Module 41: Information Technology


Overview

Computers are now the primary means of processing financial accounting information, so auditors must be able to use and understand current information technology. Accordingly, knowledge of information technology implications is included in the Business Environment and Concepts section of the CPA exam. In addition, auditing procedures relating to information technology (IT) are included in the Auditing and Attestation portion of the CPA exam.

This module describes various types of information technology and describes the major types of controls that are used to assure the accuracy, completeness, and integrity of technology-processed information.

Ideally, to effectively reply to technology-related questions, you should have previously studied or worked in computerized business environments. However, if you do not have this background, we believe that the information in this module should prepare you to perform reasonably well on a typical exam. Keep in mind that the review of these materials cannot make you an expert, and a module such as this cannot cover all possible topics related to information technology. However, this material should help you to understand the complexities introduced by computers in sufficient detail to answer most questions.

A. Information Systems Within a Business

  1. Definition—An information system processes data and transactions to provide users with the information they need to plan, control and operate an organization, including
    1. Collecting transaction and other data
    2. Entering it into the information system
    3. Processing the data
    4. Providing users with the information needed
    5. Controlling the process
  2. Manual vs. Computer Systems
    1. On an overall basis, manual accounting systems have in most circumstances been replaced by computerized accounting information systems of various types, although portions of many systems remain manual.
    2. Computer processing reduces processing time and, provided the programs themselves are correct and fraud is not involved, eliminates computational errors and errors in processing routine transactions. The trade-off is that a single program error is applied consistently to every transaction the program handles, which is one reason the controls described in this module matter.
  3. General Types of IT Systems
    1. Office automation systems—Designed to improve productivity by supporting daily work of employees (e.g., word processing, spreadsheets, presentation tools, e-mail, electronic calendars, contact management software)
    2. Transaction processing systems—Involve the daily processing of transactions (e.g., airplane reservation systems, payroll recording, cash receipts, cash disbursements)
    3. Management reporting systems—Designed to help with the decision-making process by providing access to computer data
      • (1) Management information systems—Systems designed to provide past, present and future information for planning, organizing and controlling the operations of the organization
      • (2) Decision support systems—Computer-based information systems that combine models and data to resolve nonstructured problems with extensive user involvement
      • (3) Expert systems—Computer systems that apply reasoning methods to data in a specific relatively structured area to render advice or recommendations, much like a human expert
      • (4) Executive information systems—Computerized systems that are specifically designed to support executive work

    NOTE: It is helpful to consider these two distinct roles for systems—that is, (a) recording transactions of various types versus (b) providing support for decision making. These topics are discussed in detail under Section B.2. (Methods of Processing).

  4. Systems Design and Process Improvement

    Designing and implementing a new information and control system provides an opportunity to reexamine business processes, especially if the new system is an enterprise resource planning (ERP) system. Management can take advantage of the capabilities of the technology to redesign business processes making them more efficient and effective. The traditional methodology for developing information systems is the systems development lifecycle (SDLC). This methodology is characterized by its phases, each representing a specific set of development activities. Typically, the SDLC phases include: planning, analysis, design, development, testing, implementation, and maintenance.

    1. The Planning Phase

      Major activities in the planning phase include

      • (1) Identify the problem(s) the proposed system will solve.
      • (2) Define the system to be developed. This involves identifying and selecting the system to be developed based on the strategic goals of the organization.
      • (3) Determine the project scope. This activity sets the project's boundaries by providing a clear understanding of what the new system will do and how it will be evaluated. A project scope document is used to describe the project scope. During the process of systems design, the scope of the project may be revisited and revised.
      • (4) Develop a project plan. The project plan defines the activities that will be performed, and the individuals and resources that will be used. A project manager is the individual who develops the plan and tracks its progress. The plan establishes project milestones which set forth dates by which certain activities need to be performed.
      • (5) Evaluate the initial feasibility of the project. Feasibility analysis may involve multiple measures including determining the project's technical, organizational, and economic feasibility.
    2. The Analysis Phase

      This phase involves teams including end users, information technology specialists, systems analysts, and process design specialists working to understand the requirements for the proposed system. Typically, processing, data, and logic models are produced during this phase to help determine the system requirements. A needs assessment may also be performed. A needs assessment determines the requirements for the system in terms of processes, data capture, information and reporting. Next, the existing system is analyzed along the same dimensions. Then, a gap analysis examines the differences (gaps) between the required system and the existing system. Finally, priorities are established for the gaps (requirements) and documented in a requirements definition document, which receives sign-off from the end users. It is during this phase that a company can take advantage of the processes inherent in the new system to improve existing processes. System specification documents contain information on basic requirements, which include

      • (1) Performance levels
      • (2) Reliability
      • (3) Quality
      • (4) Interfaces
      • (5) Security and privacy
      • (6) Constraints and limitations
      • (7) Functional capabilities
      • (8) Data structures and elements
    3. The Design Phase

      The primary goal of the design phase is to build a technical blueprint of how the proposed system will work. The components that are typically designed during this phase include

      • (1) Databases
      • (2) User interfaces for input and output
      • (3) Required reports
      • (4) Programs
      • (5) Infrastructure and controls
    4. The Development Phase

      During the development phase the documents from the design phase are transformed into the actual system. In this phase the platform on which the system is to operate is built, or purchased off-the-shelf and customized, and the databases are developed.

    5. The Testing Phase

      The testing phase involves verifying that the system works and meets the business requirements as set forth in the analysis phase. The testing phase is obviously critical. The following types of test should be performed:

      • (1) Unit testing. Unit testing involves testing the individual units or pieces of code in isolation.
      • (2) Integration testing. Integration testing involves testing whether the units or pieces of code work correctly when combined, including the interfaces between them and with other systems.
      • (3) System testing. System testing involves testing the complete, integrated system against the requirements defined in the analysis phase.
      • (4) User acceptance testing. User acceptance testing determines whether the system meets the business requirements and enables users to perform their jobs efficiently and effectively.
    6. The Implementation Phase

      The implementation phase involves putting the system in operation by the users. In order to effectively implement the system detailed user documentation must be provided to the users, and the users must be adequately trained. An organization may choose from a number of implementation methods including:

      • (1) Parallel implementation. This method uses both systems until it is determined that the new system is operating properly. This has the advantage of a full operational test of the new system with less risk of a system disaster. The disadvantage of this method is the additional work and cost during the period in which both systems are operating.
      • (2) Plunge (direct cutover) implementation. Using this method the organization ceases using the old system and begins using the new system immediately. This method is less costly than the parallel method, but it has a higher risk of a system breakdown because there is no old system to fall back on.
      • (3) Pilot implementation. This method involves having a small group of individuals using the new system until it is seen to be working properly. This has the advantage of providing a partial operational test of the new system at a lower cost than parallel implementation.
      • (4) Phased implementation. This method involves installing the system in a series of phases.
    7. The Maintenance Phase

      This phase involves monitoring and supporting the new system. In this phase the organization provides ongoing training, help desk resources, and a system for making authorized and tested changes to the system.

      NOW REVIEW MULTIPLE-CHOICE QUESTIONS 1 THROUGH 14

B. Characteristics of IT Systems—General

  1. Types of Computers, Hardware, and Software
    1. Types of computers (in order of size and power)
      • (1) Supercomputers—Extremely powerful, high-speed computers used for extremely high-volume and/or complex processing needs.
      • (2) Mainframe computers—Large, powerful, high-speed computers. While less powerful than supercomputers, they have traditionally been used for high-volume transaction processing. Clusters of lower cost, less powerful “servers” are increasingly taking over the processing chores of mainframe computers.
      • (3) Servers—High-powered microcomputers that “serve” applications and data to clients that are connected via a network (e.g., web servers, database servers). Servers typically have greater capacity (faster processors, more RAM, more storage capacity) than their clients (microcomputers) and often act as a central repository for organizational data. Servers today are often virtualized: a layer of software called a hypervisor lets several operating systems, each in its own “virtual machine,” coexist and run simultaneously on the same physical machine. Virtual machines are appealing because they lower hardware costs and create energy savings.
      • (4) Microcomputers (e.g., desktop computers, laptop computers)—Designed to be used by one person at a time, they are often called personal computers. Typically used for word processing, e-mail, spreadsheets, surfing the web, creating and editing graphics, playing music, and gaming.
      • (5) Tablets/Smart Phones/Personal Digital Assistants (e.g., iPad, iPhone, Android, Blackberry)—These are typically smaller, handheld wireless devices that depend on WiFi and/or cellular technology for communication. Many of these devices support touch screen input.
    2. Hardware—Physical equipment
      • (1) Central processing unit (CPU)—The principal hardware component of a computer. It contains an arithmetic/logic unit and a control unit and works closely with primary memory. The major function of the CPU is to fetch stored instructions and data, decode the instructions, and carry out the instructions.
        • (a) Arithmetic/logic unit—Performs mathematical operations and logical comparisons.
        • (b) Primary memory (storage)—Active data and program steps that are being processed by the CPU. It may be divided into RAM (random-access memory) and ROM (read-only memory). Application programs and data are stored in the RAM at execution time.
        • (c) Control unit—Interprets program instructions and coordinates input, output, and storage devices.
      • (2) Secondary storage
        • (a) Storage devices
          • 1] Magnetic tape—Slowest type of storage for retrieving a particular record, because data is stored and must be read sequentially. Primarily used for archiving and backup today.
          • 2] Magnetic disks—The most common storage medium in use on computers today. Magnetic disks are also called “hard disks” or “hard disk drives” (HDD). Data can be accessed directly.
          • 3] RAID (Redundant array of independent [previously, inexpensive] disks)—A way of storing data redundantly across multiple magnetic disks so that the failure of one disk does not cause loss of data
            • a] When originally recorded, data is written to more than one disk (mirroring), or parity information computed across the disks is written alongside it, so that any one disk's contents can be reconstructed from the others.
            • b] If a disk fails, the remaining disks still hold (or can reconstruct) the information and operation continues. Two caveats: not every RAID level is redundant (RAID 0 only stripes data across disks for speed), and RAID protects only against disk hardware failure. A file that is deleted, corrupted, or encrypted by malware is faithfully written to every disk in the array, so RAID is not a substitute for backups.
          • 4] Compact Discs—Discs (CDs) and Digital Video Discs (DVDs)—Both are the same physical size and both use optical technology to read and write data to the disc.
          • 5] Solid State Drives (SSDs)—Use flash memory chips to store data and have no moving parts for read/write operations. SSDs are faster, and more expensive per gigabyte, than HDDs, and have largely replaced HDDs as the primary storage device in new microcomputers; HDDs remain cheaper per gigabyte for bulk storage. USB “thumb drives” or “flash drives” use the same kind of flash memory but are separate, simpler devices that plug into a USB port.
          • 6] Cloud-Based Storage—Also called “Storage as a Service” (STaaS; not to be confused with Software as a Service, SaaS). This type of storage is hosted offsite, typically by a third party, and is accessed via the Internet.
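The redundancy described in 3] above can be shown concretely. The following Python example is added here and is not part of the original module. It simulates RAID 1 mirroring and, going beyond the page's mirroring description, the XOR parity used by RAID 5, using constructed 4-byte “blocks” in place of disk sectors (the block contents and function names are assumptions for illustration). It also demonstrates the caveat in b]: a deletion is carried into the parity, so rebuilding a failed disk recovers the deleted state, not the original data.

```python
from functools import reduce

def xor_blocks(blocks):
    """XOR equal-length byte strings together; XOR is the parity operation."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))

def mirror(block):
    """RAID 1: the same block is written to two disks (what the page describes)."""
    return [block, block]

def build_stripe(data_blocks):
    """RAID 5 style stripe: the data blocks plus one parity block that is the
    XOR of all of them. Any single block can then be rebuilt from the rest."""
    data_blocks = list(data_blocks)
    return data_blocks + [xor_blocks(data_blocks)]

def reconstruct(stripe, failed_index):
    """Rebuild the block at failed_index (data or parity) from the survivors.
    Because x ^ x == 0, XOR-ing every other block leaves exactly the lost one."""
    survivors = [blk for i, blk in enumerate(stripe) if i != failed_index]
    return xor_blocks(survivors)

def overwrite_block(stripe, index, new_data):
    """Write one data block the way a RAID 5 controller does it:
    new parity = old parity ^ old data ^ new data (no need to reread the rest)."""
    parity_index = len(stripe) - 1
    if index == parity_index:
        raise ValueError("parity is derived from the data, not written directly")
    updated = list(stripe)
    updated[parity_index] = xor_blocks([stripe[parity_index], stripe[index], new_data])
    updated[index] = new_data
    return updated

# Constructed sample data: three 4-byte "disk blocks" forming one stripe.
DATA = [b"ACCT", b"1234", b"\x00\x07\xff\x10"]

def rebuild_after_delete():
    """Show the limit of redundancy: after block 1 is overwritten with zeros
    (a 'delete'), losing and rebuilding that disk yields the zeros, not b'1234'."""
    stripe = build_stripe(DATA)
    wiped = overwrite_block(stripe, 1, b"\x00" * 4)
    return reconstruct(wiped, 1)
```

`reconstruct(build_stripe(DATA), i)` returns the original block for every `i`, including the parity block itself; `rebuild_after_delete()` returns four zero bytes, which is the point of the caveat: the array did exactly what it was told.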
        • (b) Manner in which information is represented in a computer
          • 1] Digital—A series of binary digits (0s and 1s). One binary digit is called a “bit.” A series of 8 bits is referred to as a “byte.” One byte can form a letter, a number, or a special character (e.g., 00000111 is the binary equivalent of the decimal number 7).
          • 2] Analog—The representation that is produced by the fluctuations of a continuous signal (e.g., speech, temperature, weight, speed, etc.). Rather than using 0s and 1s to represent information, analog signals use electrical, mechanical, hydraulic or pneumatic devices to transmit the fluctuations in the signal itself to represent information.
        • (c) Related computer terms
          • 1] Online—Equipment in direct communication with, and under the control of, the CPU. Online also refers to having a connection to the Internet.
          • 2] Off-line—Equipment not in direct communication with the CPU; the operator generally must intervene to connect off-line equipment or data to the CPU (e.g., mount a magnetic tape of archival data). Off-line also refers to the absence of an Internet connection.
          • 3] Console—A terminal used for communication between the operator and the computer (e.g., the operator of a mainframe computer)
          • 4] Peripheral equipment—All non-CPU hardware that may be placed under the control of the central processor. Classified as online or off-line, this equipment consists of input, storage, output, and communication.
          • 5] Controllers—Hardware units designed to operate specific input-output units
          • 6] Buffer—A temporary storage unit used to hold data during computer operations
          • 7] MIPS—Millions of instructions per second; a unit for measuring the execution speed of computers
      • (3) Input devices
        • (a) Keying data—Data entry devices
          • 1] Key-to-tape and key-to-disk in which data is entered on magnetic tape and/or disk respectively, and then read into a computer
        • (b) Online entry
          • 1] Visual display terminal/monitor—Used with a keyboard to enter data directly into the computer
            • a] Input interface—A program that controls the display for the user (usually on a computer monitor) and that allows the user to interact with the system
            • b] Graphical user interface (GUI) uses icons, pictures, and menus instead of text for inputs (e.g., Windows).
            • c] Command line interface—Uses text-type commands
          • 2] Mouse, joystick, light pens—Familiar devices that allow data entry
          • 3] Touch-sensitive screen—Allows users to enter data from a menu of items by touching the surface of the monitor
        • (c) Turnaround documents—Documents that are sent to the customer and returned as inputs (e.g., utility bills)
        • (d) Automated source data input devices
          • 1] Magnetic tape reader—A device capable of sensing information recorded as magnetic spots on magnetic tape
          • 2] Magnetic ink character reader (MICR)—Device that reads characters that have been encoded with a magnetic ink (e.g., bank check readers)
          • 3] Scanner—A device that reads characters on printed pages
          • 4] Automatic teller machine (ATM)—A machine used to execute and record transactions with financial institutions
          • 5] Radio Frequency Identification (RFID)—Uses radio waves to track and input data. Increasingly used for inventory and contactless payment systems. RFID tags can be read wirelessly by RFID readers; does not require line-of-sight access like bar code technology (e.g., Mobil's Speedpass® payment systems, FasTrak® toll collection system).
          • 6] Point-of-sale (POS) recorders—Devices that read price and product code data (e.g., recall purchasing groceries—items are frequently passed over a POS recorder). POS recorders ordinarily function as both a terminal and a cash register.
            • a] POS processing allows one to record and track customer orders, process credit and debit cards, connect to other systems in a network, and manage inventory. Generally, a POS terminal has as its core a personal computer, which is provided with application-specific programs and input/output devices for the particular environment in which it will serve.
            • b] POS terminals are used in most industries that have a point of sale such as a service desk, including restaurants, lodging, entertainment, and museums. For example, a POS system for a restaurant is likely to have all menu items stored in a database that can be queried for information in a number of ways.
            • c] Increasingly, POS terminals are also Web-enabled, which makes remote training and operation possible, as well as inventory tracking across geographically dispersed locations.
          • 7] Voice recognition—A system that recognizes spoken words and converts them into text or commands for a computer.
        • (e) Electronic commerce and electronic data interchange—Involves one company's computer communicating with another's computer. For example, a buyer electronically sending a purchase order to a supplier. Discussed in further detail in Section C.5. of this module.
      • (4) Output devices
        • (a) Many automated source data input devices and electronic commerce/electronic data interchange devices [(3)(d) and (e) above] are capable of outputting data (“writing” in addition to “reading”) and therefore become output devices as well as input devices.
        • (b) Monitors—Visually display output
        • (c) Printers—Produce paper output
        • (d) Plotters—Produce paper output of graphs
        • (e) Computer output to microfilm or microfiche (COM)—Makes use of photographic process to store output
    3. Software—Computer programs that control hardware
      • (1) Systems software
        • (a) Operating system—Manages the input, output, processing and storage devices and operations of a computer (e.g., Windows, Linux, Unix)
          • 1] Performs scheduling, resource allocation, and data retrieval based on instructions provided in job control language
        • (b) Utility programs—Handle common file, data manipulation and “housekeeping” tasks
        • (c) Communications software—Controls and supports transmission between computers, computers and monitors, and accesses various databases
      • (2) Applications software—Programs designed for specific uses, or “applications,” such as
        • (a) Word processing, graphics, spreadsheets, email, and database systems
        • (b) Accounting software
          • 1] Low-end—All in one package, designed for small organizations
          • 2] High-end—Ordinarily in modules (e.g., general ledger, receivables)
          • 3] Enterprise Resource Planning (ERP)—Designed as relatively complete information system “suites” for large and medium size organizations (e.g., human resources, financial applications, manufacturing, distribution). Major vendors are well known—SAP and Oracle (PeopleSoft and J.D. Edwards, once independent vendors, are now Oracle product lines).
            • a] Advantages of ERP systems—Integration of various portions of the information system, direct electronic communication with suppliers and customers, increased responsiveness to information requests for decision-making
            • b] Disadvantages of ERP systems—Complexity, costs, integration with supplier and customer systems may be more difficult than anticipated
      • (3) Software terms
        • (a) Compiler—Produces a machine language object program from a source program language
        • (b) Multiprocessing—Truly simultaneous execution of two or more tasks on two or more CPUs (or CPU cores) that are part of the same system
        • (c) Multitasking—Concurrent processing of several jobs on a single CPU by switching rapidly among them, so that they appear to run simultaneously
        • (d) Object program—The converted source program that was changed using a compiler to create a set of machine readable instructions that the CPU understands
        • (e) Source program—A program written in a language from which statements are translated into machine language; computer programming has developed in “generations”
          • 1] Machine language (composed of combinations of 1's and 0's that are meaningful to the computer).
          • 2] Assembly language—A low-level programming language that uses words (mnemonics) instead of numbers to perform an operation. Assembly language must be translated to machine language by a utility program called an assembler. Generally, an assembly language is specific to a computer architecture and is therefore not portable like most high-level languages.
          • 3] “High-level” programming languages such as COBOL, Basic, Fortran, C++, and Java.
            • a] C++ and Java are object-oriented programming (OOP) languages, in that they are based on the concept of an “object,” a data structure together with the set of routines, called “methods,” that operate on its data. Objects promote efficiency in that they are often reusable in other programs.
            • b] Object-oriented programs keep together data structures and procedures (methods) through a procedure referred to as encapsulation. Basic to object-oriented programs are the concepts of a class (a set of objects with similar structures) and inheritance (the ability to create new classes from existing classes).
          • 4] An “application-specific” language usually built around database systems. These programs are ordinarily closer to human languages than the first three generations (e.g., SQL, Structured Query Language: an instruction to create a report might be Extract all Customers where “Name” is Jones).
          • 5] A relatively new and developing form that includes visual or graphical interfaces used to create source language that is usually compiled with a 3rd or 4th generation language compiler.
        • (f) Virtual memory (storage)—Online secondary memory that is used as an extension of primary memory, thus giving the appearance of larger, virtually unlimited internal memory
        • (g) Protocol—Rules determining the required format and methods for transmission of data
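The fourth-generation instruction in 4] above (“Extract all Customers where Name is Jones”) is a SELECT statement in SQL. The following Python example, added here and not part of the original module, runs it against a small constructed Customers table in an in-memory SQLite database (the table, its rows, and the function names are assumptions for illustration). It shows the same query built two ways: by pasting the name into the SQL text, and by passing it as a bound parameter. The difference matters because a 4GL statement is itself a program: if user-supplied text becomes part of the statement, the user can change what the statement does.

```python
import sqlite3

# Constructed sample table; names and rows are illustrative only.
CUSTOMERS = [
    (1, "Jones", "Minneapolis"),
    (2, "Smith", "Santa Fe"),
    (3, "Jones", "Boston"),
]

def open_db():
    """Build an in-memory Customers table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (Id INTEGER PRIMARY KEY, Name TEXT, City TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn

def customers_named_unsafe(conn, name):
    """The 4GL statement built by string concatenation (shown as the weak form).
    Whatever is in `name` becomes part of the program text the DBMS executes."""
    sql = "SELECT Id, Name, City FROM Customers WHERE Name = '" + name + "' ORDER BY Id"
    return conn.execute(sql).fetchall()

def customers_named(conn, name):
    """The same statement with a bound parameter. The DBMS parses the fixed
    statement first, then supplies `name` purely as a value to compare against."""
    sql = "SELECT Id, Name, City FROM Customers WHERE Name = ? ORDER BY Id"
    return conn.execute(sql, (name,)).fetchall()

def demo():
    """Run both forms with a normal name and with input crafted to alter the WHERE clause."""
    conn = open_db()
    hostile = "x' OR '1'='1"   # closes the quoted value and appends an always-true test
    return {
        "jones": customers_named(conn, "Jones"),
        "unsafe_with_hostile_input": customers_named_unsafe(conn, hostile),
        "safe_with_hostile_input": customers_named(conn, hostile),
    }
```

With the name “Jones” both functions return the two Jones rows. With the crafted input, the concatenated statement becomes `WHERE Name = 'x' OR '1'='1'` and returns every customer, while the parameterized statement looks for a customer literally named `x' OR '1'='1` and returns nothing.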
      • (4) Programming terms
        • (a) Desk checking—Review of a program by the programmer for errors before the program is run and debugged on the computer
        • (b) Debug—To find and eliminate errors in a computer program. Many compilers assist debugging by listing errors such as invalid commands in the program.
        • (c) Edit—To correct input data prior to processing
        • (d) Loop—A set of program instructions performed repetitively a predetermined number of times, or until all of a particular type of data has been processed
        • (e) Memory dump—A listing of the contents of storage
        • (f) Patch—A section of coding inserted into a program to correct a mistake or to alter a routine
        • (g) Run—A complete cycle of a program including input, processing and output
  2. Methods of Processing
    1. Batch or online real-time
      • (1) Batch
        • (a) Transactions flow through the system in groups of like transactions (batches). For example, all cash receipts on accounts receivable for a day may be aggregated and run as a batch.
        • (b) Ordinarily leaves a relatively easy-to-follow audit trail.
      • (2) Online real-time (also referred to as direct access processing)

        General: Transactions are processed in the order in which they occur, regardless of type. Data files and programs are stored online so that updating can take place as the edited data flows to the application. System security must be in place to restrict access to programs and data to authorized persons. Online systems are often categorized as being either online transaction processing systems or online analytical processing systems.

        • (a) Online transaction processing (OLTP)
          • 1] Databases that support day-to-day operations
          • 2] Examples: airline reservations systems, bank automatic teller systems, and Internet website sales systems
        • (b) Online analytical processing (OLAP)
          • 1] A category of software technology that enables the user to query the system (retrieve data) and conduct an analysis, ordinarily from a PC, with results generated in seconds. OLAP systems are used primarily for analysis and decision support rather than for recording transactions.

            EXAMPLE

            An airline's management downloads its OLTP reservation information into another database to allow analysis of that reservation information. At a minimum, this allows analysis without tying up the OLTP system that is used on a continuous basis; the restructuring of the data into another database is also likely to make a more detailed analysis possible.

          • 2] Uses statistical and graphical tools that provide users with various (often multidimensional) views of their data, and allows them to analyze the data in detail.
          • 3] These techniques are used as decision support systems (computer-based information systems that combine models and data in an attempt to solve relatively unstructured problems with extensive user involvement).
          • 4] One approach to OLAP is to periodically download and combine operational databases into a data warehouse (a subject-oriented, integrated collection of data used to support management decision-making processes) or a data mart (a data warehouse that is limited in scope).
            • a] Data mining—Using sophisticated techniques from statistics, artificial intelligence and computer graphics to explain, confirm and explore relationships among data (which is often stored in a data warehouse or data mart)
            • b] Business intelligence (BI)—A combination of systems that help aggregate, access, and analyze business data and assist in the business decision-making process.
          • 5] Artificial intelligence (AI)—Computer software designed to help humans make decisions. AI may be viewed as an attempt to model aspects of human thought on computers. AI ordinarily deals with decisions that may be made using a relatively structured approach. It frequently involves using a computer to quickly solve a problem that a human could ultimately solve through extremely detailed analysis.
          • 6] Expert system—One form of AI. A computerized information system that guides decision processes within a well-defined area and allows decisions comparable to those of an expert. Expert knowledge is modeled into a mathematical system.

            EXAMPLE

            An expert system may be used by a credit card department to authorize credit card purchases so as to minimize fraud and credit losses.

    2. Centralized, Decentralized, or Distributed
      • (1) Centralized
        • (a) Processing occurs at one location.
        • (b) Historically, this is the model used in which a mainframe computer processes data submitted to it through terminals.
        • (c) Today, centralized vs. decentralized processing is often a matter of degree—how much is processed by a centralized computer vs. how much by decentralized computers.
      • (2) Decentralized
        • (a) Processing (and data) are stored on computers at multiple locations.
        • (b) Ordinarily the computers involved are not interconnected by a network, so users at various sites cannot share data.
        • (c) May be viewed as a collection of independent databases, rather than a single database.
        • (d) End-user computing (Section C.4. below) is relatively decentralized.
      • (3) Distributed
        • (a) Transactions for a single database are processed at various sites.

          EXAMPLE

          Payroll is processed for Minneapolis employees in Minneapolis, and for Santa Fe employees in Santa Fe. Yet the overall payroll information is in one database.

        • (b) Processing may be on either a batch or online real-time basis.
        • (c) An overall single database is ordinarily updated for these transactions and available at the various sites.
  3. Methods of Data Structure
    1. Data organization for computer operations
      • (1) Bit—A binary digit (0 or 1) which is the smallest storage unit in a computer.
      • (2) Byte—A group of adjacent bits (usually 8) that is treated as a single unit, or character, by the computer. Printable alphanumeric characters (e.g., A-Z, a-z, 0-9), special characters (e.g., $, %, !, @, etc.) and unprintable control codes (e.g., those that control peripheral devices such as printers) can each be represented by an 8-bit byte. A byte has no meaning by itself; a character-encoding scheme assigns one. ASCII uses 7 bits for 128 characters (one per byte), and Unicode encodings such as UTF-8 use one to four bytes per character, so the same byte values can mean different characters under different encodings.
      • (3) Field—A group of related characters (e.g., a social security number).
      • (4) Record—An ordered set of logically related fields. For example, all payroll data (including the social security number field and others) relating to a single employee.
      • (5) File—a group of related records (e.g., all the weekly pay records year-to-date), which is usually arranged in sequence.
      • (6) Table—A group of related records in a relational database with a unique identifier (primary key field) in each record.
      • (7) Database—A group of related files or a group of related tables (if a relational database).
      • (8) Array—In a programming language, an aggregate that consists of data objects with attributes, each of which may be uniquely referenced by an index (address). For example, an array may be used to request input of various payroll information for a new employee in one step. Thus an array could include employee name, social security number, withholdings, pay rate, etc.—for example (John Jones, 470-44-5044, 2, $18.32, …). Name would be indexed as 1 (or zero), with each succeeding attribute receiving the next higher number as an address. Also arrays may be multidimensional. They are often used with object-oriented programming languages such as C++ and Java.
      • (9) Master file—A file containing relatively permanent information used as a source of reference and periodically updated with a detail (transaction) file (e.g., permanent payroll records).
      • (10) Detail or transaction file—A file containing current transaction information used to update the master file (e.g., hours worked by each employee during the current period used to update the payroll master file).
    2. Data file structure
      • (1) Traditional file processing systems—These systems focus upon data processing needs of individual departments. Each application program or system is developed to meet the needs of the particular requesting department or user group. For accounting purposes these systems are often similar to traditional accounting systems, with files set up for operations such as purchasing, sales, cash receipts, cash disbursements, etc.
        • (a) Advantages of traditional processing systems
          • 1] Currently operational for many existing (legacy) systems
          • 2] Often cost effective for simple applications
        • (b) Disadvantages of traditional processing systems
          • 1] Data files are dependent upon a particular application program.
          • 2] In complex business situations there is much duplication of data between data files.
          • 3] Each application must be developed individually.
          • 4] Program maintenance is expensive.
          • 5] Data may be isolated and difficult to share between functional areas.
      • (2) Database systems
        • (a) Definitions
          • 1] Database—A collection of interrelated files, ordinarily most of which are stored online.
            • a] Normalization—The process of separating the database into logical tables to avoid certain kinds of updating difficulties (referred to as “anomalies”).
          • 2] Database system—Computer hardware and software that enables the database(s) to be implemented.
          • 3] Database management system—Software that provides a facility for communications between various applications programs (e.g., a payroll preparation program) and the database (e.g., a payroll master file containing the earnings records of the employees).
          • 4] Data independence—Basic to database systems is this concept which separates the data from the related application programs.
          • 5] Data modeling—Identifying and organizing a database's data, both logically and physically. A data model determines what information is to be contained in a database, how the information will be used, and how the items in the database will be related to each other.
            • a] Entity-relationship modeling—An approach to data modeling. The model (called the entity-relationship diagram, or ERD) divides the database into two logical parts: entities (e.g., “customer,” “product”) and the relationships between them (“buys,” “pays for”).
            • b] Primary key—The field (or combination of fields) whose value uniquely identifies each record in a relational database table; no two records in the table may carry the same primary key value.
            • c] Foreign key—A field (or fields) in one table that holds the primary key value of a record in a related table, thereby linking the two tables (e.g., an employee number in a timecard table that refers to the employee table). The database management system can use the foreign key to enforce referential integrity, rejecting a record that refers to a parent record that does not exist.
            • d] REA data model—A data model designed for use in designing accounting information databases. REA is an acronym for the model's basic types of objects: Resources—Identifiable objects that have economic value, Events—An organization's business activities, Agents—People or organizations about which data is collected.
          • 6] Data Dictionary (also referred to as a data repository or data directory system)—A data structure that stores meta-data.
            • a] Meta-data—Definitional data that provides information about or documentation of other data managed within an application or environment. For example, data about data elements, records and data structures (length, fields, columns, etc.).
          • 7] Structured query language (SQL)—The most common language used for creating and querying relational databases (see (b)3] below). Its commands may be classified into three types:
            • a] Data definition language (DDL)—Used to define a database, including creating, altering, and deleting tables and establishing various constraints.
            • b] Data manipulation language (DML)—Commands used to maintain and query a database, including updating, inserting in, modifying, and querying (asking for data). For example, a frequent query involves the joining of information from more than one table.
            • c] Data control language (DCL)—Commands used to control a database, including controlling which users have various privileges (e.g., who is able to read from and write to various portions of the database).
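            The three command classes above, as an added example that is not part of the original module: Python's standard sqlite3 module runs the DDL (tables with primary and foreign keys, constraints, and a view) and the DML (inserts and a join query) against an in-memory database. Table and column names are assumptions chosen to match the payroll examples used in this module, and the rows are constructed. SQLite has no user accounts, so the DCL statements are shown as text in the form a server DBMS such as PostgreSQL accepts rather than executed. The view is also the "logical view" control described under database controls later in this section: a user granted access only to the view never sees the SSN column.

```python
"""Added example (not from the original text): SQL's three command classes run
against an in-memory SQLite database from Python.  Table and column names are
assumptions chosen to match the payroll examples used in this module."""
import sqlite3


def build_payroll_db() -> sqlite3.Connection:
    """DDL: two normalized tables linked by a foreign key, plus a logical view."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces foreign keys only on request
    conn.executescript(
        """
        CREATE TABLE employee (
            emp_id   INTEGER PRIMARY KEY,                 -- primary key
            name     TEXT NOT NULL,
            ssn      TEXT NOT NULL UNIQUE,                -- constraint: no duplicate SSNs
            pay_rate REAL NOT NULL CHECK (pay_rate > 0)   -- constraint: positive rate
        );
        CREATE TABLE timecard (
            card_id  INTEGER PRIMARY KEY,
            emp_id   INTEGER NOT NULL REFERENCES employee(emp_id),  -- foreign key
            week     TEXT NOT NULL,
            hours    REAL NOT NULL CHECK (hours BETWEEN 0 AND 80)
        );
        -- Logical view: gross pay by week, joined from both tables, with no SSN column
        CREATE VIEW gross_pay AS
            SELECT e.emp_id, e.name, t.week, ROUND(t.hours * e.pay_rate, 2) AS gross
            FROM employee AS e JOIN timecard AS t ON t.emp_id = e.emp_id;
        """
    )
    return conn


def load_sample_data(conn: sqlite3.Connection) -> None:
    """DML: insert constructed master-file and transaction-file rows."""
    conn.executemany(
        "INSERT INTO employee (name, ssn, pay_rate) VALUES (?, ?, ?)",
        [("John Jones", "470-44-5044", 18.32), ("Ann Lee", "123-45-6789", 25.00)],
    )
    conn.executemany(
        "INSERT INTO timecard (emp_id, week, hours) VALUES (?, ?, ?)",
        [(1, "2024-W01", 40.0), (2, "2024-W01", 32.5)],
    )
    conn.commit()


def weekly_gross(conn: sqlite3.Connection, week: str) -> list:
    """DML query: the join is done inside the view.  The week is bound as a
    parameter, not pasted into the SQL string, which is what prevents SQL injection."""
    sql = "SELECT name, gross FROM gross_pay WHERE week = ? ORDER BY name"
    return conn.execute(sql, (week,)).fetchall()


def view_columns(conn: sqlite3.Connection) -> list:
    """Column names visible to a user who is restricted to the view."""
    cur = conn.execute("SELECT * FROM gross_pay LIMIT 0")
    return [col[0] for col in cur.description]


def rejected(conn: sqlite3.Connection, sql: str, params: tuple = ()) -> bool:
    """True when the DBMS refuses a statement because it violates a constraint."""
    try:
        conn.execute(sql, params)
    except sqlite3.IntegrityError:
        return True
    return False


# DCL, shown as text: SQLite has no user accounts, so these statements are in the
# form a server DBMS such as PostgreSQL accepts.  The clerk may read the view but
# not the underlying employee table, so the SSN column is never exposed.
DCL_EXAMPLE = """
GRANT SELECT ON gross_pay TO payroll_clerk;
REVOKE ALL ON employee FROM payroll_clerk;
"""

if __name__ == "__main__":
    db = build_payroll_db()
    load_sample_data(db)
    print(weekly_gross(db, "2024-W01"))
    print(rejected(db, "INSERT INTO timecard (emp_id, week, hours) VALUES (99, '2024-W02', 8)"))
```

            Running it shows that a timecard for a nonexistent employee, a duplicate SSN, or hours outside the 0-80 range are all refused by the DBMS itself, independent of the application program; that enforcement in the database is what makes the data independence described above safe.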
        • (b) Database structures
          • 1] Hierarchical—The data elements at one level “own” the data elements at the next lower level (think of an organization chart in which one manager supervises several assistants, who in turn each supervise several lower level employees).
          • 2] Networked—Each data element can have several owners and can own several other elements (think of a matrix-type structure in which various relationships can be supported).
          • 3] Relational—A database with the logical structure of a group of related spreadsheets. Each row represents a record, which is an accumulation of all the fields related to the same identifier or key; each column represents a field common to all of the records. Relational databases have in many situations largely replaced the earlier developed hierarchical and networked databases.
          • 4] Object-oriented—Information (attributes and methods) is included in structures called object classes. This is the newest database management system technology.
          • 5] Object-relational—Includes both relational and object-oriented features.
          • 6] Distributed—A single database that is spread physically across computers in multiple locations that are connected by a data communications link. (The structure of the database is most frequently relational, object-oriented, or object-relational.)
        • (c) Database controls
          • 1] User department—Because users directly input data, strict controls over who is authorized to read and/or change the database are necessary.
          • 2] Access controls—In addition to the usual controls over terminals and access to the system, database processing also maintains controls within the database itself. These controls limit the user to reading and/or changing (updating) only authorized portions of the database.
            • a] Restricting privileges—This limits the access of users to the database, as well as operations a particular user may be able to perform. For example, certain employees and customers may have only read, and not write, privileges.
            • b] Logical views—Users may be provided with authorized views of only the portions of the database for which they have a valid need.
          • 3] Backup and recovery—A database is updated on a continuous basis during the day. Three methods of backup and recovery are:
            • a] Backup of database and logs of transactions (sometimes referred to as “systems logs”). The approach is to back up the entire database several times per week, generally to removable media (historically magnetic tape) kept apart from the live database. A log of all transactions is also maintained, each transaction being written to the log before the change is applied to the database. The log must be stored on media separate from the database itself: a single disk failure that destroyed both would leave nothing to recover from. If there is extensive damage to a major portion of the database due to catastrophic failure, such as a disk crash, the recovery method is to restore the most recent copy of the database and to bring it forward to the state at the point of failure by reapplying (redoing) the logged transactions that occurred after that backup was taken.
            • b] Database replication. To avoid catastrophic failure, another approach is to replicate the database at one or more locations, so that every update is written to each copy. Replication protects against loss of a site or a disk but not against an erroneous or malicious update, which is faithfully copied to every replica; the backup-and-log approach is still needed to recover from that.
            • c] Backup facility. Another approach is to maintain a backup facility with a vendor who will process data in case of an emergency.

            Further information on backup and recovery is included under Disaster Recovery—D.11 of this module.
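            The restore-and-redo procedure in a] above, as an added example that is not part of the original module: an in-memory simulation in which the database is a dictionary of account balances, every transaction is written to a sequence-numbered log before it is applied (write-ahead), a backup is a copy of the data tagged with the log sequence number of the last transaction it reflects, and recovery restores the backup and replays only the newer log records. The record layout, the checksum on each log record, and all of the figures are assumptions made for the illustration.

```python
"""Added example (not from the original text): backup plus transaction-log
recovery, simulated in memory.  The database is a dictionary of account
balances; a backup is a copy of it tagged with the log sequence number (LSN) of
the last transaction it reflects.  Record layout and names are assumptions."""
import copy
import hashlib
import json


def _redo(data: dict, txn: dict) -> None:
    """Apply one logged transaction (a posting to an account) to the data."""
    data[txn["acct"]] = data.get(txn["acct"], 0) + txn["amount"]


def _checksum(body: str) -> str:
    # Detects accidental corruption of a log record.  A plain hash does not
    # detect deliberate tampering; for that, use an HMAC with a key.
    return hashlib.sha256(body.encode()).hexdigest()[:16]


class LoggedDatabase:
    def __init__(self) -> None:
        self.data = {}   # live database
        self.log = []    # transaction log; in practice kept on separate media
        self.lsn = 0     # log sequence number of the last logged transaction

    def apply(self, txn: dict) -> None:
        """Write-ahead: record the transaction in the log, then change the data,
        so anything that reached the database is guaranteed to be in the log."""
        self.lsn += 1
        body = json.dumps({"lsn": self.lsn, "txn": txn}, sort_keys=True)
        self.log.append(body + "|" + _checksum(body))
        _redo(self.data, txn)

    def backup(self) -> dict:
        """Full backup: a consistent copy of the database plus its LSN."""
        return {"lsn": self.lsn, "data": copy.deepcopy(self.data)}


def parse_log(log: list):
    """Yield (lsn, txn) for each intact record.  Stop at the first corrupt record:
    everything after a damaged record is untrustworthy and is not replayed."""
    for line in log:
        body, _, digest = line.rpartition("|")
        if _checksum(body) != digest:
            break
        rec = json.loads(body)
        yield rec["lsn"], rec["txn"]


def recover(backup: dict, log: list) -> tuple:
    """Restore the most recent backup, then redo logged transactions newer than it.
    Returns the reconstructed data and the LSN it was brought forward to."""
    data = copy.deepcopy(backup["data"])
    last = backup["lsn"]
    for lsn, txn in parse_log(log):
        if lsn <= last:
            continue                       # already reflected in the backup
        if lsn != last + 1:                # a missing record means the log is incomplete
            raise ValueError(f"gap in log: expected LSN {last + 1}, found {lsn}")
        _redo(data, txn)
        last = lsn
    return data, last


def demo() -> tuple:
    """Constructed scenario: two days of postings, a backup between them, a crash."""
    db = LoggedDatabase()
    db.apply({"acct": "cash", "amount": 1000})
    db.apply({"acct": "cash", "amount": -250})
    snapshot = db.backup()                        # nightly backup taken after LSN 2
    db.apply({"acct": "cash", "amount": 75})      # next day's transactions
    db.apply({"acct": "receivable", "amount": 300})
    # Disk crash: the live database is lost; the backup and the log survive.
    recovered, last_lsn = recover(snapshot, db.log)
    return recovered, last_lsn, db.data


if __name__ == "__main__":
    print(demo())
```

            Two failure modes that a practitioner would check are built in: a corrupted record stops the replay at that point (the recovered database is then current only to the last intact record, and the operator must be told so), and a missing sequence number is reported as a gap rather than silently skipped.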

          • 4] Database administrator (DBA)—Individual responsible for maintaining the database and restricting access to the database to authorized personnel.
          • 5] Audit software—Usually used by auditors to test the database; see Auditing with Technology Module.
        • (d) Advantages of database systems
          • 1] Data independence—Data can be used relatively easily by differing applications.
          • 2] Minimal data redundancy—The manner in which data is structured results in information being recorded in only one place, thus making updating much easier than is the case with traditional file systems.
          • 3] Data sharing—The sharing of data between individuals and applications is relatively easy.
          • 4] Reduced program maintenance.
          • 5] Commercial applications are available for modification to a company's needs.
        • (e) Disadvantages of database systems
          • 1] Need for specialized personnel with database expertise
          • 2] Installation of database is costly
          • 3] Conversion of traditional file systems (legacy systems) is costly
          • 4] Comprehensive backup and recovery procedures are necessary.

NOW REVIEW MULTIPLE-CHOICE QUESTIONS 15 THROUGH 52

C. Characteristics of IT Systems—Specific

  1. Types of Networks
    1. Background
      • (1) A network is a group of interconnected computers and terminals.
      • (2) The development of telecommunications—The electronic transmission of information by radio, fiber optics, wire, microwave, laser, and other electromagnetic systems—has made possible the electronic transfer of information between networks of computers. This topic is discussed in detail later in this module.
    2. Classified by geographical scope
      • (1) Personal area network (PAN)—A computer network centered around an individual and the personal communication devices he/she uses. PANs may be wireless or wired (e.g., a Bluetooth headset paired with a mobile phone for hands-free use while driving; USB devices connected to a computer).
      • (2) Local area networks (LAN)—Privately owned networks within a single building or campus of up to a few miles in size. Because this topic has been emphasized in AICPA materials, it is discussed further later in this module.
      • (3) Metropolitan area network (MAN)—A larger version of a LAN. For example, it might include a group of nearby offices within a city.
      • (4) Wide area networks (WAN)—Networks that span a large geographical area, often a country or continent. A WAN is composed of a collection of computers and other hardware and software for running user programs, connected by communication links that are typically leased from carriers.
    3. Classified by ownership
      • (1) Private—One in which network resources are usually dedicated to a small number of applications or a restricted set of users, as in a corporation's network.
        • (a) A typical approach is to lease telephone lines that are dedicated to the network's use.
        • (b) Also, traditional EDI systems (discussed below) use a private network.
        • (c) Advantages: Secure, flexible, performance often exceeds that of public.
        • (d) Disadvantage: Costly
      • (2) Public—Resources are owned by third-party companies and leased to users on a usage basis (also referred to as public-switched networks [PSN]).
        • (a) Access is typically through dial-up circuits.
        • (b) Example: Applications using the Internet.
        • (c) Advantages and disadvantage: In general, the opposite of those for private networks, but certainly a significant disadvantage is that they are less secure.
          • 1] Improvements in Internet communications will decrease the disadvantages and will lead to a dramatic increase in the use of public networks (e.g., rapid increases in the use of Internet-based electronic commerce).
      • (3) Cloud computing/cloud services—The use and access of multiple server-based computational resources via a digital network (WAN, Internet connection using the World Wide Web, etc.). A user accesses the server resources using a computer, netbook, tablet computer, smart phone, or other device. With cloud computing, applications are provided and managed by the cloud server and data is stored remotely in the cloud configuration. Users do not download and install applications on their own device or computer; all processing and storage is maintained by the cloud server. Cloud services may be offered by a cloud provider or by a private organization.
        • (a) Risks of cloud computing
          • 1] Information security and privacy—users must rely on the cloud providers' data access controls.
          • 2] Continuity of services—user problems may occur if the cloud provider has disruptions in service.
          • 3] Migration—users may have difficulty in changing cloud providers because there are few common standards for moving data and applications from one provider to another (vendor lock-in).
    4. Classified by use of Internet

      General: The following all use the Internet. They have in common that data communications are ordinarily through Hypertext Markup Language (HTML) and/or Extensible Markup Language (XML). HTML is used to create and format documents for display in Web browsers and to link documents to other Web pages; XML is used to tag (i.e., label) the individual data items in a document so that a receiving program can interpret them. XML has therefore become the usual form for business documents communicated among trading partners, while HTML remains the language of Web pages themselves.

      Extensible Business Reporting Language (XBRL) is an XML-based language developed specifically for the automation of business information requirements, such as the preparation, sharing, and analysis of financial reports, statements, and audit schedules. XBRL is used in filings with the SEC that are made available on EDGAR, the SEC's Electronic Data Gathering, Analysis, and Retrieval system.

      • (1) Internet—An international collection of networks made up of independently owned computers that operate as a large computing network. Internetwork communication requires the use of a common set of rules, or protocols (TCP), and a shared routing system (IP).
        • (a) Primary applications of the Internet include
          • 1] E-mail
          • 2] News dissemination
          • 3] Remote log-in of computers
          • 4] File transfer among computers
          • 5] Electronic commerce
          • 6] Videoconferencing
          • 7] Groupware systems
        • (b) The Internet has facilitated the advent of social media, which can have a significant effect on consumer behavior. As a result, most businesses attempt to monitor and influence their reputations in the social media space.
        • (c) Terminology
          • 1] Hypertext Transfer Protocol (HTTP)—The primary Internet protocol for data communication on the World Wide Web.
          • 2] Uniform Resource Locator (URL)—A standard for finding a document by typing in an address (e.g., www.azdiamondbacks.com). URLs work in much the same way as addresses on mail processed by the postal service.
          • 3] World Wide Web (the web or WWW)—A framework for accessing linked resources (e.g., documents, pictures, music files, videos, etc.) spread out over the millions of machines all over the Internet.
          • 4] Web browser—Client software (e.g., Internet explorer, Firefox, Chrome, Mosaic, etc.) that provides the user with the ability to locate and display web resources.
          • 5] Web servers—The software that “serves,” (i.e., makes available) web resources to software clients. web servers (e.g., Apache and Internet Information Server [IIS]) typically run on “server” hardware. However, many computing devices today support their own web server software.
          • 6] Firewall—Hardware and/or software (often built into a router) that protects an organization's computers and information from outsiders by inspecting the traffic passing between the internal network and the Internet and permitting or blocking it according to configured rules (e.g., by source and destination address, port, and protocol). Properly configured, it prevents outsiders from reaching corporate database and e-mail systems directly, although it cannot inspect traffic that never crosses it, such as that from an infected laptop brought inside the network.
          • 7] Router—A communications interface device that connects two networks and determines the best way for data packets to move forward to their destinations.
          • 8] Bridge—A device that divides a LAN into two segments, selectively forwarding traffic across the network boundary it defines; similar to a switch.
          • 9] Switch—A device that channels incoming data from any of multiple input ports to the specific output port that will take the data toward its intended destination.
          • 10] Gateway—A combination of hardware and software that links two different types of networks. For example, gateways between e-mail systems allow users of differing e-mail systems to exchange messages.
          • 11] Proxy server—A server that sits between users (e.g., employees or potential customers) and the Web servers from which they request pages. When a page is requested, the proxy server either supplies it from its cache (a store of pages already retrieved) or obtains it from the original server on the requester's behalf. A proxy server can both increase the efficiency of Internet operations and help assure security: because all requests pass through it, it can enforce the organization's access rules, log the traffic, and hide the addresses of internal computers from outside servers.
          • 12] Web 2.0—2nd generation of the web. Refers to era of web-based collaboration and community-generated content via web-based software tools such as
            • a] Blog—An asynchronous discussion, or web log, led by a moderator that typically focuses on a single topic. Similar to an electronic bulletin board. Blogs are an efficient way to share information, views, and opinions.
            • b] Wiki—An information-gathering and knowledge-sharing website that is developed collaboratively by a community or group, all of whom can freely add, modify, or delete content.
            • c] Twitter—A micro-variation of a blog. Restricts input (tweets) to 140 characters. Commonly used to “follow” friends and celebrities. Increasingly companies are using Twitter to inform followers.
            • d] RSS (Really Simple Syndication)/ATOM Feeds—An XML application that facilitates the sharing and syndication of website content by subscription. RSS feeds are automatically checked by RSS-enabled client software (including most browsers and RSS readers) for new website content on a regular basis.
          • 13] TCP/IP (Transmission Control Protocol/Internet Protocol)—The basic communication language, or protocol suite, of the Internet. It has two main layers. The higher layer (TCP) breaks a message or file into smaller packets, numbers them, and at the receiving end reassembles them in order and requests retransmission of any packet that is lost or damaged. The lower layer (IP) labels each packet with the sending and receiving computers' IP addresses and routes it toward its destination; IP by itself makes no delivery guarantee, which is why TCP's checking is needed.
          • 14] IP address—A numeric address (in IPv4, four numbers from 0 to 255 separated by periods, e.g., 192.0.2.10) that uniquely identifies a computer's connection on the Internet.
          • 15] ISP (Internet Service Provider)—An entity that provides access to the Internet.
        • (d) The nature of the Internet has resulted in the spread of a series of malicious programs (often through email) that may adversely affect computer operations, including
          • 1] Virus—A program (or piece of code) that attaches itself to another program or file and, when that program is run or the file is opened, performs activities not authorized by the computer user and copies itself into other programs or files. Viruses can be easily transmitted through files that contain macros and are sent as attachments to e-mail messages.
            • a] Macro—A stored set of instructions and functions that are organized to perform a repetitive task and can be easily activated, often by a simple keystroke combination. Most macros serve valid purposes, but those associated with viruses cause problems.
            • b] Unexpected changes in, or losses of, data may be an indication of the existence of a virus on one's computer.
            • c] E-mail attachments and public domain software (generally downloadable from the Internet at no cost to users) are notorious sources of viruses.
          • 2] Trojan horse—A malicious, security-breaking program that is disguised as something benign, such as a game, but actually is intended to cause IT damage.
          • 3] Worm—A program that propagates itself over a network, reproducing itself as it goes. Unlike a virus, it does not need to attach to a host file and often needs no action by a user, spreading by exploiting flaws in network services.
          • 4] Antivirus software—Is used to attempt to avoid the above types of problems. But the rapid development of new forms of viruses, Trojan horses, and worms results in a situation in which antivirus software developers are always behind the malware developers. The software must therefore be updated continually and treated as one control among several (e.g., restricting what users may install, patching software promptly) rather than as a complete defense.
          • 5] Botnet—A network of compromised computers, each running malicious code (a “bot”) that takes instructions from a remote controller without the owner's knowledge, used to perform a repetitive task such as sending spam, spreading a virus, or creating a distributed denial of service attack.
      • (2) Intranet—A local network, usually limited to an organization, that uses internet-based technology to communicate within the organization.
      • (3) Extranet—Similar to an intranet, but includes an organization's external customers and/or suppliers in the network.
    5. Database client-server architecture

      General: When considering networks, it is helpful to consider their architecture (design). Bear in mind that the architecture must divide the following responsibilities (1) input, (2) processing, and (3) storage. In general, the client-server model may be viewed as one in which communications ordinarily take the form of a request message from the client to the server asking for some service to be performed. A “client” may be viewed as the computer or workstation of an individual user. The server is a high-capacity computer that contains the network software and may provide a variety of services ranging from simply “serving” files to a client to performing analyses.

      • (1) Overall client-server systems—A networked computing model (usually a LAN) in which database software on a server performs database commands sent to it from client computers


      • (2) Subtypes of client/server architectures
        • (a) File servers—The file server manages file operations and is shared by each of the client PCs (ordinarily attached to a LAN). The three responsibilities (input/output, processing, and storage) are divided in a manner in which most input/output and processing occurs on client computers rather than on the server. The file server acts simply as a shared data storage device, with all data manipulations performed by client PCs.
        • (b) Database servers—Similar to file servers, but the server here contains the database management system and thus performs more of the processing.

          NOTE: The above two architectures are referred to as “two-tier” architecture—client tier and server database tier.

        • (c) Three-tier architectures—A client/server configuration that includes three tiers. The change from the above systems is that this architecture includes another server layer in addition to the two tiers discussed above. For example, application programs (e.g., a transaction processing monitor that controls the input of transactions to the database) may reside on the additional server rather than on the individual clients. This system of adding additional servers may generalize to additional tiers and thus become n-tier architecture. Examples of other servers that may be added are as follows:
          • 1] Print server—Make shared printers available to various clients.
          • 2] Communications server—May serve a variety of tasks, such as acting as a gateway (i.e., means of entrance) to the internet or to the corporate intranet.
          • 3] Fax server—Allow clients on the network to share the hardware for incoming and outgoing fax transmissions.
          • 4] Web server—Stores and serves web pages on request.
      • (3) Distributed systems—These systems connect all company locations to form a distributed network in which each location has its own input/output, processing, and storage capabilities. These local computers also pass data among themselves and possibly to a server (often referred to as a “host” in this context) for further processing. An illustration of this type of system is presented in the database section of this outline.
  2. Local Area Networks (LANs)—Privately owned networks within a single building or campus of up to a few miles in size.
    1. Software
      • (1) Software allows devices to function cooperatively and share network resources such as printers and disk storage space.
      • (2) Common services
        • (a) Network server
        • (b) File server
        • (c) Print server
        • (d) Communications server
    2. Hardware components
      • (1) Workstations—Ordinarily microcomputers.
      • (2) Peripherals—For example, printers, network attached storage (NAS) devices, optical scanners, fax board.
      • (3) Transmission media—Physical path that connect components of LAN, ordinarily twisted-pair wire, coaxial cable, or optical fiber. LANs that are connected wirelessly are called WLANs or WiFi networks.
      • (4) Network interface cards—Connect workstation and transmission media.
    3. Control implications
      • (1) General controls are often weak (e.g., controls over development and modification of programs, access and computer operations).
      • (2) Controls often rely upon end users, who may not be control conscious.
      • (3) Often users may not be provided adequate resources for problem resolution, troubleshooting and recovery support.
      • (4) Controlling access and gaining accountability through logging of transactions helps enforce segregation of duties.
      • (5) Good management controls are essential—for example, access codes, passwords.
      • (6) LAN software ordinarily does not provide security features available in larger scale environments.

      NOTE: Tests of controls may address whether controls related to the above are effective.

    4. LANs generally make possible computer-assisted audit techniques that may be performed by either internal or external auditors.
  3. Microcomputers and Portable Computing Devices
    1. The proliferation of microcomputers (e.g., personal computers [PCs], laptop computers) has had a profound effect on information systems. A small-business client will probably use a PC to run a commercially purchased general ledger package (off-the-shelf software). Segregation of duties becomes especially difficult in such an environment because one individual may perform all recordkeeping (processing) as well as maintain other nonrecordkeeping responsibilities.
    2. A larger client may use a network of PCs that may or may not be linked to a large corporate mainframe computer. In all systems, management policies should be in place regarding the development and modification of programs and data files.
    3. Regardless of the system, the control objectives remain the same. When small computers are involved, the following points need to be considered:
      • (1) Security—Security over small computers, while still important, may not be as critical as security over the data and any in-house developed software. Most companies can easily replace the hardware, but may suffer a severe setback if the data and/or in-house developed software is lost. Access to the software installation files should be controlled and backup copies should be made. Access to the hard drive must be restricted: unless the drive is encrypted and a logon is required, anyone who turns on the computer (or removes the drive and attaches it to another machine) can read the data stored on it. Also, a control problem may exist because the computer operator often understands the system and also has access to the input data. The management of the company may need to become more directly involved in supervision when a lack of segregation of duties exists in data processing.
      • (2) Verification of processing—Periodically, an independent verification of the applications being processed on the small computer system should be made to prevent the system from being used for personal projects. Also, verification helps prevent errors in internally developed software from going undetected. Controls should be in operation to assure the accuracy of in-house created spreadsheets and databases.
      • (3) Personnel—Centralized authorization to purchase hardware and software should be required to ensure that appropriate purchasing decisions are made, including decisions that minimize software and hardware compatibility difficulties. Software piracy and viruses may be controlled by prohibiting the loading of unauthorized software and data on company-owned computers.
        • (a) Software is copyrighted, and violation of copyright laws may result in litigation against the company.
        • (b) A company may control possible software piracy (the use of unlicensed software) by employees with procedures such as:
          • 1] Establishing a corporate software policy
          • 2] Maintaining a log of all software purchase
          • 3] Auditing individual computers to identify installed software
        • (c) Portable computing devices—Portable computing devices (e.g., laptop computers, tablets, smart phones, etc.) often contain sensitive information that must be secured. Accordingly, access to the devices should be secured with passwords and/or biometrics. Disk drives should be encrypted, and particularly sensitive data should not be allowed to be downloaded onto portable devices.
  4. End-User Computing (EUC)—The end user is responsible for the development and execution of the computer application that generates the information used by that same end user.
    1. The user performs work otherwise done by the MIS department, substantially eliminating many of the services (and the controls) that department would provide.
    2. Risks include
      • (1) End-user applications are not always adequately tested before implemented.
      • (2) More client personnel need to understand control concepts.
      • (3) Management often does not review the results of applications appropriately.
      • (4) Old or existing applications may not be updated for current applicability and accuracy.
    3. Overall physical access controls become more difficult when companies leave a controlled MIS environment and become more dependent upon individual users for controls.
    4. Control implications
      • (1) Require applications to be adequately tested before they are implemented
      • (2) Require adequate documentation
      • (3) Physical access controls, including
        • (a) Clamps or chains to prevent removal of hard disks or internal boards
        • (b) Diskless workstations that require download of files
        • (c) Regular backup
        • (d) Security software to limit access to those who know user ID and password
        • (e) Control over access from outside
        • (f) Commitment to security matters written into job descriptions, employee contracts, and personnel evaluation procedures
      • (4) Control access to appropriate users
        • (a) Passwords and user IDs
        • (b) Menus for EUC access to database
        • (c) Protect system by restricting user ability to load data
        • (d) When end user uploads data, require appropriate validation, authorization, and reporting control
        • (e) Independent review of transactions
        • (f) Record access to company databases by EUC applications.
      • (5) Control use of incorrect versions of data files.
        • (a) Use control totals for batch processing of uploaded data.
      • (6) Require backup of files.
      • (7) Provide applications controls (e.g., edit checks, range tests, reasonableness checks).
      • (8) Support programmed or user reconciliations to provide assurance that processing is correct.

      NOTE: Since end-user computing relies upon microcomputers, the controls here required for microcomputers and EUC are similar. Also, tests of controls may address whether controls related to the above are effective.
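      Items (4)(d), (5)(a), and (7) above describe the controls applied to a batch of data that an end user uploads. As an added example that is not part of the original module, the following Python program validates one such batch: it first compares the record count, a financial total (hours), and a hash total (sum of employee numbers) with the batch header, refusing the whole file if any disagree, and then applies edit (format), range, validity, and reasonableness checks record by record, producing an exception report for independent review. The file layout, the field rules, the sample records, and the master-file data are all assumptions constructed for the illustration.

```python
"""Added example (not from the original text): application controls applied to
a batch of data uploaded from an end-user spreadsheet before it is accepted into
a company database.  The file layout (one header line carrying control totals,
then one detail line per record) and the field rules are assumptions made for
the illustration; the records and master-file data are constructed."""
import re
from dataclasses import dataclass, field

# Constructed sample upload.  Header: H, record count, total hours (financial
# total), sum of employee numbers (hash total).  Detail: D, employee, SSN, hours.
SAMPLE_UPLOAD = """\
H,4,186.5,7010
D,1001,470-44-5044,40.0
D,1002,123-45-6789,32.5
D,1003,98765432X,85.0
D,4004,111-22-3333,29.0
"""

# Constructed master-file data the batch is checked against: usual weekly hours.
MASTER = {"1001": 40.0, "1002": 32.0, "1003": 40.0}

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
MAX_HOURS = 80.0           # range test limit
REASONABLE_FACTOR = 1.5    # reasonableness: hours vs. the employee's usual hours


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)     # (employee, hours) ready to post
    exceptions: list = field(default_factory=list)   # report for independent review
    batch_rejected: bool = False


def validate_batch(upload: str) -> BatchResult:
    result = BatchResult()
    lines = [ln.split(",") for ln in upload.splitlines() if ln.strip()]
    if not lines or lines[0][0] != "H" or len(lines[0]) != 4:
        result.exceptions.append("missing or malformed batch header")
        result.batch_rejected = True
        return result
    header, details = lines[0], lines[1:]

    # 0. Structural edit check: every line must parse before any total is trusted.
    try:
        exp_count, exp_hours, exp_hash = int(header[1]), float(header[2]), int(header[3])
        rows = [(emp, ssn, float(hours)) for tag, emp, ssn, hours in details if tag == "D"]
        if len(rows) != len(details):
            raise ValueError("non-detail line in batch body")
        got_hours = sum(h for _, _, h in rows)
        got_hash = sum(int(emp) for emp, _, _ in rows)
    except ValueError as err:
        result.exceptions.append(f"malformed record: {err}")
        result.batch_rejected = True
        return result

    # 1. Control totals: record count, financial total and hash total must all agree
    #    with the header, or the whole batch is refused (wrong version of the file,
    #    lost lines, or alteration between the user's upload and this point).
    if len(rows) != exp_count:
        result.exceptions.append(f"record count {len(rows)} != header {exp_count}")
    if abs(got_hours - exp_hours) > 0.005:
        result.exceptions.append(f"hours total {got_hours} != header {exp_hours}")
    if got_hash != exp_hash:
        result.exceptions.append(f"hash total {got_hash} != header {exp_hash}")
    if result.exceptions:
        result.batch_rejected = True
        return result

    # 2. Record-level checks: bad records go on the exception report, good ones are accepted.
    for emp, ssn, hours in rows:
        problems = []
        if not SSN_RE.match(ssn):
            problems.append("SSN format")                      # edit (format) check
        if not 0.0 <= hours <= MAX_HOURS:
            problems.append("hours out of range")              # range test
        if emp not in MASTER:
            problems.append("unknown employee")                # validity check vs. master file
        elif hours > MASTER[emp] * REASONABLE_FACTOR:
            problems.append("hours unreasonable vs. history")  # reasonableness check
        if problems:
            result.exceptions.append(f"{emp}: " + ", ".join(problems))
        else:
            result.accepted.append((emp, hours))
    return result


if __name__ == "__main__":
    r = validate_batch(SAMPLE_UPLOAD)
    print("rejected" if r.batch_rejected else "accepted", r.accepted, r.exceptions)
```

      The two kinds of failure are deliberately kept separate: a control-total mismatch says the file itself cannot be trusted, so nothing from it is posted, whereas a record that fails an edit or reasonableness check is held back individually while the rest of the batch proceeds, and the exception report is what the independent reviewer in item (4)(e) works from.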

  5. Electronic Commerce
    1. General: Electronic commerce involves individuals and organizations engaging in a variety of electronic transactions with computers and telecommunication networks. The networks involved may be publicly available (e.g., the Internet) or private to the individuals and organizations involved (e.g., through telephone lines privately leased by the parties involved). Wide acceptance of the Internet (more specifically, that portion of the Internet referred to as the World Wide Web, or the web) is currently leading to a great expansion in electronic commerce.
    2. Five areas of risk associated with electronic commerce IT systems (as well as to varying degrees with other IT systems) are (1) security, (2) availability, (3) processing integrity, (4) online privacy, and (5) confidentiality. See Section E.1 of this module for a discussion.
    3. Use of the web is growing rapidly as both the number and types of electronic transactions increase. However, many believe that risks such as those listed above are currently impairing its growth.
      • (1) As discussed further in the Reporting Module, the AICPA and the Canadian Institute of Chartered Accountants have developed a form of assurance referred to as the “WebTrust Seal of Assurance” that tells potential customers that the firm has evaluated a website's business practices and controls to determine whether they are in conformity with WebTrust principles.
      • (2) Digital certificates, also referred to as digital IDs, are a means of assuring data integrity.
        • (a) A digital certificate (signature) allows an individual to digitally sign a message so the recipient knows that it actually came from that individual and was not modified in any manner.
        • (b) Ordinarily the message is encrypted and the recipient decrypts it and is able to read the contents.
      • (3) Encryption—The conversion of data into a form, called cipher text, that cannot be easily understood by unauthorized people. Decryption is the process of converting encrypted data back into its original form so that it can be understood. The conversion is performed using an algorithm and a key that only the users control.
        • (a) Algorithm—A detailed sequence of actions to perform to accomplish some task (in this case to encrypt and/or decode data).
        • (b) Key—In the context of encryption, a value that must be fed into the algorithm used to decode an encrypted message in order to reproduce the original plain text.
        • (c) Private key system—An encryption system in which both the sender and receiver have access to the electronic key, but do not allow others access. The primary disadvantage is that both parties must have the key.
        • (d) Encryption is important in a variety of contexts, including any time two or more computers are used to communicate with one another, and even to keep private information on one computer.
        • (e) The machine instructions necessary to encrypt and decrypt data constitute system overhead; that is, they slow down the rate of processing.
      • (4) To assure continuity in the event of a natural disaster, firms should establish off-site mirrored Web servers.
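      As an added illustration (not part of the module's text), the following Python example shows the integrity check described in items (2) and (3)(c): both parties hold one shared key (a private key system) and the recipient recomputes a keyed hash (an HMAC) to confirm that the message was not modified in transit. Unlike a true digital signature, which uses a key pair, a shared-key tag cannot prove to a third party which of the two parties produced the message, and it provides integrity only; the message itself is not encrypted here. The key and the payment message are constructed values.

```python
import hmac
import hashlib

# Constructed shared secret held by both the sender and the receiver
# (the "private key system" of item (c)); a real key would be issued
# and rotated through the firm's key-management procedures.
SHARED_KEY = b"constructed-example-shared-key-not-for-real-use"


def sign_message(key: bytes, message: bytes) -> bytes:
    """Produce an HMAC-SHA256 tag that binds the message to the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag for the received message and compare it with the
    tag that accompanied it. compare_digest runs in constant time so an
    attacker cannot learn the tag byte by byte from response timing."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Show the three cases a recipient cares about: an authentic message,
    a message altered in transit, and a message tagged with a different key."""
    original = b"PAY 1,250.00 TO ACCT 4432109 REF INV-7781"
    tag = sign_message(SHARED_KEY, original)

    altered = original.replace(b"1,250.00", b"9,250.00")
    return {
        "authentic": verify_message(SHARED_KEY, original, tag),
        "altered_in_transit": verify_message(SHARED_KEY, altered, tag),
        "wrong_key": verify_message(b"some-other-key", original, tag),
    }


if __name__ == "__main__":
    print(demo())
```

      The primary disadvantage noted in item (c) is visible in the code: the receiver can only verify the tag because it already holds SHARED_KEY, so the key must be delivered to each trading partner over some secure channel before any message can be checked.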
    4. Electronic funds transfer (EFT)—Making cash payments between two or more organizations or individuals electronically rather than by using checks (or cash).
      • (1) Banks first became heavily involved with EFT; it is now a major part of most types of electronic commerce.
      • (2) EFT systems are vulnerable to the risk of unauthorized access to proprietary data and to the risk of fraudulent fund transfers; controls include
        • (a) Control of physical access to network facilities.
        • (b) Electronic identification should be required for all network terminals authorized to use EFT.
        • (c) Access should be controlled through passwords.
        • (d) Encryption should be used to secure stored data and data being transmitted. See Section C.5.c.(3) for more information on encryption.
    5. Electronic data interchange (EDI)—The electronic exchange of business transactions, in a standard format, from one entity's computer to another entity's computer through an electronic communications network.
      • (1) Traditionally, the definition of electronic commerce has focused on EDI. Currently, web-based commerce is replacing a portion of these EDI systems.
      • (2) Risks related to EDI
        • (a) EDI is commonly used for sales and purchasing, and related accounts. The speed at which transactions occur often reduces amounts receivable (payables) due to electronic processing of receipts (payments). Another effect is to make preventive controls particularly desirable, since detective controls may be too late.
        • (b) In these systems, documents such as purchase orders, invoices, shipping forms, bills of lading, and checks are replaced by electronic transactions.
          • 1] For example, in electronic funds transfer systems, a form of EDI, electronic transactions replace checks as a means of payment. As discussed below, EDI is often conducted on private networks.
          • 2] To determine that transactions are properly processed, effective audit trails for both internal auditors and external auditors include activity logs, including processed and failed transactions, network and sender/recipient acknowledgment of receipt of transactions, and proper time sequence of processing.
          • 3] In some EDI applications, portions of the documentation of transactions are retained for only a short period of time; this may require auditors to pay particular attention to controls over the transactions and to test controls on a timely basis when records remain available.
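          The audit-trail elements listed in 2] (activity logs of processed and failed transactions, acknowledgments of receipt, and proper time sequence) can be checked mechanically. The Python example below is added here and is not from the module or any EDI product: it reconciles a constructed activity log and reports transmissions with no acknowledgment or failure record, acknowledgments for transactions that were never sent, and entries logged out of time sequence. The log format and event names are assumptions.

```python
from datetime import datetime

# Constructed EDI activity log entries: (timestamp, event, transaction id, detail).
# SENT = transmitted to the trading partner (directly or via a VAN)
# ACK  = acknowledgment of receipt returned by the partner or the network
# FAIL = transaction rejected during processing
ACTIVITY_LOG = [
    ("2024-03-01 09:00:05", "SENT", "PO-1001", "OK"),
    ("2024-03-01 09:00:09", "ACK",  "PO-1001", "OK"),
    ("2024-03-01 09:01:15", "SENT", "PO-1002", "OK"),
    ("2024-03-01 09:02:40", "SENT", "PO-1003", "OK"),
    ("2024-03-01 09:02:44", "FAIL", "PO-1003", "REJECTED: invalid quantity"),
    ("2024-03-01 09:02:30", "ACK",  "PO-1002", "OK"),   # logged out of time sequence
    ("2024-03-01 09:03:00", "SENT", "PO-1004", "OK"),   # never acknowledged
    ("2024-03-01 09:03:10", "ACK",  "PO-1009", "OK"),   # acknowledgment for nothing sent
]


def parse_log(log):
    """Convert the timestamp strings into datetime objects for comparison."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event, tid, detail)
            for ts, event, tid, detail in log]


def audit_trail_exceptions(log):
    """Return the exceptions an auditor would follow up on."""
    entries = parse_log(log)
    sent = {tid for _, event, tid, _ in entries if event == "SENT"}
    acked = {tid for _, event, tid, _ in entries if event == "ACK"}
    failed = {tid for _, event, tid, _ in entries if event == "FAIL"}

    # Every transmitted transaction should end in an acknowledgment or a logged failure.
    unresolved = sorted(sent - acked - failed)
    # Acknowledgments or failures with no matching transmission are suspect.
    orphaned = sorted((acked | failed) - sent)
    # Entries should appear in proper time sequence; a backwards jump may
    # indicate a clock problem, a replayed record, or an edited log.
    out_of_sequence = [entries[i][2] for i in range(1, len(entries))
                       if entries[i][0] < entries[i - 1][0]]

    return {
        "unresolved": unresolved,
        "orphaned": orphaned,
        "failed": sorted(failed),
        "out_of_sequence": out_of_sequence,
    }


if __name__ == "__main__":
    for name, items in audit_trail_exceptions(ACTIVITY_LOG).items():
        print(f"{name}: {items}")
```

          Because EDI records may be retained only briefly (item 3]), a check like this is most useful when run on a schedule while the log is still available, with its output kept as the auditor's evidence.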
      • (3) Methods of communication between trading partners
        • (a) Point-to-point—A direct computer-to-computer private network link
          • 1] Automakers and governments have traditionally used this method.
          • 2] Advantages
            • a] No reliance on third parties for computer processing.
            • b] Organization controls who has access to the network.
            • c] Organization can enforce proprietary (its own) software standard in dealings with all trading partners.
            • d] Timeliness of delivery may be improved since no third party is involved.
          • 3] Disadvantages
            • a] Must establish connection with each trading partner
            • b] High initial cost
            • c] Computer scheduling issues
            • d] Need for common protocols between partners
            • e] Need for hardware and software compatibility
        • (b) Value-added network (VAN)
          • 1] A VAN is a privately owned network that routes the EDI transactions between trading partners and in many cases provides translation, storage, and other processing. It is designed and maintained by an independent company that offers specialized support to improve the transmission effectiveness of a network. It alleviates problems related to interorganizational communication that results from the use of differing hardware and software.
          • 2] A VAN receives data from the sender, determines the intended recipient, and places data in the recipient's electronic mailbox.
          • 3] Advantages
            • a] Reduces communication and data protocol problems since VANs can deal with differing protocols (eliminating need for trading partners to agree on them).
            • b] Partners do not have to establish the numerous point-to-point connections.
            • c] Reduces scheduling problems since receiver can request delivery of transactions when it wishes.
            • d] In some cases, the VAN translates the application data into a standard format, so the partner does not have to reformat it.
            • e] VAN can provide increased security.
          • 4] Disadvantages
            • a] Cost of VAN
            • b] Dependence upon VAN's systems and controls
            • c] Possible loss of data confidentiality
        • (c) Public networks—For example, the Internet-based commerce solutions described earlier
          • 1] Advantages
            • a] Avoids cost of proprietary lines
            • b] Avoids cost of VAN
            • c] Directly communicates transactions to trading partners
            • d] Software is being developed which allows communication between differing systems.
          • 2] Disadvantages
            • a] Possible loss of data confidentiality on the Internet
            • b] Computer or transmission disruption
            • c] Hackers and viruses
            • d] Attempted electronic frauds
        • (d) Proprietary networks—In some circumstances (e.g., health care, banking) organizations have developed their own network for their own transactions. These systems are costly to develop and operate (because of proprietary lines), although they are often extremely reliable.
      • (4) Controls required for other network systems are required for EDI systems. In addition, disappearance of “paper transactions” and the direct interrelationship with another organization's computer makes various authentication and encryption controls particularly important for these transactions.
        • (a) Authentication—Controls must exist over the origin, proper submission, and proper delivery of EDI communications. Receiver of the message must have proof of the origin of the message, as well as its proper submission and delivery.
        • (b) Packets—A block of data that is transmitted from one computer to another. It contains data and authentication information.
        • (c) Encryption—The conversion of plain text data into cipher text data using an algorithm and key that only the users control. See Section C.5.c.(3) for more information on encryption.
      • (5) The AICPA Auditing Procedures Study, Audit Implications of EDI, lists the following benefits and exposures of EDI:
        • (a) Benefits
          • 1] Quick response and access to information
          • 2] Cost efficiency
          • 3] Reduced paperwork
          • 4] Accuracy and reduced errors and error-correction costs
          • 5] Better communications and customer service
          • 6] Necessary to remain competitive
        • (b) Exposures
          • 1] Total dependence upon computer system for operation
          • 2] Possible loss of confidentiality of sensitive information
          • 3] Increased opportunity for unauthorized transactions and fraud
          • 4] Concentration of control among a few people involved in EDI
          • 5] Reliance on third parties (trading partners, VAN)
          • 6] Data processing, application and communications errors
          • 7] Potential legal liability due to errors
          • 8] Potential loss of audit trails and information needed by management due to limited retention policies
          • 9] Reliance on trading partner's system
  6. Telecommunications—The electronic transmission of information by radio, wire, fiber optic, coaxial cable, microwave, laser, or other electromagnetic system.
    1. Transmitted information—Voice, data, video, fax, other
    2. Hardware involved:
      • (1) Computers for communications control and switching
      • (2) Transmission facilities such as copper wire, fiber optic cables, microwave stations and communications satellites
      • (3) Modems may be used to provide compatibility of format, speed, etc.
    3. Software controls and monitors the hardware, formats information, adds appropriate control information, performs switching operations, provides security, and supports the management of communications.
    4. While telecommunications is not an end in itself, it enables technologies such as the following:
      • (1) Electronic data interchange
      • (2) Electronic funds transfer
      • (3) Point of sale systems
      • (4) Commercial databases
      • (5) Airline reservation systems
    5. Controls needed
      • (1) System integrity at remote sites
      • (2) Data entry
      • (3) Central computer security
      • (4) Dial-in security
      • (5) Transmission accuracy and completeness
      • (6) Physical security over telecommunications facilities

    NOTE: Tests of controls may address whether controls related to the above are effective.

  7. Computer Service Organizations (Bureaus, Centers)—Computer service organizations record and process data for companies. These organizations allow companies (users) to do away with part of the data-processing function. While many computer service organizations simply record and process relatively routine transactions for a client (e.g., prepare payroll journals and payroll checks), a VAN is a service organization that takes a broader role of providing network, storing, and forwarding (mailbox) services for the companies involved in an EDI system.

    NOW REVIEW MULTIPLE-CHOICE QUESTIONS 53 THROUGH 96

D. Control Objectives for Information and Related Technology (COBIT)

  1. The Information Systems Audit and Control Association (ISACA) has developed a framework to assist enterprises in achieving their objectives for governance and management of enterprise IT. The current version of the framework (COBIT 5) is business-oriented in that it provides a systematic way of integrating IT with business strategy and governance. COBIT 5 takes a stakeholder approach to addressing information needs and incorporates the following 5 principles:
    1. Meeting stakeholder needs.
    2. Covering the enterprise end-to-end.
    3. Applying a single integrated framework.
    4. Enabling a holistic approach.
    5. Separating governance from management.

    The factors that individually and collectively influence whether something will work in an organization are referred to as the COBIT 5 enablers. They include:

    1. Processes—an organized set of practices and activities to achieve certain objectives.
    2. Organizational structures—the key decision-making entities in an organization.
    3. Culture, ethics, and behavior of individuals and the organization.
    4. Principles, policies and frameworks—the vehicle to translate the desired behavior into guidance for day-to-day management.
    5. Information produced and used by the enterprise.
    6. Services, infrastructure and applications—the infrastructure, technology, and applications that provide the enterprise with information technology processing and services.
    7. People, skills, and competencies required for successful completion of all activities and for making correct decisions.

E. IT Risks and Internal Control

NOTE: We have already discussed the effect of a computer on internal control of several systems under C. (microcomputers, end-user computing, and electronic commerce). In this section we discuss the effect in general terms as presented in the AICPA Audit Guide, Consideration of Internal Control in a Financial Statement Audit. This section presents information on controls a company may have. We begin by discussing overall principles of a reliable system and overall risks. We then consider the effect of a computer on internal control using the five components of internal control—control environment, risk assessment, information and communication, monitoring, and control activities.

  1. Principles of a Reliable System and Examples of Overall Risks
    1. A reliable system is one that is capable of operating without material error, fault, or failure during a specified period in a specified environment.
    2. One framework for analyzing a reliable system is presented by the AICPA's Trust Services. Trust Services, which provide assurance on information systems, use a framework with five principles of a reliable system—(1) security, (2) availability, (3) processing integrity, (4) online privacy, and (5) confidentiality. Accordingly, when a principle is not met a risk exists.


    NOTE: Make certain that you are familiar not only with the above principles, but are familiar with the nature of the various risks relating to computer processing.

  2. Control Environment
    1. Recall the principles of the control environment:
      • (1) Commitment to integrity and ethical values
      • (2) Board demonstrates independence and exercises oversight
      • (3) Appropriate structures, reporting lines, and authorities and responsibilities
      • (4) Commitment to attract, develop, and retain competent personnel
      • (5) Hold individuals accountable for internal control responsibilities
    2. Although all five principles may be affected by computer processing, the organizational structure is modified to include an information systems department (EDP department). It is helpful to keep in mind that the information systems department is involved with two distinct functions—systems development and data processing.
    3. Steps in the system development lifecycle:
      • (1) Software concept—identify the need for the new system.
      • (2) Requirements analysis—determine the needs of the users.
      • (3) Architectural design—determining the hardware, software, people, etc. needed.
      • (4) Coding and debugging—acquiring and testing the software.
      • (5) System testing—testing and evaluating the functionality of the system.
    4. Organizational structure
      • (1) Segregation controls
        • (a) Segregate functions between information systems department and user departments.
          • 1] User departments are the other departments of the company that utilize the data prepared by the information systems department.
        • (b) Do not allow the information systems department to initiate or authorize transactions.
        • (c) At a minimum, segregate programming, data entry, operations, and the library function within the information systems department.
        • (d) A more complete segregation of key functions within the information systems department may be possible; one way to separate key functions is as follows:


          • 1] Systems analysis—The systems analyst analyzes the present user environment and requirements and may (1) recommend specific changes, (2) recommend the purchase of a new system, or (3) design a new information system. The analyst is in constant contact with user departments and programming staff to ensure the users' actual and ongoing needs are being met. A system flowchart is a tool used by the analyst to define the systems requirements.
          • 2] Systems programming—The systems programmer is responsible for implementing, modifying, and debugging the software necessary for making the hardware work (such as the operating system, telecommunications monitor, and the database management system). For some companies the term “software engineer” is viewed as similar or identical to that of systems programmer. For others, the software engineer is involved with the creation of designs used by programmers.
          • 3] Applications programming—The applications programmer is responsible for writing, testing, and debugging the application programs from the specifications (whether general or specific) provided by the systems analyst. A program flowchart is one tool used by the applications programmer to define the program logic.
          • 4] Database administration—In a database environment, a database administrator (DBA) is responsible for maintaining the database and restricting access to the database to authorized personnel.
          • 5] Data preparation—Data may be prepared by user departments and input by key to storage devices.
          • 6] Operations—The operator is responsible for the daily computer operations of both the hardware and the software. The operator supervises operations on the operator's console, accepts any required input, and distributes any generated output. The operator should have adequate documentation available to run the program (a run manual), but should not have detailed program information.
            • a] Help desks are usually a responsibility of operations because of the operational nature of their functions (for example, assisting users with systems problems and obtaining technical support/vendor assistance).
          • 7] Data library—The librarian is responsible for custody of the removable media (i.e., magnetic tapes or disks) and for the maintenance of program and system documentation. In many systems, much of the library function is maintained and performed electronically by the computer.
          • 8] Data control—The control group acts as liaison between users and the processing center. This group records input data in a control log, follows the progress of processing, distributes output, and ensures compliance with control totals.

            Ideally, in a large system, all of the above key functions should be segregated; in a small computer environment, many of the key functions are concentrated in a small number of employees. For purposes of the CPA exam remember that, at a minimum, an attempt should be made to segregate programming, operations, and the library functions. Large organizations typically have a chief information officer (CIO) who oversees all information technology and activities.

        • (e) Electronic commerce has resulted in a number of new web-related positions, including
          • 1] Web administrator (web manager)—Responsible for overseeing the development, planning, and the implementation of a website. Ordinarily a managerial position.
          • 2] Web master—Responsible for providing expertise and leadership in the development of a website, including the design, analysis, security, maintenance, content development, and updates.
          • 3] Web designer—Responsible for creating the visual content of the website.
          • 4] Web coordinator—Responsible for the daily operations of the website.
          • 5] Internet developer—Responsible for writing programs for commercial use. Similar to a software engineer or systems programmer.
          • 6] Intranet/Extranet developer—Responsible for writing programs based on the needs of the company.
  3. Risk Assessment
    1. Changes in computerized information systems and in operations may increase the risk of improper financial reporting.
  4. Information and Communication
    1. The computerized accounting system is affected by whether the company uses small computers and/or a complex mainframe system.
      • (1) For small computer systems, purchased commercial “off-the-shelf” software may be used.
        • (a) Controls within the software may be well known.
        • (b) Analysis of “exception reports” generated during processing is important to determine that exceptions are properly handled.
      • (2) For complex mainframe systems a significant portion of the software is ordinarily developed within the company by information systems personnel.
        • (a) Controls within the software are unknown to the auditor prior to testing.
        • (b) As with small computer systems, analysis of exception reports is important, but controls over the generation of such reports must ordinarily be tested to a greater extent.
  5. Monitoring
    1. Proper monitoring of a computerized system will require adequate computer skills to evaluate the propriety of processing of computerized applications.
    2. A common method of monitoring for inappropriate access is review of the system-access log.
    3. IT can also facilitate monitoring.
      • (1) IT can constantly evaluate data and transactions based on established criteria and highlight items that appear to be inconsistent or unusual.
      • (2) IT can capture samples of items for audit by internal auditors.
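    The following Python example is added here to show items 2 and 3(1) in practice; it is not from the module or from any particular access-control product. It reads a constructed system-access log, applies established criteria (repeated failed logins, successful logins outside business hours, successful logins from outside the internal network) and returns the items to be reviewed. The log line format, the business-hours window, and the internal address range are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed system-access log (the line format is an assumption, not a
# particular product's). In practice these lines would come from the
# operating system or the access-control software.
ACCESS_LOG = """\
2024-03-04 08:55:12 LOGIN user=jsmith   result=SUCCESS src=10.1.2.10
2024-03-04 09:01:47 LOGIN user=akhan    result=FAILURE src=10.1.2.22
2024-03-04 09:01:52 LOGIN user=akhan    result=FAILURE src=10.1.2.22
2024-03-04 09:02:01 LOGIN user=akhan    result=FAILURE src=10.1.2.22
2024-03-04 09:02:09 LOGIN user=akhan    result=FAILURE src=10.1.2.22
2024-03-04 09:02:15 LOGIN user=akhan    result=SUCCESS src=10.1.2.22
2024-03-04 23:41:03 LOGIN user=operator result=SUCCESS src=10.1.2.40
2024-03-05 02:17:30 LOGIN user=jsmith   result=SUCCESS src=203.0.113.5
2024-03-05 10:15:00 LOGIN user=bwu      result=SUCCESS src=10.1.2.31
"""

LINE_RE = re.compile(r"^(\S+ \S+) LOGIN user=(\S+)\s+result=(\S+)\s+src=(\S+)$")

# Assumed internal address range; anything else is treated as external.
INTERNAL_PREFIX = "10."


def parse_access_log(text: str) -> list:
    """Return (timestamp, user, result, source) for every well-formed line."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # malformed lines are skipped here; a real review would count them too
            ts, user, result, src = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, result, src))
    return events


def review_access_log(text: str, failure_threshold: int = 3,
                      business_hours: tuple = (7, 19)) -> dict:
    """Apply the established criteria and return the items to follow up on."""
    events = parse_access_log(text)
    start, end = business_hours

    # Repeated failures for one user id suggest password guessing or a locked-out user.
    failures = Counter(user for _, user, result, _ in events if result == "FAILURE")
    repeated_failures = sorted(u for u, n in failures.items() if n >= failure_threshold)

    # Successful logins outside business hours are unusual for most users.
    after_hours = sorted({user for ts, user, result, _ in events
                          if result == "SUCCESS" and not (start <= ts.hour < end)})

    # Successful logins from outside the internal network warrant confirmation.
    external = sorted({user for _, user, result, src in events
                       if result == "SUCCESS" and not src.startswith(INTERNAL_PREFIX)})

    return {
        "repeated_failures": repeated_failures,
        "after_hours_logins": after_hours,
        "external_logins": external,
        "events_reviewed": len(events),
    }


if __name__ == "__main__":
    print(review_access_log(ACCESS_LOG))
```

    The flagged items are exceptions for a person to investigate, not conclusions: the operator's late-night login may be a scheduled batch run, which is why the criteria themselves (hours, threshold, address range) should be documented and approved like any other control.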
  6. Control Activities—Overall
    1. Control activities in which a computer is involved may be divided into the following categories:
      • (1) Computer general control activities.
      • (2) Computer application control activities
        • (a) Programmed application control activities
        • (b) Manual follow-up of computer exception reports
      • (3) User control activities to test the completeness and accuracy of computer processed controls.

    The following illustration, adapted from the AICPA Audit Guide, Consideration of Internal Control in a Financial Statement Audit, summarizes the relationships among the controls.


  7. Computer General Control Activities

    NOTE: General control activities affect all computer applications. There are four types of general controls—(a) developing new programs and systems, (b) changing existing programs and systems, (c) controlling access to programs and data, and (d) controlling computer operations.

    1. Developing new programs and systems
      • (1) Segregation controls
        • (a) User departments participate in systems design.
        • (b) Both users and information systems personnel test new systems.
        • (c) Management, users, and information systems personnel approve new systems before they are placed into operation.
        • (d) All master and transaction file conversions should be controlled to prevent unauthorized changes and to verify the accuracy of the results.
        • (e) Programs and systems should be properly documented (see Section F).
      • (2) Computer hardware is extremely reliable. This is primarily due to the chip technology. However, it is also due to the controls built into the hardware and systems software to provide for a self-diagnostic mechanism to detect and prevent equipment failures. The following are examples of such controls:
        • (a) Parity check—A special bit is added to each character that can detect if the hardware loses a bit during the internal movement of a character.
        • (b) Echo check—Primarily used in telecommunications transmissions. During the sending and receiving of characters, the receiving hardware repeats back to the sending hardware what it received and the sending hardware automatically resends any characters that were received incorrectly.
        • (c) Diagnostic routines—Hardware or software supplied by the manufacturer to check the internal operations and devices within the computer system. These routines are often activated when the system is booted up.
        • (d) Boundary protection—Most CPUs have multiple jobs running simultaneously (multiprogramming environment). To ensure that these simultaneous jobs cannot destroy or change the allocated memory of another job, the systems software contains boundary protection controls.
        • (e) Periodic maintenance—The system should be examined periodically (often weekly) by a qualified service technician.
      • (3) Documentation. Systems and programs should be adequately documented. System specification documents should detail such matters as performance levels, reliability, security and privacy, constraints and limitations, functional capabilities, and data structure and elements.
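      The parity and echo checks in (2)(a) and (2)(b) are easiest to understand by simulating them. The Python example below is an added illustration, not the module's own material: it attaches an even-parity bit to a character, shows that the check catches a single altered bit but not two altered bits, and then simulates an echo check in which the sender resends any character whose echo does not match. The transmission line that corrupts one character is constructed for the example.

```python
def even_parity_bit(byte: int) -> int:
    """Parity bit that makes the number of 1-bits in data + parity even."""
    return bin(byte & 0xFF).count("1") % 2


def add_parity(byte: int) -> int:
    """Form a 9-bit word: the 8 data bits followed by the parity bit."""
    return (byte << 1) | even_parity_bit(byte)


def parity_ok(word: int) -> bool:
    """The hardware's check: a 9-bit word must contain an even number of 1-bits."""
    return bin(word & 0x1FF).count("1") % 2 == 0


def flip_bit(word: int, position: int) -> int:
    """Simulate a bit lost or altered during internal movement of the character."""
    return word ^ (1 << position)


def parity_demo() -> dict:
    word = add_parity(ord("A"))  # 'A' = 0x41 = 0100 0001, two 1-bits, parity bit 0
    return {
        "clean": parity_ok(word),
        "single_bit_error": parity_ok(flip_bit(word, 3)),
        # Two flipped bits restore even parity: this error is NOT detected.
        "double_bit_error": parity_ok(flip_bit(flip_bit(word, 3), 6)),
    }


def make_flaky_line(corrupt_char: str = "B"):
    """Constructed transmission line that corrupts one character, once."""
    state = {"corrupted": False}

    def line(ch: str) -> str:
        if ch == corrupt_char and not state["corrupted"]:
            state["corrupted"] = True
            return chr(ord(ch) ^ 0x01)  # one bit altered in transit
        return ch
    return line


def send_with_echo(text: str, line) -> tuple:
    """Echo check: the receiver repeats back what it received (the return
    path is assumed clean) and the sender resends any character whose echo
    does not match. Returns the received text and the number of resends."""
    received = []
    resends = 0
    for ch in text:
        while True:
            echoed = line(ch)
            if echoed == ch:
                received.append(echoed)
                break
            resends += 1
    return "".join(received), resends


if __name__ == "__main__":
    print(parity_demo())
    print(send_with_echo("ABC", make_flaky_line()))
```

      The undetected double-bit error is the caveat to remember: a parity check is an error-detection control for the common single-bit failure, not a guarantee of integrity, which is why it is supplemented by the other hardware controls listed above.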
    2. Changing existing programs and systems
      • (1) Suggestions for changes (from users and information system personnel) should be documented in a change request log.
      • (2) Proper change control procedures (also referred to as modification controls) should be in place.
        • (a) The information systems manager should review all changes.
        • (b) The modified program should be appropriately tested (often using test data).
        • (c) Details of all changes should be documented.
        • (d) A code comparison program may be used to compare source and/or object codes of a controlled copy of a program with the program currently being used to process data.
          • 1] This will identify any unauthorized changes (this approach may also be used by CPAs).
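          The code comparison program of (2)(d) can be illustrated in a few lines. The Python example below is added here and is not the module's own material: it fingerprints a controlled copy of a program and the copy currently used to process data, and when the fingerprints differ it lists exactly which source lines were added or removed. Both program copies are constructed; the altered overtime multiplier stands in for any change that did not go through the change request log.

```python
import difflib
import hashlib

# Constructed controlled copy of a payroll routine, held by the control group
CONTROLLED_COPY = """\
def compute_pay(hours, rate):
    if hours > 40:
        overtime = (hours - 40) * rate * 1.5
        return 40 * rate + overtime
    return hours * rate
"""

# Constructed copy currently used to process data; the overtime multiplier
# has been changed without going through the change request log
PRODUCTION_COPY = """\
def compute_pay(hours, rate):
    if hours > 40:
        overtime = (hours - 40) * rate * 2.0
        return 40 * rate + overtime
    return hours * rate
"""


def fingerprint(source: str) -> str:
    """SHA-256 of the source text: a quick, exact test for any change at all."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def compare_programs(controlled: str, production: str) -> dict:
    """Report whether the production program matches the controlled copy and,
    if not, exactly which source lines differ."""
    if fingerprint(controlled) == fingerprint(production):
        return {"identical": True, "added": [], "removed": []}

    added, removed = [], []
    diff = difflib.unified_diff(controlled.splitlines(), production.splitlines(),
                                fromfile="controlled", tofile="production",
                                lineterm="", n=0)
    for line in diff:
        if line.startswith(("+++", "---", "@@")):
            continue  # file headers and hunk markers, not source lines
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return {"identical": False, "added": added, "removed": removed}


if __name__ == "__main__":
    result = compare_programs(CONTROLLED_COPY, PRODUCTION_COPY)
    print("identical:", result["identical"])
    for line in result["removed"]:
        print("-", line)
    for line in result["added"]:
        print("+", line)
```

          The fingerprint only says that something changed; the line-level difference is what lets the reviewer match each change to an approved entry in the change request log. Comparing object code works the same way but requires the controlled copy to have been built by the same compiler and options.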
    3. Controlling access to programs and data
      • (1) Segregation controls
        • (a) Access to program documentation should be limited to those persons who require it in the performance of their duties.
        • (b) Access to data files and programs should be limited to those individuals authorized to process data.
        • (c) Access to computer hardware should be limited to authorized individuals such as computer operators and their supervisors.
      • (2) Physical access to computer facility
        • (a) Limited physical access—The physical facility that houses the computer equipment, files, and documentation should have controls to limit access only to authorized individuals. Possible controls include using a guard, automated key cards, and manual key locks, as well as the new access devices that permit access through fingerprints or palm prints.
        • (b) Visitor entry logs—Used to document those who have had access to the area.
      • (3) Hardware and software access controls
        • (a) Access control software (user identification)—The most used control is a combination of a unique identification code and a confidential password.
          • 1] Passwords should be made up of a combination of alphabetic, numeric, and symbol elements.
          • 2] Passwords should be changed periodically.
          • 3] Passwords should be disabled promptly when an employee leaves the company.
        • (b) Call back—Call back is a specialized form of user identification in which the user dials the system, identifies him/herself, and is disconnected from the system. Then either (1) an individual manually finds the authorized telephone number or (2) the system automatically finds the authorized telephone number of the individual and calls back.
        • (c) Encryption—Data is encoded when stored in computer files and/or before transmission to or from remote locations (e.g., through use of modems and telephone lines). This coding protects data, since to use the data unauthorized users must not only obtain access, but must also translate the coded form of the data. Encryption performed by physically secure hardware (often special-purpose computers) is ordinarily more secure, but more costly than that performed by software. See Section C.5.c.(3) for more information on encryption.
    4. Controlling computer operations
      • (1) Segregation controls
        • (a) Operators should have access to an operations manual that contains the instructions for processing programs and solving routine operational program issues, but not with detailed program documentation.
        • (b) The control group should monitor the operator's activities and jobs should be scheduled.
      • (2) Other controls
        • (a) Backup and recovery—Discussed in Section D.11 in this module
        • (b) Contingency processing—Detailed contingency processing plans should be developed to prepare for system failures. The plans should detail the responsibilities of individuals, as well as the alternate processing sites that should be utilized. Backup facilities with a vendor may be used to provide contingent sites in case of an emergency. This topic is discussed further in Section D.11 of this module.
        • (c) Internal and external labels—External labels are gummed-paper labels attached to storage media which identify the file. Internal labels perform the same function through the use of machine readable identification in the first record of a file. The use of labels allows the computer operator to determine whether the correct file has been selected for processing.
  8. Computer Application Control Activities—Programmed Control Activities

    NOTE: Programmed application controls apply to a specific application rather than multiple applications. These controls operate to assure the proper input and processing of data. The input step converts human-readable data into computer-readable data. Ensuring the integrity of the data in the computer is critical during processing. The candidate should be prepared to identify the following common controls in a multiple-choice question.

    1. Input controls
      • (1) Overall controls
        • (a) Inputs should be properly authorized and approved.
        • (b) The system should verify all significant data fields used to record information (editing the data).
        • (c) Conversion of data into machine-readable form should be controlled and verified for accuracy.
      • (2) Input validation (edit) controls
        • (a) Preprinted form—Information is preassigned a place and a format on the input form.
        • (b) Check digit—An extra digit added to an identification number to detect certain types of data transmission errors. For example, a bank may add a check digit to individuals' 7-digit account numbers. The computer will calculate the correct check digit based on performing predetermined mathematical operations on the 7-digit account number and will then compare it to the check digit.
        • (c) Control, batch, or proof total—A total of one numerical field for all the records of a batch that normally would be added (e.g., total sales dollars).
        • (d) Hash total—A control total where the total is meaningless for financial purposes (e.g., a mathematical sum of employee social security numbers).
        • (e) Record count—A count of the records in a batch, compared with the number of records the computer actually processed.
        • (f) Limit (reasonableness) test—A test of the reasonableness of a field of data, given a predetermined upper and/or lower limit (e.g., for a field that indicates auditing exam scores, a limit check would test for scores over 100).
        • (g) Menu driven input—As input is entered, the operator responds to a menu prompting the proper response (e.g., What score did you get on the Auditing part of the CPA Exam [75–100]?).
        • (h) Field check—A control that limits the types of characters accepted into a specific data field (e.g., a pay rate should include only numerical data).
        • (i) Validity check—A control that allows only “valid” transactions or data to be entered into the system (e.g., a field indicating sex of an individual where 1 = female and 2 = male—if the field is coded in any other manner it would not be accepted).
        • (j) Missing data check—A control that searches for blanks inappropriately existing in input data (e.g., if an employee's division number were left blank an error message would result).
        • (k) Field size check—A control of an exact number of characters to be input (e.g., if part numbers all have 6 digits, an error message would result if more or less than 6 characters were input).
        • (l) Logic check—Ensures that illogical combinations of input are not accepted (e.g., if the Tuba City branch has no company officers, an error message would result if two fields for a specified employee indicated that the employee worked as an officer in Tuba City).
        • (m) Redundant data check—Uses two identifiers in each transaction record (e.g., customer account number and the first five letters of customer's name) to confirm that the correct master file record is being updated.
        • (n) Closed-loop verification—A control that allows data entry personnel to check the accuracy of input data. For example, the system might retrieve an account name of a record that is being updated, and display it on the operator's terminal. This control may be used instead of a redundant data check.
      • (3) Processing controls

        Overall: When the input has been accepted by the computer, it usually is processed through multiple steps. Processing controls are essential to ensure the integrity of data. Essentially all of the controls listed for input may also be incorporated during processing. For example, processed information should include limit tests, record counts, and control totals. In addition, external labels should be used on removable media, with internal header and trailer labels used to determine that all information on a file has been read.

        NOTE: Previously, the professional standards divided application controls into three categories—input, processing, and output. The current categories of application controls (programmed and manual) and user controls have replaced that breakdown. As an aid to discussing controls we distinguish between input and processing above. User control activities include the essentials of the previous “output” controls.

  9. Application Controls—Manual Follow-Up of Computer Exception Reports
    1. These controls involve employee (operator and/or control group) follow-up of items listed on computer exception reports. Their effectiveness depends on the effectiveness of both the programmed control activities that produce the reports and the manual follow-up activities.
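The input validation (edit) controls listed above, together with the batch totals and the computer exception report that the manual follow-up in item 9 depends on, as an added worked example in Python. This code is not part of the module; the payroll record layout, the mod-10 (Luhn) scheme used for the check digit, the job and branch codes, the 80-hour limit, the employee master file and the batch header are all assumptions constructed for illustration.

```python
"""Programmed input edit checks over a constructed batch of payroll time records,
producing the exception report that manual follow-up relies on. Added example:
record layout, limits, codes, check-digit scheme and batch header are assumed."""
import re
from typing import Dict, List, Tuple

Record = Dict[str, str]
Finding = Tuple[int, str, str]   # (record number, 0 for batch level; check; message)

# Constructed employee master file: 7-digit number + Luhn check digit -> surname.
MASTER_FILE = {"12345674": "ANDERSON", "00047118": "BAXTER", "24680134": "CHEN"}
VALID_JOB_CODES = {"O", "S"}            # O = officer, S = staff (assumed coding)
BRANCHES_WITHOUT_OFFICERS = {"TUBA"}    # the module's Tuba City example
MAX_WEEKLY_HOURS = 80                   # assumed reasonableness limit
NUMERIC_RE = re.compile(r"^\d+(\.\d{1,2})?$")

def luhn_check_digit(base: str) -> str:
    """Mod-10 (Luhn) check digit for a digit string. It detects any single
    wrong digit and nearly every transposition of two adjacent digits."""
    total = 0
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:                   # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    """True when the last digit is the correct check digit for the others."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]

def edit_record(n: int, rec: Record) -> List[Finding]:
    """Field-level edit checks for one record; every failure is reported."""
    errs: List[Finding] = []
    emp = rec["emp_id"]
    if len(emp) != 8:                                   # field size check
        errs.append((n, "field size", f"emp_id {emp!r} is not 8 characters"))
    elif not luhn_valid(emp):                           # check digit
        errs.append((n, "check digit", f"emp_id {emp} fails the mod-10 check"))
    elif emp not in MASTER_FILE:
        errs.append((n, "master lookup", f"emp_id {emp} is not on the master file"))
    elif MASTER_FILE[emp][:5] != rec["name5"]:          # redundant data check
        errs.append((n, "redundant data", f"name {rec['name5']!r} does not match master {MASTER_FILE[emp][:5]!r}"))
    if not rec["division"].strip():                     # missing data check
        errs.append((n, "missing data", "division is blank"))
    if rec["job"] not in VALID_JOB_CODES:               # validity check
        errs.append((n, "validity", f"job code {rec['job']!r} is not O or S"))
    elif rec["job"] == "O" and rec["branch"] in BRANCHES_WITHOUT_OFFICERS:   # logic check
        errs.append((n, "logic", f"officer recorded at {rec['branch']}, which has no officers"))
    if not NUMERIC_RE.match(rec["rate"]):               # field check
        errs.append((n, "field", f"pay rate {rec['rate']!r} is not numeric"))
    if not NUMERIC_RE.match(rec["hours"]):              # field check
        errs.append((n, "field", f"hours {rec['hours']!r} is not numeric"))
    elif not 0 <= float(rec["hours"]) <= MAX_WEEKLY_HOURS:   # limit (reasonableness) test
        errs.append((n, "limit", f"hours {rec['hours']} outside 0..{MAX_WEEKLY_HOURS}"))
    return errs

def edit_batch(records: List[Record], header: Dict[str, float]) -> Tuple[List[Record], List[Finding]]:
    """Run the record edits plus record count, control total and hash total.
    Returns (records accepted for processing, exception report)."""
    report: List[Finding] = []
    accepted: List[Record] = []
    for n, rec in enumerate(records, start=1):
        errs = edit_record(n, rec)
        report.extend(errs)
        if not errs:
            accepted.append(rec)
    # Batch controls: what the computer read versus what the control group
    # totalled from the source documents before the batch was keyed.
    computed = {
        "record_count": len(records),
        "control_total_hours": sum(float(r["hours"]) for r in records if NUMERIC_RE.match(r["hours"])),
        "hash_total_emp_id": sum(int(r["emp_id"]) for r in records if r["emp_id"].isdigit()),
    }
    for key, expected in header.items():
        if computed[key] != expected:
            report.append((0, key, f"header says {expected}, computed {computed[key]}"))
    return accepted, report

# Constructed batch. Record 3 was mis-keyed: the source document shows
# emp_id 12345674 (digits 1 and 2 are transposed here) and 12 hours, not 120.
SAMPLE_BATCH = [
    {"emp_id": "12345674", "name5": "ANDER", "division": "10", "branch": "FLAG", "job": "S", "hours": "40", "rate": "18.50"},
    {"emp_id": "00047118", "name5": "BAXTE", "division": "10", "branch": "TUBA", "job": "O", "hours": "45", "rate": "32.00"},
    {"emp_id": "21345674", "name5": "ANDER", "division": "", "branch": "FLAG", "job": "X", "hours": "120", "rate": "1A.50"},
    {"emp_id": "24680134", "name5": "CHENN", "division": "20", "branch": "FLAG", "job": "S", "hours": "38", "rate": "21.00"},
]
# Batch header prepared by the control group from the source documents.
SAMPLE_HEADER = {"record_count": 4, "control_total_hours": 135, "hash_total_emp_id": 49418600}

if __name__ == "__main__":
    accepted, report = edit_batch(SAMPLE_BATCH, SAMPLE_HEADER)
    print(f"{len(accepted)} of {len(SAMPLE_BATCH)} records accepted")
    for n, check, msg in report:             # the exception report for manual follow-up
        print(f"{'batch' if n == 0 else 'record ' + str(n)}: {check}: {msg}")
```

Run as a script, the block accepts only record 1 and lists nine exceptions: the transposed account number is caught by the check digit, the officer at Tuba City by the logic check, the misspelled name by the redundant data check, and the mis-keyed hours both by the limit test and by the control total mismatch with the header. The record count agrees even though the batch is wrong, which is why a count alone is a weak control and is combined with a control total and a hash total.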
  10. User Control Activities to Test the Completeness and Accuracy of Computer-Processed Controls
    1. These manual controls, previously referred to as output controls, include
      • (1) Checks of computer output against source documents, control totals, or other input to provide assurance that programmed aspects of the financial reporting system and control activities have operated effectively.
      • (2) Reviewing computer processing logs to determine that all of the correct computer jobs executed properly.
      • (3) Maintaining proper procedures and communications specifying authorized recipients of output.
    2. These procedures are often performed by both the control group and users.
    3. In some systems, user departments evaluate the reliability of output from the computer by extensive review and testing; in others, users merely test the overall reasonableness of the output.
  11. Disaster Recovery and Business Continuity
    1. A plan should allow the firm to
      • (1) Minimize the extent of disruption, damage, and loss.
      • (2) Establish an alternate (temporary) method for processing information.
      • (3) Resume normal operations as quickly as possible.
      • (4) Train and familiarize personnel to perform emergency operations.
    2. A plan should include priorities, insurance, backup approaches, specific assignments, periodic testing and updating, and documentation, as described below.
      • (1) Priorities—Which applications are most critical?
      • (2) Insurance to defray costs
      • (3) Backup approaches
        • (a) Batch systems—The most common approach is the grandfather-father-son method. A master file (e.g., accounts receivable) is updated with the day's transaction files (e.g., files of cash receipts and credit sales). After the update, the new master file is the son and the master file from which it was produced is the father; the file from which the father was developed, together with the transaction files of the appropriate day, is the grandfather. The grandfather and son files are stored in different locations. If the son were destroyed, for example, it could be reconstructed by rerunning the father file with the related transaction files.
        • (b) Online databases and master file systems
          • 1] Checkpoint—Similar to grandfather-father-son, but at certain points, “checkpoints,” the system makes a copy of the database and this “checkpoint” file is stored on a separate disk or tape. If a problem occurs the system is restarted at the last checkpoint and updated with subsequent transactions.
          • 2] Rollback—As a part of recovery, to undo changes made to a database to a point at which it was functioning properly
          • 3] Backup facilities
            • a] Reciprocal agreement—An agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs in the event of a disaster. This is sometimes referred to as a mutual aid pact.
            • b] Hot site—A commercial disaster recovery service that allows a business to continue computer operations in the event of computer disaster. For example, if a company's data processing center becomes inoperable, that enterprise can move all processing to a hot site that has all the equipment needed to continue operation. This is also referred to as a recovery operations center (ROC) approach.
            • c] Cold site—Similar to a hot site, but the customer provides and installs the equipment needed to continue operations. A cold site is less expensive, but takes longer to get in full operation after a disaster. This is sometimes referred to as an “empty shell” in that the “shell” is available and ready to receive whatever hardware the temporary user needs.
            • d] Internal site—Large organizations with multiple data processing centers sometimes rely upon their own sites for backup in the event of a disaster.

              NOTE: Be aware that most approaches to control for catastrophic failures rely upon backup of the entire system in one form or another. Also, various combinations of the above approaches may be used.

            • e] Mirrored web server—An exact copy of a website maintained on a second server, commonly used to back up the website and keep it available if the primary server fails. Because a mirror replicates every change made to the primary, including an erroneous or unauthorized one, it protects availability rather than replacing point-in-time backups of the site's content.
      • (4) Specific assignments, including having individuals involved with
        • (a) Arranging for new facilities.
        • (b) Computer operations.
        • (c) Installing software.
        • (d) Establishing data communications facilities.
        • (e) Recovering vital records.
        • (f) Arranging for forms and supplies.
      • (5) Periodic testing and updating of plan
      • (6) Documentation of plan
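The backup approaches described under (3) above, as an added example in Python that is not code from the module: a grandfather-father-son store that reconstructs a lost son by rerunning the father with the day's transaction file, and an online master file recovered from a checkpoint copy either by rolling forward with the transactions logged after the checkpoint or by rolling back to the checkpoint. The customer balances, the two transaction types and the simulated loss of the son are constructed for illustration.

```python
"""Recovery by reprocessing, as an added example (not from the module):
grandfather-father-son generations for a batch master file, then
checkpoint/roll-forward and rollback for an online master. The customer
balances and transactions are constructed."""
from typing import Dict, List, Tuple

Master = Dict[str, int]          # customer number -> receivable balance (cents)
Txn = Tuple[str, str, int]       # ("SALE" | "RCPT", customer number, amount)

def apply_transactions(master: Master, txns: List[Txn]) -> Master:
    """Batch update: a new generation from the old master plus a day's
    transaction file. The input dict is never modified, so the father
    survives the run and can be reused for recovery."""
    new = dict(master)
    for kind, cust, amount in txns:
        if kind == "SALE":
            new[cust] = new.get(cust, 0) + amount
        elif kind == "RCPT":
            new[cust] = new.get(cust, 0) - amount
        else:
            raise ValueError(f"unknown transaction type {kind!r}")
    return new

class GenerationStore:
    """Retains grandfather, father and son plus the transaction files that
    link them; the oldest generation is released once three are held."""
    def __init__(self, initial: Master):
        self.generations: List[Master] = [dict(initial)]   # oldest first
        self.txn_files: List[List[Txn]] = []

    def run_day(self, txns: List[Txn]) -> Master:
        son = apply_transactions(self.generations[-1], txns)
        self.generations.append(son)
        self.txn_files.append(list(txns))
        if len(self.generations) > 3:
            self.generations.pop(0)
            self.txn_files.pop(0)
        return son

    @property
    def son(self) -> Master:
        return self.generations[-1]

    def reconstruct_son(self) -> Master:
        """Son destroyed: rerun the father against the latest transaction file."""
        return apply_transactions(self.generations[-2], self.txn_files[-1])

class OnlineMaster:
    """Online master file with a checkpoint copy and a transaction log."""
    def __init__(self, master: Master):
        self.master = dict(master)
        self.log: List[Txn] = []
        self.checkpoint_copy = dict(master)   # kept on a separate device
        self.checkpoint_pos = 0               # log position at the checkpoint

    def post(self, txn: Txn) -> None:
        self.master = apply_transactions(self.master, [txn])
        self.log.append(txn)

    def checkpoint(self) -> None:
        self.checkpoint_copy = dict(self.master)
        self.checkpoint_pos = len(self.log)

    def recover(self, roll_forward: bool = True) -> Master:
        """Restart from the checkpoint copy. Roll forward replays the log
        written after the checkpoint; rollback discards it instead."""
        self.master = dict(self.checkpoint_copy)
        if roll_forward:
            self.master = apply_transactions(self.master, self.log[self.checkpoint_pos:])
        else:
            del self.log[self.checkpoint_pos:]
        return self.master

def demo() -> Tuple[Master, Master, Master, Master]:
    """Run three days of batch updates, lose the son and rebuild it; then
    post online, fail, and recover both ways. Returns the four masters."""
    store = GenerationStore({"C100": 50000, "C200": 0})            # constructed
    store.run_day([("SALE", "C100", 12000), ("RCPT", "C100", 50000), ("SALE", "C200", 7500)])
    store.run_day([("SALE", "C300", 3000), ("RCPT", "C200", 7500)])
    son = store.run_day([("SALE", "C100", 1000)])
    rebuilt = store.reconstruct_son()          # identical to the lost son

    online = OnlineMaster(son)
    online.post(("SALE", "C200", 500))
    online.checkpoint()
    online.post(("SALE", "C100", 250))
    online.post(("RCPT", "C300", 3000))
    online.master = {}                         # simulated failure corrupts the live master
    rolled_forward = dict(online.recover(roll_forward=True))
    rolled_back = online.recover(roll_forward=False)
    return son, rebuilt, rolled_forward, rolled_back

if __name__ == "__main__":
    for label, m in zip(("son", "rebuilt", "rolled forward", "rolled back"), demo()):
        print(f"{label:15s} {m}")
```

The roll-forward path only works if the transaction log written after the checkpoint survives the failure, so the log, like the checkpoint copy and the grandfather file, belongs on a device separate from the live master. If it does not survive, recovery stops at the checkpoint and the transactions posted after it must be re-entered, which is exactly what rollback leaves the operator with.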

NOW REVIEW MULTIPLE-CHOICE QUESTIONS 97 THROUGH 141

F. Flowcharting

General: Flowcharts analytically describe some aspect of an information system. Flowcharting is a procedure to graphically show the sequential flow of data and/or operations. The data and operations portrayed include document preparation, authorization, storage, and decision making. The more common flowcharting symbols are illustrated below. Knowledge of them would help with occasional multiple-choice questions and with problems that present a detailed flowchart that must be analyzed.

  1. Common Flowcharting Symbols

    [Figure: common flowcharting symbols (image not reproduced)]

  2. Types and Definitions
    1. System flowchart—A graphic representation of a data-processing application that depicts the interaction of all the computer programs for a given system, rather than the logic for an individual computer program.
    2. Program flowchart—A graphic representation of the logic (processing steps) of a computer program.
    3. Internal control (audit) flowchart or document flowchart—A graphic representation of the flow of documents from one department to another, showing the source flow and final disposition of the various copies of all documents. Most flowcharts on the CPA exam have been of this type.
  3. Other Documentation Charting Techniques
    1. Decision table—Decision tables use a matrix format that lists sets of conditions, and the actions that result from various combinations of these conditions. See Module 3 on internal control in the Auditing and Attestation volume for an example of a decision table.
    2. Data flow diagram (DFD)—Presents logical flows of data and functions in a system. For example, a data flow diagram for the delivery of goods to a customer would include a symbol for the warehouse from which the goods are shipped and a symbol representing the customer. It would not emphasize details such as computer processing and paper outputs.

      NOW REVIEW MULTIPLE-CHOICE QUESTIONS 142 THROUGH 149

KEY TERMS

Because the content of this module is largely terminology, a set of key terms is not provided.

Multiple-Choice Questions (1–149)

A. Information Systems within a Business

1. A software package that is used with a large set of organized data that presents the computer as an expert on a particular topic is referred to as a(n)

  1. Data mining.
  2. Expert system.
  3. Artificial intelligence.
  4. Virtual reality.

2. Computer memory which is used to store programs that must be accessed immediately by the central processing unit is

  1. Primary storage.
  2. Secondary storage.
  3. Tertiary storage.
  4. Tape storage.

3. The most common output device is a(n)

  1. Mouse.
  2. Printer.
  3. Expert system.
  4. Keyboard.

4. The part of the computer that does most of the data processing is referred to as the

  1. Analyzer.
  2. Compiler.
  3. CPU.
  4. Printer.

5. An “office suite” of software is least likely to include a(n)

  1. Database.
  2. Operating system.
  3. Spreadsheet.
  4. Word processing.

6. Software that performs a variety of general technical computer-controlling operations is a(n)

  1. Integrated “suite.”
  2. Shareware.
  3. Database.
  4. Operating system.

7. Which of the following is not a part of the central processing unit?

  1. Control unit.
  2. Arithmetic unit.
  3. Logic unit.
  4. Printer unit.

8. MIPS stands for

  1. Memory in protocol standards.
  2. Millions of instructions per second.
  3. Mitigating individualistic personnel standards.
  4. Multiple input physical savings.

9. Which of the following represents a type of application software that a large client is most likely to use?

  1. Enterprise resource planning.
  2. Operating system.
  3. Central processing unit.
  4. Value-added network.

10. Which of the following characteristics distinguishes computer processing from manual processing?

  1. Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing.
  2. Errors or fraud in computer processing will be detected soon after their occurrences.
  3. The potential for systematic error is ordinarily greater in manual processing than in computerized processing.
  4. Most computer systems are designed so that transaction trails useful for audit purposes do not exist.

11. A general type of IT system that is designed to improve the productivity of daily office work is referred to as a(n)

  1. Office automation system.
  2. Transaction processing system.
  3. Decision support system.
  4. Executive information system.

12. The Systems Development Life Cycle (SDLC) is the traditional methodology for developing information systems. In which phase of the SDLC would the activity of identifying the problem(s) that need to be solved most likely occur?

  1. Analysis.
  2. Implementation.
  3. Planning.
  4. Development.

13. Samco Inc. is in the process of designing a new customer relations system. In which phase of the development life-cycle would a needs assessment most likely be performed?

  1. Analysis.
  2. Design.
  3. Development.
  4. Testing.

14. Which of the following system implementation models has the advantage of achieving a full operational test of the new system before it is implemented?

  1. Parallel implementation.
  2. Plunge implementation.
  3. Pilot implementation.
  4. Phased implementation.

B. Characteristics of IT Systems—General

15. Which computer application is most frequently used on mainframe computers?

  1. Databases.
  2. Graphics.
  3. Spreadsheets.
  4. Word processing.

16. Which computer application is most frequently used to analyze numbers and financial information?

  1. Computer graphics programs.
  2. WAN applications.
  3. Spreadsheets.
  4. Word processing programs.

17. Analysis of data in a database using tools which look for trends or anomalies without knowledge in advance of the meaning of the data is referred to as

  1. Artificial intelligence.
  2. Data mining.
  3. Virtual reality.
  4. Transitory analysis.

18. The most common type of primary storage in a computer is referred to as

  1. CMAN.
  2. RAM.
  3. ROM.
  4. Flash memory.

19. A set of step-by-step procedures used to accomplish a task is a(n)

  1. Algorithm.
  2. Compilation master.
  3. Linux.
  4. Transistor.

20. Which of the following compiles a complete translation of a program in a high-level computer language before the program is run for the first time?

  1. Visual Basic.
  2. Java.
  3. Algorithm.
  4. Compiler.

21. GUI is the abbreviation for

  1. Grandfather, Uncle, Individual.
  2. Graphical User Interface.
  3. Graphics Utilization Institutes.
  4. Grand Union Internet.

22. Unix is a(n)

  1. Operating system.
  2. Singular disk drive.
  3. Central processing unit.
  4. Logic unit.

23. In a spreadsheet, each specific cell may be identified by a specific

  1. Address.
  2. Column.
  3. Row.
  4. Diagonal.

24. In a spreadsheet, which of the following is correct concerning rows and columns?

        Rows       Columns
  1.    Numbered   Numbered
  2.    Numbered   Lettered
  3.    Lettered   Numbered
  4.    Lettered   Lettered

25. Which of the following is least likely to be considered an advantage of a database?

  1. Easy to store large quantities of information.
  2. Easy to retrieve information quickly.
  3. Easy to organize and reorganize information.
  4. Easy to distribute information to every possible user.

26. Most current computers process data using which of the following formats?

  1. Analog.
  2. Digital.
  3. Memory enhanced.
  4. Organic.

27. Which term below describes the technology that allows multiple operating systems to run simultaneously on a single computer?

  1. Client.
  2. Mainframe.
  3. Linux.
  4. Virtualization.

28. What type of secondary storage device requires no moving parts for read/write operations?

  1. Magnetic tape.
  2. Compact discs.
  3. Solid State drives.
  4. RAID.

29. Another term for cloud-based storage is

  1. RAID.
  2. Solid state storage.
  3. Analog.
  4. Storage-as-a-Service.

30. The wireless input device that is used for inventory control and is similar to bar-code technology but does not require line-of-sight access is

  1. MICR.
  2. RFID.
  3. Touch screen.
  4. Point-of-sale recorders.

31. The 2nd generation programming language that is generally specific to a computer architecture (i.e., it is not portable) is

  1. Binary.
  2. Assembly language.
  3. COBOL.
  4. C++.

32. The online analytical processing term that represents a combination of systems that help aggregate, access, and analyze business data and assist in the business decision-making process is

  1. Artificial intelligence.
  2. Data mart.
  3. Decision support system.
  4. Business intelligence.

33. What is the hierarchy of data organization, from smallest to largest unit, for a relational database?

  1. Bit, byte, field, record, table, database.
  2. Byte, bit, record, field, table, database.
  3. Byte, bit, table, field, record, database.
  4. Database, table, field, record, byte, bit.

34. A current-day instruction to a computer such as “Extract all Customers where ‘Name’ is Smith” would most likely relate to a

  1. First generation programming language.
  2. Fourth generation programming language.
  3. Seventh generation programming language.
  4. Ninth generation programming language.

35. Several language interfaces exist in a database management system. These typically include a data definition language (DDL), a data control language (DCL), a data manipulation language (DML), and a database query language (DQL). What language interface would a database administrator use to establish the structure of database tables?

  1. DDL.
  2. DCL.
  3. DML.
  4. DQL.

36. Users making database queries often need to combine several tables to get the information they want. One approach to combining tables is known as

  1. Joining.
  2. Merging.
  3. Projecting.
  4. Pointing.

37. User acceptance testing is more important in an object-oriented development process than in a traditional environment because of the implications of the

  1. Absence of traditional design documents.
  2. Lack of a tracking system for changes.
  3. Potential for continuous monitoring.
  4. Inheritance of properties in hierarchies.

38. A company's management has expressed concern over the varied system architectures that the organization uses. Potential security and control concerns would include all of the following except:

  1. Users may have different user ID codes and passwords to remember for the several systems that they use.
  2. There are difficulties in developing uniform security standards for the various platforms.
  3. Backup file storage administration is often decentralized.
  4. Having data distributed across many computers throughout the organization increases the risk that a single disaster would destroy large portions of the organization's data.

39. All of the following are methods for distributing a relational database across multiple servers except:

  1. Snapshot (making a copy of the database for distribution).
  2. Replication (creating and maintaining replica copies at multiple locations).
  3. Normalization (separating the database into logical tables for easier user processing).
  4. Fragmentation (separating the database into parts and distributing where they are needed).

40. Client/server architecture may potentially involve a variety of hardware, systems software, and application software from many vendors. The best way to protect a client/server system from unauthorized access is through

  1. A combination of application and general access control techniques.
  2. Use of a commercially available authentication system.
  3. Encryption of all network traffic.
  4. Thorough testing and evaluation of remote procedure calls.

41. What technology is needed in order to convert a paper document into a computer file?

  1. Optical character recognition.
  2. Electronic data interchange.
  3. Bar-coding scanning.
  4. Joining and merging.

42. Unauthorized alteration of online records can be prevented by employing

  1. Key verification.
  2. Computer sequence checks.
  3. Computer matching.
  4. Database access controls.

43. A manufacturer of complex electronic equipment such as oscilloscopes and microscopes has been shipping its products with thick paper manuals but wants to reduce the cost of producing and shipping this documentation. Of the following, the best medium for the manufacturer to use to accomplish this is

  1. Write-once-read-many.
  2. Digital audio tape.
  3. Compact disc/read-only memory.
  4. Computer-output-to-microform.

44. Misstatements in a batch computer system caused by incorrect programs or data may not be detected immediately because

  1. Errors in some transactions may cause rejection of other transactions in the batch.
  2. The identification of errors in input data typically is not part of the program.
  3. There are time delays in processing transactions in a batch system.
  4. The processing of transactions in a batch system is not uniform.

45. Which of the following is not a characteristic of a batch processed computer system?

  1. The collection of like transactions which are sorted and processed sequentially against a master file.
  2. Keypunching of transactions, followed by machine processing.
  3. The production of numerous printouts.
  4. The posting of a transaction, as it occurs, to several files, without intermediate printouts.

46. Able Co. uses an online sales order processing system to process its sales transactions. Able's sales data are electronically sorted and subjected to edit checks. A direct output of the edit checks most likely would be a

  1. Report of all missing sales invoices.
  2. File of all rejected sales transactions.
  3. Printout of all user code numbers and passwords.
  4. List of all voided shipping documents.

47. First Federal S & L has an online real-time system, with terminals installed in all of its branches. This system will not accept a customer's cash withdrawal instructions in excess of $1,000 without the use of a “terminal audit key.” After the transaction is authorized by a supervisor, the bank teller then processes the transaction with the audit key. This control can be strengthened by

  1. Online recording of the transaction on an audit override sheet.
  2. Increasing the dollar amount to $1,500.
  3. Requiring manual, rather than online, recording of all such transactions.
  4. Using parallel simulation.

48. Mill Co. uses a batch processing method to process its sales transactions. Data on Mill's sales transaction tape are electronically sorted by customer number and are subjected to programmed edit checks in preparing its invoices, sales journals, and updated customer account balances. One of the direct outputs of the creation of this tape most likely would be a

  1. Report showing exceptions and control totals.
  2. Printout of the updated inventory records.
  3. Report showing overdue accounts receivable.
  4. Printout of the sales price master file.

49. Where disk files are used, the grandfather-father-son updating backup concept is relatively difficult to implement because the

  1. Location of information points on disks is an extremely time-consuming task.
  2. Magnetic fields and other environmental factors cause off-site storage to be impractical.
  3. Information must be dumped in the form of hard copy if it is to be reviewed before used in updating.
  4. Process of updating old records is destructive.

**50. In a computerized system, procedure or problem-oriented language is converted to machine language through a(n)

  1. Interpreter.
  2. Verifier.
  3. Compiler.
  4. Converter.

51. What type of computer system is characterized by data that is assembled from more than one location and records that are updated immediately?

  1. Microcomputer system.
  2. Minicomputer system.
  3. Batch processing system.
  4. Online real-time system.

52. Which of the following characteristics distinguishes electronic data interchange (EDI) from other forms of electronic commerce?

  1. EDI transactions are formatted using the standards that are uniform worldwide.
  2. EDI transactions need not comply with generally accepted accounting principles.
  3. EDI transactions ordinarily are processed without the Internet.
  4. EDI transactions are usually recorded without security and privacy concerns.

C. Characteristics of IT Systems—Specific

53. LAN is the abbreviation for

  1. Large Area Network.
  2. Local Area Network.
  3. Longitudinal Analogue Network.
  4. Low Analytical Nets.

54. A computer that is designed to provide software and other applications to other computers is referred to as a

  1. Microcomputer.
  2. Network computer.
  3. Server.
  4. Supercomputer.

55. Which is least likely to be considered a component of a computer network?

  1. Applications programs.
  2. Computers.
  3. Software.
  4. Routers.

56. The network most frequently used for private operations designed to link computers within widely separated portions of an organization is referred to as a(n)

  1. Bulletin board service.
  2. Local area network.
  3. Wide area network.
  4. Zero base network.

57. A set of rules for exchanging data between two computers is a

  1. Communicator.
  2. Operating system.
  3. Protocol.
  4. Transmission speed.

58. A web page is most frequently created using

  1. Java or C++.
  2. Visual Basic.
  3. SQL.
  4. HTML or XML.

59. Laptop computers provide automation outside of the normal office location. Which of the following would provide the least security for sensitive data stored on a laptop computer?

  1. Encryption of data files on the laptop computer.
  2. Setting up a password for the screensaver program on the laptop computer.
  3. Using a laptop computer with a removable hard disk drive.
  4. Using a locking device that can secure the laptop computer to an immovable object.

60. When developing a new computer system that will handle customer orders and process customer payments, a high-level systems design phase would include determination of which of the following?

  1. How the new system will affect current inventory and general ledger systems.
  2. How the file layouts will be structured for the customer order records.
  3. Whether to purchase a turn-key system or modify an existing system.
  4. Whether formal approval by top management is needed for the new system.

**61. A company using EDI made it a practice to track the functional acknowledgments from trading partners and to issue warning messages if acknowledgments did not occur within a reasonable length of time. What risk was the company attempting to address by this practice?

  1. Transactions that have not originated from a legitimate trading partner may be inserted into the EDI network.
  2. Transmission of EDI transactions to trading partners may sometimes fail.
  3. There may be disagreement between the parties as to whether the EDI transactions form a legal contract.
  4. EDI data may not be accurately and completely processed by the EDI software.

62. Management is concerned that data uploaded from a microcomputer to the company's mainframe system in batch processing may be erroneous. Which of the following controls would best address this issue?

  1. The mainframe computer should be backed up on a regular basis.
  2. Two persons should be present at the microcomputer when it is uploading data.
  3. The mainframe computer should subject the data to the same edits and validation routines that online data entry would require.
  4. The users should be required to review a random sample of processed data.

Items 63 and 64 are based on the following information:

One major category of computer viruses is programs that attach themselves to other programs, thus infecting the other programs. While many of these viruses are relatively harmless, some have the potential to cause significant damage.

63. Which of the following is an indication that a computer virus of this category is present?

  1. Frequent power surges that harm computer equipment.
  2. Unexplainable losses of or changes to data.
  3. Inadequate backup, recovery, and contingency plans.
  4. Numerous copyright violations due to unauthorized use of purchased software.

64. Which of the following operating procedures increases an organization's exposure to computer viruses?

  1. Encryption of data files.
  2. Frequent backup of files.
  3. Downloading public-domain software from electronic bulletin boards.
  4. Installing original copies of purchased software on hard disk drives.

65. Which of the following is a risk that is higher when an electronic funds transfer (EFT) system is used?

  1. Improper change control procedures.
  2. Unauthorized access and activity.
  3. Insufficient online edit checks.
  4. Inadequate backups and disaster recovery procedures.

66. The use of message encryption software

  1. Guarantees the secrecy of data.
  2. Requires manual distribution of keys.
  3. Increases system overhead.
  4. Reduces the need for periodic password changes.

**67. A company's management is concerned about computer data eavesdropping and wants to maintain the confidentiality of its information as it is transmitted. The company should utilize

  1. Data encryption.
  2. Dial-back systems.
  3. Message acknowledgement procedures.
  4. Password codes.

68. Which of the following is likely to be a benefit of electronic data interchange (EDI)?

  1. Increased transmission speed of actual documents.
  2. Improved business relationships with trading partners.
  3. Decreased liability related to protection of proprietary business data.
  4. Decreased requirements for backup and contingency planning.

69. The internal auditor is reviewing a new policy on electronic mail. Appropriate elements of such a policy would include all of the following except:

  1. Erasing all employees' electronic mail immediately upon employment termination.
  2. Encrypting electronic mail messages when transmitted over phone lines.
  3. Limiting the number of electronic mail packages adopted by the organization.
  4. Directing that personnel do not send highly sensitive or confidential messages using electronic mail.

70. Which of the following risks is most likely to be encountered in an end-user computing (EUC) environment as compared to a mainframe computer system?

  1. Inability to afford adequate uninterruptible power supply systems.
  2. User input screens without a graphical user interface (GUI).
  3. Applications that are difficult to integrate with other information systems.
  4. Lack of adequate utility programs.

71. Which of the following risks is not greater in an electronic funds transfer (EFT) environment than in a manual system using paper transactions?

  1. Unauthorized access and activity.
  2. Duplicate transaction processing.
  3. Higher cost per transaction.
  4. Inadequate backup and recovery capabilities.

72. Methods to minimize the installation of unlicensed microcomputer software include all of the following except:

  1. Employee awareness programs.
  2. Regular audits for unlicensed software.
  3. Regular monitoring of network access and start-up scripts.
  4. An organizational policy that includes software licensing requirements.

73. In traditional information systems, computer operators are generally responsible for backing up software and data files on a regular basis. In distributed or cooperative systems, ensuring that adequate backups are taken is the responsibility of

  1. User management.
  2. Systems programmers.
  3. Data entry clerks.
  4. Tape librarians.

74. An auditor is least likely to find that a client's data is input through

  1. Magnetic tape reader.
  2. Dynamic linking character reader.
  3. Point-of-sale recorders.
  4. Touch sensitive screens.

75. End-user computing is an example of which of the following?

  1. Client/server processing.
  2. A distributed system.
  3. Data mining.
  4. Decentralized processing.

76. End-user computing is most likely to occur on which of the following types of computers?

  1. Mainframe.
  2. Minicomputers.
  3. Personal computers.
  4. Personal reference assistants.

77. Which of the following statements is correct regarding the Internet as a commercially viable network?

  1. Organizations must use firewalls if they wish to maintain security over internal data.
  2. Companies must apply to the Internet to gain permission to create a homepage to engage in electronic commerce.
  3. Companies that wish to engage in electronic commerce on the Internet must meet required security standards established by the coalition of Internet providers.
  4. All of the above.

78. To reduce security exposure when transmitting proprietary data over communication lines, a company should use

  1. Asynchronous modems.
  2. Authentication techniques.
  3. Call-back procedures.
  4. Cryptographic devices.

79. Securing client/server systems is a complex task because of all of the following factors except:

  1. The use of relational databases.
  2. The number of access points.
  3. Concurrent operation of multiple user sessions.
  4. Widespread data access and update capabilities.

80. Which of the following would an auditor ordinarily consider the greatest risk regarding an entity's use of electronic data interchange (EDI)?

  1. Authorization of EDI transactions.
  2. Duplication of EDI transmissions.
  3. Improper distribution of EDI transactions.
  4. Elimination of paper documents.

81. Which of the following characteristics distinguish electronic data interchange (EDI) from other forms of electronic commerce?

  1. The cost of sending EDI transactions using a value-added network (VAN) is less than the cost of using the Internet.
  2. Software maintenance contracts are unnecessary because translation software for EDI transactions need not be updated.
  3. EDI commerce is ordinarily conducted without establishing legally binding contracts between trading partners.
  4. EDI transactions are formatted using strict standards that have been agreed to worldwide.

82. Which of the following is considered a component of a local area network?

  1. Program flowchart.
  2. Loop verification.
  3. Transmission media.
  4. Input routine.

83. Which of the following represents an additional cost of transmitting business transactions by means of electronic data interchange (EDI) rather than in a traditional paper environment?

  1. Redundant data checks are needed to verify that individual EDI transactions are not recorded twice.
  2. Internal audit work is needed because the potential for random data entry errors is increased.
  3. Translation software is needed to convert transactions from the entity's internal format to a standard EDI format.
  4. More supervisory personnel are needed because the amount of data entry is greater in an EDI system.

84. Many entities use the Internet as a network to transmit electronic data interchange (EDI) transactions. An advantage of using the Internet for electronic commerce rather than a traditional value-added network (VAN) is that the Internet

  1. Permits EDI transactions to be sent to trading partners as transactions occur.
  2. Automatically batches EDI transactions to multiple trading partners.
  3. Possesses superior characteristics regarding disaster recovery.
  4. Converts EDI transactions to a standard format without translation software.

85. Which of the following is not considered an exposure involved with electronic data interchange (EDI) systems as compared to other systems?

  1. Increased reliance upon computer systems.
  2. Delayed transaction processing time.
  3. Possible loss of confidentiality of information.
  4. Increased reliance upon third parties.

86. Which of the following statements is correct concerning internal control when a client is using an electronic data interchange system for its sales?

  1. Controls should be established over determining that all suppliers are included in the system.
  2. Encryption controls may help to assure that messages are unreadable to unauthorized persons.
  3. A value-added network (VAN) must be used to assure proper control.
  4. Attention must be paid to both the electronic and “paper” versions of transactions.

87. Which of the following statements most likely represents a disadvantage for an entity that keeps microcomputer-prepared data files rather than manually prepared files?

  1. Random error associated with processing similar transactions in different ways is usually greater.
  2. It is usually more difficult to compare recorded accountability with physical count of assets.
  3. Attention is focused on the accuracy of the programming process rather than errors in individual transactions.
  4. It is usually easier for unauthorized persons to access and alter the files.

88. Which of the following is usually a benefit of transmitting transactions in an electronic data interchange (EDI) environment?

  1. A compressed business cycle with lower year-end receivables balances.
  2. A reduced need to test computer controls related to sales and collections transactions.
  3. An increased opportunity to apply statistical sampling techniques to account balances.
  4. No need to rely on third-party service providers to ensure security.

89. Which of the following is a network node that is used to improve network traffic and that is set up as a boundary preventing traffic from one segment from crossing over to another?

  1. Router.
  2. Gateway.
  3. Firewall.
  4. Heuristic.

90. Which of the following is an example of how specific controls in a database environment may differ from controls in a nondatabase environment?

  1. Controls should exist to ensure that users have access to and can update only the data elements that they have been authorized to access.
  2. Controls over data sharing by diverse users within an entity should be the same for every user.
  3. The employee who manages the computer hardware should also develop and debug the computer programs.
  4. Controls can provide assurance that all processed transactions are authorized, but cannot verify that all authorized transactions are processed.

91. A retail entity uses electronic data interchange (EDI) in executing and recording most of its purchase transactions. The entity's auditor recognized that the documentation of the transactions will be retained for only a short period of time. To compensate for this limitation, the auditor most likely would

  1. Increase the sample of EDI transactions to be selected for cutoff tests.
  2. Perform tests several times during the year, rather than only at year-end.
  3. Plan to make a 100% count of the entity's inventory at or near the year-end.
  4. Decrease the assessed level of control risk for the existence or occurrence assertion.

92. Which of the following is an encryption feature that can be used to authenticate the originator of a document and ensure that the message is intact and has not been tampered with?

  1. Heuristic terminal.
  2. Perimeter switch.
  3. Default settings.
  4. Digital signatures.

93. In building an electronic data interchange (EDI) system, what process is used to determine which elements in the entity's computer system correspond to the standard data elements?

  1. Mapping.
  2. Translation.
  3. Encryption.
  4. Decoding.

94. Which of the following passwords would be most difficult to crack?

  1. OrCa!FlSi
  2. language
  3. 12 HOUSE 24
  4. pass56word

95. Which of the following is a password security problem?

  1. Users are assigned passwords when accounts are created, but do not change them.
  2. Users have accounts on several systems with different passwords.
  3. Users copy their passwords on note paper, which is kept in their wallets.
  4. Users select passwords that are not listed in any online dictionary.

96. Many of the Web 2.0 applications rely on an XML-based application that facilitates the sharing and syndication of web content by subscription. Which of the applications below represents this XML application?

  1. Wiki.
  2. Blog.
  3. RSS/Atom Feeds.
  4. Twitter.

D. Control Objectives for Information and Related Technology (COBIT)

97. Which of the following is not one of the five principles of COBIT 5?

  1. Meeting stakeholder needs.
  2. Business processes.
  3. Covering the enterprise end-to-end.
  4. Applying a single integrated framework.

98. The Control Objectives for Information and Related Technology (COBIT) framework has been established by:

  1. The American Institute of Certified Public Accountants.
  2. The Information Technology Institute.
  3. The Information Systems Audit and Control Association.
  4. The Committee of Sponsoring Organizations.

E. IT Risk and Internal Control

99. Which of the following procedures would an entity most likely include in its computer disaster recovery plan?

  1. Develop an auxiliary power supply to provide uninterrupted electricity.
  2. Store duplicate copies of critical files in a location away from the computer center.
  3. Maintain a listing of entity passwords with the network manager.
  4. Translate data for storage purposes with a cryptographic secret code.

100. A company is concerned that a power outage or disaster could impair the computer hardware's ability to function as designed. The company desires off-site backup hardware facilities that are fully configured and ready to operate within several hours. The company most likely should consider a

  1. Cold site.
  2. Cool site.
  3. Warm site.
  4. Hot site.

101. Which of the following procedures would an entity most likely include in its disaster recovery plan?

  1. Convert all data from EDI format to an internal company format.
  2. Maintain a Trojan horse program to prevent illicit activity.
  3. Develop an auxiliary power supply to provide uninterrupted electricity.
  4. Store duplicate copies of files in a location away from the computer center.

102. Almost all commercially marketed software is

images

103. A widely used disaster recovery approach includes

  1. Encryption.
  2. Firewalls.
  3. Regular backups.
  4. Surge protectors.

104. A “hot site” is most frequently associated with

  1. Disaster recovery.
  2. Online relational database design.
  3. Source programs.
  4. Temperature control for computer.

105. Output controls ensure that the results of computer processing are accurate, complete, and properly distributed. Which of the following is not a typical output control?

  1. Reviewing the computer processing logs to determine that all of the correct computer jobs executed properly.
  2. Matching input data with information on master files and placing unmatched items in a suspense file.
  3. Periodically reconciling output reports to make sure that totals, formats, and critical details are correct and agree with input.
  4. Maintaining formal procedures and documentation specifying authorized recipients of output reports, checks, or other critical documents.

106. Minimizing the likelihood of unauthorized editing of production programs, job control language, and operating system software can best be accomplished by

  1. Database access reviews.
  2. Compliance reviews.
  3. Good change-control procedures.
  4. Effective network security software.

107. Some companies have replaced mainframe computers with microcomputers and networks because the smaller computers could do the same work at less cost. Assuming that management of a company decided to launch a downsizing project, what should be done with respect to mainframe applications such as the general ledger system?

  1. Plan for rapid conversion of all mainframe applications to run on a microcomputer network.
  2. Consider the general ledger system as an initial candidate for conversion.
  3. Defer any modification of the general ledger system until it is clearly inadequate.
  4. Integrate downsized applications with stable mainframe applications.

108. A corporation receives the majority of its revenue from top-secret military contracts with the government. Which of the following would be of greatest concern to an auditor reviewing a policy about selling the company's used microcomputers to outside parties?

  1. Whether deleted files on the hard disk drive have been completely erased.
  2. Whether the computer has viruses.
  3. Whether all software on the computer is properly licensed.
  4. Whether the computer has terminal emulation software on it.

109. A manufacturer is considering using bar-code identification for recording information on parts used by the manufacturer. A reason to use bar codes rather than other means of identification is to ensure that

  1. The movement of all parts is recorded.
  2. The movement of parts is easily and quickly recorded.
  3. Vendors use the same part numbers.
  4. Vendors use the same identification methods.

110. A company often revises its production processes. The changes may entail revisions to processing programs. Ensuring that changes have a minimal impact on processing and result in minimal risk to the system is a function of

  1. Security administration.
  2. Change control.
  3. Problem tracking.
  4. Problem-escalation procedures.

111. Pirated software obtained through the Internet may lead to civil lawsuits or criminal prosecution. Of the following, which would reduce an organization's risk in this area?

  I. Maintain a log of all software purchases.
  II. Audit individual computers to identify software on the computers.
  III. Establish a corporate software policy.
  IV. Provide original software diskettes to each user.

  1. I and IV only.
  2. I, II, and III only.
  3. II and IV only.
  4. II and III only.

112. Good planning will help an organization restore computer operations after a processing outage. Good recovery planning should ensure that

  1. Backup/restart procedures have been built into job streams and programs.
  2. Change control procedures cannot be bypassed by operating personnel.
  3. Planned changes in equipment capacities are compatible with projected workloads.
  4. Service level agreements with owners of applications are documented.

113. In a large organization, the biggest risk in not having an adequately staffed information center help desk is

  1. Increased difficulty in performing application audits.
  2. Inadequate documentation for application systems.
  3. Increased likelihood of use of unauthorized program code.
  4. Persistent errors in user interaction with systems.

114. To properly control access to accounting database files, the database administrator should ensure that database system features are in place to permit

  1. Read-only access to the database files.
  2. Updating from privileged utilities.
  3. Access only to authorized logical views.
  4. User updates of their access profiles.

115. When evaluating internal control of an entity that processes sales transactions on the Internet, an auditor would be most concerned about the

  1. Lack of sales invoice documents as an audit trail.
  2. Potential for computer disruptions in recording sales.
  3. Inability to establish an integrated test facility.
  4. Frequency of archiving and data retention.

116. Which of the following statements is correct concerning internal control in an electronic data interchange (EDI) system?

  1. Preventive controls generally are more important than detective controls in EDI systems.
  2. Control objectives for EDI systems generally are different from the objectives for other information systems.
  3. Internal controls in EDI systems rarely permit control risk to be assessed at below the maximum.
  4. Internal controls related to the segregation of duties generally are the most important controls in EDI systems.

117. Which of the following statements is correct concerning the security of messages in an electronic data interchange (EDI) system?

  1. When the confidentiality of data is the primary risk, message authentication is the preferred control rather than encryption.
  2. Encryption performed by physically secure hardware devices is more secure than encryption performed by software.
  3. Message authentication in EDI systems performs the same function as segregation of duties in other information systems.
  4. Security at the transaction phase in EDI systems is not necessary because problems at that level will usually be identified by the service provider.

118. Which of the following is an essential element of the audit trail in an electronic data interchange (EDI) system?

  1. Disaster recovery plans that ensure proper backup of files.
  2. Encrypted hash totals that authenticate messages.
  3. Activity logs that indicate failed transactions.
  4. Hardware security modules that store sensitive data.

119. Which of the following are essential elements of the audit trail in an electronic data interchange (EDI) system?

  1. Network and sender/recipient acknowledgments.
  2. Message directories and header segments.
  3. Contingency and disaster recovery plans.
  4. Trading partner security and mailbox codes.

120. To avoid invalid data input, a bank added an extra number at the end of each account number and subjected the new number to an algorithm. This technique is known as

  1. Optical character recognition.
  2. A check digit.
  3. A dependency check.
  4. A format check.

121. Preventing someone with sufficient technical skill from circumventing security procedures and making changes to production programs is best accomplished by

  1. Reviewing reports of jobs completed.
  2. Comparing production programs with independently controlled copies.
  3. Running test data periodically.
  4. Providing suitable segregation of duties.

122. Computer program libraries can best be kept secure by

  1. Installing a logging system for program access.
  2. Monitoring physical access to program library media.
  3. Restricting physical and logical access.
  4. Denying access from remote terminals.

123. Which of the following security controls would best prevent unauthorized access to sensitive data through an unattended data terminal directly connected to a mainframe?

  1. Use of a screen saver with a password.
  2. Use of workstation scripts.
  3. Encryption of data files.
  4. Automatic log-off of inactive users.

124. An entity has the following invoices in a batch:

images

Which of the following most likely represents a hash total?

  1. FGHK80
  2. 4
  3. 204
  4. 810
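The three batch control totals behind question 124 (record count, hash total, financial total) and what each one catches, as an added example that is not part of the original text. The invoice batch below is a constructed sample with hypothetical numbers and amounts; the question's own table is not reproduced here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    number: int        # invoice number (a non-financial field)
    amount_cents: int  # amount in integer cents to avoid float drift


# Constructed sample batch (hypothetical values, not the page's table).
SAMPLE_BATCH = [
    Invoice(201, 30_000),
    Invoice(202, 20_000),
    Invoice(203, 15_000),
    Invoice(204, 16_000),
]


def batch_totals(batch):
    """Compute the classic batch control totals before (or after) processing.

    record_count    - number of records in the batch
    hash_total      - sum of a field with no financial meaning (invoice number)
    financial_total - sum of a monetary field
    """
    return {
        "record_count": len(batch),
        "hash_total": sum(inv.number for inv in batch),
        "financial_total": sum(inv.amount_cents for inv in batch),
    }


def reconcile(expected, batch):
    """Compare pre-established totals with the totals of the processed batch.

    Returns a dict of {total_name: (expected, actual)} for every total that
    disagrees; an empty dict means the batch reconciles.
    """
    actual = batch_totals(batch)
    return {k: (expected[k], actual[k]) for k in expected if expected[k] != actual[k]}


if __name__ == "__main__":
    control = batch_totals(SAMPLE_BATCH)
    print("control totals:", control)

    # A keying slip that turns invoice 201 into 210: same count, same money,
    # so only the hash total exposes it.
    transposed = [Invoice(210, 30_000)] + SAMPLE_BATCH[1:]
    print("transposed invoice number:", reconcile(control, transposed))

    # A dropped record disturbs all three totals.
    print("dropped record:", reconcile(control, SAMPLE_BATCH[:-1]))

    # A duplicated record also disturbs all three totals.
    print("duplicated record:", reconcile(control, SAMPLE_BATCH + [SAMPLE_BATCH[0]]))
```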

125. A customer intended to order 100 units of product Z96014, but incorrectly ordered nonexistent product Z96015. Which of the following controls most likely would detect this error?

  1. Check digit verification.
  2. Record count.
  3. Hash total.
  4. Redundant data check.
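The check digit scheme described in question 120 (an extra digit appended to an identifier and verified by an algorithm) applied to the one-digit slip in question 125, as an added example that is not part of the original text. The Luhn mod-10 algorithm is assumed here as the check digit algorithm; the page does not say which algorithm the bank or the product codes use, and the order lines are constructed sample input.

```python
import re


def luhn_check_digit(body: str) -> str:
    """Return the Luhn (mod 10) check digit for a string of digits.

    Starting from the rightmost digit of the body, every other digit is
    doubled (subtracting 9 if the result exceeds 9); the check digit is
    whatever brings the total to a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def with_check_digit(prefix: str, body: str) -> str:
    """Build an identifier: prefix + numeric body + computed check digit."""
    if not body.isdigit():
        raise ValueError("check digit body must be all digits")
    return f"{prefix}{body}{luhn_check_digit(body)}"


def is_valid(code: str) -> bool:
    """Verify the trailing check digit; non-digit prefix characters are ignored."""
    digits = re.sub(r"\D", "", code)
    if len(digits) < 2:
        return False
    return luhn_check_digit(digits[:-1]) == digits[-1]


def validate_order_lines(lines):
    """Return (line_number, code) for each order line whose product code fails.

    This is the input-control step that would reject an order for a
    mistyped product before it reaches the order file.
    """
    return [(n, code) for n, (code, _qty) in enumerate(lines, 1) if not is_valid(code)]


if __name__ == "__main__":
    # Constructed order lines: a valid code, a single-digit error (6 -> 5),
    # and an adjacent transposition (96 -> 69).
    good = with_check_digit("Z", "9601")      # -> Z96016
    order = [(good, 100), ("Z96015", 100), ("Z69016", 5)]
    print("rejected lines:", validate_order_lines(order))
```

Luhn catches every single-digit error and most adjacent transpositions, but not the swap of 09 and 90; a scheme with distinct weights (e.g. mod 11) closes that gap at the cost of an occasional non-numeric check character.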

126. In entering the billing address for a new client in Emil Company's computerized database, a clerk erroneously entered a nonexistent zip code. As a result, the first month's bill mailed to the new client was returned to Emil Company. Which one of the following would most likely have led to discovery of the error at the time of entry into Emil Company's computerized database?

  1. Limit test.
  2. Validity test.
  3. Parity test.
  4. Record count test.

127. Which of the following controls is a processing control designed to ensure the reliability and accuracy of data processing?

images

128. Which of the following activities would most likely be performed in the information systems department?

  1. Initiation of changes to master records.
  2. Conversion of information to machine-readable form.
  3. Correction of transactional errors.
  4. Initiation of changes to existing applications.

129. The use of a header label in conjunction with magnetic tape is most likely to prevent errors by the

  1. Computer operator.
  2. Keypunch operator.
  3. Computer programmer.
  4. Maintenance technician.

130. For the accounting system of Acme Company, the amounts of cash disbursements entered into a terminal are transmitted to the computer that immediately transmits the amounts back to the terminal for display on the terminal screen. This display enables the operator to

  1. Establish the validity of the account number.
  2. Verify the amount was entered accurately.
  3. Verify the authorization of the disbursement.
  4. Prevent the overpayment of the account.

131. When computer programs or files can be accessed from terminals, users should be required to enter a(n)

  1. Parity check.
  2. Personal identification code.
  3. Self-diagnosis test.
  4. Echo check.

132. The possibility of erasing a large amount of information stored on magnetic tape most likely would be reduced by the use of

  1. File protection rings.
  2. Check digits.
  3. Completeness tests.
  4. Conversion verification.

133. Which of the following controls most likely would assure that an entity can reconstruct its financial records?

  1. Hardware controls are built into the computer by the computer manufacturer.
  2. Backup diskettes or tapes of files are stored away from originals.
  3. Personnel who are independent of data input perform parallel simulations.
  4. System flowcharts provide accurate descriptions of input and output operations.

134. Which of the following input controls is a numeric value computed to provide assurance that the original value has not been altered in construction or transmission?

  1. Hash total.
  2. Parity check.
  3. Encryption.
  4. Check digit.

135. Which of the following is an example of a validity check?

  1. The computer ensures that a numerical amount in a record does not exceed some predetermined amount.
  2. As the computer corrects errors and data are successfully resubmitted to the system, the causes of the errors are printed out.
  3. The computer flags any transmission for which the control field value did not match that of an existing file record.
  4. After data for a transaction are entered, the computer sends certain data back to the terminal for comparison with data originally sent.

136. Which of the following is a computer test made to ascertain whether a given characteristic belongs to the group?

  1. Parity check.
  2. Validity check.
  3. Echo check.
  4. Limit check.

137. A control feature in an electronic data processing system requires the central processing unit (CPU) to send signals to the printer to activate the print mechanism for each character. The print mechanism, just prior to printing, sends a signal back to the CPU verifying that the proper print position has been activated. This type of hardware control is referred to as

  1. Echo control.
  2. Validity control.
  3. Signal control.
  4. Check digit control.

138. Which of the following is an example of a check digit?

  1. An agreement of the total number of employees to the total number of checks printed by the computer.
  2. An algebraically determined number produced by the other digits of the employee number.
  3. A logic test that ensures all employee numbers are nine digits.
  4. A limit check that an employee's hours do not exceed fifty hours per workweek.

139. Which of the following most likely represents a significant deficiency in internal control?

  1. The systems analyst reviews applications of data processing and maintains systems documentation.
  2. The systems programmer designs systems for computerized applications and maintains output controls.
  3. The control clerk establishes control over data received by the information systems department and reconciles control totals after processing.
  4. The accounts payable clerk prepares data for computer processing and enters the data into the computer.

140. Internal control is ineffective when computer department personnel

  1. Participate in computer software acquisition decisions.
  2. Design documentation for computerized systems.
  3. Originate changes in master files.
  4. Provide physical security for program files.

141. Which of the following activities most likely would detect whether payroll data were altered during processing?

  1. Monitor authorized distribution of data control sheets.
  2. Use test data to verify the performance of edit routines.
  3. Examine source documents for approval by supervisors.
  4. Segregate duties between approval of hardware and software specifications.

F. Flowcharting

142. Which of the following tools would best give a graphical representation of a sequence of activities and decisions?

  1. Flowchart.
  2. Control chart.
  3. Histogram.
  4. Run chart.

Items 143 and 144 are based on the following flowchart of a client's revenue cycle:

images

143. Symbol A most likely represents the

  1. Remittance advice file.
  2. Receiving report file.
  3. Accounts receivable master file.
  4. Cash disbursements transaction file.

144. Symbol B most likely represents

  1. Customer orders.
  2. Receiving reports.
  3. Customer checks.
  4. Sales invoices.

145. An auditor's flowchart of a client's accounting system is a diagrammatic representation that depicts the auditor's

  1. Assessment of control risk.
  2. Identification of weaknesses in the system.
  3. Assessment of the control environment's effectiveness.
  4. Understanding of the system.

Item 146 is based on the following flowchart:

images

146. The above flowchart depicts

  1. Program code checking.
  2. Parallel simulation.
  3. Integrated test facility.
  4. Controlled reprocessing.

Item 147 is based on the following flowchart:

images

147. In a credit sales and cash receipts system flowchart, symbol X could represent

  1. Auditor's test data.
  2. Remittance advices.
  3. Error reports.
  4. Credit authorization forms.

148. Which of the following symbolic representations indicate that a file has been consulted?

images

149. A well-prepared flowchart should make it easier for the auditor to

  1. Prepare audit procedure manuals.
  2. Prepare detailed job descriptions.
  3. Trace the origin and disposition of documents.
  4. Assess the degree of accuracy of financial data.

Multiple-Choice Answers and Explanations

Answers

images

Explanations

1. (b) The requirement is to identify a type of software package that uses a large set of organized data that presents the computer as an expert on a particular topic. Answer (b) is correct because an expert system presents the computer as such an expert. Answer (a) is incorrect because data mining uses tools which look for trends or anomalies without advance knowledge of the meaning of the data. Answer (c) is incorrect because artificial intelligence is a branch of computer science that involves computer programs that can solve specific problems creatively. Answer (d) is incorrect because virtual reality involves computer creation of an artificial, three-dimensional world that may be interacted with.

2. (a) The requirement is to identify the type of computer memory used to store programs that must be accessed immediately by the central processing unit. Answer (a) is correct because primary memory is quickly accessed and generally used to store programs that must be accessed immediately. Answer (b) is incorrect because secondary storage is accessed less quickly. Answer (c) is incorrect because the term tertiary storage has no meaning in information technology. Answer (d) is incorrect because tape storage requires relatively long access times.

3. (b) The requirement is to identify the most common output device. Answer (b) is correct because a printer is a common output device and because the other replies represent input, not output devices.

4. (c) The requirement is to identify the part of the computer that does most of the data processing. Answer (c) is correct because the CPU, the central processing unit, does the primary processing for a computer. Answer (a) is incorrect because the word “analyter” has no meaning in information technology. Answer (b) is incorrect because a compiler is used to compile a particular type of computer program. Answer (d) is incorrect because a printer is an output device.

5. (b) The requirement is to identify the software least likely to be included in an “office suite” of software. Answer (b) is correct because operating systems (e.g., Windows, Linux, Unix) are not ordinarily included in an office suite. Answers (a), (c), and (d) are all incorrect because databases, spreadsheets, and word processing software are often included.

6. (d) The requirement is to identify the software that performs a variety of technical operations. Answer (d) is correct because an operating system controls the execution of computer programs and may provide various services. Answer (a) is incorrect because an integrated “suite” (e.g., Microsoft Office) is a series of applications such as a word processor, database, and spreadsheet. Answer (b) is incorrect because shareware is generally considered to be software made available at a low, or no, cost to users. Answer (c) is incorrect because a database system deals with more specific technical processing.

7. (d) The requirement is to identify the part listed that is not considered a part of the central processing unit. Answer (d) is correct because the printer is a separate output device. Answers (a), (b), and (c) are all incorrect because a computer includes control, arithmetic, and logic units.

8. (b) The requirement is to identify the meaning of MIPS. Answer (b) is correct because MIPS is an abbreviation for millions of instructions per second, a unit for measuring the execution speed of computers. Answers (a), (c), and (d) all include combinations of words with no particular meaning in information technology.

9. (a) The requirement is to identify the type of applications software that a large client is most likely to use. Answer (a) is correct because enterprise resource planning (ERP) software is a form of applications software that provides relatively complete information systems for large and medium size organizations. Answer (b) is incorrect because a computer operating system is considered systems software, not applications software. Answer (c) is incorrect because the central processing unit is the principal hardware component of a computer, not software. Answer (d) is incorrect because a value-added network is a privately owned network whose services are sold to the public.

10. (a) The requirement is to identify a characteristic that distinguishes computer processing from manual processing. Answer (a) is correct because the high degree of accuracy of computer computation virtually eliminates the occurrence of computational errors. Answer (b) is incorrect because errors or fraud in computer processing may or may not be detected, depending upon the effectiveness of an entity's internal control. Answer (c) is incorrect because a programming error will result in a high level of systematic error in a computerized system; therefore, such errors may occur in either a manual or a computerized system. Answer (d) is incorrect because most computer systems are designed to include transaction trails.

11. (a) The requirement is to identify the type of general IT system that is designed to improve productivity by supporting the daily work of employees. Answer (a) is correct because office automation systems include the software tools of daily work, including word processing programs, spreadsheets, email, and electronic calendars. Answer (b) is incorrect because transaction processing systems are designed to improve the efficiency of processing transactions. Answer (c) is incorrect because decision support systems are used to solve nonstructured problems. Answer (d) is incorrect because executive information systems are specifically designed to support executive work.

12. (c) The requirement is to identify the phase of the SDLC where analysts identify the problem(s) of an existing information system. Answer (c) is correct because planning is the first phase of the SDLC and this information is needed before most of the analysis phase activities can be initiated. Answer (a) is incorrect because analysis phase activities are generally dependent on knowing exactly what problem(s) need to be solved before an effort is made to determine the requirements of a new system. Answer (b) is incorrect because implementation is the phase where the new system is put into operation. Answer (d) is incorrect because development is the phase of the SDLC where the new system design is transformed into an actual system.

13. (a) The requirement is to identify the phase in which a needs assessment is most likely to be performed. Answer (a) is correct because in the analysis phase the team attempts to get an understanding of the requirements of the system. Answers (b), (c) and (d) are incorrect because these phases occur after the requirements have been determined.

14. (a) The requirement is to identify the implementation model that has the advantage of a full operational test of the system before it is implemented. Answer (a) is correct because with parallel implementation both systems are operated until it is determined that the new system is operating properly. Answer (b) is incorrect because with the plunge model the new system is put into operation without a full operational test. Answer (c) is incorrect because with pilot implementation the system is only tested with a pilot group. Answer (d) is incorrect because with the phased implementation the system is phased in over time.

15. (a) The requirement is to identify the most frequently used mainframe computer application. Answer (a) is correct because mainframe computers (the largest and most powerful computers available at a particular point in time) are generally used to store and process extremely large computer databases. Answers (b), (c), and (d) are all incorrect because they are less frequent mainframe computer applications.

16. (c) The requirement is to identify the computer application most frequently used to analyze numbers and financial information. Answer (c) is correct because the purpose of a spreadsheet is generally to process numbers and financial information; for example, spreadsheets are often used to perform “what if” analysis which makes various assumptions with respect to a particular situation. Answer (a) is incorrect because while computer graphics programs may present numbers and financial information, they do not in general process them to the extent of spreadsheets. Answer (b) is incorrect because a WAN is a wide area network, and not an application used to analyze numbers and financial information. Answer (d) is incorrect because the emphasis of word processing programs is not ordinarily on processing numbers and financial information.

17. (b) The requirement is to identify the type of analysis that uses a database and tools to look for trends or anomalies, without knowledge in advance of the meaning of the data. Answer (b) is correct because data mining uses tools which look for trends or anomalies without such advance knowledge. Answer (a) is incorrect because artificial intelligence is a branch of computer science that involves computer programs that can solve specific problems creatively. Answer (c) is incorrect because virtual reality involves computer creation of an artificial, three-dimensional world that may be interacted with. Answer (d) is incorrect because the term transitory analysis has no meaning relating to information technology.

18. (b) The requirement is to identify the most common type of primary storage in a computer. Answer (b) is correct because RAM (Random Access Memory) is the most common computer memory which can be used by programs to perform necessary tasks; RAM allows information to be stored or accessed in any order and all storage locations are equally accessible. Answer (a) is incorrect because CMAN has no meaning in information technology. Answer (c) is incorrect because ROM (Read Only Memory) is memory whose contents can be accessed and read but cannot be changed. Answer (d) is incorrect because it is a nonvolatile storage that can be electrically erased and programmed anew that is less common than RAM.

19. (a) The requirement is to identify a set of step-by-step procedures that are used to accomplish a task. Answer (a) is correct because an algorithm uses a step-by-step approach to accomplish a task. Answer (b) is incorrect because the term “compilation master” has no meaning in information technology. Answer (c) is incorrect because Linux is a form of operating system. Answer (d) is incorrect because the term “transitor” has no meaning in information technology.

20. (d) The requirement is to identify the item that compiles a complex translation of a program in a high-level computer language before the program is run for the first time. Answer (d) is correct because a compiler decodes instructions written in a higher order language and produces an assembly language program. Answers (a) and (b) are incorrect because Visual Basic and JAVA are programming languages. Answer (c) is incorrect because an algorithm is a “step-by-step” approach used to accomplish a particular task.

21. (b) The requirement is to identify the meaning of the abbreviation GUI. Answer (b), graphical user interface, is correct. The other replies all represent combinations of words with no meaning in information technology.

22. (a) The requirement is to identify the nature of Unix. Answer (a) is correct because Unix is a powerful operating system, originally developed by AT&T Bell Labs, that is used by many users of high-end computing hardware. Answers (b), (c), and (d) are all incorrect because Unix is not a singular disk drive, a central processing unit, or a logic unit.

23. (a) The requirement is to identify how each specific cell within a spreadsheet is identified. Answer (a) is correct because each cell has an address, composed of a combination of its column and row in the spreadsheet. Answer (b) is incorrect because the column portion of the address is not specific to the cell. Answer (c) is incorrect because the row portion of the address is not specific to the cell. Answer (d) is incorrect because no diagonal is ordinarily used to identify a particular cell.

24. (b) The requirement is to identify whether rows and columns of a spreadsheet are numbered or lettered. Answer (b) is correct because rows are numbered and columns are lettered. The other replies are all incorrect because they include incorrect combinations of “numbered” and “lettered.”

25. (d) The requirement is to identify what is least likely to be considered an advantage of a database. Answer (d) is correct because a database itself does not make it easy to distribute information to every possible user—information must still be distributed either electronically or physically. Answer (a) is incorrect because a database is used to store large quantities of information. Answer (b) is incorrect because information may ordinarily be required quickly from a database. Answer (c) is incorrect because specific normalization rules have been identified for organizing information within a database.

26. (b) The requirement is to identify the most frequent current format for computer processing of data. Answer (b) is correct because most current computers process data using a digital approach in that they represent information by numerical (binary) digits. Answer (a) is incorrect because analog computers, which represent information by variable quantities (e.g., positions or voltages), are less frequent in practice than digital computers. Answer (c) is incorrect because “memory enhanced” is not a format for processing information. Answer (d) is incorrect because “organic” is not a format for processing information.

27. (d) The requirement is to identify the computer technology that is being widely adopted by organizations to lower computer hardware costs and to reduce energy costs by allowing multiple operating systems to coexist and operate simultaneously on the same machine. Answer (d) is correct because virtualization software allows a single computer to run multiple operating systems simultaneously. Answer (a) is incorrect because a client is a computing device that connects to a server or mainframe. Answer (b) is incorrect because a mainframe typically runs a single operating system but serves clients. Answer (c) is incorrect because Linux is an operating system, not a hardware device.

28. (c) The requirement is to identify the secondary storage technology that essentially has no moving parts. Answer (c) is correct because solid state devices store data on microchips and not a medium that must move to write or read data. Answer (a) is incorrect as the magnetic tape drive must spin for read/write operations. Answer (b) is incorrect as CDs and DVDs must also spin and use a moveable read/write head for operation. Answer (d) is incorrect as RAID devices are typically hard disk drives that must also spin and use a moveable read/write head for operations.

29. (d) The requirement is to identify another term for cloud-based storage. Answer (d) is correct because Storage-as-a-Service is another term for cloud-based storage. Answer (a) is incorrect as RAID is disk storage that is directly attached to a computing device. Answer (b) is incorrect as solid state storage is usually associated with a storage device that is directly attached to a computing device. Answer (c) is incorrect as analog refers to the representation of data.

30. (b) The requirement is to identify the wireless technology that is being used for inventory control that does not require line-of-sight access to the inventory. Answer (b) is the correct answer as Radio Frequency Identification (RFID) tags do not need to be seen by RFID readers to work. Answer (a) is incorrect as MICR technology requires items (documents) to pass through a read/write device. Answer (c) is incorrect as touch screen technology is not considered a wireless technology. Answer (d) is incorrect as current point-of-sale scanners must “see” the barcode to read it.

31. (b) The requirement is to distinguish between the various generations of programming languages. Answer (b) is correct as it is the only 2nd generation language listed. Answer (a) is incorrect as binary is considered machine language, the 1st generation programming language. Answer (c) is incorrect as COBOL is a 3rd generation programming language. Answer (d) is incorrect as it is also considered a higher-level, or 3rd generation programming language.

32. (d) The requirement is to distinguish among the OLAP technologies. Answer (d) is correct as business intelligence is the combination of systems that help aggregate, access, and analyze business data. Answer (a) is incorrect as artificial intelligence deals with relatively structured decision making in many areas, not specifically business. Answer (b) is incorrect as a data mart may be used in the process of business intelligence. Answer (c) is incorrect as decision support systems are used in a variety of business and nonbusiness decision-making situations.

33. (a) The requirement here is to identify the hierarchy of data with respect to relational databases. Answer (a) is the correct representation of data, from smallest to largest, for relational databases.

34. (b) The requirement is to identify the generation of programming language most likely to include an instruction such as “Extract all Customers where ‘Name’ is Smith.” Answer (b) is correct because fourth generation programs ordinarily include instructions relatively close to human languages—such as the instruction in this question. Answer (a) is incorrect because first generation instructions are in terms of “1's” and “0's.” Answers (c) and (d) are incorrect because seventh and ninth generation programming languages have not yet been developed (a few fifth generation languages with extensive visual and graphic interfaces are currently in process).

35. (a) The requirement is to identify the language interface used to establish the structure of database tables. Answer (a) is correct because DDL is used to define (i.e., determine) the database. Answer (b) is incorrect because DCL is used to specify privileges and security rules. Answer (c) is incorrect because DML provides programmers with a facility to update the database. Answer (d) is incorrect because DQL is used for ad hoc queries.

36. (a) The requirement is to identify the function used in a database query to combine several tables. Answer (a) is correct because joining is the combining of one or more tables based on matching criteria. For example, if a supplier table contains information about suppliers and a parts table contains information about parts, the two tables could be joined on supplier number (assuming both tables contained this attribute) to give information about the supplier of particular parts. Answers (b), (c), and (d) are all incorrect.

37. (d) The requirement is to identify a reason that user acceptance testing is more important in an object-oriented development process than in a traditional environment. Answer (d) is correct because user acceptance testing is more important in object-oriented development because of the fact that all objects in a class inherit the properties of the hierarchy, which means that changes to one object may affect other objects, which increases the importance of user acceptance testing to verify correct functioning of the whole system. Answer (a) is incorrect because instead of traditional design documents, items such as the business model, narratives of process functions, iterative development screens, computer processes and reports, and product description guides are produced in object-oriented development, but the existence of specific documents does not affect the importance of user acceptance testing. Answer (b) is incorrect because in general, object-oriented development systems do include tracking systems for changes made to objects and hierarchies. Answer (c) is incorrect because, while object-oriented systems are usually developed in client/server environments and there is the potential for continuous monitoring of system use, continuous monitoring typically occurs during system operation, not during development.

38. (d) The requirement is to identify the reply that does not represent a potential security and control concern. Answer (d) is correct because the distribution of data actually decreases this risk so this would not cause a control concern; it is a potential advantage to distributed systems of various architectures versus centralized data in a single mainframe computer. Answer (a) is incorrect because password proliferation is a considerable security concern because users will be tempted to write their passwords down or make them overly simplistic. Answer (b) is incorrect because consistent security across varied platforms is often challenging because of the different security features of the various systems and the decentralized nature of those controlling security administration. Answer (c) is incorrect because under centralized control, management can feel more confident that backup file storage is being uniformly controlled. Decentralization of this function may lead to lack of consistency and difficulty in monitoring compliance.

39. (c) The requirement is to determine which answer is not a method for distributing a relational database across multiple servers. Answer (c) is correct because normalization is a process of database design, not distribution. Answer (a) is incorrect because making a copy of the database for distribution is a viable method for the described distribution. Answer (b) is incorrect because creating and maintaining replica copies at multiple locations is a viable method for the described distribution. Answer (d) is incorrect because separating the database into parts and distributing where they are needed is a viable method for the described distribution.

40. (a) The requirement is to identify the best way to protect a client/server system from unauthorized access. Answer (a) is correct because since there is no perfect solution, this is the best way. Answer (b) is incorrect because authentication systems, such as Kerberos, are only a part of the solution. Answer (c) is incorrect because this only affects general access control techniques. Answer (d) is incorrect because testing and evaluation of remote procedure calls may be a small part of an overall security review.

41. (a) The requirement is to identify the technology needed to convert a paper document into a computer file. Answer (a) is correct because optical character recognition (OCR) software converts images of paper documents, as read by a scanning device, into text document computer files. Answer (b) is incorrect because electronic data interchange involves electronic transactions between trading partners. Answer (c) is incorrect because bar-code scanning reads price and item information, but does not convert a paper document into a computer file. Answer (d) is incorrect because joining and merging are processes applied to computer files.

42. (d) The requirement is to identify the best method for preventing unauthorized alteration of online records. Answer (d) is correct because users can gain access to databases from terminals only through established recognition and authorization procedures, thus unauthorized access is prevented. Answer (a) is incorrect because key verification ensures the accuracy of selected fields by requiring a second keying of them, ordinarily by another individual. Answer (b) is incorrect because sequence checks are used to ensure the completeness of input or update data by checking the use of preassigned document serial numbers. Answer (c) is incorrect because computer matching entails checking selected fields of input data with information held in a suspense master file.

43. (c) The requirement is to identify a way of eliminating thick paper manuals and reducing costs. Answer (c) is correct since a compact disc/read-only memory (CD-ROM) would be cheaper to produce and ship than the existing paper, yet would permit large volumes of text and images to be reproduced. Answer (a) is incorrect because write-once-read-many (WORM) is an optical storage technique often used as an archival medium. Answer (b) is incorrect because digital audio tape is primarily used as a backup medium in imaging systems and as a master for CD-ROM. Answer (d) is incorrect because computer-output-to-microform is used for frequent access to archived documents such as canceled checks in banking applications.

44. (c) The requirement is to identify a reason that misstatements in a batch computer system may not be detected immediately. Answer (c) is correct because batch programs are run periodically and thereby result in delays in processing; accordingly, detection of misstatements may be delayed. Answer (a) is incorrect because errors will be detected in the batch. Answer (b) is incorrect because the identification of errors in input data is typically included as a part of a batch program. Answer (d) is incorrect because a batch system will ordinarily process transactions in a uniform manner.

45. (d) The requirement is to determine which answer is not a characteristic of a batch processed computer system. Simultaneous posting to several files is most frequently related to an online real-time system, not a batch system. Answer (a) is incorrect since a batch system may process sequentially against a master file. Answer (b) is incorrect because keypunching is followed by machine processing in batch systems. Answer (c) is incorrect because the numerous batches ordinarily result in numerous printouts.

46. (b) The requirement is to identify the most likely direct output of an edit check included in an online sales order processing system. Edit checks are used to screen incoming data against established standards of validity, with data that pass all edit checks viewed as “valid” and then processed. Answer (b) is correct because an edit check will ordinarily create an output file of rejected transactions. Answer (a) is incorrect because sales invoices may not have been prepared at the point of the sales order processing and because the answer is much less complete than answer (b). Answer (c) is incorrect because while periodic printouts of user code numbers and passwords should be prepared, this is not a primary purpose of an edit check. Answer (d) is incorrect because shipping documents will not ordinarily be prepared at this point and because the answer is much less complete than answer (b).

47. (a) The requirement is to determine a control which will strengthen an online real-time cash withdrawal system. Answer (a) is correct because documentation of all situations in which the “terminal audit key” has been used will improve the audit trail. Answer (b) is incorrect because increasing the dollar amount required for use of the key will simply reduce the number of times it is used (and allow larger withdrawals to be made without any required special authorization). Answer (c) is incorrect because there is no reason to believe that a manual system will be more effective than an online system. Answer (d) is incorrect because parallel simulation, running the data through alternate software, would seem to have no particular advantage for processing these large withdrawals.

48. (a) The requirement is to identify a direct output of a sorting, editing, and updating program. Answer (a) is correct because the program will output both exceptions and control totals to determine whether all transactions have been processed properly. Answers (b), (c), and (d) are all incorrect because while a program such as this may output such schedules, this will occur after exceptions are cleared and control totals are reconciled.
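As an added illustration of items 46 and 48 (this is not code from the study module), the following Python program applies edit checks to a constructed batch of sales orders, writes the rejected transactions with their reasons, and produces the control totals an operator reconciles; the record layout, master-file contents and sample orders are all constructed for the example.

```python
# Added example (not from the study module): a batch edit program that screens
# sales orders, writes a rejected-transaction file and produces control totals.
# Record layout, master-file contents and sample orders are all constructed.
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal, InvalidOperation
import re

# Hypothetical pipe-delimited layout:
# order_no|customer_no|item_code|quantity|unit_price|order_date
SAMPLE_INPUT = """\
1001|C00042|SKU-778|5|19.99|2024-03-01
1002|C0004Z|SKU-778|2|19.99|2024-03-01
1003|C00042|SKU-913|-1|4.50|2024-03-02
1004|C00017|SKU-913|3|4.50|2024-02-30
1004|C00017|SKU-101|1|250.00|2024-03-02
1005|C00090|SKU-101|2|250.00|2024-03-03
1006|C00090|SKU-101|1|abc|2024-03-03
"""
VALID_CUSTOMERS = {"C00042", "C00017", "C00090"}  # constructed customer master
VALID_ITEMS = {"SKU-778", "SKU-913", "SKU-101"}    # constructed item master

@dataclass
class EditResult:
    accepted: list = field(default_factory=list)  # records that passed every check
    rejected: list = field(default_factory=list)  # (raw line, [reasons])
    totals: dict = field(default_factory=dict)    # control totals for the batch

def edit_record(fields, seen_order_nos):
    """Apply the edit checks to one record; an empty list means it is valid."""
    if len(fields) != 6:
        return ["field count"]
    order_no, cust, item, qty, price, odate = fields
    reasons = []
    if not order_no.isdigit():                 # format check
        reasons.append("order number not numeric")
    elif order_no in seen_order_nos:           # duplicate check
        reasons.append("duplicate order number")
    if not re.fullmatch(r"C\d{5}", cust):      # format check
        reasons.append("customer number format")
    elif cust not in VALID_CUSTOMERS:          # existence (master file) check
        reasons.append("customer not on master")
    if item not in VALID_ITEMS:                # existence (master file) check
        reasons.append("item not on master")
    if not re.fullmatch(r"-?\d+", qty):        # numeric check
        reasons.append("quantity not numeric")
    elif int(qty) <= 0:                        # sign / limit check
        reasons.append("quantity not positive")
    try:
        Decimal(price)                         # numeric check
    except InvalidOperation:
        reasons.append("unit price not numeric")
    try:
        date.fromisoformat(odate)              # validity check on the date
    except ValueError:
        reasons.append("order date invalid")
    return reasons

def run_batch_edit(text):
    """Edit the whole batch into accepted/rejected files plus control totals."""
    result, seen = EditResult(), set()
    hash_total, amount = 0, Decimal("0")
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        reasons = edit_record(fields, seen)
        if fields[0].isdigit():
            seen.add(fields[0])
            hash_total += int(fields[0])       # hash total over order numbers
        if reasons:
            result.rejected.append((line, reasons))
        else:
            result.accepted.append(fields)
            amount += int(fields[3]) * Decimal(fields[4])
    result.totals = {"input_records": len(result.accepted) + len(result.rejected),
                     "accepted": len(result.accepted),
                     "rejected": len(result.rejected),
                     "order_no_hash_total": hash_total,
                     "accepted_amount": amount}
    return result

def rejected_file_lines(result):
    """Rejected-transaction file: each bad record with its reasons, ready for
    correction and resubmission in a later batch."""
    return [f"{line}|REJECT:{';'.join(r)}" for line, r in result.rejected]

def totals_reconcile(result):
    """Batch balancing: accepted plus rejected must equal the records read."""
    t = result.totals
    return t["accepted"] + t["rejected"] == t["input_records"]

if __name__ == "__main__":
    res = run_batch_edit(SAMPLE_INPUT)
    print("\n".join(rejected_file_lines(res)))
    print(res.totals, "reconciled:", totals_reconcile(res))
```

Running the block rejects five of the seven constructed orders and reports a hash total of 7025 over the order numbers; the accepted-amount total and record counts are what the operator would compare against the batch header.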

49. (d) The requirement is to determine why the grandfather-father-son updating backup concept is relatively difficult to implement for disk files. Answer (d) is correct because updating destroys the old records. Answer (a) is incorrect because the location of information points on disks is not an extremely time consuming task if the disks have been properly organized and maintained. Answer (b) is incorrect because off-site storage through disks is possible, though costly. Answer (c) is incorrect because information need not be dumped in the form of hard copy.

50. (c) The requirement is to determine the item which converts problem-oriented language to machine language. A compiler produces a machine-language object program from a source-program (i.e., problem oriented) language. Answer (a) is incorrect because an interpreter is used to make punched cards easily readable to people. Answer (b) is incorrect because a verifier is used to test whether key punching errors exist on punched cards. Answer (d) is incorrect because a converter changes a program from one form of problem oriented language to another, related form (e.g., from one form of COBOL to another form of COBOL).

51. (d) The requirement is to determine the type of computer system characterized by more than one location and records that are updated immediately. Answer (d) is correct because online real-time systems typically allow access from multiple locations, and always have the immediate update of records. Answers (a) and (b) are incorrect because small computers often are limited to one location, and they may or may not allow immediate updating for particular applications. Answer (c) is incorrect because batch processing is a method which does not update records immediately (e.g., processing the “batch” of the firm's daily sales each evening, not at the moment they occur).

52. (a) The requirement is to identify a characteristic that distinguishes electronic data interchange (EDI) from other forms of electronic commerce. Answer (a) is correct because EDI transactions are ordinarily formatted using one of the available uniform worldwide sets of standards. Answer (b) is incorrect because, when financial statements are prepared, EDI transactions must follow generally accepted accounting principles. Answer (c) is incorrect because EDI transactions may or may not be processed using the Internet. Answer (d) is incorrect because security and privacy are considered when recording EDI transactions. See the Auditing Procedure Study Audit Implications of EDI for more information on electronic data interchange.

53. (b) The requirement is to identify the meaning of the abbreviation LAN. Answer (b) is correct because LAN is the abbreviation for local area network. A local area network is a computer network for communication between computers. For example, a local area network may connect computers, word processors and other electronic office equipment to create a communication system within an office. Answers (a), (c) and (d) are all incorrect because they are combinations of words that have no specific meaning in information technology.

54. (c) The requirement is to identify the type of computer that is designed to provide software and other applications to other computers. Answer (c) is correct because a server provides other computers (“clients”) with access to files and printers as shared resources to a computer network. Answer (a) is incorrect because a microcomputer is a small digital computer based on a microprocessor and designed to be used by one person at a time. Answer (b) is incorrect because a network computer is a low-cost personal computer for business networks that is configured with only essential equipment. Answer (d) is incorrect because a supercomputer is a mainframe computer that is one of the most powerful available at a given time.

55. (a) The requirement is to identify the item least likely to be considered a component of a computer network. Answer (a) is least likely because application program is a program that gives a computer instructions that provide the user with tools to accomplish a specific task (e.g., a word processing application). Answer (b) is incorrect because computers are an integral part of a computer network. Answer (c) is incorrect because software is required for operation of the network. Answer (d) is incorrect because routers are used to forward data within a computer network.

56. (c) The requirement is to identify the type of network used to link widely separated portions of an organization. Answer (c) is correct because a wide area network is used to span a wide geographical space to link together portions of an organization. Answer (a) is incorrect because a bulletin board is a computer that is running software that allows users to leave messages and access information of general interest. Answer (b) is incorrect because a local area network's coverage is restricted to a relatively small geographical area. Answer (d) is incorrect because the term “zero base network” has no meaning in information technology.

57. (c) The requirement is to identify a set of rules for exchanging data between two computers. Answer (c) is correct because a protocol is such a set of rules. Answer (a) is incorrect because the term “communicator” is very general and has no specific meaning in this context. Answer (b) is incorrect because while an operating system controls the execution of computer programs and may provide various services related to computers, it is not a set of rules for exchanging data. Answer (d) is incorrect because transmission speed is the speed at which computer processing occurs.

58. (d) The requirement is to identify the approach most frequently used to create a webpage. Answer (d) is correct because HTML (hypertext markup language) or XML (extensible markup language) are used to develop hypertext documents such as webpages. Answers (a), (b), and (c) are all incorrect because while such tools may be used on webpage creation, they are not as fundamentally related as are HTML or XML.

59. (b) The requirement is to identify the reply that would provide the least security for sensitive data stored on a laptop computer. Answer (b) is correct because password protection for a screensaver program can be easily bypassed. Answer (a) is incorrect because data encryption provides adequate security for laptop computers. Answer (c) is incorrect because removable hard drives would provide adequate security. Answer (d) is incorrect because security is promoted by physically locking the laptop computer to an immovable object.

60. (c) The requirement is to identify the most likely procedure to be included in the high-level systems design phase of a computer system that will handle customer orders and process customer payments. Answer (c) is correct because the determination of what type of system to obtain is made during the high-level design phase. Answer (a) is incorrect because the effect of the new system would be part of the feasibility study. Answer (b) is incorrect because the file layouts are part of the detailed design phase. Answer (d) is incorrect because formal approval is made during the request for the systems design phase.

61. (b) The requirement is to identify the risk being controlled when a company using EDI makes it a practice to track the functional acknowledgments from trading partners. Answer (b) is correct because tracking of customers' functional acknowledgments, when required, will help to ensure successful transmission of EDI transactions. Answer (a) is incorrect because to address this issue, unauthorized access to the EDI system should be prevented, procedures should be in place to ensure the effective use of passwords, and data integrity and privacy should be maintained through the use of encryption and authentication measures. Answer (c) is incorrect because contractual agreements should exist between the company and the EDI trading partners. Answer (d) is incorrect because the risk that EDI data may not be completely and accurately processed is primarily controlled by the system.

62. (c) The requirement is to identify the best control to assure that data uploaded from a microcomputer to the company's mainframe system in batch processing is properly handled. Answer (c) is correct because this could help prevent data errors. Answer (a) is incorrect because while this practice is a wise control, it does not address the issue of upload-data integrity. Backups cannot prevent or detect data-upload problems, but can only help correct data errors that a poor upload caused. Answer (b) is incorrect because this control may be somewhat helpful in preventing fraud in data uploads, but it is of little use in preventing errors. Answer (d) is incorrect because this control is detective in nature, but the error could have already caused erroneous reports and management decisions. Having users try to find errors in uploaded data would be costly.

63. (b) The requirement is to identify the most likely indication that a computer virus is present. Answer (b) is correct because unexplainable losses of or changes to data files are symptomatic of a virus attack. Answer (a) is incorrect because power surges are symptomatic of hardware or environmental (power supply) problems. Answer (c) is incorrect because inadequate backup, recovery, and contingency plans are symptomatic of operating policy and/or compliance problems. Answer (d) is incorrect because copyright violations are symptomatic of operating policy and/or compliance problems.

64. (c) The requirement is to identify the operating procedure most likely to increase an organization's exposure to computer viruses. Answer (c) is correct because there is a risk that downloaded public-domain software may be contaminated with a virus. Answers (a) and (b) are incorrect because viruses are spread through the distribution of computer programs. Answer (d) is incorrect because original copies of purchased software should be virus-free and cannot legally be shared.

65. (b) The requirement is to identify the risk that increases when an EFT system is used. Answer (b) is correct because unauthorized access is a risk which is higher in an EFT environment. Answers (a), (c), and (d) are all incorrect because this is a risk which is common to each IT environment.

66. (c) The requirement is to identify the statement that is correct concerning message encryption software. Answer (c) is correct because the machine instructions necessary to encrypt and decrypt data constitute system overhead, which means that processing may be slowed down. Answer (a) is incorrect because no encryption approach absolutely guarantees the secrecy of data in transmission, although some approaches are far harder to break than others. Answer (b) is incorrect because keys may be distributed manually, but they may also be distributed electronically via secure key transporters. Answer (d) is incorrect because using encryption software does not reduce the need for periodic password changes, because passwords remain the typical means of validating users' access to the decrypted data.

67. (a) The requirement is to identify the method to prevent data eavesdropping. Answer (a) is correct because data encryption renders intercepted transmissions unintelligible to anyone who does not hold the key, which is what defeats electronic eavesdropping; note that protection against undetected tampering is a separate integrity property, provided by a message authentication code or digital signature rather than by encryption alone. Answer (b) is incorrect because dial back systems ensure that data are received from a valid source. Answer (c) is incorrect because message acknowledgment procedures help ensure that data were received by the intended party. Answer (d) is incorrect because password codes are designed to prevent unauthorized access to terminals or systems.

68. (b) The requirement is to identify a likely benefit of EDI. Answer (b) is correct because improved business relationships with trading partners is a benefit of EDI. Answer (a) is incorrect because EDI transmits document data, not the actual document. Answer (c) is incorrect because liability issues related to protection of proprietary business data are a major legal implication of EDI. Answer (d) is incorrect because EDI backup and contingency planning requirements are not diminished.

69. (a) The requirement is to identify the least likely part of a company's policy on electronic mail. Answer (a) is correct because the company should have access to the business-related e-mail that is left behind. Access to e-mail can also be critical in business or possible criminal investigations. The privacy concerns of the individual must be weighed against compelling business interests: the need to follow up on business e-mail and to assist in investigations. Answer (b) is incorrect because encryption helps prevent eavesdropping by unauthorized persons trying to compromise e-mail messages. Answer (c) is incorrect because limiting the number of packages would decrease the number of administrators who might have access to all messages. Answer (d) is incorrect because controlling the transmission of confidential information by e-mail will help avoid theft of information through intrusion by outsiders.

70. (c) The requirement is to identify the most likely risk relating to end-user computing as compared to a mainframe computer system. Answer (c) is correct because this risk is considered unique to end-user computing (EUC) system development. Answer (a) is incorrect because this risk relates to both traditional information systems and end-user computing (EUC) environments. Answer (b) is incorrect because this risk relates to both traditional information systems and end-user computing (EUC) environments. Answer (d) is incorrect because this risk relates to all computing environments.

71. (c) The requirement is to identify the risk that is not greater in an EFT environment as compared to a manual system using paper transactions. Answer (c) is correct because per transaction costs are lower with electronic funds transfer. Answer (a) is incorrect because this is a major risk factor inherent to electronic funds transfer (EFT). Answer (b) is incorrect because this is another inherent risk factor. Answer (d) is incorrect because this is a critical risk factor.

72. (c) The requirement is to identify the reply that is not a method to minimize the risk of installation of unlicensed microcomputer software. Answer (c) is correct because this technique will not affect introduction of unlicensed software. Answer (a) is incorrect because this technique works. Answer (b) is incorrect because such audits are a must to test the other controls that should be in place. Answer (d) is incorrect because the basis for all good controls is a written policy.

73. (a) The requirement is to determine whose responsibility it is to back up software and data files in distributed or cooperative systems. Answer (a) is correct because in distributed or cooperative systems, the responsibility for ensuring that adequate backups are taken is the responsibility of user management because the systems are under the control of users. Answer (b) is incorrect because in distributed environments, there will be no systems programmers comparable to those at central sites for traditional systems. Answer (c) is incorrect because in distributed environments, there may be no data entry clerks because users are typically performing their own data entry. Answer (d) is incorrect because in distributed environments, there are no tape librarians.

74. (b) The requirement is to identify the least likely way that a client's data will be input. Answer (b) is correct because the term “dynamic linking character reader” is a combination of terms that has no real meaning. The other three terms all represent methods of data input.

75. (d) The requirement is to identify what end-user computing is an example of. Answer (d) is correct because end-user computing involves individual users performing the development and execution of computer applications in a decentralized manner. Answer (a) is incorrect because client/server processing involves a networked model, rather than an end-user approach. Answer (b) is incorrect because a distributed system involves networked computers processing transactions for a single (or related) database. Answer (c) is incorrect because using sophisticated techniques from statistics, artificial intelligence, and computer graphics to explain, confirm, and explore relationships among data may be performed in many environments.

76. (c) The requirement is to identify the type of computer that end-user computing is most likely to occur on. Answer (c) is correct because end-user computing involves individual users performing the development and execution of computer applications in a decentralized manner and these individuals are most likely to be using personal computers. Answers (a) and (b) are incorrect because they represent computers less frequently used by end users. Answer (d) is incorrect because “personal reference assistants” is a term not used in information technology.

77. (a) The requirement is to identify the correct statement regarding the Internet as a commercially viable network. Answer (a) is correct because companies that wish to maintain adequate security must use firewalls to protect data from being accessed by unauthorized users. Answer (b) is incorrect because anyone can establish a homepage on the Internet without obtaining permission. Answer (c) is incorrect because there are no such security standards for connecting to the Internet.

78. (d) The requirement is to identify a method of reducing security exposure when transmitting proprietary data over communication lines. Answer (d) is correct because cryptographic devices protect data in transmission over communication lines. Answer (a) is incorrect because asynchronous modems handle data streams from peripheral devices to a central processor. Answer (b) is incorrect because authentication techniques confirm that valid users have access to the system. Answer (c) is incorrect because callback procedures are used to ensure incoming calls are from authorized locations.

79. (a) The requirement is to identify the reply which is not a reason that securing client/server systems is a complex task. Answer (a) is correct because client/server implementation does not necessarily use relational databases. Answers (b), (c), and (d) are all incorrect because the number of access points, concurrent operation by multiple users, and widespread data access and update capabilities make securing such systems complex.

80. (c) The requirement is to identify what an auditor would ordinarily consider the greatest risk regarding an entity's use of electronic data interchange (EDI). Answer (c) is correct because an EDI system must include controls to make certain that EDI transactions are processed by the proper entity, using the proper accounts. Answers (a) and (b) are incorrect because authorization of EDI transactions and duplication of EDI transmissions ordinarily pose no greater risk than for other systems. Answer (d) is incorrect because the elimination of paper documents in and of itself does not propose a great risk.

81. (d) The requirement is to identify the characteristic that distinguishes electronic data interchange (EDI) from other forms of electronic commerce. Answer (d) is correct because standards for EDI transactions, within any one group of trading partners, have been agreed upon so as to allow the system to function efficiently. Answer (a) is incorrect because the cost of EDI transaction using a VAN will often exceed the cost of using the Internet. Answer (b) is incorrect because software maintenance contracts are often necessary. Answer (c) is incorrect because EDI commerce involves legally binding contracts between trading partners.

82. (c) The requirement is to identify a component of a local area network. Answer (c) is correct because a local area network requires that data be transmitted from one computer to another through some form of transmission media. Answers (a), (b), and (d) are all general replies that are not requirements of a local area network.

83. (c) The requirement is to identify an additional cost of transmitting business transactions by means of electronic data interchange (EDI) rather than in a traditional paper environment. Answer (c) is correct because such transactions must be translated to allow transmission. Answer (a) is incorrect because no particular controls are required for redundant data checks under EDI as compared to a traditional paper environment. Answer (b) is incorrect because there need be no increase in random data entry errors under EDI. Answer (d) is incorrect because since computer controls are ordinarily heavily relied upon under EDI, often fewer supervisory personnel are needed.

84. (a) The requirement is to identify an advantage of using the Internet for electronic commerce EDI transactions as compared to a value-added network (VAN). Answer (a) is correct because such simultaneous processing of transactions is more likely under an Internet system in which lines are often available at a fixed or nearly fixed rate. Answer (b) is incorrect because the Internet itself will not automatically prepare such batches. Answer (c) is incorrect because an Internet system will not ordinarily have superior characteristics regarding disaster recovery. Answer (d) is incorrect because translation software is needed both for Internet and VAN systems.

85. (b) The requirement is to identify the statement which does not represent an exposure involved with electronic data interchange (EDI) systems. Answer (b) is correct because EDI ordinarily decreases transaction processing time; it does not delay transaction processing time. Answer (a) is incorrect because increased reliance upon both one's own computers and those of other parties are involved in EDI. Answer (c) is incorrect because involvement with other parties in EDI systems may result in the loss of confidentiality of information. Answer (d) is incorrect because EDI systems involve third parties such as customers, suppliers, and those involved with the computer network, and accordingly result in increased reliance upon their proper performance of their functions.

86. (b) The requirement is to identify the correct statement concerning internal control when a client uses an electronic data interchange system for processing its sales. Answer (b) is correct because encryption controls are designed to assure that messages are unreadable to unauthorized persons and to thereby control the transactions. Answer (a) is incorrect because suppliers are not ordinarily included in a company's sales controls and because even in a purchasing EDI system all suppliers need not be included. Answer (c) is incorrect because a value-added-network that provides network services may or may not be used in an EDI system. Answer (d) is incorrect because “paper” versions of transactions typically disappear in an EDI system.

87. (d) The requirement is to identify the statement that represents a disadvantage for an entity that keeps microcomputer-prepared data files rather than manually prepared files. Answer (d) is correct because persons with computer skills may be able to improperly access and alter microcomputer files. When a system is prepared manually such manipulations may be more obvious. Answer (a) is incorrect because random error is more closely associated with manual processing than with computer processing. Answer (b) is incorrect because comparing recorded accountability with the physical count of assets should not be affected by whether a manual or a microcomputer system is being used. Answer (c) is incorrect because the accuracy of the programming process is not generally tested when microcomputers are used.

88. (a) The requirement is to identify a benefit of transmitting transactions in an electronic data interchange (EDI) environment. Answer (a) is correct because the speed at which transactions can occur and be processed electronically results in lower year-end receivables since payments occur so quickly. Answer (b) is incorrect because an EDI environment requires many controls related to sales and collections. Answer (c) is incorrect because sampling may or may not be used in such circumstances. Answer (d) is incorrect because third-party service providers are often involved in such transactions—accordingly they are relied upon. See Auditing Procedure Study Audit Implications of EDI for information on electronic data interchange systems.

89. (c) The requirement is to identify the network node that is used to improve network traffic and to set up as a boundary that prevents traffic from one segment to cross over to another. Answer (c) is correct because a firewall is a device or program that filters traffic between one network (inside the firewall) and another network (outside the firewall) according to a rule set, so that traffic from a segment that could pose a threat is blocked from crossing into the protected segment. Answer (a) is incorrect because a router forwards packets toward their destination by selecting a path; it is not, by itself, a traffic boundary. Answer (b) is incorrect because a gateway is a communications interface device that allows a local area network to be connected to external networks and to communicate with external computers and databases. Answer (d) is incorrect because a heuristic is a simplified rule to help an individual make decisions.

90. (a) The requirement is to identify the best example of how specific controls in a database environment may differ from controls in a nondatabase environment. Answer (a) is correct because a primary control within a database environment is to appropriately control access and updating by the many users; in most nondatabase environments there are ordinarily far fewer users who are able to directly access and update data. Answer (b) is incorrect because controls over data sharing differ among users for both database and nondatabase environments. Answer (c) is incorrect because under both database and nondatabase systems, the programmer should debug the program. Answer (d) is incorrect because controls can verify that authorized transactions are processed under either a database or nondatabase environment.

91. (b) The requirement is to identify an effective audit approach in an EDI environment in which documentation of transactions will be retained for only a short period of time. Answer (b) is correct because performing tests throughout the year will allow the auditor to examine transaction documentation before the transactions are destroyed. Answer (a) is incorrect because if documentation relating to the transactions is not maintained, it will be impossible to perform such cutoff tests. Answer (c) is incorrect because such a situation need not lead to a 100% count of inventory at or near year-end. Answer (d) is incorrect because an increase in the assessed level of control risk rather than a decrease is more likely.

92. (d) The requirement is to identify the encryption feature that can be used to authenticate the originator of a document and to ensure that the message is intact and has not been tampered with. Answer (d) is correct because digital signatures are used in electronic commerce to authenticate the originator and to ensure that the message has not been tampered with: the originator computes a hash of the message and transforms it with a private key that only the originator holds, and the recipient reverses the transformation with the matching public key and compares the result with a freshly computed hash; a mismatch means either that the content changed or that a different key signed it. Answers (a), (b), and (c) are all incorrect because they do not directly deal with such authentication.
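The hash-and-sign mechanism behind answer 92, as an added example that is not part of the original text. It uses textbook RSA built from fixed Mersenne primes so the run is reproducible; the purchase-order message is constructed. Real systems use a vetted library with PKCS#1 v1.5 or PSS padding rather than raw RSA over a bare hash as shown here.

```python
"""Hash-and-sign digital signature, illustrated with textbook RSA.

Added example, not from the page.  The key is built from fixed Mersenne
primes so the run is reproducible; production code uses a vetted library
(PKCS#1 v1.5 or PSS padding), never raw RSA over a bare hash as here."""
import hashlib

def make_keypair(p, q, e=65537):
    """Return ((e, n), (d, n)) for distinct primes p, q with gcd(e, phi) == 1."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse (Python 3.8+)
    return (e, n), (d, n)

# Signer's key: p = 2^521 - 1, q = 2^127 - 1 (both Mersenne primes).  n is
# about 648 bits, comfortably larger than the 256-bit SHA-256 digest signed.
PUBLIC, PRIVATE = make_keypair((1 << 521) - 1, (1 << 127) - 1)

def digest_int(message):
    """SHA-256 of the message as an integer below n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message, private_key=PRIVATE):
    """Originator: hash the message, then apply the private exponent."""
    d, n = private_key
    return pow(digest_int(message), d, n)

def verify(message, signature, public_key=PUBLIC):
    """Recipient: undo with the public exponent and compare to a fresh hash.
    False means the content changed or a different key produced the signature."""
    e, n = public_key
    return pow(signature, e, n) == digest_int(message)

if __name__ == "__main__":
    order = b"PO 4471: 500 units @ 12.00"          # constructed message
    sig = sign(order)
    print("genuine        ", verify(order, sig))                           # True
    print("tampered       ", verify(b"PO 4471: 500 units @ 1.00", sig))   # False
    # An impostor with a different key (2^607 - 1 and 2^89 - 1, also Mersenne
    # primes) cannot produce a signature that checks under the real public key.
    _, other_private = make_keypair((1 << 607) - 1, (1 << 89) - 1)
    print("impostor's key ", verify(order, sign(order, other_private)))     # False
```

The two failing cases are exactly the two properties the answer names: the tampered order fails because the hash no longer matches, and the impostor's signature fails because it was made with a key other than the originator's.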

93. (a) The requirement is to identify the process used in building an electronic data interchange (EDI) system to determine that elements in the entity's computer system correspond to the standard data elements. Answer (a) is correct because mapping, or “data mapping,” is the process of selecting the appropriate data fields from the various application databases and passing them to the EDI translation software. Answer (b) is incorrect because translation involves the actual modification of the data into a standard format that is used by the EDI system. Answer (c) is incorrect because encryption is a technique for protecting information within a computer system in which an algorithm transforms the data to render it unintelligible; the process can be reversed to regenerate the original data for further processing. Answer (d) is incorrect because decoding is the process of making data intelligible. See the Auditing Procedure Study Audit Implications of EDI for more information on electronic data interchange.

94. (a) The requirement is to identify the password that would be most difficult to crack. A password is a secret series of characters that enables a user to access a file, computer, or program; ideally, the password should be something nobody could guess. Answer (a) is correct because OrCA!FlSi mixes upper-case and lower-case letters with a symbol and is not a dictionary word, so it cannot be guessed from a word list and is unlikely to be recalled if seen briefly; the larger character set also enlarges the space an exhaustive attacker must search. Answers (b), (c), and (d) are all incorrect because they represent passwords that would be easier to identify.

95. (a) The requirement is to determine which reply represents a password security problem. A password is a secret series of characters that enables a user to access a file, computer, or program; ideally the password should be something that nobody could guess. Answer (a) is correct because individuals have a tendency to not change passwords, and over time, others may be able to identify them. (Current guidance such as NIST SP 800-63B favors changing a password promptly when compromise is suspected, and screening new passwords against breached-password lists, over forced rotation on a fixed schedule, but an unchanged password that others have had a chance to learn is a problem under either view.) Answer (b) is incorrect because using different passwords for different accounts on several systems represents a control (assuming the user can remember them); reusing one password across systems would expose every account if any one of them were compromised. Answer (c) is incorrect because copying of passwords to a secure location (e.g., a wallet) does not ordinarily represent a security problem. Answer (d) is incorrect because passwords should be kept secret and not listed in an online dictionary.
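The reasoning in answers 94 and 95 made concrete, as an added example that is not part of the original text: a brute-force keyspace estimate that shows why OrCA!FlSi outranks a plain word, plus the checks a reviewer would add for dictionary words and reuse. The COMMON set is a constructed stand-in for a breached-password corpus.

```python
"""Rank candidate passwords by brute-force keyspace and flag policy problems.

Added example, not from the page.  COMMON is a constructed stand-in for a
breached-password list; real deployments check against a full corpus."""
import math
import string

COMMON = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# (character class, number of symbols an attacker must try for that class)
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),   # 32 printable symbols
)

def keyspace_bits(password):
    """log2 of the search space an exhaustive attacker faces, assuming it
    knows only the length and which character classes are present."""
    alphabet = sum(size for chars, size in CLASSES
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def assess(password, previous=(), min_bits=50):
    """Return the problems a reviewer would raise for this password.

    previous: passwords already used on other accounts or earlier on this one
              (answer 95: reuse and never changing are the problems).
    """
    issues = []
    if password.lower() in COMMON:
        issues.append("appears in common-password list")
    if password in previous:
        issues.append("reused from another account or an earlier password")
    if keyspace_bits(password) < min_bits:
        issues.append("brute-force keyspace below policy minimum")
    return issues

if __name__ == "__main__":
    for pw in ("OrCA!FlSi", "password", "Welcome1", "1234567890"):
        print(f"{pw:14s} {keyspace_bits(pw):5.1f} bits  {assess(pw)}")
```

The keyspace figure is an upper bound on attacker effort: a password drawn from a word list or a predictable pattern ("Welcome1") falls to a dictionary attack long before an exhaustive search, which is why the dictionary check runs independently of the bit count.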

96. (c) The requirement is to distinguish between the Web 2.0 applications. Answer (c) is correct because RSS feeds (and Atom feeds) are XML applications that are designed specifically for sharing and syndication of web content. The acronym RSS refers to Really Simple Syndication. (Atom feeds are similar to RSS feeds.) Answer (a) is incorrect because a wiki is a collaboratively-developed information sharing website. Answer (b) is incorrect because a blog is a website of dated entries posted by its author or authors, typically with reader comments. Answer (d) is incorrect because Twitter is similar to a blog but restricts each entry to a short fixed length (140 characters at the time this question was written, later raised to 280).

97. (b) The requirement is to identify the item that is not a COBIT 5 principle. Answer (b) is correct because business processes is not one of the five principles of COBIT 5. The five principles include: (1) Meeting stakeholder needs, (2) Covering the enterprise end-to-end, (3) Applying a single integrated framework, (4) Enabling a holistic approach, and (5) Separating governance from management.

98. (c) The requirement is to identify the organization that developed the COBIT framework. Answer (c) is correct because the COBIT framework was created by the Information Systems Audit and Control Association (ISACA).

99. (b) The requirement is to identify the most likely procedure to be included in a computer disaster recovery plan. Answer (b) is correct because duplicate copies of critical files will allow an entity to reconstruct the data whose original files have been lost or damaged. Answer (a) is incorrect because an auxiliary power supply will provide uninterrupted electricity to avoid the need for a recovery since it may reduce the likelihood of such a disaster. Answer (c) is incorrect because simply maintaining passwords will not allow the entity to reconstruct data after a disaster has occurred. Answer (d) is incorrect because while cryptography will enhance the security of files from unintended uses, it is not a primary method to recover from a computer disaster.

100. (d) The requirement is to identify the type of backup site a company would most likely consider when there is concern about a power outage and desires for a fully configured and ready to operate system. Answer (d) is correct because a hot site is a site that is already configured to meet a user's requirements. Answer (a) is incorrect because a cold site is a facility that provides everything necessary to quickly install computer equipment but doesn't have the computers installed. Answers (b) and (c) are incorrect because they represent terms not frequently used in such circumstances.

101. (d) The requirement is to identify the procedure an entity would most likely include in its disaster recovery plan. Answer (d) is correct because storing duplicate copies of files in a different location will allow recovery of contaminated original files. Answer (a) is incorrect because converting all data from EDI format to an internal company format is ordinarily inefficient, and not a disaster recovery plan. Answer (b) is incorrect because a Trojan horse program (one which masquerades as a benign application but actually causes damage) ordinarily causes illicit activity; it does not prevent illicit activity. Answer (c) is incorrect because an auxiliary power supply is meant to prevent disaster, not recover from disaster.

102. (b) The requirement is to determine whether almost all commercially marketed software is copyrighted, copy protected, or both. Answer (b) is correct because while almost all such software is copyrighted, much of it is not copy protected. Answer (a) is incorrect because it suggests that almost all such software is copy protected. Answer (c) is incorrect both because it suggests that such software is not copyrighted and that it is copy protected. Answer (d) is incorrect because it suggests that such software is not copyrighted.

103. (c) The requirement is to identify a widely used disaster recovery approach. Answer (c) is correct because regular backups (copying) of data allows recovery when original records are damaged. Answer (a) is incorrect because encryption is used with a goal of making files impossible to read by those other than the intended users. Answer (b) is incorrect because firewalls are designed to control any possible inappropriate communication between computers within one system and those on the outside. Answer (d) is incorrect because surge protectors are electrical devices inserted in a power line to protect equipment from sudden fluctuations in current, and thereby prevent disasters, not recover from them.

104. (a) The requirement is to identify what a “hot site” is most frequently associated with. Answer (a) is correct because a hot site is a commercial disaster recovery service that allows a business to continue computer operations in the event of computer disaster. For example, if a company's data processing center becomes inoperable, that enterprise can move all processing to a hot site that has all the equipment needed to continue operation. Answer (b) is incorrect because a hot site is not frequently associated with online relational database design. Answer (c) is incorrect because source programs (programs written in a language from which statements are translated into machine language) are not directly related to a hot site. Answer (d) is incorrect because when used in information technology, the term hot site is not directly related to temperature control for computers.

105. (b) The requirement is to determine which reply is not a typical output control. Answer (b) is correct because matching the input data with information held on master or suspense files is a processing control, not an output control, to ensure that data are complete and accurate during updating. Answer (a) is incorrect because a review of the computer processing logs is an output control to ensure that data are accurate and complete. Answer (c) is incorrect because periodic reconciliation of output reports is an output control to ensure that data are accurate and complete. Answer (d) is incorrect because maintaining formal procedures and documentation specifying authorized recipients is an output control to ensure proper distribution.

106. (c) The requirement is to identify the best way to minimize the likelihood of unauthorized editing of production programs, job control language, and operating system software. Answer (c) is correct because program change control comprises: (1) maintaining records of change authorizations, code changes, and test results; (2) adhering to a systems development methodology (including documentation); (3) authorizing changeovers of subsidiary and headquarters' interfaces; and (4) restricting access to authorized source and executable codes. Answer (a) is incorrect because the purpose of database reviews is to determine if (1) users have gained access to database areas for which they have no authorization; and (2) authorized users can access the database using programs that provide them with unauthorized privileges to view and/or change information. Answer (b) is incorrect because the purpose of compliance reviews is to determine whether an organization has complied with applicable internal and external procedures and regulations. Answer (d) is incorrect because the purpose of network security software is to provide logical controls over the network.

107. (d) The requirement is to determine the most likely actions relating to mainframe applications when a company decides to launch a downsizing project. Answer (d) is correct because mainframe applications represent a significant investment and may still provide adequate service. The fact that mainframes can provide a stable platform for enterprise applications may be an advantage while exploring other nonmainframe options. Answer (a) is incorrect because the costs of converting mainframe applications to a microcomputer network and retraining the personnel who would rewrite and maintain them preclude any rapid transition. Answer (b) is incorrect because general ledger programs that aggregate business data on a regular basis will be among the last to be converted. Answer (c) is incorrect because incremental modifications may have high paybacks.

108. (a) The requirement is to identify the greatest concern relating to a client's sale of used microcomputers when that corporation receives the majority of its revenue from top-secret military contracts with the government. Answer (a) is correct because while most delete programs erase file pointers, they do not remove the underlying data. The company must use utilities that actually overwrite the data, or better, sanitize the drives before disposal (on solid-state drives overwriting is unreliable because of wear levelling, so cryptographic erase or physical destruction of the media, as described in NIST SP 800-88, is the dependable choice); this is especially important because of the potential for top-secret data on the microcomputers. This risk is the largest because it could cause them to lose military contract business. Answer (b) is incorrect because while it could create a liability for the company if a virus destroyed the purchasing party's data or programs, the purchasing party should use antiviral software to detect and eliminate any viruses. This concern, while important, is not as serious as the one in answer (a). Answer (c) is incorrect because the purchasing party has a responsibility to ensure that all their software is properly licensed. If the company represented that all the software was properly licensed, this could create a liability. However, this liability is not as serious as the implication from answer (a). Answer (d) is incorrect because terminal emulation software is widely available.
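The "delete only removes the pointers" point from answer 108, as an added example that is not part of the original text: an overwrite-before-unlink routine with the limits spelled out in its comments. The file content is constructed; the function and its name are this example's own, not a standard utility.

```python
"""Overwrite a file's contents before unlinking it.

Added example, not from the page.  It shows the point made in the answer:
os.remove() only drops the directory entry, so the blocks must be
overwritten first.  Even this is only a best effort: journaling and
copy-on-write file systems, SSD wear levelling, snapshots and backups can
all retain the old blocks, which is why NIST SP 800-88 prefers
cryptographic erase or physical destruction for sensitive media."""
import os
import secrets
import tempfile

def overwrite_and_remove(path, passes=1, chunk=1 << 16):
    """Replace every byte of the file with random data, force it to disk,
    then unlink.  Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:          # r+b: overwrite in place, never truncate
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())          # push the new blocks past the OS cache
    os.remove(path)
    return size

def demo():
    """Create a throwaway file with constructed 'sensitive' content and wipe it.
    Returns (existed before, exists after, whole file was overwritten)."""
    content = b"CONTRACT 7-ALPHA: classified delivery schedule\n" * 100
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    before = os.path.exists(path)
    wiped = overwrite_and_remove(path, passes=2)
    return before, os.path.exists(path), wiped == len(content)

if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

Opening with "r+b" rather than "wb" matters: truncating first would free the old blocks without touching them, which is the very failure the answer warns about. The fsync is what guarantees the random bytes reach the device before the unlink; without it a crash could leave the original data in place.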

109. (b) The requirement is to identify a reason to use bar codes rather than other means of identifying information on parts. Answer (b) is correct because a reason to use bar codes rather than other means of identification is to record the movement of parts with minimal labor costs. Answer (a) is incorrect because the movement of parts can escape being recorded with any identification method. Answer (c) is incorrect because each vendor has its own part-numbering scheme, which is unlikely to correspond to the buyer's scheme. Answer (d) is incorrect because each vendor has its own identification method, although vendors in the same industry often cooperate to minimize the number of bar code systems they use.

110. (b) The requirement is to identify the function that ensures that changes in processing programs have a minimal impact on processing and result in minimal risk to the system. Answer (b) is correct because change control is the process of authorizing, developing, testing, and installing coded changes so as to minimize the impact on processing and the risk to the system. Answer (a) is incorrect because security administration is not as directly applicable to program changes as change control is. Answer (c) is incorrect because problem tracking is the process of collecting operational data about processes so that they can be analyzed for corrective action. Answer (d) is incorrect because problem-escalation procedures are a means of categorizing problems or unusual circumstances so that the least skilled person able to resolve them can address them, with harder cases passed upward.

111. (b) The requirement is to identify the approach(es) that may reduce an organization's risk of civil lawsuit due to the use of pirated software. Answer (b) is correct because: (I) Maintaining a log protects an organization since a log documents software purchases. (II) Auditing individual computers will discourage illegal software usage. (III) Establishing a corporate software policy will discourage illegal software usage. (IV) Allowing users to keep original diskettes increases both the likelihood of illegal copies being made and the loss of diskettes. Answers (a), (c), and (d) are all incorrect.

112. (a) The requirement is to identify a benefit of good recovery planning. Answer (a) is correct because an essential component of a disaster recovery plan is that the need for backup/restart has been anticipated and provided for in the application systems. Answer (b) is incorrect because change control procedures should not be bypassed by operating personnel, but that is not generally a consideration in disaster recovery planning. Answer (c) is incorrect because planned changes in equipment capacities should be compatible with projected workloads, but that is not generally a consideration in disaster recovery planning. Answer (d) is incorrect because service level agreements with owners of critical applications should be adequate, but that is not generally a consideration in disaster recovery planning.

113. (d) The requirement is to identify the biggest risk in not having an adequately staffed information center help desk. Answer (d) is correct because not having such a help desk may lead to a situation in which users will unknowingly persist in making errors in their interaction with the information systems. Answer (a) is incorrect because application audits should be about the same difficulty with or without an adequately staffed help desk. Answer (b) is incorrect because the preparation of documentation is a development function, not a help desk function. Answer (c) is incorrect because the likelihood of use of unauthorized program code is a function of change control, not of a help desk.

114. (c) The requirement is to determine how a database administrator should ensure that the database system properly controls access to accounting database files. Answer (c) is correct because one security feature in database systems is their ability to let the database administrator restrict access on a logical view basis for each user. Answer (a) is incorrect because if the only access permitted is read-only, then there could be no updating of database files. Answer (b) is incorrect because permitting catalog updating from privileged software would be a breach of security, which might permit unauthorized access. Answer (d) is incorrect because updating of users' access profiles should be a function of a security officer, not the user.

115. (b) The requirement is to identify a major auditor concern when a client processes sales transactions on the Internet. Answer (b) is correct because computer disruptions may result in the incorrect recording of sales. Answer (a) is incorrect because electronic sales invoices may replace sales invoice documents in such an environment. Answer (c) is incorrect because there may or may not be a need to establish an integrated test facility in such circumstances. Answer (d) is incorrect because the frequency of archiving and data retention is not as important as is ensuring that such policies appropriately control system backup.

116. (a) The requirement is to identify the correct statement concerning internal control in an electronic data interchange (EDI) system. Answer (a) is correct because preventive controls are important and often cost-effective in an EDI environment so as to not allow the error to occur, and because detective controls may detect misstatements too late to allow proper correction. Answer (b) is incorrect because the control objectives under EDI systems generally remain the same as for other information systems. Answer (c) is incorrect because a well-controlled EDI system may allow control risk to be assessed below the maximum. Answer (d) is incorrect because the programmed nature of most EDI controls limits the possible segregation of duties within the system. See Auditing Procedure Study Audit Implications of EDI for information on electronic data interchange systems.

117. (b) The requirement is to identify the correct statement relating to the security of messages in an electronic data interchange (EDI) system. Answer (b) is correct because both the physical security of the hardware and the hardware itself create a situation in which the encryption is ordinarily more secure than encryption performed by software. Answer (a) is incorrect because message authentication deals with whether the message received is the same as that sent, and not as directly with confidentiality. Answer (c) is incorrect because message authentication deals most directly with whether changes have been made in the message sent, and not with the variety of other potential problems addressed by segregation of duties. Answer (d) is incorrect because security is necessary at the transaction phase in EDI systems. See Auditing Procedure Study Audit Implications of EDI for information on electronic data interchange systems.

118. (c) The requirement is to identify an essential element of the audit trail in an electronic data interchange (EDI) system. Answer (c) is correct because effective audit trails need to include activity logs, including processed and failed transactions, network and sender/recipient acknowledgments, and time sequence of processing. Answer (a) is incorrect because disaster recovery plans, while essential to the overall system, are not an essential element of the audit trail. Answer (b) is incorrect because encrypted hash totals deal less directly with the audit trail than do activity logs. Answer (d) is incorrect because hardware security modules that store sensitive data do not deal directly with the audit trail. See Auditing Procedure Study Audit Implications of EDI for information on electronic data interchange systems.

119. (a) The requirement is to identify an essential element of the audit trail in an electronic data interchange (EDI) system. Answer (a) is correct because effective audit trails need to include activity logs, including processed and failed transactions, network and sender/recipient acknowledgments, and time sequence of processing. Answer (b) is incorrect because neither message directories nor header segments directly affect the audit trail. Answer (c) is incorrect because contingency and disaster recovery plans, while important, are not as directly related to the audit trail as are the acknowledgments suggested in answer (a). Answer (d) is incorrect because while knowing trading partner security and mailbox codes is essential, it is more closely related to overall security than is answer (a). See Auditing Procedure Study Audit Implications of EDI for information on electronic data interchange systems.

120. (b) The requirement is to identify the type of control that involves adding an extra number at the end of an account number and subjecting the new number to an algorithm. Answer (b) is correct because a check digit is an extra reference number that follows an identification code and bears a mathematical relationship to the other digits. Answer (a) is incorrect because optical character recognition involves a computer being able to “read in” printed data. Answer (c) is incorrect because a dependency check involves some form of check between differing related pieces of data. Answer (d) is incorrect because a format check involves determining whether the proper type of data has been input or processed (e.g., numerical data input under account withdrawal amount).

121. (d) The requirement is to identify the best control for preventing someone with sufficient technical skill from circumventing security procedures and making changes to production programs. Answer (d) is correct because a suitable segregation of duties will make such alteration impossible since when duties are separated, users cannot obtain the detailed knowledge of programs and computer operators cannot gain unsupervised access to production programs. Answers (a), (b), and (c) are all incorrect because the reviews of jobs processed, comparing programs with copies, and running test data will all potentially disclose such alteration, but will not prevent it.

122. (c) The requirement is to identify the best method of keeping computer program libraries secure. Answer (c) is correct because restricting physical and logical access secures program libraries from unauthorized use in person or remotely via terminals. Answers (a) and (b) are incorrect because installing a logging system for program access or monitoring physical access would permit detection of unauthorized access but would not prevent it. Answer (d) is incorrect because denying all remote access via terminals would likely be inefficient and would not secure program libraries against physical access.

123. (d) The requirement is to identify the security control that would best prevent unauthorized access to sensitive data through an unattended data terminal directly connected to a mainframe. Answer (d) is correct because automatic log-off of inactive users may prevent the viewing of sensitive data on an unattended data terminal. Answer (a) is incorrect because data terminals do not normally use screen-saver protection, and because a screen saver would not prevent access. Answer (b) is incorrect because scripting is the use of a program to automate a process such as startup. Answer (c) is incorrect because encryption of data files will not prevent viewing of data on an unattended data terminal.

124. (d) The requirement is to identify the reply that most likely represents a hash total. A hash total is a control total where the total is meaningless for financial purposes, but has some meaning for processing purposes. Answer (d) is correct because 810 represents the sum of the invoice numbers. Answer (a) is incorrect because it appears to be an accumulation of all letters, plus a sum of the numbers. Answer (b) is more likely to be considered a record count. Answer (c) is incorrect because it is simply the invoice number of the last invoice in the batch.

125. (a) The requirement is to determine the type of control that would detect a miscoding of a product number on an order from a customer. Answer (a) is correct because a check digit is an extra digit added to an identification number to verify that the number is authorized and to thereby detect such coding errors. Answer (b) is incorrect because a record count involves a count of the number of records processed which is not being considered here. Answer (c) is incorrect because the term “hash total” ordinarily relates to a total of items and is meaningless for financial purposes (e.g., the total of the invoice numbers for a particular day's sales), but has some meaning for processing purposes. Answer (d) is incorrect because a redundant data check uses two identifiers in each transaction record to confirm that the correct master file record has been updated (e.g., the client account number and first several letters of the customer's name can be used to retrieve the correct customer master record from the accounts receivable file).

126. (b) The requirement is to identify the technique that would most likely detect a nonexistent zip code. Answer (b) is correct because a zip code that is nonexistent would not pass a validity test. It would not be a valid item. Answer (a) is incorrect because a limit test restricts the amount of a transaction that will be processed. Answer (c) is incorrect because a parity test prevents loss of digits in processing. Answer (d) is incorrect because a record count test helps prevent the loss of records.

127. (a) The requirement is to determine whether limit tests and validity check tests are processing controls designed to ensure the reliability and accuracy of data processing. Answer (a) is correct because both a limit test and a validity check test may serve as a control over either inputs or processing in an accounting system. A limit test will establish an upper and/or lower limit as reasonable, with results outside of those limits indicated (e.g., after net pay is calculated, an “error message” is printed for any employee with a weekly salary in excess of a certain amount). A validity check test allows only “valid” transactions or data to be processed in the system (e.g., during the processing of payroll, a control determines whether a paycheck is improperly issued to an ex-employee).

128. (b) The requirement is to identify the activity most likely to be performed in the information systems department. Answer (b) is correct because the conversion of information into machine-readable form is essential to the inputting of data; computer equipment is generally used to perform this function. Answer (a) is incorrect because under good internal control, the initiation of changes to master records should be authorized by functions independent of those which process the records. Answer (c) is incorrect because a separate function should exist to correct transactional errors. Answer (d) is incorrect because changes to computer applications should be initiated by the appropriate user group.

129. (a) The requirement is to determine the errors which a header label is likely to prevent. Answer (a) is correct because the header label is actually on the magnetic tape, so it is the computer operator whose errors will be prevented. Answer (b) is incorrect because the keypunch operator deals with punch cards. Answer (c) is incorrect because the programmer will write the programs and not run them under good internal control. Answer (d) is incorrect because the maintenance technician will not run the magnetic tape.

130. (b) The requirement is to determine the purpose of programming a computer to immediately transmit back to the terminal for display information that has been input on cash disbursements. Answer (b) is correct because the entry of disbursement amounts and the subsequent display of the amounts on the terminal screen will allow the operator to visually verify that the data provided to be input was entered accurately. Answer (a) is incorrect because displaying on the screen the data entered does not ensure the validity of the data, only that the data was entered correctly. Answer (c) is incorrect because no evidence has been provided as to whether the disbursement was authorized. Answer (d) is incorrect because the display of the amount will not be compared to a “correct” amount—only to the amount that was to be input.

131. (b) The requirement is to identify a useful control when computer programs or files can be accessed from terminals. Answer (b) is correct because use of personal identification codes (passwords) will limit access to the programs or files on the terminal to those who know the codes. Answers (a), (c), and (d) are all incorrect because while they list valid controls used in computer systems, none of them require entry of data by the user. A parity check control is a special bit added to each character stored in memory to help detect whether the hardware has lost a bit during the internal movement of that character. A self-diagnosis test is run on a computer to check the internal operations and devices within the computer system. An echo check is primarily used in telecommunications transmissions to determine whether the receiving hardware has received the information sent by the sending hardware.

132. (a) The requirement is to identify the item which would reduce the possibility of erasing a large amount of information stored on magnetic tape. Answer (a) is correct because a file protection ring is a control that ensures that an operator does not erase important information on a magnetic tape. Answer (b) is incorrect because a check digit is a digit added to an identification number to detect entry errors. Answer (c) is incorrect because a completeness test would generally be used to test whether all data were processed. Answer (d) is incorrect because conversion verification would address whether the conversion of data from one form to another (e.g., disk to magnetic tape) was complete.

133. (b) The requirement is to identify the controls most likely to assure that an entity can reconstruct its financial records. Answer (b) is correct because backup diskettes or tapes may be maintained that will provide the information needed to reconstruct financial records. Answer (a) is incorrect because while hardware controls are meant to assure the proper processing of data, when reconstruction is needed, hardware controls will not have the data necessary to reconstruct the financial records. Answer (c) is incorrect because parallel simulations will only occasionally be run and will not maintain adequate data to reconstruct records. Answer (d) is incorrect because while systems flowcharts will provide information on the design of the overall system, they will not assure the reconstruction of financial records.

134. (d) The requirement is to identify the type of input control that is a numeric value computed to provide assurance that the original value has not been altered in construction or transmission. Answer (d) is correct because a check digit is an extra digit added to an identification number to detect such errors. Answer (a) is incorrect because the term “hash total” ordinarily relates to a total of items and is meaningless for financial purposes (e.g., the total of the invoice numbers for a particular day's sales), but has some meaning for processing purposes. Answer (b) is incorrect because a parity check is a process in which a computer reads or receives a set of characters and simultaneously sums the number of 1 bits in each character to verify that it is an even (or alternatively, odd) number. Answer (c) is incorrect because encryption involves a coding of data, ordinarily for purposes of ensuring privacy and accuracy of transmission.

135. (c) The requirement is to identify the best example of a validity check. A validity test compares data (for example, employee, vendor, and other codes) against a master file for authenticity. Answer (c) is correct because the computer flagging of inappropriate transactions due to data in a control field that did not match that of an existing file record is such a test. Answer (a) is incorrect because a limit test ensures that a numerical amount in a record does not exceed some predetermined amount. Answer (b) is incorrect because the resubmission of data is not a validity check. Answer (d) is incorrect because the reading back of data to the terminal is an echo check.

136. (b) The requirement is to identify the type of computer test made to ascertain whether a given characteristic belongs to a group. Answer (b) is correct because a validity check determines whether a character is legitimate per the given character set. Note the validity check determines whether a given character is within the desired group. Answer (a) is incorrect because a parity check is a summation check in which the binary digits of a character are added to determine whether the sum is odd or even. Another bit, the parity bit, is turned on or off so the total number of bits will be odd or even as required. Answer (c) is incorrect because an echo check is a hardware control wherein data is transmitted back to its source and compared to the original data to verify the transmission correctness. Answer (d) is incorrect because a limit or reasonableness check is a programmed control based on specified limits. For example, a calendar month cannot be numbered higher than twelve, or a week cannot have more than 168 hours.

137. (a) The requirement is to identify the type of hardware control that requires the CPU to send signals to the printer to activate the print mechanism for each character. Answer (a) is correct because an echo check or control consists of transmitting data back to the source unit for comparison with the original data that were transmitted. In this case, the print command is sent to the printer and then returned to the CPU to verify that the proper command was received. A validity check [answer (b)] consists of the examination of a bit pattern to determine that the combination is legitimate for the system character set (i.e., that the character represented by the bit combination is valid per the system). Answer (c), a signal control or signal check, appears to be a nonsense term. Answer (d), check digit control, is a programmed control wherein the last character or digit can be calculated from the previous digits.

138. (b) The requirement is to identify an example of a check digit. Answer (b) is correct because a check digit is an extra digit in an identification number, algebraically determined, that detects specified types of data input, transmission, or conversion errors. Answer (a) is incorrect because the agreement of the total number of employees to the checks printed is an example of a control total. Answer (c) is incorrect because ensuring that all employee numbers are nine digits could be considered a logic check, a field size check, or a missing data check. Answer (d) is incorrect because determining that no employee has more than fifty hours per workweek is a limit check.
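The input and batch controls explained in questions 120 through 138 (check digit, hash total, record count, validity test, limit test and parity bit), applied to a constructed batch of sales orders so that each control can be seen catching the kind of error it is designed for. This is an added example and not part of the review text; the mod-10 weighting, the master file entries and the order data are assumptions.

```python
"""Input and processing controls from questions 120-138, run over a constructed
batch of sales orders.  Added example; not from the review text."""
from dataclasses import dataclass


def check_digit(base: str) -> int:
    """Mod-10 check digit with 2-1-2 (Luhn) weighting.  The review text only
    says the digit 'bears a mathematical relationship' to the others, so the
    weighting scheme here is an assumption."""
    total = 0
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:                       # double every other digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def has_valid_check_digit(number: str) -> bool:
    """True when the last digit of NUMBER equals the check digit of the rest."""
    return (number.isdigit() and len(number) > 1
            and check_digit(number[:-1]) == int(number[-1]))


def parity_bit(byte: int, even: bool = True) -> int:
    """Parity bit that makes the count of 1 bits in BYTE even (or odd)."""
    ones = bin(byte & 0xFF).count("1")
    return ones % 2 if even else 1 - ones % 2


@dataclass
class Order:
    invoice_no: int
    customer_no: str
    product_no: str      # identifier whose last digit is a check digit
    zip_code: str
    amount: float


# Constructed master data (assumed): active customers, valid zip codes, limit.
CUSTOMER_MASTER = {"C1001": "ACME SUPPLY", "C1002": "BAYSIDE AUTO"}
VALID_ZIPS = {"10001", "60601", "94105"}
AMOUNT_LIMIT = 5000.00


def edit_order(order: Order) -> list[str]:
    """Edit routine: check digit, validity and limit tests on one record.
    Returns the list of exceptions; an empty list means the record is clean."""
    problems = []
    if not has_valid_check_digit(order.product_no):
        problems.append("product number fails check digit")
    if order.customer_no not in CUSTOMER_MASTER:       # validity test vs. master file
        problems.append("customer number not on master file")
    if order.zip_code not in VALID_ZIPS:               # validity test vs. code table
        problems.append("zip code fails validity test")
    if not 0 < order.amount <= AMOUNT_LIMIT:           # limit (reasonableness) test
        problems.append("amount outside limit")
    return problems


def batch_controls(orders: list[Order], expected_count: int, expected_hash: int) -> dict:
    """Batch totals: record count and hash total (sum of the invoice numbers,
    meaningless financially) compared against the batch control slip."""
    count = len(orders)
    hash_total = sum(o.invoice_no for o in orders)
    return {"record_count": count, "hash_total": hash_total,
            "count_ok": count == expected_count, "hash_ok": hash_total == expected_hash}


# Constructed batch: one clean record and three with deliberate input errors.
ORDERS = [
    Order(201, "C1001", "44214", "10001", 1250.00),   # clean
    Order(202, "C1002", "44124", "60601", 300.00),    # transposed digits in product no.
    Order(203, "C1003", "70383", "94105", 99.50),     # customer not on master file
    Order(204, "C1001", "70383", "99999", 7500.00),   # bad zip code and amount over limit
]


def run_batch() -> tuple[dict, dict]:
    """Edit every record, then check the batch totals (control slip says 4 records, hash 810)."""
    exceptions = {o.invoice_no: edit_order(o) for o in ORDERS}
    controls = batch_controls(ORDERS, expected_count=4, expected_hash=810)
    return exceptions, controls


if __name__ == "__main__":
    exc, ctl = run_batch()
    for inv, probs in exc.items():
        print(inv, probs or "ok")
    print(ctl)
```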

139. (b) The requirement is to determine the most likely significant deficiency in internal control. Answer (b) is correct because the systems programmer should not maintain custody of output in a computerized system. At a minimum, the programming, operating, and library functions should be segregated in such computer systems.

140. (c) The requirement is to identify the weakness in internal control relating to a function performed by computer department personnel. Answer (c) is correct because individuals outside of the computer department should originate changes in master files; this separates the authorization of changes from the actual processing of records. Answer (a) is incorrect because participation of computer department personnel in making computer software acquisition decisions is often appropriate and desirable given their expertise in the area. Answer (b) is incorrect for similar reasons as (a). In addition, computer department personnel will often be able to effectively design the required documentation for computerized systems. Answer (d) is incorrect because the physical security for program files may appropriately be assigned to a library function within the computer department.

141. (b) The requirement is to identify the activity most likely to detect whether payroll data were altered during processing. Answer (b) is correct because test data may be used to provide evidence on whether edit routines (routines to check the validity and accuracy of input data) are operating and have not been altered. Answer (a) is incorrect because the distribution of any data control sheets will provide little information on altered data. Answer (c) is incorrect because the approval of source documents is not at issue—it is the alteration of payroll data. Answer (d) is incorrect because any segregation activities may eliminate future alterations, but would have little effect on prior alterations.

142. (a) The requirement is to identify the tool that would best give a graphical representation of a sequence of activities and decisions. Answer (a) is correct because a flowchart is a graphical representation of a sequence of activities and decisions. Answer (b) is incorrect because a control chart is used to monitor actual versus desired quality measurements during repetitive operations. Answer (c) is incorrect because a histogram is a bar chart showing conformance to a standard bell curve. Answer (d) is incorrect because a run chart tracks the frequency or amount of a given variable over time.

143. (c) The requirement is to determine what the symbol A represents in the flowchart of a client's revenue cycle. Answer (c) is correct because the accounts receivable master file will be accessed during the revenue cycle and does not appear elsewhere on the flowchart. Answers (a), (b), and (d) are all incorrect because remittance advices, receiving reports, and cash disbursements transaction files are not a primary transaction file accessed during the revenue cycle.

144. (d) The requirement is to determine what the symbol B represents in the flowchart of a client's revenue cycle. Answer (d) is correct because it represents the only major document of the revenue cycle that is not presented elsewhere on the flowchart and because one would expect generation of a sales invoice in the cycle. Answer (a) is incorrect because the customer order appears in the top left portion of the flowchart. Answer (b) is incorrect because no receiving report is being generated during the revenue cycle. Answer (c) is incorrect because the customer's check (remittance) is represented on the top portion of the flowchart.

145. (d) The requirement is to identify the correct statement concerning an auditor's flowchart of a client's accounting system. Answer (d) is correct because a flowchart is a diagrammatic representation that depicts the auditor's understanding of the system. See AU 319 for various procedures auditors use to document their understanding of internal control. Answer (a) is incorrect because the flowchart depicts the auditor's understanding of the system, not the assessment of control risk. Answer (b) is incorrect because while the flowchart may be used to identify weaknesses, it depicts the entire system—strengths as well as weaknesses. Answer (c) is incorrect because the flowchart is of the accounting system, not of the control environment.

146. (b) The requirement is to determine the approach illustrated in the flowchart. Answer (b) is correct because parallel simulation involves processing actual client data through an auditor's program. Answer (a) is incorrect because program code checking involves an analysis of the client's actual program. Answer (c) is incorrect because an integrated test facility approach introduces dummy transactions into a system in the midst of live transaction processing and is usually built into the system during the original design. Answer (d) is incorrect because controlled reprocessing often includes using the auditor's copy of a client program, rather than the auditor's program.

147. (b) The requirement is to identify the item represented by the “X” on the flowchart. Answer (b) is correct because the existence of a credit memo, in addition to a sales invoice, would indicate that this portion of the flowchart deals with cash receipts; therefore, the “X” would represent the remittance advices. Thus, the receipt transactions are credited to the accounts receivable master file, and an updated master file, a register of receipts, and exception reports are generated. Answer (a) is incorrect because an auditor's test data will not result in an input into the transactions file. Answer (c) is incorrect because since no processing has occurred at the point in question—an error report is unlikely. Answer (d) is incorrect because credit authorization will generally occur prior to the preparation of credit memos.

148. (d) The requirement is to determine the symbolic representations that indicate that a file has been consulted. Answer (d) indicates that a manual operation (the trapezoid symbol) is accessing data from a file and returning the data to the file (i.e., “consulting” the file). Answer (a) is incorrect because it represents a processing step (the rectangle) being followed by a manual operation. Answer (b) is incorrect because it represents a document being filed. Answer (c) is incorrect because the diamond symbol represents a decision process.

149. (c) The requirement is to determine a benefit of a well-prepared flowchart. Answer (c) is correct because a flowchart may be used to document the auditor's understanding of the flow of transactions and documents. Answer (a) is incorrect because while an audit procedures manual may suggest the use of flowcharts, flowcharts will not in general be used to prepare such a manual. Answer (b) is less accurate than (c) because while it may be possible to obtain general information on various jobs, the flowchart will not allow one to obtain a detailed job description. Answer (d) is incorrect because a flowchart does not directly address the actual accuracy of financial data within a system.

Written Communication Task

Written Communication Task 1

Tintco, Inc. is a distributor of auto supplies. Currently, the corporation has a batch processing system for processing all transactions and maintaining its inventory records. Batches are processed monthly. George Wilson, the chief information officer for the corporation, is considering adopting an online, real-time processing system. He has asked you (a consultant) to prepare a memorandum describing the advantages of adopting such a system for the corporation.

REMINDER: Your response will be graded for both technical content and writing skills. Technical content will be evaluated for information that is helpful to the intended reader and clearly relevant to the issue. Writing skills will be evaluated for development, organization, and the appropriate expression of ideas in professional correspondence. Use a standard business memo or letter format with a clear beginning, middle, and end. Do not convey information in the form of a table, bullet point list, or other abbreviated presentation.

To: Mr. George Wilson, CIO Tintco, Inc.
From: CPA Candidate

Written Communication Task Solution

Written Communication Task 1

To: Mr. George Wilson, CIO Tintco, Inc.
From: CPA Candidate

As you requested, this memorandum describes the advantages of implementing an online, real-time processing system for inventory. As you are aware, the firm currently uses a batch processing system that processes transactions monthly. The primary advantage of an online, real-time processing system is that it provides timely information for decision making. With your batch system you have current and accurate information about inventory only monthly when the records are updated. Therefore, decisions about ordering inventory, valuation of inventory, and company profitability are not based on timely information. As a result, management cannot do a very good job of managing inventory. If the company implements an online, real-time system, information about inventory levels, inventory investment, and cost of goods sold would be available on a continuous basis. As a result, business decisions will be based on accurate and timely information. This should result in much better decisions and better financial performance.

It is clear that an online, real-time inventory system is superior to your current batch processing system. If you would like to have additional information about implementation of a new inventory processing system, please contact me.

** CMA adapted
