A. Information Systems Within a Business
B. Characteristics of IT Systems—General
C. Characteristics of IT Systems—Specific
D. Control Objectives for Information and Related Technology (COBIT)
E. IT Risks and Internal Control
Overview
Computers have become the primary means used to process financial accounting information and have resulted in a situation in which auditors must be able to use and understand current information technology. Accordingly, knowledge of information technology implications is included in the Business Environment and Concepts section of the CPA exam. In addition, auditing procedures relating to information technology (IT) are included in the Auditing and Attestation portion of the CPA exam.
This module describes various types of information technology and describes the major types of controls that are used to assure the accuracy, completeness, and integrity of technology-processed information.
Ideally, to answer technology-related questions effectively, you should have previously studied or worked in computerized business environments. However, if you do not have this background, we believe that the information in this module should prepare you to perform reasonably well on a typical exam. Keep in mind that the review of these materials cannot make you an expert, and a module such as this cannot cover all possible topics related to information technology. However, this material should help you to understand the complexities introduced by computers in sufficient detail to answer most questions.
NOTE: It is helpful to consider these two distinct roles for systems—that is, (a) recording transactions of various types versus (b) providing support for decision making. These topics are discussed in detail under Section B.2. (Methods of Processing).
Designing and implementing a new information and control system provides an opportunity to reexamine business processes, especially if the new system is an enterprise resource planning (ERP) system. Management can take advantage of the capabilities of the technology to redesign business processes, making them more efficient and effective. The traditional methodology for developing information systems is the systems development life cycle (SDLC). This methodology is characterized by its phases, each representing a specific set of development activities. Typically, the SDLC phases include planning, analysis, design, development, testing, implementation, and maintenance.
Major activities in the planning phase include
This phase involves teams including end users, information technology specialists, systems analysts, and process design specialists to understand the requirements for the proposed system. Typically, processing, data, and logic models are produced during this phase to help determine the system requirements. A needs assessment may also be performed. A needs assessment involves determining the requirements for the system in terms of processes, data capture, information, and reporting. Next, an analysis is performed on the existing system along the same dimensions. Then, a gap analysis is performed to examine the differences (gaps) between the required system and the existing system. Finally, priorities are established for the gaps (requirements), which are documented in a requirements definition document that receives sign-off from the end users. It is during this phase that a company can take advantage of the processes inherent in the new system to improve existing processes. System specification documents contain information on basic requirements, which include
The primary goal of the design phase is to build a technical blueprint of how the proposed system will work. The components that are typically designed during this phase include
During the development phase the documents from the design phase are transformed into the actual system. In the design phase the platform on which the system is to operate is built, or purchased off-the-shelf and customized, and databases are developed.
The testing phase involves verifying that the system works and meets the business requirements as set forth in the analysis phase. The testing phase is obviously critical. The following types of tests should be performed:
The implementation phase involves putting the system in operation by the users. In order to implement the system effectively, detailed user documentation must be provided to the users, and the users must be adequately trained. An organization may choose from a number of implementation methods, including:
This phase involves monitoring and supporting the new system. In this phase the organization provides ongoing training, help desk resources, and a system for making authorized and tested changes to the system.
NOW REVIEW MULTIPLE-CHOICE QUESTIONS 1 THROUGH 14
General: Transactions are processed in the order in which they occur, regardless of type. Data files and programs are stored online so that updating can take place as the edited data flows to the application. System security must be in place to restrict access to programs and data to authorized persons. Online systems are often categorized as being either online transaction processing systems or online analytical processing systems.
An airline's management downloads its OLAP reservation information into another database to allow analysis of that reservation information. At a minimum, this will allow analysis without tying up the OLAP system that is used on a continuous basis; the restructuring of the data into another database is also likely to make a more detailed analysis possible.
EXAMPLE
An expert system may be used by a credit card department to authorize credit card purchases so as to minimize fraud and credit losses.
Further information on backup and recovery is included under Disaster Recovery—D.11 of this module.
NOW REVIEW MULTIPLE-CHOICE QUESTIONS 15 THROUGH 52
General: The following all use the Internet. They have in common that data communications are ordinarily through Hypertext Markup Language (HTML) and/or Extensible Markup Language (XML)—languages used to create and format documents, link documents to other Web pages, and communicate between Web browsers. XML is increasingly replacing HTML in Internet applications due to its superior ability to tag (i.e., label) and format documents that are communicated among trading partners.
Extensible Business Reporting Language (XBRL) is an XML-based language being developed specifically for the automation of business information requirements, such as the preparation, sharing, and analysis of financial reports, statements, and audit schedules. XBRL is used in filings with the SEC that are made available on EDGAR, the SEC's Electronic Data Gathering and Retrieval database.
General: When considering networks, it is helpful to consider their architecture (design). Bear in mind that the architecture must divide the following responsibilities: (1) input, (2) processing, and (3) storage. In general, the client-server model may be viewed as one in which communications ordinarily take the form of a request message from the client to the server asking for some service to be performed. A “client” may be viewed as the computer or workstation of an individual user. The server is a high-capacity computer that contains the network software and may provide a variety of services ranging from simply “serving” files to a client to performing analyses.
NOTE: The above two architectures are referred to as “two-tier” architecture—client tier and server database tier.
NOTE: Tests of controls may address whether controls related to the above are effective.
NOTE: Since end-user computing relies upon microcomputers, the controls required for microcomputers and for EUC are similar. Also, tests of controls may address whether controls related to the above are effective.
NOTE: Tests of controls may address whether controls related to the above are effective.
NOW REVIEW MULTIPLE-CHOICE QUESTIONS 53 THROUGH 96
The factors that individually and collectively influence whether something will work in an organization are referred to as the COBIT 5 enablers. They include:
NOTE: We have already discussed the effect of a computer on internal control of several systems under C. (microcomputers, end-user computing, and electronic commerce). In this section we discuss the effect in general terms as presented in the AICPA Audit Guide, Consideration of Internal Control in a Financial Statement Audit. This section presents information on controls a company may have. We begin by discussing overall principles of a reliable system and overall risks. We then consider the effect of a computer on internal control using the five components of internal control—control environment, risk assessment, information and communication, monitoring, and control activities.
Ideally, in a large system, all of the above key functions should be segregated; in a small computer environment, many of the key functions are concentrated in a small number of employees. For purposes of the CPA exam, remember that, at a minimum, an attempt should be made to segregate the programming, operations, and library functions. Large organizations typically have a chief information officer (CIO) who oversees all information technology and activities.
The following illustration, adapted from the AICPA Audit Guide, Consideration of Internal Control in a Financial Statement Audit, summarizes the relationships among the controls.
* Section below in which control discussion is presented.
NOTE: General control activities affect all computer applications. There are four types of general controls—(a) developing new programs and systems, (b) changing existing programs and systems, (c) controlling access to programs and data, and (d) controlling computer operations.
NOTE: Programmed application controls apply to a specific application rather than multiple applications. These controls operate to assure the proper input and processing of data. The input step converts human-readable data into computer-readable data. Ensuring the integrity of the data in the computer is critical during processing. The candidate should be prepared to identify the following common controls in a multiple-choice question.
Overall: When the input has been accepted by the computer, it usually is processed through multiple steps. Processing controls are essential to ensure the integrity of data. Essentially all of the controls listed for input may also be incorporated during processing. For example, processed information should include limit tests, record counts, and control totals. In addition, external labels should be used on removable media, with internal header and trailer labels used to determine that all information on a file has been read.
NOTE: Previously, the professional standards divided application controls into three categories—input, processing, and output. The current categories of application controls (programmed and manual) and user controls have replaced that breakdown. As an aid to discussing controls we distinguish between input and processing above. User control activities include the essentials of the previous “output” controls.
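The batch controls named above (record counts, control totals, hash totals, and limit tests, with the expected totals carried in a trailer record) can be shown concretely. The following is an added example written for this module, not material from the AICPA guide or the module itself; the sales-record layout, the trailer fields, the $5,000 limit, and the batch contents are all constructed assumptions.

```python
"""Batch edit checks: record count, control total, hash total, and limit test.

Added example (not the module's own material).  The record layout, trailer
fields, credit limit, and sample batches are constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class SalesRecord:
    customer_number: int   # summed for the hash total; the sum itself has no meaning
    amount: Decimal        # summed for the control total (a meaningful dollar figure)


@dataclass(frozen=True)
class BatchTrailer:
    """Totals computed when the batch was prepared, carried as a trailer label."""
    record_count: int
    control_total: Decimal
    hash_total: int


CREDIT_LIMIT = Decimal("5000.00")   # assumed threshold for the limit test


def compute_totals(records):
    """Recompute the three batch totals from the records actually read."""
    record_count = len(records)
    control_total = sum((r.amount for r in records), Decimal("0"))
    hash_total = sum(r.customer_number for r in records)
    return record_count, control_total, hash_total


def batch_edit_checks(records, trailer, limit=CREDIT_LIMIT):
    """Compare recomputed totals with the trailer and apply a per-record limit test.

    Returns a list of exception messages; an empty list means the batch passes.
    Each mismatch points to a different kind of problem: a record-count
    difference means records were lost or duplicated, a control-total
    difference means an amount was altered, and a hash-total difference
    means an identifier (here the customer number) was altered or transposed.
    """
    exceptions = []
    count, control, hash_ = compute_totals(records)
    if count != trailer.record_count:
        exceptions.append(f"record count {count} != trailer {trailer.record_count}")
    if control != trailer.control_total:
        exceptions.append(f"control total {control} != trailer {trailer.control_total}")
    if hash_ != trailer.hash_total:
        exceptions.append(f"hash total {hash_} != trailer {trailer.hash_total}")
    for i, r in enumerate(records):
        if r.amount > limit:                      # limit test on each record
            exceptions.append(f"record {i}: amount {r.amount} exceeds limit {limit}")
    return exceptions


# Constructed batch whose trailer was prepared correctly.
GOOD_BATCH = [
    SalesRecord(10234, Decimal("1200.00")),
    SalesRecord(10871, Decimal("349.95")),
    SalesRecord(10456, Decimal("2750.50")),
]
GOOD_TRAILER = BatchTrailer(record_count=3,
                            control_total=Decimal("4300.45"),
                            hash_total=31561)

# Constructed batch with two defects: the first customer number has two
# digits transposed (10243 for 10234) and the third amount was altered
# to 6750.50, which also exceeds the limit.  The trailer is unchanged.
BAD_BATCH = [
    SalesRecord(10243, Decimal("1200.00")),
    SalesRecord(10871, Decimal("349.95")),
    SalesRecord(10456, Decimal("6750.50")),
]

if __name__ == "__main__":
    print("good batch:", batch_edit_checks(GOOD_BATCH, GOOD_TRAILER) or "passes")
    for message in batch_edit_checks(BAD_BATCH, GOOD_TRAILER):
        print("bad batch:", message)
```

Running the script reports no exceptions for the first batch and three for the second: the control total and hash total both disagree with the trailer, and the altered amount fails the limit test, while the record count still agrees because no record was lost. The hash total is what catches the transposed customer number, which neither the record count nor the dollar control total would notice.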
NOTE: Be aware that most approaches to control for catastrophic failures rely upon backup of the entire system in one form or another. Also, various combinations of the above approaches may be used.
NOW REVIEW MULTIPLE-CHOICE QUESTIONS 97 THROUGH 141
General: Flowcharts analytically describe some aspect of an information system. Flowcharting is a procedure to graphically show the sequential flow of data and/or operations. The data and operations portrayed include document preparation, authorization, storage, and decision making. The more common flowcharting symbols are illustrated below. Knowledge of them would help with occasional multiple-choice questions and with problems that present a detailed flowchart that must be analyzed.
NOW REVIEW MULTIPLE-CHOICE QUESTIONS 142 THROUGH 149
Because the content of this module is largely terminology, a set of key terms is not provided.
1. A software package that is used with a large set of organized data that presents the computer as an expert on a particular topic is referred to as a(n)
2. Computer memory which is used to store programs that must be accessed immediately by the central processing unit is
3. The most common output device is a(n)
4. The part of the computer that does most of the data processing is referred to as the
5. An “office suite” of software is least likely to include a(n)
6. Software that performs a variety of general technical computer-controlling operations is a(n)
7. Which of the following is not a part of the central processing unit?
8. MIPS stands for
9. Which of the following represents a type of application software that a large client is most likely to use?
10. Which of the following characteristics distinguishes computer processing from manual processing?
11. A general type of IT system that is designed to improve the productivity of daily office work is referred to as a(n)
12. The Systems Development Life Cycle (SDLC) is the traditional methodology for developing information systems. In which phase of the SDLC would the activity of identifying the problem(s) that need to be solved most likely occur?
13. Samco Inc. is in the process of designing a new customer relations system. In which phase of the development life-cycle would a needs assessment most likely be performed?
14. Which of the following system implementation models has the advantage of achieving a full operational test of the new system before it is implemented?
15. Which computer application is most frequently used on mainframe computers?
16. Which computer application is most frequently used to analyze numbers and financial information?
17. Analysis of data in a database using tools which look for trends or anomalies without knowledge in advance of the meaning of the data is referred to as
18. The most common type of primary storage in a computer is referred to as
19. A set of step-by-step procedures used to accomplish a task is a(n)
20. Which of the following compiles a complete translation of a program in a high-level computer language before the program is run for the first time?
21. GUI is the abbreviation for
22. Unix is a(n)
23. In a spreadsheet, each specific cell may be identified by a specific
24. In a spreadsheet, which of the following is correct concerning rows and columns?
|    | Rows     | Columns  |
|----|----------|----------|
| a. | Numbered | Numbered |
| b. | Numbered | Lettered |
| c. | Lettered | Numbered |
| d. | Lettered | Lettered |
25. Which of the following is least likely to be considered an advantage of a database?
26. Most current computers process data using which of the following formats?
27. Which term below describes the technology that allows multiple operating systems to run simultaneously on a single computer?
28. What type of secondary storage device requires no moving parts for read/write operations?
29. Another term for cloud-based storage is
30. The wireless input device that is used for inventory control and is similar to bar-code technology but does not require line-of-sight access is
31. The second-generation programming language that is generally specific to a computer architecture (i.e., it is not portable) is
32. The online analytical processing term that represents a combination of systems that help aggregate, access, and analyze business data and assist in the business decision-making process is
33. What is the hierarchy of data organization, from smallest to largest unit, for a relational database?
34. A current-day instruction to a computer such as “Extract all Customers where ‘Name’ is Smith” would most likely relate to a
35. Several language interfaces exist in a database management system. These typically include a data definition language (DDL), a data control language (DCL), a data manipulation language (DML), and a database query language (DQL). What language interface would a database administrator use to establish the structure of database tables?
36. Users making database queries often need to combine several tables to get the information they want. One approach to combining tables is known as
37. User acceptance testing is more important in an object-oriented development process than in a traditional environment because of the implications of the
38. A company's management has expressed concern over the varied system architectures that the organization uses. Potential security and control concerns would include all of the following except:
39. All of the following are methods for distributing a relational database across multiple servers except:
40. Client/server architecture may potentially involve a variety of hardware, systems software, and application software from many vendors. The best way to protect a client/server system from unauthorized access is through
41. What technology is needed in order to convert a paper document into a computer file?
42. Unauthorized alteration of online records can be prevented by employing
43. A manufacturer of complex electronic equipment such as oscilloscopes and microscopes has been shipping its products with thick paper manuals but wants to reduce the cost of producing and shipping this documentation. Of the following, the best medium for the manufacturer to use to accomplish this is
44. Misstatements in a batch computer system caused by incorrect programs or data may not be detected immediately because
45. Which of the following is not a characteristic of a batch processed computer system?
46. Able Co. uses an online sales order processing system to process its sales transactions. Able's sales data are electronically sorted and subjected to edit checks. A direct output of the edit checks most likely would be a
47. First Federal S & L has an online real-time system, with terminals installed in all of its branches. This system will not accept a customer's cash withdrawal instructions in excess of $1,000 without the use of a “terminal audit key.” After the transaction is authorized by a supervisor, the bank teller then processes the transaction with the audit key. This control can be strengthened by
48. Mill Co. uses a batch processing method to process its sales transactions. Data on Mill's sales transaction tape are electronically sorted by customer number and are subjected to programmed edit checks in preparing its invoices, sales journals, and updated customer account balances. One of the direct outputs of the creation of this tape most likely would be a
49. Where disk files are used, the grandfather-father-son updating backup concept is relatively difficult to implement because the
**50. In a computerized system, procedure or problem-oriented language is converted to machine language through a(n)
51. What type of computer system is characterized by data that is assembled from more than one location and records that are updated immediately?
52. Which of the following characteristics distinguishes electronic data interchange (EDI) from other forms of electronic commerce?
53. LAN is the abbreviation for
54. A computer that is designed to provide software and other applications to other computers is referred to as a
55. Which is least likely to be considered a component of a computer network?
56. The network most frequently used for private operations designed to link computers within widely separated portions of an organization is referred to as a(n)
57. A set of rules for exchanging data between two computers is a
58. A web page is most frequently created using
59. Laptop computers provide automation outside of the normal office location. Which of the following would provide the least security for sensitive data stored on a laptop computer?
60. When developing a new computer system that will handle customer orders and process customer payments, a high-level systems design phase would include determination of which of the following?
**61. A company using EDI made it a practice to track the functional acknowledgments from trading partners and to issue warning messages if acknowledgments did not occur within a reasonable length of time. What risk was the company attempting to address by this practice?
62. Management is concerned that data uploaded from a microcomputer to the company's mainframe system in batch processing may be erroneous. Which of the following controls would best address this issue?
Items 63 and 64 are based on the following information:
One major category of computer viruses is programs that attach themselves to other programs, thus infecting the other programs. While many of these viruses are relatively harmless, some have the potential to cause significant damage.
63. Which of the following is an indication that a computer virus of this category is present?
64. Which of the following operating procedures increases an organization's exposure to computer viruses?
65. Which of the following is a risk that is higher when an electronic funds transfer (EFT) system is used?
66. The use of message encryption software
**67. A company's management is concerned about computer data eavesdropping and wants to maintain the confidentiality of its information as it is transmitted. The company should utilize
68. Which of the following is likely to be a benefit of electronic data interchange (EDI)?
69. The internal auditor is reviewing a new policy on electronic mail. Appropriate elements of such a policy would include all of the following except:
70. Which of the following risks is most likely to be encountered in an end-user computing (EUC) environment as compared to a mainframe computer system?
71. Which of the following risks is not greater in an electronic funds transfer (EFT) environment than in a manual system using paper transactions?
72. Methods to minimize the installation of unlicensed microcomputer software include all of the following except:
73. In traditional information systems, computer operators are generally responsible for backing up software and data files on a regular basis. In distributed or cooperative systems, ensuring that adequate backups are taken is the responsibility of
74. An auditor is least likely to find that a client's data is input through
75. End-user computing is an example of which of the following?
76. End-user computing is most likely to occur on which of the following types of computers?
77. Which of the following statements is correct regarding the Internet as a commercially viable network?
78. To reduce security exposure when transmitting proprietary data over communication lines, a company should use
79. Securing client/server systems is a complex task because of all of the following factors except:
80. Which of the following would an auditor ordinarily consider the greatest risk regarding an entity's use of electronic data interchange (EDI)?
81. Which of the following characteristics distinguish electronic data interchange (EDI) from other forms of electronic commerce?
82. Which of the following is considered a component of a local area network?
83. Which of the following represents an additional cost of transmitting business transactions by means of electronic data interchange (EDI) rather than in a traditional paper environment?
84. Many entities use the Internet as a network to transmit electronic data interchange (EDI) transactions. An advantage of using the Internet for electronic commerce rather than a traditional value-added network (VAN) is that the Internet
85. Which of the following is not considered an exposure involved with electronic data interchange (EDI) systems as compared to other systems?
86. Which of the following statements is correct concerning internal control when a client is using an electronic data interchange system for its sales?
87. Which of the following statements most likely represents a disadvantage for an entity that keeps microcomputer-prepared data files rather than manually prepared files?
88. Which of the following is usually a benefit of transmitting transactions in an electronic data interchange (EDI) environment?
89. Which of the following is a network node that is used to improve network traffic and to set up as a boundary that prevents traffic from one segment to cross over to another?
90. Which of the following is an example of how specific controls in a database environment may differ from controls in a nondatabase environment?
91. A retail entity uses electronic data interchange (EDI) in executing and recording most of its purchase transactions. The entity's auditor recognized that the documentation of the transactions will be retained for only a short period of time. To compensate for this limitation, the auditor most likely would
92. Which of the following is an encryption feature that can be used to authenticate the originator of a document and ensure that the message is intact and has not been tampered with?
93. In building an electronic data interchange (EDI) system, what process is used to determine which elements in the entity's computer system correspond to the standard data elements?
94. Which of the following passwords would be most difficult to crack?
95. Which of the following is a password security problem?
96. Many of the Web 2.0 applications rely on an XML-based application that facilitates the sharing and syndication of web content, by subscription. Which of the applications below represents this XML application?
97. Which of the following is not one of the five principles of COBIT 5?
98. The Control Objectives for Information and Related Technology (COBIT) framework has been established by:
99. Which of the following procedures would an entity most likely include in its computer disaster recovery plan?
100. A company is concerned that a power outage or disaster could impair the computer hardware's ability to function as designed. The company desires off-site backup hardware facilities that are fully configured and ready to operate within several hours. The company most likely should consider a
101. Which of the following procedures would an entity most likely include in its disaster recovery plan?
102. Almost all commercially marketed software is
103. A widely used disaster recovery approach includes
104. A “hot site” is most frequently associated with
105. Output controls ensure that the results of computer processing are accurate, complete, and properly distributed. Which of the following is not a typical output control?
106. Minimizing the likelihood of unauthorized editing of production programs, job control language, and operating system software can best be accomplished by
107. Some companies have replaced mainframe computers with microcomputers and networks because the smaller computers could do the same work at less cost. Assuming that management of a company decided to launch a downsizing project, what should be done with respect to mainframe applications such as the general ledger system?
108. A corporation receives the majority of its revenue from top-secret military contracts with the government. Which of the following would be of greatest concern to an auditor reviewing a policy about selling the company's used microcomputers to outside parties?
109. A manufacturer is considering using bar-code identification for recording information on parts used by the manufacturer. A reason to use bar codes rather than other means of identification is to ensure that
110. A company often revises its production processes. The changes may entail revisions to processing programs. Ensuring that changes have a minimal impact on processing and result in minimal risk to the system is a function of
111. Pirated software obtained through the Internet may lead to civil lawsuits or criminal prosecution. Of the following, which would reduce an organization's risk in this area?
112. Good planning will help an organization restore computer operations after a processing outage. Good recovery planning should ensure that
113. In a large organization, the biggest risk in not having an adequately staffed information center help desk is
114. To properly control access to accounting database files, the database administrator should ensure that database system features are in place to permit
115. When evaluating internal control of an entity that processes sales transactions on the Internet, an auditor would be most concerned about the
116. Which of the following statements is correct concerning internal control in an electronic data interchange (EDI) system?
117. Which of the following statements is correct concerning the security of messages in an electronic data interchange (EDI) system?
118. Which of the following is an essential element of the audit trail in an electronic data interchange (EDI) system?
119. Which of the following are essential elements of the audit trail in an electronic data interchange (EDI) system?
120. To avoid invalid data input, a bank added an extra number at the end of each account number and subjected the new number to an algorithm. This technique is known as
121. Preventing someone with sufficient technical skill from circumventing security procedures and making changes to production programs is best accomplished by
122. Computer program libraries can best be kept secure by
123. Which of the following security controls would best prevent unauthorized access to sensitive data through an unattended data terminal directly connected to a mainframe?
124. An entity has the following invoices in a batch:
Which of the following most likely represents a hash total?
125. A customer intended to order 100 units of product Z96014, but incorrectly ordered nonexistent product Z96015. Which of the following controls most likely would detect this error?
126. In entering the billing address for a new client in Emil Company's computerized database, a clerk erroneously entered a nonexistent zip code. As a result, the first month's bill mailed to the new client was returned to Emil Company. Which one of the following would most likely have led to discovery of the error at the time of entry into Emil Company's computerized database?
127. Which of the following controls is a processing control designed to ensure the reliability and accuracy of data processing?
128. Which of the following activities would most likely be performed in the information systems department?
129. The use of a header label in conjunction with magnetic tape is most likely to prevent errors by the
130. For the accounting system of Acme Company, the amounts of cash disbursements entered into a terminal are transmitted to the computer that immediately transmits the amounts back to the terminal for display on the terminal screen. This display enables the operator to
131. When computer programs or files can be accessed from terminals, users should be required to enter a(n)
132. The possibility of erasing a large amount of information stored on magnetic tape most likely would be reduced by the use of
133. Which of the following controls most likely would assure that an entity can reconstruct its financial records?
134. Which of the following input controls is a numeric value computed to provide assurance that the original value has not been altered in construction or transmission?
135. Which of the following is an example of a validity check?
136. Which of the following is a computer test made to ascertain whether a given characteristic belongs to the group?
137. A control feature in an electronic data processing system requires the central processing unit (CPU) to send signals to the printer to activate the print mechanism for each character. The print mechanism, just prior to printing, sends a signal back to the CPU verifying that the proper print position has been activated. This type of hardware control is referred to as
138. Which of the following is an example of a check digit?
139. Which of the following most likely represents a significant deficiency in internal control?
140. Internal control is ineffective when computer department personnel
141. Which of the following activities most likely would detect whether payroll data were altered during processing?
142. Which of the following tools would best give a graphical representation of a sequence of activities and decisions?
Items 143 and 144 are based on the following flowchart of a client's revenue cycle:
143. Symbol A most likely represents the
144. Symbol B most likely represents
145. An auditor's flowchart of a client's accounting system is a diagrammatic representation that depicts the auditor's
Item 146 is based on the following flowchart:
146. The above flowchart depicts
Item 147 is based on the following flowchart:
147. In a credit sales and cash receipts system flowchart, symbol X could represent
148. Which of the following symbolic representations indicate that a file has been consulted?
149. A well-prepared flowchart should make it easier for the auditor to
1. (b) The requirement is to identify a type of software package that uses a large set of organized data that presents the computer as an expert on a particular topic. Answer (b) is correct because an expert system presents the computer as such an expert. Answer (a) is incorrect because data mining uses tools which look for trends or anomalies without advance knowledge of the meaning of the data. Answer (c) is incorrect because artificial intelligence is a branch of computer science that involves computer programs that can solve specific problems creatively. Answer (d) is incorrect because virtual reality involves computer creation of an artificial, three-dimensional world that may be interacted with.
2. (a) The requirement is to identify the type of computer memory used to store programs that must be accessed immediately by the central processing unit. Answer (a) is correct because primary memory is quickly accessed and generally used to store programs that must be accessed immediately. Answer (b) is incorrect because secondary storage is accessed less quickly. Answer (c) is incorrect because the term tertiary storage has no meaning in information technology. Answer (d) is incorrect because tape storage requires relatively long access times.
3. (b) The requirement is to identify the most common output device. Answer (b) is correct because a printer is a common output device and because the other replies represent input, not output devices.
4. (c) The requirement is to identify the part of the computer that does most of the data processing. Answer (c) is correct because the CPU, the central processing unit, does the primary processing for a computer. Answer (a) is incorrect because the word “analyter” has no meaning in information technology. Answer (b) is incorrect because a compiler is used to compile a particular type of computer program. Answer (d) is incorrect because a printer is an output device.
5. (b) The requirement is to identify the software least likely to be included in an “office suite” of software. Answer (b) is correct because operating systems (e.g., Windows, Linux, Unix) are not ordinarily included in an office suite. Answers (a), (c), and (d) are all incorrect because databases, spreadsheets, and word processing software are often included.
6. (d) The requirement is to identify the software that performs a variety of technical operations. Answer (d) is correct because an operating system controls the execution of computer programs and may provide various services. Answer (a) is incorrect because an integrated “suite” (e.g., Microsoft Office) is a series of applications such as a word processor, database, and spreadsheet. Answer (b) is incorrect because shareware is generally considered to be software made available at a low, or no, cost to users. Answer (c) is incorrect because a database system deals with more specific technical processing.
7. (d) The requirement is to identify the part listed that is not considered a part of the central processing unit. Answer (d) is correct because the printer is a separate output device. Answers (a), (b), and (c) are all incorrect because a computer includes control, arithmetic, and logic units.
8. (b) The requirement is to identify the meaning of MIPS. Answer (b) is correct because MIPS is an abbreviation for millions of instructions per second, a unit for measuring the execution speed of computers. Answers (a), (c), and (d) all include combinations of words with no particular meaning in information technology.
9. (a) The requirement is to identify the type of applications software that a large client is most likely to use. Answer (a) is correct because enterprise resource planning (ERP) software is a form of applications software that provides relatively complete information systems for large and medium size organizations. Answer (b) is incorrect because a computer operating system is considered systems software, not applications software. Answer (c) is incorrect because the central processing unit is the principal hardware component of a computer, not software. Answer (d) is incorrect because a value-added network is a privately owned network whose services are sold to the public.
10. (a) The requirement is to identify a characteristic that distinguishes computer processing from manual processing. Answer (a) is correct because the high degree of accuracy of computer computation virtually eliminates the occurrence of computational errors. Answer (b) is incorrect because errors or fraud in computer processing may or may not be detected, depending upon the effectiveness of an entity's internal control. Answer (c) is incorrect because a programming error will result in a high level of systematic error in a computerized system and therefore, such errors may occur in either a manual or a computerized system. Answer (d) is incorrect because most computer systems are designed to include transaction trails.
11. (a) The requirement is to identify the type of general IT system that is designed to improve productivity by supporting the daily work of employees. Answer (a) is correct because office automation systems include the software tools of daily work, including word processing programs, spreadsheets, email, and electronic calendars. Answer (b) is incorrect because transaction processing systems are designed to improve the efficiency of processing transactions. Answer (c) is incorrect because decision support systems are used to solve nonstructured problems. Answer (d) is incorrect because executive information systems are specifically designed to support executive work.
12. (c) The requirement is to identify the phase of the SDLC where analysts identify the problem(s) of an existing information system. Answer (c) is correct because planning is the first phase of the SDLC and this information is needed before most of the analysis phase activities can be initiated. Answer (a) is incorrect because analysis phase activities are generally dependent on knowing exactly what problem(s) need to be solved before an effort is made to determine the requirements of a new system. Answer (b) is incorrect because implementation is the phase where the new system is put into operation. Answer (d) is incorrect because development is the phase of the SDLC where the new system design is transformed into an actual system.
13. (a) The requirement is to identify the phase in which a needs assessment is most likely to be performed. Answer (a) is correct because in the analysis phase the team attempts to get an understanding of the requirements of the system. Answers (b), (c) and (d) are incorrect because these phases occur after the requirements have been determined.
14. (a) The requirement is to identify the implementation model that has the advantage of a full operational test of the system before it is implemented. Answer (a) is correct because with parallel implementation both systems are operated until it is determined that the new system is operating properly. Answer (b) is incorrect because with the plunge model the new system is put into operation without a full operational test. Answer (c) is incorrect because with pilot implementation the system is only tested with a pilot group. Answer (d) is incorrect because with the phased implementation the system is phased in over time.
15. (a) The requirement is to identify the most frequently used mainframe computer application. Answer (a) is correct because mainframe computers (the largest and most powerful computers available at a particular point in time) are generally used to store and process extremely large computer databases. Answers (b), (c), and (d) are all incorrect because they are less frequent mainframe computer applications.
16. (c) The requirement is to identify the computer application most frequently used to analyze numbers and financial information. Answer (c) is correct because the purpose of a spreadsheet is generally to process numbers and financial information; for example, spreadsheets are often used to perform “what if” analysis which makes various assumptions with respect to a particular situation. Answer (a) is incorrect because while computer graphics programs may present numbers and financial information, they do not in general process them to the extent of spreadsheets. Answer (b) is incorrect because a WAN is a wide area network, and not an application used to analyze numbers and financial information. Answer (d) is incorrect because the emphasis of word processing programs is not ordinarily on processing numbers and financial information.
17. (b) The requirement is to identify the type of analysis that uses a database and tools to look for trends or anomalies, without knowledge in advance of the meaning of the data. Answer (b) is correct because data mining uses tools which look for trends or anomalies without such advance knowledge. Answer (a) is incorrect because artificial intelligence is a branch of computer science that involves computer programs that can solve specific problems creatively. Answer (c) is incorrect because virtual reality involves computer creation of an artificial, three-dimensional world that may be interacted with. Answer (d) is incorrect because the term transitory analysis has no meaning relating to information technology.
18. (b) The requirement is to identify the most common type of primary storage in a computer. Answer (b) is correct because RAM (Random Access Memory) is the most common computer memory which can be used by programs to perform necessary tasks; RAM allows information to be stored or accessed in any order and all storage locations are equally accessible. Answer (a) is incorrect because CMAN has no meaning in information technology. Answer (c) is incorrect because ROM (Read Only Memory) is memory whose contents can be accessed and read but cannot be changed. Answer (d) is incorrect because it is a nonvolatile storage that can be electrically erased and programmed anew that is less common than RAM.
19. (a) The requirement is to identify a set of step-by-step procedures that are used to accomplish a task. Answer (a) is correct because an algorithm uses a step-by-step approach to accomplish a task. Answer (b) is incorrect because the term “compilation master” has no meaning in information technology. Answer (c) is incorrect because Linux is a form of operating system. Answer (d) is incorrect because the term “transitor” has no meaning in information technology.
20. (d) The requirement is to identify the item that compiles a complex translation of a program in a high-level computer language before the program is run for the first time. Answer (d) is correct because a compiler decodes instructions written in a higher order language and produces an assembly language program. Answers (a) and (b) are incorrect because Visual Basic and Java are programming languages. Answer (c) is incorrect because an algorithm is a “step-by-step” approach used to accomplish a particular task.
21. (b) The requirement is to identify the meaning of the abbreviation GUI. Answer (b), graphical user interface, is correct. The other replies all represent combinations of words with no meaning in information technology.
22. (a) The requirement is to identify the nature of Unix. Answer (a) is correct because Unix is a powerful operating system, originally developed by AT&T Bell Labs, that is used by many users of high-end computing hardware. Answers (b), (c), and (d) are all incorrect because Unix is not a singular disk drive, a central processing unit, or a logic unit.
23. (a) The requirement is to identify how each specific cell within a spreadsheet is identified. Answer (a) is correct because each cell has an address, composed of a combination of its column and row in the spreadsheet. Answer (b) is incorrect because the column portion of the address is not specific to the cell. Answer (c) is incorrect because the row portion of the address is not specific to the cell. Answer (d) is incorrect because no diagonal is ordinarily used to identify a particular cell.
24. (b) The requirement is to identify whether rows and columns of a spreadsheet are numbered or lettered. Answer (b) is correct because rows are numbered and columns are lettered. The other replies are all incorrect because they include incorrect combinations of “numbered” and “lettered.”
25. (d) The requirement is to identify what is least likely to be considered an advantage of a database. Answer (d) is correct because a database itself does not make it easy to distribute information to every possible user—information must still be distributed either electronically or physically. Answer (a) is incorrect because a database is used to store large quantities of information. Answer (b) is incorrect because information may ordinarily be required quickly from a database. Answer (c) is incorrect because specific normalization rules have been identified for organizing information within a database.
26. (b) The requirement is to identify the most frequent current format for computer processing of data. Answer (b) is correct because most current computers process data using a digital approach in that they represent information by numerical (binary) digits. Answer (a) is incorrect because analog computers, which represent information by variable quantities (e.g., positions or voltages), are less frequent in practice than digital computers. Answer (c) is incorrect because “memory enhanced” is not a format for processing information. Answer (d) is incorrect because “organic” is not a format for processing information.
27. (d) The requirement is to identify the computer technology that is being widely adopted by organizations to lower computer hardware costs and to reduce energy costs by allowing multiple operating systems to coexist and operate simultaneously on the same machine. Answer (d) is correct because virtualization software allows a single computer to run multiple operating systems simultaneously. Answer (a) is incorrect because a client is a computing device that connects to a server or mainframe. Answer (b) is incorrect because a mainframe typically runs a single operating system but serves clients. Answer (c) is incorrect because Linux is an operating system, not a hardware device.
28. (c) The requirement is to identify the secondary storage technology that essentially has no moving parts. Answer (c) is correct because solid state devices store data on microchips and not a medium that must move to write or read data. Answer (a) is incorrect as the magnetic tape drive must spin for read/write operations. Answer (b) is incorrect as CDs and DVDs must also spin and use a moveable read/write head for operation. Answer (d) is incorrect as RAID devices are typically hard disk drives that must also spin and use a moveable read/write head for operations.
29. (d) The requirement is to identify another term for cloud-based storage. Answer (d) is correct because Storage-as-a-Service is another term for cloud-based storage. Answer (a) is incorrect as RAID is disk storage that is directly attached to a computing device. Answer (b) is incorrect as solid state storage is usually associated with a storage device that is directly attached to a computing device. Answer (c) is incorrect as analog refers to the representation of data.
30. (b) The requirement is to identify the wireless technology that is being used for inventory control that does not require line-of-sight access to the inventory. Answer (b) is the correct answer as Radio Frequency Identification (RFID) tags do not need to be seen by RFID readers to work. Answer (a) is incorrect as MICR technology requires items (documents) to pass through a read/write device. Answer (c) is incorrect as touch screen technology is not considered a wireless technology. Answer (d) is incorrect as current point-of-sale scanners must “see” the barcode to read it.
31. (b) The requirement is to distinguish between the various generations of programming languages. Answer (b) is correct as it is the only 2nd generation language listed. Answer (a) is incorrect as binary is considered machine language, the 1st generation programming language. Answer (c) is incorrect as COBOL is a 3rd generation programming language. Answer (d) is incorrect as it is also considered a higher-level, or 3rd generation programming language.
32. (d) The requirement is to distinguish among the OLAP technologies. Answer (d) is correct as business intelligence is the combination of systems that help aggregate, access, and analyze business data. Answer (a) is incorrect as artificial intelligence deals with relatively structured decision making in many areas, not specifically business. Answer (b) is incorrect as a data mart may be used in the process of business intelligence. Answer (c) is incorrect as decision support systems are used in a variety of business and nonbusiness decision-making situations.
33. (a) The requirement here is to identify the hierarchy of data with respect to relational databases. Answer (a) is the correct representation of data, from smallest to largest, for relational databases.
34. (b) The requirement is to identify the generation of programming language most likely to include an instruction such as “Extract all Customers where ‘Name’ is Smith.” Answer (b) is correct because fourth generation programs ordinarily include instructions relatively close to human languages—such as the instruction in this question. Answer (a) is incorrect because first generation instructions are in terms of “1's” and “0's.” Answers (c) and (d) are incorrect because seventh and ninth generation programming languages have not yet been developed (a few fifth generation languages with extensive visual and graphic interfaces are currently in process).
35. (a) The requirement is to identify the language interface used to establish the structure of database tables. Answer (a) is correct because DDL is used to define (i.e., determine) the database. Answer (b) is incorrect because DCL is used to specify privileges and security rules. Answer (c) is incorrect because DML provides programmers with a facility to update the database. Answer (d) is incorrect because DQL is used for ad hoc queries.
36. (a) The requirement is to identify the function used in a database query to combine several tables. Answer (a) is correct because joining is the combining of two or more tables based on matching criteria. For example, if a supplier table contains information about suppliers and a parts table contains information about parts, the two tables could be joined on supplier number (assuming both tables contained this attribute) to give information about the supplier of particular parts. Answers (b), (c), and (d) are all incorrect.
37. (d) The requirement is to identify a reason that user acceptance testing is more important in an object-oriented development process than in a traditional environment. Answer (d) is correct because all objects in a class inherit the properties of the hierarchy, which means that changes to one object may affect other objects; this increases the importance of user acceptance testing to verify correct functioning of the whole system. Answer (a) is incorrect because instead of traditional design documents, items such as the business model, narratives of process functions, iterative development screens, computer processes and reports, and product description guides are produced in object-oriented development, but the existence of specific documents does not affect the importance of user acceptance testing. Answer (b) is incorrect because in general, object-oriented development systems do include tracking systems for changes made to objects and hierarchies. Answer (c) is incorrect because, although object-oriented systems are usually developed in client/server environments where there is the potential for continuous monitoring of system use, continuous monitoring typically occurs during system operation, not during development.
38. (d) The requirement is to identify the reply that does not represent a potential security and control concern. Answer (d) is correct because the distribution of data actually decreases this risk so this would not cause a control concern; it is a potential advantage to distributed systems of various architectures versus centralized data in a single mainframe computer. Answer (a) is incorrect because password proliferation is a considerable security concern because users will be tempted to write their passwords down or make them overly simplistic. Answer (b) is incorrect because consistent security across varied platforms is often challenging because of the different security features of the various systems and the decentralized nature of those controlling security administration. Answer (c) is incorrect because under centralized control, management can feel more confident that backup file storage is being uniformly controlled. Decentralization of this function may lead to lack of consistency and difficulty in monitoring compliance.
39. (c) The requirement is to determine which answer is not a method for distributing a relational database across multiple servers. Answer (c) is correct because normalization is a process of database design, not distribution. Answer (a) is incorrect because making a copy of the database for distribution is a viable method for the described distribution. Answer (b) is incorrect because creating and maintaining replica copies at multiple locations is a viable method for the described distribution. Answer (d) is incorrect because separating the database into parts and distributing where they are needed is a viable method for the described distribution.
40. (a) The requirement is to identify the best way to protect a client/server system from unauthorized access. Answer (a) is correct because, since there is no perfect solution, this is the best way. Answer (b) is incorrect because authentication systems, such as Kerberos, are only a part of the solution. Answer (c) is incorrect because this only affects general access control techniques. Answer (d) is incorrect because testing and evaluation of remote procedure calls may be a small part of an overall security review.
41. (a) The requirement is to identify the technology needed to convert a paper document into a computer file. Answer (a) is correct because optical character recognition (OCR) software converts images of paper documents, as read by a scanning device, into text document computer files. Answer (b) is incorrect because electronic data interchange involves electronic transactions between trading partners. Answer (c) is incorrect because bar-code scanning reads price and item information, but does not convert a paper document into a computer file. Answer (d) is incorrect because joining and merging are processes applied to computer files.
42. (d) The requirement is to identify the best method for preventing unauthorized alteration of online records. Answer (d) is correct because users can gain access to databases from terminals only through established recognition and authorization procedures, thus unauthorized access is prevented. Answer (a) is incorrect because key verification ensures the accuracy of selected fields by requiring a second keying of them, ordinarily by another individual. Answer (b) is incorrect because sequence checks are used to ensure the completeness of input or update data by checking the use of preassigned document serial numbers. Answer (c) is incorrect because computer matching entails checking selected fields of input data with information held in a suspense master file.
43. (c) The requirement is to identify a way of eliminating thick paper manuals and reducing costs. Answer (c) is correct since a compact disc/read-only memory (CD-ROM) would be cheaper to produce and ship than the existing paper, yet would permit large volumes of text and images to be reproduced. Answer (a) is incorrect because write-once-read-many (WORM) is an optical storage technique often used as an archival medium. Answer (b) is incorrect because digital audio tape is primarily used as a backup medium in imaging systems and as a master for CD-ROM. Answer (d) is incorrect because computer-output-to-microform is used for frequent access to archived documents such as canceled checks in banking applications.
44. (c) The requirement is to identify a reason that misstatements in a batch computer system may not be detected immediately. Answer (c) is correct because batch programs are run periodically and thereby result in delays in processing; accordingly, detection of misstatements may be delayed. Answer (a) is incorrect because errors will be detected in the batch. Answer (b) is incorrect because the identification of errors in input data is typically included as a part of a batch program. Answer (d) is incorrect because a batch system will ordinarily process transactions in a uniform manner.
45. (d) The requirement is to determine which answer is not a characteristic of a batch processed computer system. Answer (d) is correct because simultaneous posting to several files is most frequently related to an online real-time system, not a batch system. Answer (a) is incorrect since a batch system may process sequentially against a master file. Answer (b) is incorrect because keypunching is followed by machine processing in batch systems. Answer (c) is incorrect because the numerous batches ordinarily result in numerous printouts.
46. (b) The requirement is to identify the most likely direct output of an edit check included in an online sales order processing system. Edit checks are used to screen incoming data against established standards of validity, with data that pass all edit checks viewed as “valid” and then processed. Answer (b) is correct because an edit check will ordinarily create an output file of rejected transactions. Answer (a) is incorrect because sales invoices may not have been prepared at the point of the sales order processing and because the answer is much less complete than answer (b). Answer (c) is incorrect because while periodic printouts of user code numbers and passwords should be prepared, this is not a primary purpose of an edit check. Answer (d) is incorrect because shipping documents will not ordinarily be prepared at this point and because the answer is much less complete than answer (b).
47. (a) The requirement is to determine a control which will strengthen an online real-time cash withdrawal system. Answer (a) is correct because documentation of all situations in which the “terminal audit key” has been used will improve the audit trail. Answer (b) is incorrect because increasing the dollar amount required for use of the key will simply reduce the number of times it is used (and allow larger withdrawals to be made without any required special authorization). Answer (c) is incorrect because there is no reason to believe that a manual system will be more effective than an online system. Answer (d) is incorrect because parallel simulation, running the data through alternate software, would seem to have no particular advantage for processing these large withdrawals.
48. (a) The requirement is to identify a direct output of a sorting, editing, and updating program. Answer (a) is correct because the program will output both exceptions and control totals to determine whether all transactions have been processed properly. Answers (b), (c), and (d) are all incorrect because while a program such as this may output such schedules, this will occur after exceptions are cleared and control totals are reconciled.
49. (d) The requirement is to determine why the grandfather-father-son updating backup concept is relatively difficult to implement for disk files. Answer (d) is correct because updating destroys the old records. Answer (a) is incorrect because the location of information points on disks is not an extremely time consuming task if the disks have been properly organized and maintained. Answer (b) is incorrect because off-site storage through disks is possible, though costly. Answer (c) is incorrect because information need not be dumped in the form of hard copy.
50. (c) The requirement is to determine the item which converts problem-oriented language to machine language. Answer (c) is correct because a compiler produces a machine-language object program from a source-program (i.e., problem-oriented) language. Answer (a) is incorrect because an interpreter is used to make punched cards easily readable to people. Answer (b) is incorrect because a verifier is used to test whether keypunching errors exist on punched cards. Answer (d) is incorrect because a converter changes a program from one form of problem-oriented language to another, related form (e.g., from one form of COBOL to another form of COBOL).
51. (d) The requirement is to determine the type of computer system characterized by more than one location and records that are updated immediately. Answer (d) is correct because online real-time systems typically allow access from multiple locations, and always have the immediate update of records. Answers (a) and (b) are incorrect because small computers often are limited to one location, and they may or may not allow immediate updating for particular applications. Answer (c) is incorrect because batch processing is a method which does not update records immediately (e.g., processing the “batch” of the firm's daily sales each evening, not at the moment they occur).
52. (a) The requirement is to identify a characteristic that distinguishes electronic data interchange (EDI) from other forms of electronic commerce. Answer (a) is correct because EDI transactions are ordinarily formatted using one of the available uniform worldwide sets of standards. Answer (b) is incorrect because, when financial statements are prepared, EDI transactions must follow generally accepted accounting principles. Answer (c) is incorrect because EDI transactions may or may not be processed using the Internet. Answer (d) is incorrect because security and privacy are considered when recording EDI transactions. See the Auditing Procedure Study Audit Implications of EDI for more information on electronic data interchange.
53. (b) The requirement is to identify the meaning of the abbreviation LAN. Answer (b) is correct because LAN is the abbreviation for local area network. A local area network is a computer network for communication between computers. For example, a local area network may connect computers, word processors and other electronic office equipment to create a communication system within an office. Answers (a), (c) and (d) are all incorrect because they are combinations of words that have no specific meaning in information technology.
54. (c) The requirement is to identify the type of computer that is designed to provide software and other applications to other computers. Answer (c) is correct because a server provides other computers (“clients”) with access to files and printers as shared resources to a computer network. Answer (a) is incorrect because a microcomputer is a small digital computer based on a microprocessor and designed to be used by one person at a time. Answer (b) is incorrect because a network computer is a low-cost personal computer for business networks that is configured with only essential equipment. Answer (d) is incorrect because a supercomputer is a mainframe computer that is one of the most powerful available at a given time.
55. (a) The requirement is to identify the item least likely to be considered a component of a computer network. Answer (a) is least likely because an application program is a program that gives a computer instructions that provide the user with tools to accomplish a specific task (e.g., a word processing application). Answer (b) is incorrect because computers are an integral part of a computer network. Answer (c) is incorrect because software is required for operation of the network. Answer (d) is incorrect because routers are used to forward data within a computer network.
56. (c) The requirement is to identify the type of network used to link widely separated portions of an organization. Answer (c) is correct because a wide area network is used to span a wide geographical space to link together portions of an organization. Answer (a) is incorrect because a bulletin board is a computer that is running software that allows users to leave messages and access information of general interest. Answer (b) is incorrect because a local area network's coverage is restricted to a relatively small geographical area. Answer (d) is incorrect because the term “zero base network” has no meaning in information technology.
57. (c) The requirement is to identify a set of rules for exchanging data between two computers. Answer (c) is correct because a protocol is such a set of rules. Answer (a) is incorrect because the term “communicator” is very general and has no specific meaning in this context. Answer (b) is incorrect because while an operating system controls the execution of computer programs and may provide various services related to computers, it is not a set of rules for exchanging data. Answer (d) is incorrect because transmission speed is the speed at which computer processing occurs.
58. (d) The requirement is to identify the approach most frequently used to create a webpage. Answer (d) is correct because HTML (hypertext markup language) or XML (extensible markup language) are used to develop hypertext documents such as webpages. Answers (a), (b), and (c) are all incorrect because while such tools may be used in webpage creation, they are not as fundamentally related as are HTML or XML.
59. (b) The requirement is to identify the reply that would provide the least security for sensitive data stored on a laptop computer. Answer (b) is correct because password protection for a screensaver program can be easily bypassed. Answer (a) is incorrect because data encryption provides adequate security for laptop computers. Answer (c) is incorrect because removable hard drives would provide adequate security. Answer (d) is incorrect because security is promoted by physically locking the laptop computer to an immovable object.
60. (c) The requirement is to identify the most likely procedure to be included in the high-level systems design phase of a computer system that will handle customer orders and process customer payments. Answer (c) is correct because the determination of what type of system to obtain is made during the high-level design phase. Answer (a) is incorrect because the effect of the new system would be part of the feasibility study. Answer (b) is incorrect because the file layouts are part of the detailed design phase. Answer (d) is incorrect because formal approval is made during the request for the systems design phase.
61. (b) The requirement is to identify the risk being controlled when a company using EDI makes it a practice to track the functional acknowledgments from trading partners. Answer (b) is correct because tracking of customers' functional acknowledgments, when required, will help to ensure successful transmission of EDI transactions. Answer (a) is incorrect because to address this issue, unauthorized access to the EDI system should be prevented, procedures should be in place to ensure the effective use of passwords, and data integrity and privacy should be maintained through the use of encryption and authentication measures. Answer (c) is incorrect because contractual agreements should exist between the company and the EDI trading partners. Answer (d) is incorrect because the risk that EDI data may not be completely and accurately processed is primarily controlled by the system.
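A tracking check of the kind item 61 describes, as an added example that is not part of the original answer key: it reconciles outbound EDI functional groups against the 997 functional acknowledgments received from trading partners and flags groups that were rejected, are overdue, or were acknowledged but never sent. The partners, control numbers and 997 segments are constructed, and the 997 layout assumed is ANSI X12 (AK1 carries the acknowledged group control number, AK9 the acceptance code).

```python
"""Reconcile outbound EDI functional groups with received 997 acknowledgments.

Added example; the partners, control numbers and 997 text below are constructed.
Assumes the ANSI X12 997 layout: AK1 names the acknowledged functional group
(AK101 functional id, AK102 group control number) and AK9 carries the
acceptance code (A accepted, E accepted with errors, P partial, R rejected).
"""
from datetime import datetime, timedelta

# Acceptance codes that confirm the partner received and accepted the group.
ACCEPTED = {"A", "E"}


def parse_997(raw, seg_term="~", elem_sep="*"):
    """Return [(functional_id, group_control_number, ack_code), ...] from one 997."""
    acks = []
    fid = gcn = None
    for seg in raw.split(seg_term):
        elems = seg.strip().split(elem_sep)
        if elems[0] == "AK1" and len(elems) >= 3:
            fid, gcn = elems[1], elems[2]
        elif elems[0] == "AK9" and len(elems) >= 2 and gcn is not None:
            acks.append((fid, gcn, elems[1]))
            fid = gcn = None
    return acks


def reconcile(sent, received_997s, now, sla=timedelta(hours=24)):
    """Bucket every outbound group by what the partner's acknowledgments say.

    sent: {group_control_number: (partner, datetime_sent)}
    """
    acked = {}
    for raw in received_997s:
        for _fid, gcn, code in parse_997(raw):
            acked[gcn] = code
    status = {"acknowledged": [], "rejected": [], "overdue": [], "pending": []}
    for gcn, (_partner, sent_at) in sorted(sent.items()):
        code = acked.get(gcn)
        if code is None:
            # No acknowledgment yet: a miss past the agreed SLA needs follow-up.
            bucket = "overdue" if now - sent_at > sla else "pending"
        elif code in ACCEPTED:
            bucket = "acknowledged"
        else:
            # P or R: the partner did not accept the whole group; resend or investigate.
            bucket = "rejected"
        status[bucket].append(gcn)
    # A 997 for a group we never sent may be a duplicate or a misrouted message.
    status["unexpected"] = sorted(g for g in acked if g not in sent)
    return status


# Constructed outbound log: group control number -> (partner, time sent).
SENT = {
    "1001": ("ACME", datetime(2024, 5, 1, 9, 0)),
    "1002": ("ACME", datetime(2024, 5, 1, 9, 5)),
    "1003": ("BOLT", datetime(2024, 5, 1, 6, 0)),
    "1004": ("BOLT", datetime(2024, 5, 2, 8, 0)),
}

# Constructed 997s as received from the VAN or partner mailbox.
RECEIVED_997S = [
    "GS*FA*ACME*MYCO*20240501*1000*77*X*004010~ST*997*0001~AK1*PO*1001~"
    "AK9*A*1*1*1~SE*4*0001~GE*1*77~",
    "ST*997*0002~AK1*PO*1002~AK2*850*0001~AK5*R*5~AK9*R*1*1*0~SE*6*0002~",
    "ST*997*0003~AK1*PO*9999~AK9*A*1*1*1~SE*4*0003~",
]


def demo_report(now=datetime(2024, 5, 2, 9, 0)):
    """Run the reconciliation over the constructed data as of a fixed time."""
    return reconcile(SENT, RECEIVED_997S, now)


if __name__ == "__main__":
    for bucket, groups in demo_report().items():
        print(f"{bucket:13s} {', '.join(groups) or '-'}")
```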
62. (c) The requirement is to identify the best control to assure that data uploaded from a microcomputer to the company's mainframe system in batch processing is properly handled. Answer (c) is correct because this could help prevent data errors. Answer (a) is incorrect because while this practice is a wise control, it does not address the issue of upload-data integrity. Backups cannot prevent or detect data-upload problems, but can only help correct data errors that a poor upload caused. Answer (b) is incorrect because this control may be somewhat helpful in preventing fraud in data uploads, but it is of little use in preventing errors. Answer (d) is incorrect because this control is detective in nature, but the error could have already caused erroneous reports and management decisions. Having users try to find errors in uploaded data would be costly.
63. (b) The requirement is to identify the most likely indication that a computer virus is present. Answer (b) is correct because unexplainable losses of or changes to data files are symptomatic of a virus attack. Answer (a) is incorrect because power surges are symptomatic of hardware or environmental (power supply) problems. Answer (c) is incorrect because inadequate backup, recovery, and contingency plans are symptomatic of operating policy and/or compliance problems. Answer (d) is incorrect because copyright violations are symptomatic of operating policy and/or compliance problems.
64. (c) The requirement is to identify the operating procedure most likely to increase an organization's exposure to computer viruses. Answer (c) is correct because there is a risk that downloaded public-domain software may be contaminated with a virus. Answers (a) and (b) are incorrect because viruses are spread through the distribution of computer programs. Answer (d) is incorrect because original copies of purchased software should be virus-free and cannot legally be shared.
65. (b) The requirement is to identify the risk that increases when an EFT system is used. Answer (b) is correct because unauthorized access is a risk which is higher in an EFT environment. Answers (a), (c), and (d) are all incorrect because each is a risk which is common to every IT environment.
66. (c) The requirement is to identify the statement that is correct concerning message encryption software. Answer (c) is correct because the machine instructions necessary to encrypt and decrypt data constitute system overhead, which means that processing may be slowed down. Answer (a) is incorrect because no encryption approach absolutely guarantees the secrecy of data in transmission, although some encryption approaches are considered to be less amenable to being broken than others. Answer (b) is incorrect because keys may be distributed manually, but they may also be distributed electronically via secure key transporters. Answer (d) is incorrect because using encryption software does not reduce the need for periodic password changes because passwords are the typical means of validating users' access to unencrypted data.
67. (a) The requirement is to identify the method to prevent data eavesdropping. Answer (a) is correct because data encryption prevents eavesdropping by using codes to ensure that data transmissions are protected from unauthorized tampering or electronic eavesdropping. Answer (b) is incorrect because dial back systems ensure that data are received from a valid source. Answer (c) is incorrect because message acknowledgment procedures help ensure that data were received by the intended party. Answer (d) is incorrect because password codes are designed to prevent unauthorized access to terminals or systems.
68. (b) The requirement is to identify a likely benefit of EDI. Answer (b) is correct because improved business relationships with trading partners is a benefit of EDI. Answer (a) is incorrect because EDI transmits document data, not the actual document. Answer (c) is incorrect because liability issues related to protection of proprietary business data are a major legal implication of EDI. Answer (d) is incorrect because EDI backup and contingency planning requirements are not diminished.
69. (a) The requirement is to identify the least likely part of a company's policy on electronic mail. Answer (a) is correct because the company should have access to the business-related e-mail that is left behind. Access to e-mail can also be critical in business or possible criminal investigations. The privacy concerns of the individual case must be mitigated by compelling business interests: the need to follow up on business e-mail and to assist in investigations. Answer (b) is incorrect because encryption helps prevent eavesdropping by unauthorized persons trying to compromise e-mail messages. Answer (c) is incorrect because limiting the number of packages would decrease the number of administrators who might have access to all messages. Answer (d) is incorrect because controlling the transmission of confidential information by e-mail will help avoid theft of information through intrusion by outsiders.
70. (c) The requirement is to identify the most likely risk relating to end-user computing as compared to a mainframe computer system. Answer (c) is correct because this risk is considered unique to end-user computing (EUC) system development. Answer (a) is incorrect because this risk relates to both traditional information systems and end-user computing (EUC) environments. Answer (b) is incorrect because this risk relates to both traditional information systems and end-user computing (EUC) environments. Answer (d) is incorrect because this risk relates to all computing environments.
71. (c) The requirement is to identify the risk that is not greater in an EFT environment as compared to a manual system using paper transactions. Answer (c) is correct because per transaction costs are lower with electronic funds transfer. Answer (a) is incorrect because this is a major risk factor inherent to electronic funds transfer (EFT). Answer (b) is incorrect because this is another inherent risk factor. Answer (d) is incorrect because this is a critical risk factor.
72. (c) The requirement is to identify the reply that is not a method to minimize the risk of installation of unlicensed microcomputer software. Answer (c) is correct because this technique will not affect introduction of unlicensed software. Answer (a) is incorrect because this technique works. Answer (b) is incorrect because such audits are a must to test the other controls that should be in place. Answer (d) is incorrect because the basis for all good controls is a written policy.
73. (a) The requirement is to determine whose responsibility it is to back up software and data files in distributed or cooperative systems. Answer (a) is correct because in distributed or cooperative systems, the responsibility for ensuring that adequate backups are taken is the responsibility of user management because the systems are under the control of users. Answer (b) is incorrect because in distributed environments, there will be no systems programmers comparable to those at central sites for traditional systems. Answer (c) is incorrect because in distributed environments, there may be no data entry clerks because users are typically performing their own data entry. Answer (d) is incorrect because in distributed environments, there are no tape librarians.
74. (b) The requirement is to identify the least likely way that a client's data will be input. Answer (b) is correct because the term “dynamic linking character reader” is a combination of terms that has no real meaning. The other three terms all represent methods of data input.
75. (d) The requirement is to identify what end-user computing is an example of. Answer (d) is correct because end-user computing involves individual users performing the development and execution of computer applications in a decentralized manner. Answer (a) is incorrect because client/server processing involves a networked model, rather than an end-user approach. Answer (b) is incorrect because a distributed system involves networked computers processing transactions for a single (or related) database. Answer (c) is incorrect because using sophisticated techniques from statistics, artificial intelligence, and computer graphics to explain, confirm, and explore relationships among data may be performed in many environments.
76. (c) The requirement is to identify the type of computer that end-user computing is most likely to occur on. Answer (c) is correct because end-user computing involves individual users performing the development and execution of computer applications in a decentralized manner and these individuals are most likely to be using personal computers. Answers (a) and (b) are incorrect because they represent computers less frequently used by end users. Answer (d) is incorrect because “personal reference assistants” is a term not used in information technology.
77. (a) The requirement is to identify the correct statement regarding the Internet as a commercially viable network. Answer (a) is correct because companies that wish to maintain adequate security must use firewalls to protect data from being accessed by unauthorized users. Answer (b) is incorrect because anyone can establish a homepage on the Internet without obtaining permission. Answer (c) is incorrect because there are no such security standards for connecting to the Internet.
78. (d) The requirement is to identify a method of reducing security exposure when transmitting proprietary data over communication lines. Answer (d) is correct because cryptographic devices protect data in transmission over communication lines. Answer (a) is incorrect because asynchronous modems handle data streams from peripheral devices to a central processor. Answer (b) is incorrect because authentication techniques confirm that valid users have access to the system. Answer (c) is incorrect because callback procedures are used to ensure incoming calls are from authorized locations.
79. (a) The requirement is to identify the reply which is not a reason that securing client/server systems is a complex task. Answer (a) is correct because client/server implementation does not necessarily use relational databases. Answers (b), (c), and (d) are all incorrect because the number of access points, concurrent operation by multiple users, and widespread data access and update capabilities make securing such systems complex.
80. (c) The requirement is to identify what an auditor would ordinarily consider the greatest risk regarding an entity's use of electronic data interchange (EDI). Answer (c) is correct because an EDI system must include controls to make certain that EDI transactions are processed by the proper entity, using the proper accounts. Answers (a) and (b) are incorrect because authorization of EDI transactions and duplication of EDI transmissions ordinarily pose no greater risk than for other systems. Answer (d) is incorrect because the elimination of paper documents in and of itself does not pose a great risk.
81. (d) The requirement is to identify the characteristic that distinguishes electronic data interchange (EDI) from other forms of electronic commerce. Answer (d) is correct because standards for EDI transactions, within any one group of trading partners, have been agreed upon so as to allow the system to function efficiently. Answer (a) is incorrect because the cost of an EDI transaction using a VAN will often exceed the cost of using the Internet. Answer (b) is incorrect because software maintenance contracts are often necessary. Answer (c) is incorrect because EDI commerce involves legally binding contracts between trading partners.
82. (c) The requirement is to identify a component of a local area network. Answer (c) is correct because a local area network requires that data be transmitted from one computer to another through some form of transmission media. Answers (a), (b), and (d) are all general replies that are not requirements of a local area network.
83. (c) The requirement is to identify an additional cost of transmitting business transactions by means of electronic data interchange (EDI) rather than in a traditional paper environment. Answer (c) is correct because such transactions must be translated to allow transmission. Answer (a) is incorrect because no particular controls are required for redundant data checks under EDI as compared to a traditional paper environment. Answer (b) is incorrect because there need be no increase in random data entry errors under EDI. Answer (d) is incorrect because since computer controls are ordinarily heavily relied upon under EDI, often fewer supervisory personnel are needed.
84. (a) The requirement is to identify an advantage of using the Internet for electronic commerce EDI transactions as compared to a value-added network (VAN). Answer (a) is correct because such simultaneous processing of transactions is more likely under an Internet system in which lines are often available at a fixed or nearly fixed rate. Answer (b) is incorrect because the Internet itself will not automatically prepare such batches. Answer (c) is incorrect because an Internet system will not ordinarily have superior characteristics regarding disaster recovery. Answer (d) is incorrect because translation software is needed both for Internet and VAN systems.
85. (b) The requirement is to identify the statement which does not represent an exposure involved with electronic data interchange (EDI) systems. Answer (b) is correct because EDI ordinarily decreases transaction processing time; it does not delay transaction processing time. Answer (a) is incorrect because increased reliance upon both one's own computers and those of other parties are involved in EDI. Answer (c) is incorrect because involvement with other parties in EDI systems may result in the loss of confidentiality of information. Answer (d) is incorrect because EDI systems involve third parties such as customers, suppliers, and those involved with the computer network, and accordingly result in increased reliance upon their proper performance of their functions.
86. (b) The requirement is to identify the correct statement concerning internal control when a client uses an electronic data interchange system for processing its sales. Answer (b) is correct because encryption controls are designed to assure that messages are unreadable to unauthorized persons and to thereby control the transactions. Answer (a) is incorrect because suppliers are not ordinarily included in a company's sales controls and because even in a purchasing EDI system all suppliers need not be included. Answer (c) is incorrect because a value-added network that provides network services may or may not be used in an EDI system. Answer (d) is incorrect because “paper” versions of transactions typically disappear in an EDI system.
87. (d) The requirement is to identify the statement that represents a disadvantage for an entity that keeps microcomputer-prepared data files rather than manually prepared files. Answer (d) is correct because persons with computer skills may be able to improperly access and alter microcomputer files. When a system is prepared manually such manipulations may be more obvious. Answer (a) is incorrect because random error is more closely associated with manual processing than with computer processing. Answer (b) is incorrect because comparing recorded accountability with the physical count of assets should not be affected by whether a manual or a microcomputer system is being used. Answer (c) is incorrect because the accuracy of the programming process is not generally tested when microcomputers are used.
88. (a) The requirement is to identify a benefit of transmitting transactions in an electronic data interchange (EDI) environment. Answer (a) is correct because the speed at which transactions can occur and be processed electronically results in lower year-end receivables since payments occur so quickly. Answer (b) is incorrect because an EDI environment requires many controls related to sales and collections. Answer (c) is incorrect because sampling may or may not be used in such circumstances. Answer (d) is incorrect because third-party service providers are often involved in such transactions—accordingly they are relied upon. See Auditing Procedure Study Audit Implications of EDI for information on electronic data interchange systems.
89. (c) The requirement is to identify the network node that is used to improve network traffic and to serve as a boundary that prevents traffic from one segment from crossing over to another. Answer (c) is correct because a firewall is a computer that provides a defense between one network (inside the firewall) and another network (outside the firewall) that could pose a threat to the inside network. Answer (a) is incorrect because a router is a computer that determines the best way for data to move forward to their destination. Answer (b) is incorrect because a gateway is a communications interface device that allows a local area network to be connected to external networks and to communicate with external computers and databases. Answer (d) is incorrect because a heuristic is a simplified rule to help an individual make decisions.
90. (a) The requirement is to identify the best example of how specific controls in a database environment may differ from controls in a nondatabase environment. Answer (a) is correct because a primary control within a database environment is to appropriately control access and updating by the many users; in most nondatabase environments there are ordinarily far fewer users who are able to directly access and update data. Answer (b) is incorrect because controls over data sharing differ among users for both database and nondatabase environments. Answer (c) is incorrect because under both database and nondatabase systems, the programmer should debug the program. Answer (d) is incorrect because controls can verify that authorized transactions are processed under either a database or nondatabase environment.
91. (b) The requirement is to identify an effective audit approach in an EDI environment in which documentation of transactions will be retained for only a short period of time. Answer (b) is correct because performing tests throughout the year will allow the auditor to examine transaction documentation before the transactions are destroyed. Answer (a) is incorrect because if documentation relating to the transactions is not maintained, it will be impossible to perform such cutoff tests. Answer (c) is incorrect because such a situation need not lead to a 100% count of inventory at or near year-end. Answer (d) is incorrect because an increase in the assessed level of control risk rather than a decrease is more likely.
92. (d) The requirement is to identify the encryption feature that can be used to authenticate the originator of a document and to ensure that the message is intact and has not been tampered with. Answer (d) is correct because digital signatures are used in electronic commerce to authenticate the originator and to ensure that the message has not been tampered with. Answers (a), (b), and (c) are all incorrect because they do not directly deal with such authentication.
93. (a) The requirement is to identify the process used in building an electronic data interchange (EDI) system to determine that elements in the entity's computer system correspond to the standard data elements. Answer (a) is correct because mapping, or “data mapping,” is the process of selecting the appropriate data fields from the various application databases and passing them to the EDI translation software. Answer (b) is incorrect because translation involves the actual modification of the data into a standard format that is used by the EDI system. Answer (c) is incorrect because encryption is a technique for protecting information within a computer system in which an algorithm transforms that data to render it unintelligible; the process can be reversed to regenerate the original data for further processing. Answer (d) is incorrect because decoding is the process of making data intelligible. See the Auditing Procedure Study Audit Implications of EDI for more information on electronic data interchange.
94. (a) The requirement is to identify the password that would be most difficult to crack. A password is a secret series of characters that enables a user to access a file, computer, or program; ideally, the password should be something nobody could guess. Answer (a) is correct because OrCA!FlSi does not seem like a password that one would guess or even recall if seen briefly. Answers (b), (c), and (d) are all incorrect because they represent passwords that would be easier to identify.
95. (a) The requirement is to determine which reply represents a password security problem. A password is a secret series of characters that enables a user to access a file, computer, or program; ideally the password should be something that nobody could guess. Answer (a) is correct because individuals have a tendency to not change passwords, and over time, others may be able to identify them. Answer (b) is incorrect because using different passwords for different accounts on several systems represents a control (assuming the user can remember them). Answer (c) is incorrect because copying of passwords to a secure location (e.g., a wallet) does not ordinarily represent a security problem. Answer (d) is incorrect because passwords should be kept secret and not listed in an online dictionary.
96. (c) The requirement is to distinguish between the Web 2.0 applications. Answer (c) is correct because RSS feeds (and Atom feeds) are XML applications that are designed specifically for sharing and syndication of web content. The acronym RSS refers to Really Simple Syndication. (Atom feeds are similar to RSS feeds). Answer (a) is incorrect because a wiki is a collaboratively-developed information sharing website. Answer (b) is incorrect because a blog is a moderator-led electronic discussion. Answer (d) is incorrect because Twitter is similar to a blog but restricts input to 140 characters per entry.
97. (b) The requirement is to identify the item that is not a COBIT 5 principle. Answer (b) is correct because business processes is not one of the five principles of COBIT 5. The five principles include: (1) Meeting stakeholder needs, (2) Covering the enterprise end-to-end, (3) Applying a single integrated framework, (4) Enabling a holistic approach, and (5) Separating governance from management.
98. (c) The requirement is to identify the organization that developed the COBIT framework. Answer (c) is correct because the COBIT framework was created by The Information Systems Audit and Control Association.
99. (b) The requirement is to identify the most likely procedure to be included in a computer disaster recovery plan. Answer (b) is correct because duplicate copies of critical files will allow an entity to reconstruct the data whose original files have been lost or damaged. Answer (a) is incorrect because an auxiliary power supply will provide uninterrupted electricity to avoid the need for a recovery since it may reduce the likelihood of such a disaster. Answer (c) is incorrect because simply maintaining passwords will not allow the entity to reconstruct data after a disaster has occurred. Answer (d) is incorrect because while cryptography will enhance the security of files from unintended uses, it is not a primary method to recover from a computer disaster.
100. (d) The requirement is to identify the type of backup site a company would most likely consider when there is concern about a power outage and it desires a fully configured and ready-to-operate system. Answer (d) is correct because a hot site is a site that is already configured to meet a user's requirements. Answer (a) is incorrect because a cold site is a facility that provides everything necessary to quickly install computer equipment but doesn't have the computers installed. Answers (b) and (c) are incorrect because they represent terms not frequently used in such circumstances.
101. (d) The requirement is to identify the procedure an entity would most likely include in its disaster recovery plan. Answer (d) is correct because storing duplicate copies of files in a different location will allow recovery of contaminated original files. Answer (a) is incorrect because converting all data from EDI format to an internal company format is ordinarily inefficient, and not a disaster recovery plan. Answer (b) is incorrect because a Trojan horse program (one which masquerades as a benign application but actually causes damage) ordinarily causes illicit activity; it does not prevent illicit activity. Answer (c) is incorrect because an auxiliary power supply is meant to prevent disaster, not recover from disaster.
102. (b) The requirement is to determine whether almost all commercially marketed software is copyrighted, copy protected, or both. Answer (b) is correct because while almost all such software is copyrighted, much of it is not copy protected. Answer (a) is incorrect because it suggests that almost all such software is copy protected. Answer (c) is incorrect both because it suggests that such software is not copyrighted and that it is copy protected. Answer (d) is incorrect because it suggests that such software is not copyrighted.
103. (c) The requirement is to identify a widely used disaster recovery approach. Answer (c) is correct because regular backups (copying) of data allows recovery when original records are damaged. Answer (a) is incorrect because encryption is used with a goal of making files impossible to read by those other than the intended users. Answer (b) is incorrect because firewalls are designed to control any possible inappropriate communication between computers within one system and those on the outside. Answer (d) is incorrect because surge protectors are electrical devices inserted in a power line to protect equipment from sudden fluctuations in current, and thereby prevent disasters, not recover from them.
104. (a) The requirement is to identify what a “hot site” is most frequently associated with. Answer (a) is correct because a hot site is a commercial disaster recovery service that allows a business to continue computer operations in the event of computer disaster. For example, if a company's data processing center becomes inoperable, that enterprise can move all processing to a hot site that has all the equipment needed to continue operation. Answer (b) is incorrect because a hot site is not frequently associated with online relational database design. Answer (c) is incorrect because source programs (programs written in a language from which statements are translated into machine language) are not directly related to a hot site. Answer (d) is incorrect because when used in information technology, the term hot site is not directly related to temperature control for computers.
105. (b) The requirement is to determine which reply is not a typical output control. Answer (b) is correct because matching the input data with information held on master or suspense files is a processing control, not an output control, to ensure that data are complete and accurate during updating. Answer (a) is incorrect because a review of the computer processing logs is an output control to ensure that data are accurate and complete. Answer (c) is incorrect because periodic reconciliation of output reports is an output control to ensure that data are accurate and complete. Answer (d) is incorrect because maintaining formal procedures and documentation specifying authorized recipients is an output control to ensure proper distribution.
106. (c) The requirement is to identify the best way to minimize the likelihood of unauthorized editing of production programs, job control language, and operating system software. Answer (c) is correct because program change control comprises: (1) maintaining records of change authorizations, code changes, and test results; (2) adhering to a systems development methodology (including documentation); (3) authorizing changeovers of subsidiary and headquarters' interfaces; and (4) restricting access to authorized source and executable codes. Answer (a) is incorrect because the purpose of database reviews is to determine if (1) users have gained access to database areas for which they have no authorization; and (2) authorized users can access the database using programs that provide them with unauthorized privileges to view and/or change information. Answer (b) is incorrect because the purpose of compliance reviews is to determine whether an organization has complied with applicable internal and external procedures and regulations. Answer (d) is incorrect because the purpose of network security software is to provide logical controls over the network.
107. (d) The requirement is to determine the most likely actions relating to mainframe applications when a company decides to launch a downsizing project. Answer (d) is correct because mainframe applications represent a significant investment and may still provide adequate service. The fact that mainframes can provide a stable platform for enterprise applications may be an advantage while exploring other nonmainframe options. Answer (a) is incorrect because the costs of converting mainframe applications to a microcomputer network and retraining the personnel who would rewrite and maintain them preclude any rapid transition. Answer (b) is incorrect because general ledger programs that aggregate business data on a regular basis will be among the last to be converted. Answer (c) is incorrect because incremental modifications may have high paybacks.
108. (a) The requirement is to identify the greatest concern relating to a client's selling of used microcomputers when that corporation receives the majority of its revenue from top-secret military contracts with the government. Answer (a) is correct because while most delete programs erase file pointers, they do not remove the underlying data. The company must use special utilities that fully erase the data; this is especially important because of the potential for top-secret data on the microcomputers. This risk is the largest because it could cause them to lose military contract business. Answer (b) is incorrect because while it could create a liability for the company if a virus destroyed the purchasing party's data or programs, the purchasing party should use antiviral software to detect and eliminate any viruses. This concern, while important, is not as serious as the one in answer (a). Answer (c) is incorrect because the purchasing party has a responsibility to ensure that all their software is properly licensed. If the company represented that all the software was properly licensed, this could create a liability. However, this liability is not as serious as the implication from answer (a). Answer (d) is incorrect because terminal emulation software is widely available.
109. (b) The requirement is to identify a reason to use bar codes rather than other means of identifying information on parts. Answer (b) is correct because a reason to use bar codes rather than other means of identification is to record the movement of parts with minimal labor costs. Answer (a) is incorrect because the movement of parts can escape being recorded with any identification method. Answer (c) is incorrect because each vendor has its own part-numbering scheme, which is unlikely to correspond to the buyer's scheme. Answer (d) is incorrect because each vendor has its own identification method, although vendors in the same industry often cooperate to minimize the number of bar code systems they use.
110. (b) The requirement is to identify the function that ensures that changes in processing programs have a minimal impact on processing and result in minimal risk to the system. Answer (b) is correct because change control is the process of authorizing, developing, testing, and installing coded changes so as to minimize the impact on processing and the risk to the system. Answer (a) is incorrect because security administration is not as directly applicable as is change control. Answer (c) is incorrect because problem tracking is the process of collecting operational data about processes so that they can be analyzed for corrective action. Answer (d) is incorrect because problem-escalation procedures are a means of categorizing problems or unusual circumstances so that the least skilled person can address them.
111. (b) The requirement is to identify the approach(es) that may reduce an organization's risk of civil lawsuit due to the use of pirated software. Answer (b) is correct because: (I) Maintaining a log protects an organization since a log documents software purchases. (II) Auditing individual computers will discourage illegal software usage. (III) Establishing a corporate software policy will discourage illegal software usage. (IV) Allowing users to keep original diskettes increases both the likelihood of illegal copies being made and the loss of diskettes. Answers (a), (c), and (d) are all incorrect.
112. (a) The requirement is to identify a benefit of good recovery planning. Answer (a) is correct because an essential component of a disaster recovery plan is that the need for backup/restart has been anticipated and provided for in the application systems. Answer (b) is incorrect because change control procedures should not be bypassed by operating personnel, but that is not generally a consideration in disaster recovery planning. Answer (c) is incorrect because planned changes in equipment capacities should be compatible with projected workloads, but that is not generally a consideration in disaster recovery planning. Answer (d) is incorrect because service level agreements with owners of critical applications should be adequate, but that is not generally a consideration in disaster recovery planning.
113. (d) The requirement is to identify the biggest risk in not having an adequately staffed information center help desk. Answer (d) is correct because not having such a help desk may lead to a situation in which users will unknowingly persist in making errors in their interaction with the information systems. Answer (a) is incorrect because application audits should be about the same difficulty with or without an adequately staffed help desk. Answer (b) is incorrect because the preparation of documentation is a development function, not a help desk function. Answer (c) is incorrect because the likelihood of use of unauthorized program code is a function of change control, not of a help desk.
114. (c) The requirement is to determine how a database administrator should ensure that the database system properly controls access to accounting database files. Answer (c) is correct because one security feature in database systems is their ability to let the database administrator restrict access on a logical view basis for each user. Answer (a) is incorrect because if the only access permitted is read-only, then there could be no updating of database files. Answer (b) is incorrect because permitting catalog updating from privileged software would be a breach of security, which might permit unauthorized access. Answer (d) is incorrect because updating of users' access profiles should be a function of a security officer, not the user.
115. (b) The requirement is to identify a major auditor concern when a client processes sales transactions on the Internet. Answer (b) is correct because computer disruptions may result in the incorrect recording of sales. Answer (a) is incorrect because electronic sales invoices may replace sales invoice documents in such an environment. Answer (c) is incorrect because there may or may not be a need to establish an integrated test facility in such circumstances. Answer (d) is incorrect because the frequency of archiving and data retention is not as important as is ensuring that such policies appropriately control system backup.
116. (a) The requirement is to identify the correct statement concerning internal control in an electronic data interchange (EDI) system. Answer (a) is correct because preventive controls are important and often cost-effective in an EDI environment so as to not allow the error to occur, and because detective controls may detect misstatements too late to allow proper correction. Answer (b) is incorrect because the control objectives under EDI systems generally remain the same as for other information systems. Answer (c) is incorrect because a well-controlled EDI system may allow control risk to be assessed below the maximum. Answer (d) is incorrect because the programmed nature of most EDI controls limits the possible segregation of duties within the system. See Auditing Procedure Study Audit Implications of EDI for information on electronic data interchange systems.
117. (b) The requirement is to identify the correct statement relating to the security of messages in an electronic data interchange (EDI) system. Answer (b) is correct because both the physical security of the hardware and the hardware itself create a situation in which the encryption is ordinarily more secure than encryption performed by software. Answer (a) is incorrect because message authentication deals with whether the message received is the same as that sent, and not as directly with confidentiality. Answer (c) is incorrect because message authentication deals most directly with whether changes have been made in the message sent, and not with the variety of other potential problems addressed by segregation of duties. Answer (d) is incorrect because security is necessary at the transaction phase in EDI systems. See Auditing Procedure Study Audit Implications of EDI for information on electronic data interchange systems.
118. (c) The requirement is to identify an essential element of the audit trail in an electronic data interchange (EDI) system. Answer (c) is correct because effective audit trails need to include activity logs, including processed and failed transactions, network and sender/recipient acknowledgments, and time sequence of processing. Answer (a) is incorrect because disaster recovery plans, while essential to the overall system, are not an essential element of the audit trail. Answer (b) is incorrect because encrypted hash totals deal less directly with the audit trail than do activity logs. Answer (d) is incorrect because hardware security modules that store sensitive data do not deal directly with the audit trail. See Auditing Procedure Study Audit Implications of EDI for information on electronic data interchange systems.
119. (a) The requirement is to identify an essential element of the audit trail in an electronic data interchange (EDI) system. Answer (a) is correct because effective audit trails need to include activity logs, including processed and failed transactions, network and sender/recipient acknowledgments, and time sequence of processing. Answer (b) is incorrect because neither message directories nor header segments directly affect the audit trail. Answer (c) is incorrect because contingency and disaster recovery plans, while important, are not as directly related to the audit trail as are the acknowledgments suggested in answer (a). Answer (d) is incorrect because while knowing trading partner security and mailbox codes is essential, it is more closely related to overall security than is answer (a). See Auditing Procedure Study Audit Implications of EDI for information on electronic data interchange systems.
120. (b) The requirement is to identify the type of control that involves adding an extra number at the end of an account number and subjecting the new number to an algorithm. Answer (b) is correct because a check digit is an extra reference number that follows an identification code and bears a mathematical relationship to the other digits. Answer (a) is incorrect because optical character recognition involves a computer being able to “read in” printed data. Answer (c) is incorrect because a dependency check involves some form of check between differing related pieces of data. Answer (d) is incorrect because a format check involves determining whether the proper type of data has been input or processed (e.g., numerical data input under account withdrawal amount).
121. (d) The requirement is to identify the best control for preventing someone with sufficient technical skill from circumventing security procedures and making changes to production programs. Answer (d) is correct because a suitable segregation of duties will make such alteration impossible since when duties are separated, users cannot obtain the detailed knowledge of programs and computer operators cannot gain unsupervised access to production programs. Answers (a), (b), and (c) are all incorrect because the reviews of jobs processed, comparing programs with copies, and running attest data will all potentially disclose such alteration, but will not prevent it.
122. (c) The requirement is to identify the best method of keeping computer program libraries secure. Answer (c) is correct because restricting physical and logical access secures program libraries from unauthorized use in person or remotely via terminals. Answers (a) and (b) are incorrect because installing a logging system for program access or monitoring physical access would permit detection of unauthorized access but would not prevent it. Answer (d) is incorrect because denying all remote access via terminals would likely be inefficient and would not secure program libraries against physical access.
123. (d) The requirement is to identify the security control that would best prevent unauthorized access to sensitive data through an unattended data terminal directly connected to a mainframe. Answer (d) is correct because automatic log-off of inactive users may prevent the viewing of sensitive data on an unattended data terminal. Answer (a) is incorrect because data terminals do not normally use screen-saver protection, and because a screen saver would not prevent access. Answer (b) is incorrect because scripting is the use of a program to automate a process such as startup. Answer (c) is incorrect because encryption of data files will not prevent viewing of data on an unattended data terminal.
124. (d) The requirement is to identify the reply that most likely represents a hash total. A hash total is a control total where the total is meaningless for financial purposes, but has some meaning for processing purposes. Answer (d) is correct because 810 represents the sum of the invoice numbers. Answer (a) is incorrect because it appears to be an accumulation of all letters, plus a sum of the numbers. Answer (b) is more likely to be considered a record count. Answer (c) is incorrect because it is simply the invoice number of the last invoice in the batch.
125. (a) The requirement is to determine the type of control that would detect a miscoding of a product number on an order from a customer. Answer (a) is correct because a check digit is an extra digit added to an identification number to verify that the number is authorized and to thereby detect such coding errors. Answer (b) is incorrect because a record count involves a count of the number of records processed which is not being considered here. Answer (c) is incorrect because the term “hash total” ordinarily relates to a total of items and is meaningless for financial purposes (e.g., the total of the invoice numbers for a particular day's sales), but has some meaning for processing purposes. Answer (d) is incorrect because a redundant data check uses two identifiers in each transaction record to confirm that the correct master file record has been updated (e.g., the client account number and first several letters of the customer's name can be used to retrieve the correct customer master record from the accounts receivable file).
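Answers 124 and 125 distinguish a record count, a financial total, a hash total, and a redundant data check. The following Python block is an added example, not code from the review module: it computes the three batch control totals over a constructed batch of four invoices (numbered 201 through 204, so the hash total happens to be 810) and shows which total reveals a transposed invoice number versus a dropped record. The customer master file, account numbers, and amounts are constructed sample data.

```python
"""Batch control totals over a constructed batch of sales invoices.

Added illustration; not code from the review module. Invoice numbers,
amounts, customer accounts and the master file are constructed sample data.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    number: int           # invoice number: the field the hash total is taken over
    customer_id: str      # customer account number (key to the master file)
    customer_name: str    # second identifier used by the redundant data check
    amount: Decimal       # financial field summed by the financial total


# Constructed batch. The invoice numbers 201..204 sum to 810: a figure that is
# meaningless financially but proves the same four records were processed.
BATCH = [
    Invoice(201, "C1001", "ACME SUPPLY", Decimal("120.00")),
    Invoice(202, "C1002", "BAKER AUTO", Decimal("75.50")),
    Invoice(203, "C1003", "CARTER PARTS", Decimal("300.25")),
    Invoice(204, "C1001", "ACME SUPPLY", Decimal("44.25")),
]

# Constructed accounts receivable master file keyed by account number.
CUSTOMER_MASTER = {
    "C1001": "ACME SUPPLY",
    "C1002": "BAKER AUTO",
    "C1003": "CARTER PARTS",
}


def control_totals(batch):
    """Record count, financial total and hash total for one batch."""
    return {
        "record_count": len(batch),
        "financial_total": sum((inv.amount for inv in batch), Decimal("0")),
        "hash_total": sum(inv.number for inv in batch),
    }


def compare_totals(expected, actual):
    """Names of the control totals that disagree (empty list = batch balances)."""
    return [name for name in expected if expected[name] != actual[name]]


def redundant_data_check(inv, master=CUSTOMER_MASTER, prefix_len=3):
    """Confirm that the account number and the first letters of the customer
    name point to the same master record before that record is updated."""
    name_on_file = master.get(inv.customer_id)
    if name_on_file is None:
        return False
    return name_on_file[:prefix_len] == inv.customer_name[:prefix_len]


def simulate_miscoded_invoice(batch, bad_index=2, new_number=230):
    """Copy of the batch with one invoice number transposed (203 -> 230)."""
    out = list(batch)
    inv = out[bad_index]
    out[bad_index] = Invoice(new_number, inv.customer_id, inv.customer_name, inv.amount)
    return out


if __name__ == "__main__":
    expected = control_totals(BATCH)   # totals as recorded on the data control sheet
    print(expected)
    # A transposed invoice number leaves the count and dollar total unchanged;
    # only the hash total reveals it.
    print(compare_totals(expected, control_totals(simulate_miscoded_invoice(BATCH))))
    # A dropped record disturbs all three totals.
    print(compare_totals(expected, control_totals(BATCH[:-1])))
    print([redundant_data_check(inv) for inv in BATCH])
```

The point the example makes visible is that the three totals fail in different ways: a financial total cannot see a miscoded invoice number, and a record count cannot see an altered amount, which is why a batch is normally balanced on all of them.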
126. (b) The requirement is to identify the technique that would most likely detect a nonexistent zip code. Answer (b) is correct because a zip code that is nonexistent would not pass a validity test. It would not be a valid item. Answer (a) is incorrect because a limit test restricts the amount of a transaction that will be processed. Answer (c) is incorrect because a parity test prevents loss of digits in processing. Answer (d) is incorrect because a record count test helps prevent the loss of records.
127. (a) The requirement is to determine whether limit tests and validity check tests are processing controls designed to ensure the reliability and accuracy of data processing. Answer (a) is correct because both a limit test and a validity check test may serve as a control over either inputs or processing in an accounting system. A limit test will establish an upper and/or lower limit as reasonable, with results outside of those limits indicated (e.g., after net pay is calculated, an “error message” is printed for any employee with a weekly salary in excess of a certain amount). A validity check test allows only “valid” transactions or data to be processed in the system (e.g., during the processing of payroll, a control determines whether a paycheck is improperly issued to an ex-employee).
128. (b) The requirement is to identify the activity most likely to be performed in the information systems department. Answer (b) is correct because the conversion of information into machine-readable form is essential to the inputting of data; computer equipment is generally used to perform this function. Answer (a) is incorrect because under good internal control, the initiation of changes to master records should be authorized by functions independent of those which process the records. Answer (c) is incorrect because a separate function should exist to correct transactional errors. Answer (d) is incorrect because changes to computer applications should be initiated by the appropriate user group.
129. (a) The requirement is to determine the errors which a header label is likely to prevent. Since the header label is actually on the magnetic tape, it is the computer operator whose errors will be prevented. Answer (b) is incorrect because the keypunch operator deals with punch cards. Answer (c) is incorrect because the programmer will write the programs and not run them under good internal control. Answer (d) is incorrect because the maintenance technician will not run the magnetic tape.
130. (b) The requirement is to determine the purpose of programming a computer to immediately transmit back to the terminal for display information that has been input on cash disbursements. Answer (b) is correct because the entry of disbursement amounts and the subsequent display of the amounts on the terminal screen will allow the operator to visually verify that the data provided to be input was entered accurately. Answer (a) is incorrect because displaying on the screen the data entered does not ensure the validity of the data, only that the data was entered correctly. Answer (c) is incorrect because no evidence has been provided as to whether the disbursement was authorized. Answer (d) is incorrect because the display of the amount will not be compared to a “correct” amount—only to the amount that was to be input.
131. (b) The requirement is to identify a useful control when computer programs or files can be accessed from terminals. Answer (b) is correct because use of personal identification codes (passwords) will limit access to the programs or files on the terminal to those who know the codes. Answers (a), (c), and (d) are all incorrect because while they list valid controls used in computer systems, none of them require entry of data by the user. A parity check control is a special bit added to each character stored in memory to help detect whether the hardware has lost a bit during the internal movement of that character. A self-diagnosis test is run on a computer to check the internal operations and devices within the computer system. An echo check is primarily used in telecommunications transmissions to determine whether the receiving hardware has received the information sent by the sending hardware.
132. (a) The requirement is to identify the item which would reduce the possibility of erasing a large amount of information stored on magnetic tape. Answer (a) is correct because a file protection ring is a control that ensures that an operator does not erase important information on a magnetic tape. Answer (b) is incorrect because a check digit is a digit added to an identification number to detect entry errors. Answer (c) is incorrect because a completeness test would generally be used to test whether all data were processed. Answer (d) is incorrect because conversion verification would address whether the conversion of data from one form to another (e.g., disk to magnetic tape) was complete.
133. (b) The requirement is to identify the controls most likely to assure that an entity can reconstruct its financial records. Answer (b) is correct because backup diskettes or tapes may be maintained that will provide the information needed to reconstruct financial records. Answer (a) is incorrect because while hardware controls are meant to assure the proper processing of data, when reconstruction is needed, hardware controls will not have the data necessary to reconstruct the financial records. Answer (c) is incorrect because parallel simulations will only occasionally be run and will not maintain adequate data to reconstruct records. Answer (d) is incorrect because while systems flowcharts will provide information on the design of the overall system, they will not assure the reconstruction of financial records.
134. (d) The requirement is to identify the type of input control that is a numeric value computed to provide assurance that the original value has not been altered in construction or transmission. Answer (d) is correct because a check digit is an extra digit added to an identification number to detect such errors. Answer (a) is incorrect because the term “hash total” ordinarily relates to a total of items and is meaningless for financial purposes (e.g., the total of the invoice numbers for a particular day's sales), but has some meaning for processing purposes. Answer (b) is incorrect because a parity check is a process in which a computer reads or receives a set of characters and simultaneously sums the number of 1 bits in each character to verify that it is an even (or alternatively, odd) number. Answer (c) is incorrect because encryption involves a coding of data, ordinarily for purposes of ensuring privacy and accuracy of transmission.
135. (c) The requirement is to identify the best example of a validity check. A validity test compares data (for example, employee, vendor, and other codes) against a master file for authenticity. Answer (c) is correct because the computer flagging of inappropriate transactions due to data in a control field that did not match that of an existing file record is such a test. Answer (a) is incorrect because a limit test ensures that a numerical amount in a record does not exceed some predetermined amount. Answer (b) is incorrect because the resubmission of data is not a validity check. Answer (d) is incorrect because the reading back of data to the terminal is an echo check.
136. (b) The requirement is to identify the type of computer test made to ascertain whether a given characteristic belongs to a group. Answer (b) is correct because a validity check determines whether a character is legitimate per the given character set. Note the validity check determines whether a given character is within the desired group. Answer (a) is incorrect because a parity check is a summation check in which the binary digits of a character are added to determine whether the sum is odd or even. Another bit, the parity bit, is turned on or off so the total number of bits will be odd or even as required. Answer (c) is incorrect because an echo check is a hardware control wherein data is transmitted back to its source and compared to the original data to verify the transmission correctness. Answer (d) is incorrect because a limit or reasonableness check is a programmed control based on specified limits. For example, a calendar month cannot be numbered higher than twelve, or a week cannot have more than 168 hours.
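Answers 126, 127, 135 and 136 describe validity checks (a value must exist in a master file or a permitted set), limit or reasonableness checks, and character-set checks as programmed edit routines. The Python block below is an added example, not code from the review module: it runs those edits over a constructed payroll batch and separates clean transactions from an exception report. The employee master, the set of valid ZIP codes, the limits (50 hours, a weekly net pay ceiling) and the transactions are all constructed sample values.

```python
"""Programmed edit checks over a constructed payroll batch.

Added illustration; not code from the review module. The employee master,
the valid ZIP code list, the limits and the transactions are constructed.
"""
from dataclasses import dataclass

# Constructed employee master file: employee number -> (name, status, ZIP).
EMPLOYEE_MASTER = {
    "100000001": ("ADAMS", "active", "10001"),
    "100000002": ("BROWN", "terminated", "10002"),
    "100000003": ("CHEN", "active", "60601"),
}

# Constructed set of valid ZIP codes (a real system would use a postal table).
VALID_ZIPS = {"10001", "10002", "60601"}

MAX_HOURS_PER_WEEK = 50          # limit check on hours worked
MAX_WEEKLY_NET_PAY = 5000.00     # limit check on calculated net pay
EMPLOYEE_NUMBER_LENGTH = 9       # field size check on the key field


@dataclass(frozen=True)
class PayrollTxn:
    employee_no: str
    name: str
    zip_code: str
    hours: float
    net_pay: float


def edit_transaction(txn, master=EMPLOYEE_MASTER, valid_zips=VALID_ZIPS):
    """Return the list of edit errors for one transaction (empty if clean)."""
    errors = []
    # Character-set and field-size checks on the identification number.
    if not txn.employee_no.isdigit():
        errors.append("employee number: invalid character")
    if len(txn.employee_no) != EMPLOYEE_NUMBER_LENGTH:
        errors.append("employee number: field size")
    # Validity check against the master file: unknown numbers and
    # ex-employees are both rejected before a paycheck is produced.
    record = master.get(txn.employee_no)
    if record is None:
        errors.append("employee number: not on master file")
    else:
        name_on_file, status, _ = record
        if status != "active":
            errors.append("employee number: not an active employee")
        # Control field on the transaction must match the master record.
        if name_on_file[:3] != txn.name[:3]:
            errors.append("name: does not match master record")
    # Validity check on the ZIP code: a nonexistent code is not a valid item.
    if txn.zip_code not in valid_zips:
        errors.append("zip code: nonexistent")
    # Limit (reasonableness) checks on quantities and amounts.
    if not 0 <= txn.hours <= MAX_HOURS_PER_WEEK:
        errors.append("hours: out of range")
    if not 0 <= txn.net_pay <= MAX_WEEKLY_NET_PAY:
        errors.append("net pay: out of range")
    return errors


def edit_batch(batch):
    """Split a batch into accepted transactions and an exception report."""
    accepted, exceptions = [], []
    for txn in batch:
        errs = edit_transaction(txn)
        (exceptions if errs else accepted).append((txn, errs))
    return accepted, exceptions


# Constructed batch: one clean record, one ex-employee, one with several defects.
BATCH = [
    PayrollTxn("100000001", "ADAMS", "10001", 40.0, 1200.00),
    PayrollTxn("100000002", "BROWN", "10002", 38.0, 1100.00),
    PayrollTxn("10000000A", "CHEN", "99999", 61.0, 7200.00),
]

if __name__ == "__main__":
    accepted, exceptions = edit_batch(BATCH)
    print("accepted:", [t.employee_no for t, _ in accepted])
    for txn, errs in exceptions:
        print("rejected", txn.employee_no, errs)
```

Each rejected transaction carries every edit it failed rather than only the first, which is what an exception report needs so that the error-correction function can fix a record in one pass.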
137. (a) The requirement is to identify the type of hardware control that requires the CPU to send signals to the printer to activate the print mechanism for each character. Answer (a) is correct because an echo check or control consists of transmitting data back to the source unit for comparison with the original data that were transmitted. In this case, the print command is sent to the printer and then returned to the CPU to verify that the proper command was received. A validity check [answer (b)] consists of the examination of a bit pattern to determine that the combination is legitimate for the system character set (i.e., that the character represented by the bit combination is valid per the system). Answer (c), a signal control or signal check, appears to be a nonsense term. Answer (d), check digit control, is a programmed control wherein the last character or digit can be calculated from the previous digits.
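Answers 131, 134, 136 and 137 describe two hardware controls: a parity bit appended to each character so that a lost bit is detected, and an echo check in which the receiving unit transmits the data back for comparison. The Python block below is an added simulation, not code from the review module, showing the parity bit being set and checked on constructed 7-bit characters, the case parity cannot detect (two bits lost), and an echo check against a constructed reliable and faulty device.

```python
"""Parity bit and echo check, two hardware controls, simulated in Python.

Added illustration; not code from the review module. Byte values, the
simulated bit loss and the two "printer" channels are constructed.
"""


def parity_of(bits: int) -> int:
    """Number of 1 bits modulo 2 (0 = even count, 1 = odd count)."""
    return bin(bits).count("1") % 2


def add_parity(char: int, even: bool = True) -> int:
    """Place a parity bit in bit 7 of a 7-bit character so the total number
    of 1 bits in the byte is even (or odd when even=False)."""
    if not 0 <= char < 128:
        raise ValueError("expected a 7-bit character")
    want = 0 if even else 1
    parity_bit = parity_of(char) ^ want
    return (parity_bit << 7) | char


def parity_ok(word: int, even: bool = True) -> bool:
    """Check a received byte: the 1-bit count must still have the chosen parity."""
    want = 0 if even else 1
    return parity_of(word & 0xFF) == want


def strip_parity(word: int) -> int:
    """Recover the 7-bit character once the parity check has passed."""
    return word & 0x7F


def drop_bit(word: int, position: int) -> int:
    """Simulate the hardware losing one bit during internal movement."""
    return word & ~(1 << position)


def echo_check(command: bytes, channel) -> bool:
    """Send a command through `channel` (a callable returning what the device
    reports it received) and compare the echo with what was sent."""
    return channel(command) == command


# Constructed devices: one echoes faithfully, one corrupts the last byte.
def reliable_printer(cmd: bytes) -> bytes:
    return cmd


def faulty_printer(cmd: bytes) -> bytes:
    return cmd[:-1] + bytes([cmd[-1] ^ 0x01]) if cmd else cmd


if __name__ == "__main__":
    word = add_parity(0x43)                    # 'C' = 1000011, three 1 bits -> parity bit set
    print(hex(word), parity_ok(word))          # 0xc3 True
    print(parity_ok(drop_bit(word, 1)))        # one lost bit: False (detected)
    print(parity_ok(drop_bit(drop_bit(word, 1), 0)))  # two lost bits: True (undetected)
    print(echo_check(b"PRINT A", reliable_printer), echo_check(b"PRINT A", faulty_printer))
```

The two-bit case is the caveat a practitioner should keep in mind: a single parity bit detects any odd number of flipped bits and misses any even number, which is why it is a hardware control over bit loss in memory and not a substitute for the batch totals used on data.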
138. (b) The requirement is to identify an example of a check digit. Answer (b) is correct because a check digit is an extra digit in an identification number, algebraically determined, that detects specified types of data input, transmission, or conversion errors. Answer (a) is incorrect because the agreement of the total number of employees to the checks printed is an example of a control total. Answer (c) is incorrect because ensuring that all employee numbers are nine digits could be considered a logic check, a field size check, or a missing data check. Answer (d) is incorrect because determining that no employee has more than fifty hours per workweek is a limit check.
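Answers 120, 125, 134 and 138 all describe a check digit as an extra digit, algebraically derived from the other digits, that detects input, transmission and conversion errors in an identification number. The Python block below is an added example, not code from the review module, which names no particular scheme: the weighted modulus-11 arithmetic (ISBN-10 style, with "X" standing for a remainder of 10) is an assumption chosen because it detects every single-digit substitution and every adjacent transposition, and the product number is constructed.

```python
"""Check digit computation and verification for identification numbers.

Added illustration; not code from the review module. The weighted
modulus-11 scheme (ISBN-10 style) is an assumption; the product numbers
are constructed sample values.
"""

MODULUS = 11


def compute_check_digit(base: str) -> str:
    """Check character for a string of digits.

    Digits are weighted n+1 .. 2 from the left; the check character is chosen
    so that the weighted sum of the full number is 0 modulo 11.
    """
    if not base.isdigit():
        raise ValueError("base must be all digits")
    n = len(base)
    total = sum(int(d) * (n + 1 - i) for i, d in enumerate(base))
    remainder = (-total) % MODULUS
    return "X" if remainder == 10 else str(remainder)


def with_check_digit(base: str) -> str:
    return base + compute_check_digit(base)


def is_valid(number: str) -> bool:
    """True when the weighted sum over all characters (weights n .. 1) is 0 mod 11."""
    if len(number) < 2 or not number[:-1].isdigit():
        return False
    values = [int(c) for c in number[:-1]]
    last = number[-1]
    if last == "X":
        values.append(10)
    elif last.isdigit():
        values.append(int(last))
    else:
        return False
    n = len(values)
    return sum(v * (n - i) for i, v in enumerate(values)) % MODULUS == 0


def single_digit_errors(number: str):
    """Every variant of `number` with exactly one data digit changed."""
    for i, c in enumerate(number[:-1]):
        for d in "0123456789":
            if d != c:
                yield number[:i] + d + number[i + 1:]


def adjacent_transpositions(number: str):
    """Every variant with two neighbouring data digits swapped."""
    for i in range(len(number) - 2):
        if number[i] != number[i + 1]:
            yield number[:i] + number[i + 1] + number[i] + number[i + 2:]


if __name__ == "__main__":
    product = with_check_digit("4815162")       # constructed product number
    print(product, is_valid(product))            # 48151629 True
    print(is_valid("48161629"))                  # one digit miskeyed: False
    print(is_valid("48516129"))                  # digits transposed: False
    print(all(not is_valid(v) for v in single_digit_errors(product)))
    print(all(not is_valid(v) for v in adjacent_transpositions(product)))
```

Because 11 is prime and the weights of neighbouring positions differ by exactly 1, no single substitution or adjacent swap can leave the weighted sum divisible by 11; the two generator functions let the reader confirm that exhaustively for any number rather than take it on faith. A modulus-10 scheme would fit in one decimal digit but misses some transpositions.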
139. (b) The requirement is to determine the most likely significant deficiency in internal control. Answer (b) is correct because the systems programmer should not maintain custody of output in a computerized system. At a minimum, the programming, operating, and library functions should be segregated in such computer systems.
140. (c) The requirement is to identify the weakness in internal control relating to a function performed by computer department personnel. Answer (c) is correct because individuals outside of the computer department should originate changes in master files; this separates the authorization of changes from the actual processing of records. Answer (a) is incorrect because participation of computer department personnel in making computer software acquisition decisions is often appropriate and desirable given their expertise in the area. Answer (b) is incorrect for similar reasons as (a). In addition, computer department personnel will often be able to effectively design the required documentation for computerized systems. Answer (d) is incorrect because the physical security for program files may appropriately be assigned to a library function within the computer department.
141. (b) The requirement is to identify the activity most likely to detect whether payroll data were altered during processing. Answer (b) is correct because test data may be used to provide evidence on whether edit routines (routines to check the validity and accuracy of input data) are operating and have not been altered. Answer (a) is incorrect because the distribution of any data control sheets will provide little information on altered data. Answer (c) is incorrect because the approval of source documents is not at issue—it is the alteration of payroll data. Answer (d) is incorrect because any segregation activities may eliminate future alterations, but would have little effect on prior alterations.
142. (a) The requirement is to identify the tool that would best give a graphical representation of a sequence of activities and decisions. Answer (a) is correct because a flowchart is a graphical representation of a sequence of activities and decisions. Answer (b) is incorrect because a control chart is used to monitor actual versus desired quality measurements during repetitive operation. Answer (c) is incorrect because a histogram is a bar chart showing conformance to a standard bell curve. Answer (d) is incorrect because a run chart tracks the frequency or amount of a given variable over time.
143. (c) The requirement is to determine what the symbol A represents in the flowchart of a client's revenue cycle. Answer (c) is correct because the accounts receivable master file will be accessed during the revenue cycle and does not appear elsewhere on the flowchart. Answers (a), (b), and (d) are all incorrect because remittance advices, receiving reports, and cash disbursements transaction files are not primary transaction files accessed during the revenue cycle.
144. (d) The requirement is to determine what the symbol B represents in the flowchart of a client's revenue cycle. Answer (d) is correct because it represents the only major document of the revenue cycle that is not presented elsewhere on the flowchart and because one would expect generation of a sales invoice in the cycle. Answer (a) is incorrect because the customer order appears in the top left portion of the flowchart. Answer (b) is incorrect because no receiving report is being generated during the revenue cycle. Answer (c) is incorrect because the customer's check (remittance) is represented on the top portion of the flowchart.
145. (d) The requirement is to identify the correct statement concerning an auditor's flowchart of a client's accounting system. Answer (d) is correct because a flowchart is a diagrammatic representation that depicts the auditor's understanding of the system. See AU 319 for various procedures auditors use to document their understanding of internal control. Answer (a) is incorrect because the flowchart depicts the auditor's understanding of the system, not the assessment of control risk. Answer (b) is incorrect because while the flowchart may be used to identify weaknesses, it depicts the entire system—strengths as well as weaknesses. Answer (c) is incorrect because the flowchart is of the accounting system, not of the control environment.
146. (b) The requirement is to determine the approach illustrated in the flowchart. Answer (b) is correct because parallel simulation involves processing actual client data through an auditor's program. Answer (a) is incorrect because program code checking involves an analysis of the client's actual program. Answer (c) is incorrect because an integrated test facility approach introduces dummy transactions into a system in the midst of live transaction processing and is usually built into the system during the original design. Answer (d) is incorrect because controlled reprocessing often includes using the auditor's copy of a client program, rather than the auditor's program.
147. (b) The requirement is to identify the item represented by the “X” on the flowchart. Answer (b) is correct because the existence of a credit memo, in addition to a sales invoice, would indicate that this portion of the flowchart deals with cash receipts; therefore, the “X” would represent the remittance advices. Thus, the receipt transactions are credited to the accounts receivable master file, and an updated master file, a register of receipts, and exception reports are generated. Answer (a) is incorrect because an auditor's test data will not result in an input into the transactions file. Answer (c) is incorrect because since no processing has occurred at the point in question—an error report is unlikely. Answer (d) is incorrect because credit authorization will generally occur prior to the preparation of credit memos.
148. (d) The requirement is to determine the symbolic representations that indicate that a file has been consulted. Answer (d) indicates that a manual operation (the trapezoid symbol) is accessing data from a file and returning the data to the file (i.e., “consulting” the file). Answer (a) is incorrect because it represents a processing step (the rectangle) being followed by a manual operation. Answer (b) is incorrect because it represents a document being filed. Answer (c) is incorrect because the diamond symbol represents a decision process.
149. (c) The requirement is to determine a benefit of a well-prepared flowchart. Answer (c) is correct because a flowchart may be used to document the auditor's understanding of the flow of transactions and documents. Answer (a) is incorrect because while an audit procedures manual may suggest the use of flowcharts, flowcharts will not in general be used to prepare such a manual. Answer (b) is less accurate than (c) because while it may be possible to obtain general information on various jobs, the flowchart will not allow one to obtain a detailed job description. Answer (d) is incorrect because a flowchart does not directly address the actual accuracy of financial data within a system.
Tintco, Inc. is a distributor of auto supplies. Currently, the corporation has a batch processing system for processing all transactions and maintaining its inventory records. Batches are processed monthly. George Wilson, the chief information officer for the corporation, is considering adopting an online, real-time processing system. He has asked you (a consultant) to prepare a memorandum describing the advantages of adopting such a system for the corporation.
REMINDER: Your response will be graded for both technical content and writing skills. Technical content will be evaluated for information that is helpful to the intended reader and clearly relevant to the issue. Writing skills will be evaluated for development, organization, and the appropriate expression of ideas in professional correspondence. Use a standard business memo or letter format with a clear beginning, middle, and end. Do not convey information in the form of a table, bullet point list, or other abbreviated presentation.
To: Mr. George Wilson, CIO, Tintco, Inc.
From: CPA Candidate
As you requested, this memorandum describes the advantages of implementing an online, real-time processing system for inventory. As you are aware, the firm currently uses a batch processing system that processes transactions monthly. The primary advantage of an online, real-time processing system is that it provides timely information for decision making. With your batch system you have current and accurate information about inventory only monthly when the records are updated. Therefore, decisions about ordering inventory, valuation of inventory, and company profitability are not based on timely information. As a result, management cannot do a very good job of managing inventory. If the company implements an online, real-time system, information about inventory levels, inventory investment, and cost of goods sold would be available on a continuous basis. As a result, business decisions will be based on accurate and timely information. This should result in much better decisions and better financial performance.
It is clear that an online, real-time inventory system is superior to your current batch processing system. If you would like to have additional information about implementation of a new inventory processing system, please contact me.
** CMA adapted