasters are likely to affect large geographic areas. The events of 9/11 proved that Amex’s previous building-based program was not effective.
191. Go to any website that sells goods. Examples would be BestBuy, Staples, and J.Crew. Pretend that you wish to place an order on the site you choose and complete the order screens for your pretend order. Do not finalize the order; otherwise, you will have to pay for the goods. As you complete the order screens, attempt to enter incorrect data for fields or blanks that you complete. Describe the programmed input validation checks that you find that prevent or detect the incorrect data input.
Answer: Students’ responses are likely to vary significantly, as different Web sites have different input validation checks. However, most Web sites have a warning message that will appear if invalid information is entered. (For instance, the message “The billing city, state, zip code, and country entered do not match up. Please revise your selections below” was encountered on jcrew.com when bogus city and zip code information was entered.) The warning message will typically prevent the user from proceeding to the next step in the transaction until the error is corrected.
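As an added example (not part of the test bank answer and not any retailer’s actual code), the block below shows the kinds of programmed input validation checks an order screen of the sort described can apply before accepting a submission: a completeness check on required fields, a field check on the ZIP code format, a validity check on the state code, a range check on the quantity, and a cross-field consistency check between state and ZIP code, which is the kind of check behind the jcrew.com message quoted above. The form field names and the ZIP-prefix table are constructed for illustration; the table covers only three states, where a real site would consult a full address database.

```python
"""Programmed input validation checks for a web order form (added example).

Assumptions: the order screen delivers its fields as a dict of strings with
the constructed names below; the ZIP-prefix table is a constructed sample.
"""
import re

REQUIRED_FIELDS = ("name", "city", "state", "zip", "quantity")

# Constructed sample lookup: first two digits of ZIP codes assigned to each
# state. A production system would use a complete postal database instead.
ZIP_PREFIXES_BY_STATE = {
    "NY": {"10", "11", "12", "13", "14"},
    "CA": {"90", "91", "92", "93", "94", "95", "96"},
    "IL": {"60", "61", "62"},
}

MAX_QUANTITY = 99  # reasonableness limit assumed for a consumer order


def validate_order(form: dict) -> list:
    """Return a list of validation messages; an empty list means the order
    passes every input check and may proceed to the next screen."""
    errors = []

    # Completeness check: every required field must be present and non-blank.
    missing = [f for f in REQUIRED_FIELDS if not str(form.get(f) or "").strip()]
    if missing:
        errors.append("missing required field(s): " + ", ".join(missing))
        return errors  # remaining checks need the data that is absent

    state = form["state"].strip().upper()
    zip_code = form["zip"].strip()
    quantity = form["quantity"].strip()

    # Validity check: the state code must be one the system recognises.
    state_known = state in ZIP_PREFIXES_BY_STATE
    if not state_known:
        errors.append(f"state {state!r} is not a recognised state code")

    # Field check: a US ZIP code is exactly five digits.
    if not re.fullmatch(r"\d{5}", zip_code):
        errors.append("zip code must be exactly five digits")
    # Consistency check: the ZIP code must belong to the state entered.
    elif state_known and zip_code[:2] not in ZIP_PREFIXES_BY_STATE[state]:
        errors.append("the state and zip code entered do not match")

    # Field check then range check on the quantity.
    if not quantity.isdigit():
        errors.append("quantity must be a whole number")
    elif not 1 <= int(quantity) <= MAX_QUANTITY:
        errors.append(f"quantity must be between 1 and {MAX_QUANTITY}")

    return errors


def order_accepted(form: dict) -> bool:
    """Convenience wrapper: True only when no check produced a message."""
    return not validate_order(form)


if __name__ == "__main__":
    # Constructed sample submissions.
    good = {"name": "A. Buyer", "city": "New York", "state": "NY",
            "zip": "10001", "quantity": "2"}
    mismatched = dict(good, state="CA")          # NY ZIP keyed with CA state
    bogus = dict(good, zip="1000", quantity="0")  # bad ZIP format, bad quantity
    for label, form in (("good", good), ("mismatched", mismatched), ("bogus", bogus)):
        print(label, "->", validate_order(form) or "accepted")
```

Each message corresponds to the warning a site would display; because the checks run before the transaction advances, the user is held on the same screen until every message has been cleared.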
