END OF CHAPTER MATERIAL

CONCEPT CHECK

1. 1. Internal controls that apply overall to the IT system are called
   1. overall controls
   2. technology controls
   3. application controls
   4. general controls
2. 2. In entering client contact information in the computerized database of a telemarketing business, a clerk erroneously entered nonexistent area codes for a block of new clients. This error rendered the block of contacts useless to the company. Which of the following would most likely have led to discovery of this error at the time of entry into the company's computerized system?
   1. Limit check
   2. Validity check
   3. Sequence check
   4. Record count
3. 3. Which of the following is not a control intended to authenticate users?
   1. User log-in
   2. Security token
   3. Encryption
   4. Biometric devices
4. 4. Management of an Internet retail company is concerned about the possibility of computer data eavesdropping and wiretapping, and wants to maintain the confidentiality of its information as it is transmitted. The company should make use of
   1. data encryption
   2. redundant servers
   3. input controls
   4. password codes
5. 5. An IT governance committee has several responsibilities. Which of the following is least likely to be a responsibility of the IT governance committee?
   1. Develop and maintain the database and ensure adequate controls over the database.
   2. Develop, monitor, and review security policies.
   3. Oversee and prioritize changes to IT systems.
   4. Align IT investments to business strategy.
6. 6. AICPA Trust Services Principles describe five categories of IT risks and controls. Which of these five categories would best be described by the statement, “The system is protected against unauthorized access”?
   1. Security
   2. Confidentiality
   3. Processing integrity
   4. Availability
7. 7. The risk that an unauthorized user would shut down systems within the IT system is a(n)
   1. security risk
   2. availability risk
   3. processing integrity risk
   4. confidentiality risk
8. 8. The risk of an unauthorized user gaining access is likely to be a risk for which of the following areas?
   1. Telecommuting workers
   2. Internet
   3. Wireless networks
   4. All of the above
9. 9. Which programmed input validation check compares the value in a field with related fields to determine whether the value is appropriate?
   1. Completeness check
   2. Validity check
   3. Reasonableness check
   4. Completeness check
10. 10. Which programmed input validation check determines whether the appropriate type of data, either alphabetic or numeric, was entered?
    1. Completeness check
    2. Validity check
    3. Reasonableness check
    4. Field check
11. 11. Which programmed input validation makes sure that a value was entered in all of the critical fields?
    1. Completeness check
    2. Validity check
    3. Reasonableness check
    4. Field check
12. 12. Which control total is the total of field values that are added for control purposes, but not added for any other purpose?
    1. Record count
    2. Hash total
    3. Batch total
    4. Field total
13. 13. A company has the following invoices in a batch:

    

    Which of the following numbers represents a valid record count?

    1. 1
    2. 4
    3. 70
    4. 900

DISCUSSION QUESTIONS

1. 14. (SO 1) What is the difference between general controls and application controls?
2. 15. (SO 1) Is it necessary to have both general controls and application controls to have a strong system of internal controls?
3. 16. (SO 2) What kinds of risks or problems can occur if an organization does not authenticate users of its IT systems?
4. 17. (SO 2) Explain the general controls that can be used to authenticate users.
5. 18. (SO 2) What is two-factor authentication with regard to smart cards or security tokens?
6. 19. (SO 2) Why should an organization be concerned about repudiation of sales transactions by the customer?
7. 20. (SO 2) A firewall should inspect incoming and outgoing data to limit the passage of unauthorized data flow. Is it possible for a firewall to restrict too much data flow?
8. 21. (SO 2) How does encryption assist in limiting unauthorized access to data?
9. 22. (SO 2) What kinds of risks exist in wireless networks that can be limited by WEP, WPA, and proper use of SSID?
10. 23. (SO 2) Describe some recent news stories you have seen or heard regarding computer viruses.
11. 24. (SO 2) What is the difference between business continuity planning and disaster recovery planning? How are these two concepts related?
12. 25. (SO 2) How can a redundant array of independent disks (RAID) help protect the data of an organization?
13. 26. (SO 2) What kinds of duties should be segregated in IT systems?
14. 27. (SO 2) Why do you think the uppermost managers should serve on the IT governance committee?
15. 28. (SO 4) Why should accountants be concerned about risks inherent in a complex software system such as the operating system?
16. 29. (SO 4) Why is it true that increasing the number of LANs or wireless networks within an organization increases risks?
17. 30. (SO 4) What kinds of risks are inherent when an organization stores its data in a database and database management system?
18. 31. (SO 4) How do telecommunicating workers pose IT system risks?
19. 32. (SO 4) What kinds of risks are inherent when an organization begins conducting business over the Internet?
20. 33. (SO 4) How does the use of public cloud computing reduce costs?
21. 34. (SO 4) Why is a private cloud less risky than a public cloud?
22. 35. (SO 4) Why is it true that the use of EDI means that trading partners may need to grant access to each other's files?
23. 36. (SO 5) Why is it critical that source documents be easy to use and complete?
24. 37. (SO 5) Explain some examples of input validation checks that you have noticed when filling out forms on websites you have visited.
25. 38. (SO 5) How can control totals serve as input, processing, and output controls?
26. 39. (SO 5) What dangers exist related to computer output such as reports?

BRIEF EXERCISES

1. 40. (SO 2, SO 5) Categorize each of the following as either a general control or an application control:
   1. Validity check
   2. Encryption
   3. Security token
   4. Batch total
   5. Output distribution
   6. Vulnerability assessment
   7. Firewall
   8. Antivirus software
2. 41. (SO 5) Each of the given situations is independent of the other. For each, list the programmed input validation check that would prevent or detect the error.
   1. The ZIP code field was left blank on an input screen requesting a mailing address.
   2. A state abbreviation of “NX” was entered in the state field.
   3. A number was accidentally entered in the last name field.
   4. For a weekly payroll, the hours entry in the “hours worked” field was 400.
   5. A pay rate of $50.00 per hour was entered for a new employee. The job code indicates an entry-level receptionist.
3. 42. (SO 3) For each AICPA Trust Services Principles category shown, list a potential risk and a corresponding control that would lessen the risk. An example is provided.

   EXAMPLE

   Security:

   Risk: A hacker could alter data.

   Control: Use a firewall to limit unauthorized access.

   In a similar manner, list a risk and control in each of the following categories:

   1. Security
   2. Availability
   3. Processing integrity
   4. Confidentiality
4. 43. (SO 4) For each of the following parts of an IT system of a company, write a one-sentence description of how unauthorized users could use this as an entry point:
   1. A local area network (LAN)
   2. A wireless network
   3. A telecommuting worker
   4. A company website to sell products
5. 44. (SO 4) Explain the risk categories for cloud computing and how these risks may differ from a company that maintains its own IT hardware, software, and data.
6. 45. (SO 5) Application controls include input, processing, and output controls. One type of input control is source document controls. Briefly explain the importance of each of the following source document controls:
   1. Form design
   2. Form authorization and control
   3. Retention of source documents
7. 46. (SO 5) Explain how control totals such as record counts, batch totals, and hash totals serve as input controls, processing controls, and output controls.
8. 47. (SO 6) Briefly explain a situation at your home, university, or job in which you think somebody used computers unethically. Be sure to include an explanation of why you think it was unethical.

PROBLEMS

1. 48. (SO 1, SO 2) Explain why an organization should establish and enforce policies for its IT systems in the following areas regarding the use of passwords for log-in:
   1. Length of password
   2. Use of numbers or symbols in passwords
   3. Using common words or names as passwords
   4. Rotating passwords
   5. Writing passwords on paper or sticky notes
2. 49. (SO 2) The use of smart cards or tokens is called two-factor authentication. Answer the following questions, assuming that the company you work for uses smart cards or tokens for two-factor authentication.

   Required:

   1. What do you think the advantages and disadvantages would be for you as a user?
   2. What do you think the advantages and disadvantages would be for the company?
3. 50. (SO 4) Many IT professionals feel that wireless networks pose the highest risks in a company's network system.

   Required:

   1. Why do you think this is true?
   2. Which general controls can help reduce these risks?
4. 51. (SO 5) Control totals include batch totals, hash totals, and record counts. Which of these totals would be useful in preventing or detecting IT system input and processing errors or fraud described as follows?
   1. A payroll clerk accidentally entered the same time card twice.
   2. The accounts payable department overlooked an invoice and did not enter it into the system because it was stuck to another invoice.
   3. A systems analyst was conducting payroll fraud by electronically adding to his “hours worked” field during the payroll computer run.
   4. To create a fictitious employee, a payroll clerk removed a time card for a recently terminated employee and inserted a new time card with the same hours worked.
5. 52. (SO 5) Explain how each of the following input validation checks can prevent or detect errors:
   1. Field check
   2. Validity check
   3. Limit check
   4. Range check
   5. Reasonableness check
   6. Completeness check
   7. Sign check
   8. Sequence check
   9. Self-checking digit
6. 53. (SO 2) The IT governance committee should comprise top level managers. Describe why you think that is important. What problems are likely to arise with regard to IT systems if the top level managers are not involved in IT governance committees?
7. 54. (SO 2) Using a search engine, look up the term “penetration testing.” Describe the software tools you find that are intended to achieve penetration testing. Describe the types of systems that penetration testing is conducted upon.
8. 55. (SO 3) Visit the AICPA website at www.aicpa.org. Search for the terms “WebTrust” and “SysTrust.” Describe these services and the role of Trust Services Principles in these services.
9. 56. (SO 2) Using a search site, look up the terms “disaster recovery,” along with “9/11.” The easiest way to search for both terms together is to type into the search box the following: “disaster recovery” “9/11.” Find at least two examples of companies that have changed their disaster recovery planning since the terrorist attacks on the World Trade Center on September 11, 2001. Describe how these companies changed their disaster recovery plans after the terrorist attacks.
10. 57. (SO 5) Go to any website that sells goods. Examples would be BestBuy, Staples, and J. Crew. Pretend that you wish to place an order on the site you choose and complete the order screens for your pretend order. Do not finalize the order or enter either real or fictitious credit card information; otherwise, you will have to pay for the goods. As you complete the order screens, attempt to enter incorrect data for fields or blanks that you complete. Describe the programmed input validation checks that you find that prevent or detect incorrect data input.
11. 58. (SO 4) Using an Internet search engine, search “cloud computing” and create a list of at least ten companies that provide cloud computing services. List the names of the companies and a brief description of the cloud computing services provide by each company.

CASES

1. 59. The EnviroCons Company, a small business with 100 employees, sells environmental consulting services to large companies around the United States. It employs 40 consultants who travel the United States, assisting clients with environmental compliance. To conduct business, the company must maintain a website so that potential customers can learn of its services and contact its consultants. The company maintains an internal network with an extensive database of environmental regulations and environmental data. Each of its consultants carries a laptop computer; the company has installed a wireless network so that when the consultants are in the office they can easily connect to the company's network. Consultants visit off-site clients much of the time, but while on-site consulting with clients, they must use their laptops to access the company database to look up environmental regulations and data.

   Required:

   1. From the list of general controls shown in Exhibit 4-5, list each authentication and hacking control that you think the EnviroCons Company should have in place.
   2. Explain how each control that you list can prevent IT related risks for EnviroCons.
   3. Are there any general controls that you think would not be cost beneficial?
2. 60. Plaskor, Inc., is a manufacturer of plastic knobs for lawn and garden tractors and lawn mowers. The company has always used traditional paper-based systems to conduct transactions with its customers. For example, when a customer ordered knobs, Plaskor personnel filled out a sales order acknowledgement and mailed it to the customer. Plaskor would like to expand its business opportunities by becoming a supplier, as management believes the company can manufacture interior parts for automotive manufacturers. Automotive manufacturing companies use EDI extensively as they transact business with suppliers and expect any suppliers that they buy from to have the appropriate systems to conduct transactions via EDI. Therefore, Plaskor must buy or develop systems that would allow it to use Internet EDI.

   Required:

   1. Describe the extra IT system risks that Plaskor should consider as it evaluates whether to buy or develop an Internet EDI system.
   2. Describe the IT internal controls that should be incorporated into an Internet EDI system.
3. 61. In the early days of computers, Jerry Schneider was a very enterprising young man who, while attending UCLA, was also conducting a major fraud against Pacific Telephone and Telegraph Company (PT&T). At the height of his fraud in 1971, he was collecting approximately $30,000 a day from PT&T. In total, it was estimated that he stole as much as $900,000 from PT&T. Jerry's fraud was fairly simple in concept, but he did work very hard at it. In 1969, he began a legitimate company refurbishing phone equipment for PT&T. As a supplier to PT&T, he became familiar with some of their operations. He also spent much time digging through dumpsters at PT&T and was able to salvage many reports that helped him understand the inventory and ordering systems. He purchased a telephone truck at an auction, and since he was a valid supplier to PT&T, he had keys to the loading dock. He began tapping into PT&T's touch-tone ordering system, ordering equipment to be dropped off at certain locations. Using his truck, he would pick up the equipment and sell it, either to PT&T or to other companies, as refurbished equipment. His knowledge of computers and PT&T systems allowed him to alter their programs to erase any traces of his illicit activity. His operation became so large that he needed employees to assist him. One of his employees became disgruntled and tipped off police to Jerry's illegal activities in 1972. Jerry was convicted of grand theft, burglary, and receiving stolen property and served 40 days in jail, with a three-year probation. He eventually became a computer security consultant.

   Required:

   List and describe internal controls from this chapter that may have helped prevent or detect Jerry Schneider's fraud. Keep in mind that this case occurred before there was an Internet and large company computer networks.

CONTINUING CASE: ROBATELLI'S PIZZERIA

Reread the Robatelli's Pizzeria Continuing Case in Chapter 1. Notice that only a couple of years prior to the case time frame, the management of Robatelli's had begun an Internet order system. As management of Robatelli's considered the advantages of the Internet order system, it should also have considered the inherent risks of conducting business via the Internet.

Required:

1. Describe the new risks of Internet orders that Robatelli's management should have considered. The risks you describe should be specific to the Internet order system.
2. Describe internal controls that Robatelli's should have implemented to lessen the risks you identify in part 1.
3. If Robatelli's decides to move its data and software to a public cloud computing model, what additional risks should it consider?

SOLUTIONS TO CONCEPT CHECK

1. (SO 1) Internal controls that apply overall to the IT system are called d. general controls. There are two categories of IT internal controls. General controls apply overall to the IT system, such as passwords, encryption of data, and physical security controls. Application controls are input, processing, and output controls applied to each specific IT application system.
2. (CMA Adapted) (SO 1) In entering client contact information in the computerized database of a telemarketing business, a clerk erroneously entered nonexistent area codes for a block of new clients. This error rendered the block of contacts useless to the company. The control that would most likely have led to the discovery of this error at the time of entry into the company's computerized system is a b. validity check. A validity check can examine the data entered and alert the user to an invalid entry.
3. (SO 2) c. Encryption is not a control intended to authenticate users. Encryption can render data unreadable and useless to those without the encryption key, but it does not prevent unauthorized users from accessing the IT system. User logins, security tokens, and biometric devices do authenticate users and are intended to prevent unauthorized access.
4. (CMA Adapted, CIA Adapted) (SO 2) Management of an Internet retail company is concerned about the possibility of computer data eavesdropping and wiretapping, and wants to maintain the confidentiality of information as it is transmitted. The company should make use of a. data encryption. Since encryption renders data unreadable, it prevents eavesdropping and makes wiretapping useless.
5. (SO 2) An IT governance committee has several responsibilities. The option least likely to be a responsibility of the IT governance committee is to a. develop and maintain the database and ensure adequate controls over the database. This is a description of the responsibilities of the database administrator, not the IT governance committee.
6. (SO 3) AICPA Trust Services Principles describe five categories of IT risks and controls. Of the five given categories, the one best described by the statement “The system is protected against unauthorized access” is a. security. Availability means that the system is available for operation and use as committed or agreed. Processing integrity means that system processing is complete, accurate, timely, and authorized. Confidentiality means that information designated as confidential is protected as committed or agreed.
7. (SO 3) The risk that an unauthorized user would shut down systems within the IT system is an b. availability risk. The shutdown of all or part of the IT system would make the IT system unavailable for use as intended, and it is therefore an availability risk.
8. 8. (SO 4) The risk of an unauthorized user gaining access is likely to be a risk for d. all of the above. Each of these areas of an IT system is a potential entry point for unauthorized users.
9. (SO 5) c. A reasonableness check is the programmed input validation check that compares the value in a field with related fields to determine whether the value is appropriate. An example would be that pay rate could be compared with job category code to make sure that the pay rate is reasonable.
10. (SO 5) The programmed input validation check that determines whether the appropriate type of data, either alphabetic or numeric, was entered is a d. field check. A field check is intended to ensure that only numeric data are entered in numeric fields and only alphabetic data are entered in alphabetic fields.
11. (SO 5) The programmed input validation which verifies that a value was entered in all of the critical fields is a a. completeness check. When a user is completing an input screen, a completeness check would not allow the user to finish the input and move to the next screen or step until all critical fields contain a value.
12. (SO 5) The control total which is the total of field values added for control purposes, but not added for any other purpose, is a b. hash total. As an example, a hash total might be the total of all Social Security numbers, a field that would not be summed for any purpose other than control.
13. (CPA Adapted) (SO 5) A company has the following invoices in a batch:

    

    Of the numbers presented, the one that represents a valid record count is b. 4. This represents the number of records (invoices) included for processing in the batch.

    

    Exhibit 4-11 AICPA Trust Services Principles Reference List for IT Control Terms