AIS CHAPTER 1,2,3,4,5,6,7,8,9,10,11,12
Order Goods-Activities
-Approve requests -Identify Suppliers -Consolidate requests -Send purchase orders
Invoice Processing-Voucher
-Disbursement voucher is also created when a supplier invoice is approved for payment -ADV: reduces number of checks, utilizes sequentially prenumbered voucher control, allows for separation of invoice approval from payment
Order Goods-Source Documents
-Input: Purchase requisitions -Output: Purchase orders, Processed purchase requisition
Components of AIS
-People using the system -Procedures and Instructions -Data -Software -IT -Computers, peripherals, networks.... -Internal Control and Security
Shipping-Activities
-Pick -Pack -Ship
7) Which document should always be included with a merchandise shipment to a customer?
A) Packing slip
64) The accounts receivable management method typically used by credit card companies is
A) balance forward.
13) Which of the following is not a basic activity of the revenue cycle?
C) receiving
Data Manipulation Language (DML)
DBMS language that changes database content, including data element creations, updates, insertions, and deletions
Database
Data stored electronically in a database
magnetic tape
Data stored on a magnetic tape; tapes are popular back-up storage mediums
Program Flowcharts
Describes the sequences of logical operations performed in a computer program
What are the advantages (and/or disadvantages) of QBE compared to SQL?
QBE has more of a "point and click" feel, and allows the user to provide an example of what they want the answer to their query to look like. The QBE user doesn't need to learn SQL code in order to generate many useful queries. However, QBE can seem easier than it really is and may be more likely than SQL to cause a false sense of security for untrained users.
What does querying provide?
Querying provides the power of the relational database model
How would you row filter?
Select and include all columns from table. For example: Find the cash receipts from customer #2 (keeping all the details of those cash receipts)
13) Section 404 of the Sarbanes-Oxley Act requires that annual filings of publicly traded companies include a statement of management's responsibility for establishing and maintaining adequate internal control as well as an assessment of the effectiveness of that internal control.
TRUE
Turnaround Document
a record of company data sent to an external party and then returned by the external party for subsequent input to the system
Program flowchart
shows the sequence of logical operations a computer performs as it executes a program
EDI Advantages
-Reduction or elimination of data entry -Reduction of errors, paper and paper processing, and postage -Reduction in inventories
Each query statement follows the same structure:
-SELECT attribute name(s) -FROM table name(s) -WHERE criteria are met
Billing-Controls
-Separation of billing and shipping functions -Periodic reconciliation of invoices with sales orders, picking tickets, and shipping documents -Reconciliation of shipping documents to sales orders -Reconciliation of batch totals -Configuration of system to automatically enter pricing data -Restriction of access to pricing master data -Mailing of monthly statements to customers -Reconciliation of subsidiary accounts to general ledger -Segregation of duties of credit memo authorization from both sales order entry and customer account maintenance -Configuration of system to block credit memos unless there is either corresponding documentation of return of damaged goods or specific authorization by management
Approving Invoices Control
-Verification of invoice accuracy -Requiring detailed receipts for procurement card purchases -Evaluated receipt settlement -Restriction of access to supplier master data -Verification of freight bill and use of approved delivery channels -Data entry edit controls -Reconciliation of detailed AP records with the general ledger control account
Examples of questions for Proposition Relationship Query Types?
-What resources or resource types does the instigation event propose to increase or decrease? -What quantity of a resource or resource type is the proposed increase or decrease for an instigation event? -When did an instigation event propose to increase or decrease a specific resource or resource type?
Supply Chain
A chain of value chains from the upstream suppliers to the end consumers
Unintentional Acts
-Accidents caused by human carelessness, failure to follow established procedures, and poorly trained or supervised personnel -Innocent errors or omissions -Lost, erroneous, destroyed, or misplaced data -Logic errors -Systems that do not meet company needs or cannot handle intended tasks
111) The principle behind the "sandwich rule" states that A) flowcharts should leave as little white space as possible on each page to minimize waste. B) annotations should be placed between each key input and output symbol. C) every process symbol should be placed between an input and output symbol. D) flowcharts should use as many different types of symbols as possible to thoroughly document basic I/O functions.
C
113) The on-line storage symbol would be used to represent A) a deck of cards. B) a magnetic tape. C) an optical disk. D) a punched tape.
C
77) Which of the following would not appear in a HIPO chart of a payroll system? A) Data preparation B) Calculate gross pay C) Payroll master file D) Look up authorized deductions
C
BPD Activity in a process symbol
An activity in a process is represented by a rounded rectangle. An explanation of the activity is placed inside the rectangle
Highest Level of DFD is called a...
Context Diagram
Which of the following is an example of a detective control?
Continuous monitoring.
Resource Type Query Step 1:
Create query. Add InventoryType table. Add Description, UnitOfMeasure, and ListPrice to Field. <70 for criteria for ListPrice. Save query as InventoryListPriceLessThan70.
Query for Sales for a specific time period (e.g. for an income statement) Step 1:
Create query. Add Sale table. Add DollarTotal and Date to Field. Sum DollarTotal. Where for Date. "Between #5/1/2015# AND #5/7/2015#" for criteria for Date. Save query as SaleTotalMay1-7-2015.
How do you query for Sales Not made by E-10 using mathematical comparison on character attribute?
Create query. Add Sale table. Add SaleNumber, Amount, and SalesRepNumber to Field column. For SalesRepNumber, <>"E-10" for criteria. Save query as SalesNotByE10.
How do you query for Sales made before July 31 by Sales Rep E-10 using WITH operator?
Create query. Add Sale table. Add Date and Amount to Field column. Where for Date. Sum for Amount. For Date, Between #7/15/2014# AND #7/31/2014# for criteria.
Unauthorized theft, use, access, modification copying or destruction of software, hardware, or data is called A. Technology fraud B. Hacking C. assets misappropriation D. Computer fraud
Computer fraud
Period Elements
Defines the time period
69) The off-line storage symbol could be used to represent data stored A) on a USB thumb drive. B) on a magnetic tape or disk. C) in paper form. D) on all of these named media.
D
It was 8:03 A.M. when Jiao Jan, the Network Administrator for South Asian Technologies, was informed that the intrusion detection system had identified an ongoing attempt to breach network security. By the time that Jiao had identified and blocked the attack, the hacker had accessed and downloaded several files from the company's server. Using the notation for the time-based model of security, in this case
D > P
A ________ is a pictorial, analytical technique used to describe some aspect of an information system in a clear, concise, and logical manner A. Flowchart B. BFD C. Context flow diagram D. Narrative
Flow chart
1. A DFD is a representation of which of the following? The logical operations performed by a computer program Flow of data in an organization Decision rules in a computer program Computer hardware configuration
Flow of data in an organization
One type of business blueprint is CASE
False
Subsidiary to tactical systems development objectives are the strategic objectives
False
Three types of pressures
1. Financial 2. Emotional 3. Lifestyle
Documentation tools are important in 3 levels
1. You must be able to read documentation to know how the system works 2. You need to evaluate documentation to identify internal control strengths and weaknesses 3. You need to prepare documentation that shows how existing or proposed systems operate
Pressure
A person's incentive or motivation for committing fraud.
Which table do we need to Identify Customers with Credit Rating of "A" or "A+"?
Customer table
A law which requires publicly held companies to maintain adequate accounting system
FCPA
Financial Statements
1. Income 2. Balance Sheet 3. Cash Flow
Request Goods-Source Documents
Output: Purchase requisition
cyber-extortion
Threatening to harm a company or a person if a specified amount of money is not paid
System
Two or more interrelated components that interact to achieve goals
What must organizations ensure?
activities are in compliance with laws and regulations with jurisdiction over it and its operations
A synonym for batch serial numbers
batch sequence
Flowchart
graphical description of a system. An analytical technique that uses a standard set of symbols to describe pictorially some aspect of an IS in a clear, concise, and logical manner; used to record how business processes are performed and how documents flow through an organization.
Virtualization
running multiple systems simultaneously on one physical computer
Throughput
the amount of work performed by a system during a given period of time
Database System
the database, the DBMS, and the application programs that access the database through the DBMS
Residual Risk
the risk that remains after management implements internal controls or some other response to risk
What is SQL statement for Resource Type Query?
SELECT Description, UnitOfMeasure, ListPrice FROM InventoryType WHERE ListPrice < 70;
What tables do you need to Query to identify date and location of Sales Call #44?
Sales Call Event
Cloud computing can potentially generate significant cost savings for an organization.
True
Systems design is a creative activity and can be viewed somewhat as an art
True
Statement on Auditing Standards (SAS) No. 94 requires auditors to:
-Understand fraud -Discuss the risk of misstatements -Obtain information -Identify, assess, and respond to risks -Evaluate the results of the audit tests -Document and communicate findings -Incorporate a technology focus
podslurping
Using a small device with storage capacity (iPod, flash drive) to download unauthorized data from a computer
cross-footing balance test
a processing control which verifies accuracy by comparing two alternative ways of calculating the same total
Preventive, detective, or corrective: Batch controls
detective
The biggest cause of data breaches
employee negligence. Company employees are much more likely to commit data fraud than outsiders are
System of internal controls must be designed so
employees are convinced that controls are meant to prevent difficulties or crises in operation
symmetric encryption systems
encryption systems that use the same key both to encrypt and to decrypt
A contract with an insurance company that provides a financial guarantee of the honesty of the individual who is named in the bond contract
fidelity bond
A special purpose hardware device or software running on a general purpose computer, which filters information that is allowed to enter and leave the organization's information system, is known as a(n)
firewall.
Design view
for relational tables, a mode that displays details about the fields of a table and allows the user to specify various design parameters such as which fields comprise the primary key, whether a field is set to required data entry, and the data type for a field; for queries, a mode that depicts the logic of a query in QBE format
Referential Integrity Rule
foreign keys which link rows in one table to rows in another table must have values that correspond to the value of a primary key in another table
hijacking
gaining control of someone else's computer to carry out illicit activities, such as sending spam without the computer user's knowledge
Logical View
how people conceptually organize, view, and understand the relationships among data items
check digit verification
recalculating a check digit to verify that a data entry error has not been made
The steps that criminals take to study their target's physical layout to learn about the controls it has in place is called
reconnaissance.
The Trust Services Framework reliability principle that states access to the system and its data should be controlled and restricted to legitimate users is known as
security.
typosquatting/URL hijacking
setting up similarly named websites so that users making typographical errors when entering a website name are sent to an invalid site
A control total for items awaiting further processing
suspense account
A supervisor reviews his document frequently to dispose of partially processed transactions
suspense file
Belief System
system that describes how a company creates value, helps employees understand management's vision, communicates company core values, and inspires employees to live by those values
computer instructions fraud
tampering with company software, copying software illegally, using software in an unauthorized manner, and developing software to carry out an unauthorized activity
Conceptual-level Schema
the organization-wide view of the entire database that lists all data elements and the relationships between them
Audit Committee
the outside, independent board of director members responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors
BETWEEN
used to define the range limits. The endpoints of the range are included.
shoulder surfing
when a perpetrator looks over a person's shoulder in a public place to get information such as ATM PINs or user IDs and passwords
deep packet inspection
a process that examines the data in the body of a TCP packet to control traffic, rather than looking only at the information in the IP and TCP headers
Data related to objects are called A) items B) methods C) attributes D) characteristics
C
Management should not...
spend more on the controls than the benefits to be received from the controls
Examples of Acquisition Cycle Agent Queries
-A list of all purchase agents, accounts payable clerks, inventory clerks, or supervisors for an enterprise -A list of employees that possess certain characteristics (e.g. all accounts payable clerks who have a specified minimum fidelity bond) -A list of employees that live in a specified city or state -A list of all employee names and telephone numbers for an emergency phone tree
piggybacking
(1) tapping into a communications line and electronically latching onto a legitimate user who unknowingly carries the perpetrator into the system. (2) the clandestine use of a neighbor's Wi-Fi network (3) an unauthorized person following an authorized person through a secure door, bypassing physical security controls
Query for number of sales calls made by each salesperson during a time period Step 1:
-Constrain Dates on sales calls: -Create query. Add SalesCall table. Add SalesCallID, Date, and SalesRepID to Field. "Between [begindate] AND [enddate]" for criteria for Date. Save query as SalesCallsforTimePeriod.
Query to find dollar value of sales of each inventory type for a given time period Step 2:
-Group by Item and Sum the Extended Sale Amounts: -Create query. Add StockflowExtendedSaleAmt table. Add ItemID, Description, and ExtSaleAmt to Field. Sum ExtSaleAmt. Save query as SumOfSaleDollarsByItem.
Importance and Uses of System Documentation
-Guideline and procedures for current employee to follow -Training of new employees -Review and evaluation of system effectiveness and controls -Modification of existing system -Proposed system
Billing-Activities
-Invoicing -Maintain Accounts Receivable
Key Activities of the Revenues Cycle
-Order Taking -Shipping -Billing -Collections
Examples of questions for Participation Relationship Query Types?
-Which agent(s) participated in a specified event? -How many events of a specified type has a specified agent participated? -What is the total dollar value of events of a specified type in which a specified agent has participated for a specified time period? -When did a specified event in which a specified agent participated occur? -Where did a specified event in which a specified agent participated occur?
What are examples of questions for a Stockflow Relationship Query Type?
-What resources or resource types were increased or decreased by an economic event? -What quantity of a resource or resource type was increased or decreased by an economic event? -What dollar value of a resource or resource type was increased or decreased by an economic event? -When did an event increase or decrease a specific resource or resource type? -Where did an event increase or decrease a specific resource or resource type?
Examples of questions for Reservation Relationship Query Types?
-What resources or resource types is a commitment event agreeing to increase or decrease? -What quantity of a resource or resource type is a commitment event agreeing to increase or decrease? -What dollar value of a resource or resource type is a commitment event agreeing to increase or decrease? -When did an event commit to increase or decrease a specific resource or resource type? -Where did an event commit to increase or decrease a specific resource or resource type?
Types of Flowcharts
1. Document 2. System 3. Program
64) Which of the following symbols should not be used to specify an input/output operation? A) Decision symbol B) Document symbol C) Off line storage symbol D) Communication link
A
85) Which of the following is not a specialized process symbol? A) The connector symbol B) The manual operation symbol C) The decision symbol D) The preparation symbol
A
89) Which of the following would not be appropriate to head a column in an analytic flowchart? A) Remittance advice B) Production department C) Purchasing department D) Cashier
A
97) The component of an audit whose objective is to establish the degree of reliance that can be placed on the organization's internal control structure is called A) the interim audit. B) the financial statement audit. C) work paper verification. D) the internal audit.
A
A design proposal explains that the system will include both manual and computer procedures for reconciling batch totals. This explanation A) shows internal control effectiveness exists at the cost of some efficiency B) is not accurate C) should not be included in the design proposal D) should be included in both the systems analysis report and the design proposal
A
BPEL is supported by the internationally recognized and leading IT open standards organization called A) OASIS B) OMG C) MDA D) QVT
A
From a cost standpoint, the phase of systems development in which major errors can become quite costly in later stages of development is A) systems analysis B) systems design C) systems implementation D) systems planning
A
Once system design alternatives have been laid out and documented, they must be evaluated. The primary criteria for selecting the alternative for implementation purposes should be A) cost versus benefits B) simplicity versus complexity C) user acceptance of the alternative D) feasibility
A
Rational Unified Process relies on a(n) A) iterative approach B) traditional approach C) object oriented approach D) it does not use any of these approaches
A
Systems design follows the "top-down approach". This means A) going from the general to the specific B) beginning with the needs and desires of top management and then considering other users' needs down to the "Factory-floor" level C) going from specific program code to general descriptions of the system D) starting with a central computer system and then implementing systems for individual departments
A
Systems development means defining, shaping, and reshaping the four enterprise architectural domains of A) business, information, application, and technical architectures B) business, software, implementation, and training architectures C) software, hardware, training, and maintenance architectures D) software, information, hardware, and reporting architectures
A
The main responsibility of the systems development steering committee is A) overall planning and control of the systems development effort within the organization B) to oversee the work of the systems analysis C) to become involved in the details of specific development projects D) to provide a positive image of the establishment of systems development
A
Committee of Sponsoring Organizations (COSO)
A private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.
steganography program
A program that can merge confidential information with a seemingly harmless file, password protect the file, send it anywhere in the world, where the file is unlocked and the confidential information is reassembled. The host file can still be heard or viewed because humans are not sensitive enough to pick up the slight decrease in image or sound quality.
4) The cashier deposits checks in the bank for Very Large Corporation (VLC) and also prepares payments to vendors. Of the following, who is best to reconcile the bank statement to VLC's records on a regular basis?
A) Internal audit department
5) Which of the following documents normally triggers the billing process in the revenue cycle?
A) Packing slip received from the shipping department
6) Which of the following documents would normally trigger the process to record a customer payment?
A) Remittance advice
10) Which of the following is not one of the controls for the mail room where customer payments are commingled with other mail?
A) Requiring the controller to be personally present when mail is received and opened
What is the difference between an aggregation (vertical calculation) and a horizontal calculation?
An aggregation (vertical calculation) combines numbers within a single column into a calculation such as a sum, an average, a count, etc. A horizontal calculation combines numbers across columns within a single row.
Prompting
An online data entry control that uses the computer to control the data entry process. The system requests each required item of input data and then waits for an acceptable response before requesting the next required item
Other way data can be lost
As a result of negligence or carelessness. Hard drives with sensitive information that are donated or resold. Deleting files does not erase them
How are data sources and destinations represented in a data flow diagram? As a square As a curved arrow As a circle As two parallel lines None of the above
As a square
Timely
Available to decision maker before it loses its capacity to influence decisions
Which of the following is not one of the responsibilities of auditors in detecting fraud, according to SAS No. 99? Evaluating the results of their audit tests Incorporating a technology focus Discussing the risks of material fraudulent misstatements Catching the perpetrators in the act of committing the fraud.
Catching the perpetrators in the act of committing the fraud.
Opportunity is the condition or situation that allows a perpetrator to: (Check all that apply.) a) Convert the theft into a personal gain b) Conceal the fraud c) Control those who may know of his or her actions d) Commit the fraud e) Convince the perpetrator that he or she will not be caught
Convert the theft into a personal gain Conceal the fraud Commit the fraud
Types of Fraud
-Corruption -Investment fraud -Misappropriation of assets -Fraudulent financial reporting
How do you query for Cash Receipts from Customer C-2 with row filtering?
Create query. Add Cash Receipts table. Add everything to Field columns. For CustomerNumber, ="C-2" for criteria. Save as CashReceiptsFromCustomerC-2.
How do you query for Cash Account# and Balances >=$50,000 using mathematical comparison operators?
Create query. Add Cash table. Add AccountNumber and Balance to Field column. For Balance, >=50000 for criteria. Save query as CashBalanceGreaterThanOrEqualTo50000.
How do you query for All detail of customers and their salespeople using inner join?
Create query. Add Customer and Salesperson tables. EmployeeNumber and SalespersonNumber should be joined. Add everything from both tables to Field column. Save query as CustomerSalespeopleDetails.
Query to Identify Customers with Credit Rating of "A" or "A+" Step 1:
Create query. Add Customer table. Add CustomerID, Name, Address, Telephone, and CreditRating to Field. "A" OR "A+" for criteria for CreditRating. Save query as CustomerCreditRatingAtLeastA.
How do you query for Inventory-Sale Line Item Extension using Horizontal calculation?
Create query. Add InventorySaleStockflow table. Add InventoryItemID, SaleNumber, Quantity, ActualPrice to Field column. In next Field column, click builder. Multiply Quantity and ActualPrice. Rename "LineExtention" before : equation. Save query as SaleInventoryLineExtentions.
How do you query for Sales made before July 31 by Sales Rep E-10 using AND operator?
Create query. Add Sale table. Add SaleNumber, Amount, Date, and SalesRepNumber to Field column. For Date, <#7/31/2014# for criteria. For SalesRepNumber, "E-10" for criteria. Save query as SalesByE10beforeJuly31.
How do you query for Sales made before July 31 by Sales Rep E-10 using OR operator?
Create query. Add Sale table. Add SaleNumber, Amount, Date, and SalesRepNumber to Field column. For Date, <#7/31/2014# for criteria. For SalesRepNumber, "E-10" in the Or row. Save query as SalesByE10beforeJuly31.
Which of the following is not a goal of developing an overall systems plan and strategy? A) Duplication and wasted effort will be minimized B) The systems analysis phase will be minimized in favor of design and implementation when budget constraints are present C) Systems development in the organization will be consistent with the overall strategic plan of the organization D) Resources will be targeted to the subsystems where the needs are greatest
B
Which of the following is not an advantage of using purchased or "canned" software packages? A) they are less expensive B) they seldom meet all of a company's needs precisely C) they are already debugged D) the company can "test drive" the product before making a substantial investment
B
Which of the following is an example of how a perpetrator would rationalize the fraud? A. Sense of dissatisfaction against the company B. Need to have additional funds to pay for gambling addiction C. There is lack of internal control in the company D. Belief that no one is going to be harmed
Belief that no one is going to be harmed
Logical operator
Boolean search terms used in queries to define which records are included in the query result; examples include AND, OR, and NOT
Flexible budget
Budget formula based on level of activity
In recent years, many of the attacks carried out by hackers have relied on this type of vulnerability in computer software.
Buffer overflow.
105) A decision table format generally uses a(n) A) "OR" premise. B) "SOME-MANY" premise. C) "IF-THEN" premise. D) "ALL-NONE" premise.
C
115) Which part of the Sarbanes-Oxley Act requires annual filings of publicly traded companies to include a statement of management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting? A) ISO 404 B) ANSI X3.5 C) Section 404 D) Section X3.5
C
119) The two categories of diagrams under the UML version 2.4 include ________ diagrams. A) structure and iteration B) behavior and iteration C) structure and behavior D) form and interaction
C
Items that should be provided in any detailed design proposal are A) the resumes and qualifications of systems analysts and designers B) discussions of similar systems that competitors have implemented C) specific volume and cost information D) critiques of problems encountered with the prior (or existing) system
C
MDA stands for A) model diagram assurance B) methods, development, assessment C) model driven architecture D) methods driving assessment
C
Definition Links
Define different kinds of relationships between elements
Calculation Links
Define basic validation rules
Entity Element
Defines the company or entity
UML diagrams directly match objects in computer programs, which greatly facilitates communication between the analysts, designers, and programmers by A) forcing objects to be defined in numerous languages B) forcing all objects to be identified C) eliminating the need for an iterative approach D) eliminating a language gap between DFDs and programming code
D
Document and analytic flowcharts are optional tools in systems analysis
False
File analysis sheets show the relationship between the various kinds of files
False
OASIS stands for Organization for the Assessment of Structured Iterative Standards
False
Organizations are infrequently the target of deliberate attacks
False
Regarding general systems design considerations, implementing adequate controls is too often emphasized
False
Security is a technology issue and not just a management issue.
False
Social engineering attacks often take place over the Internet
False
The implementation stage of a system development project can be minimized when it involves an upgrade to an existing system
False
The use of prepackaged business process blueprints is seldom used in system design specifications or proposals
False
True or false. A system flowchart describes the specific logic used to perform a process shown on a program flowchart.
False
True or false. Corruption is misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little or no risk.
False
True or false. Few misappropriation frauds are self-perpetuating; that is, they do not require the perpetrator to continue the fraud scheme to avoid detection.
False
True or false. Flowcharts can be used to analyze how to improve business processes, but not document flows.
False
True or false. Fraud perpetrators are often referred to as blue-collar criminals.
False
True or false. If two or more data flows move together, two lines are used. If the data flow separately, a single line is used.
False
True or false. Investment fraud is dishonest conduct, such as bribery and bid rigging, by those in power that often involves illegitimate or immoral actions.
False
True or false. Most first-time, unprosecuted fraud perpetrators never commit another fraud.
False
True or false. Most white-collar criminals have a previous criminal record; and they were honest and respected members of their community.
False
True or false. Rarely do fraud perpetrators adopt a more lavish lifestyle that requires even greater amounts of money.
False
True or false. Small businesses are less vulnerable to fraud than large companies because small companies typically have more effective internal controls than larger companies.
False
True or false. The ACFE found that fraudulent financial reporting is as much as 17 times more likely than asset misappropriation.
False
Document or processing flow
Direction of processing or document flow; normal flow is down and to the right
REA stands for Resources, Enterprise, and Agents
False- resources-events-agents
RUP is an iterative development technique using prototype designs
False-does not use prototype designs
Object-oriented design and analysis relies on the identification of services and their attributes
False-focuses on defining objects
A dedicated software package is intended for a large and diverse number of users
False-intended for narrow audience
In object-oriented design, objects are said to possess attributes, and attributes possess methods
False-objects are said to possess methods and attributes
Which of the following is not a guideline when preparing a data flow diagram? A. Subdivide the DFD B. Group transformation processes C. Give each process a sequential number D. Do not IGNORE any aspects of the system
Do not ignore any aspects of the system
The type of flow chart that depicts the flow of documents and data among areas of responsibility within an organization is called A. Program flow chart B. Business process flow chart C. System flowchart D. Document flowchart
Document flow chart
Which of the following flowcharts illustrates the flow of data among areas of responsibility in an organization? Program flowchart Computer configuration chart System flowchart Document flowchart
Document flowchart
Conceptually, what are the steps for an Accounts Payable query?
Dollar value of acquisitions of goods and services (except employee labor) not yet paid in full
Conceptually, what are the steps for an Accounts Receivable query?
Dollar value of sales or service engagements for which cash receipt has not yet occurred in full, adjusted for any sale returns and sale discounts.
Structured systems analysis begins with computer program code and then, through a number of steps each decreasing in detail, ends with a general description of a particular system
False-starts with general description of a particular system and then proceeds through a logically related set of steps and ends with computer program code
Model driven architecture is the main architecture used in traditional systems design approaches
False-still in early stages
Systems analysis is the first step in the systems development life cycle
False-the first stage is planning and analysis, and then design and implementation
True or false. A context diagram is the lowest-level DFD; it provides a low-level view of a system.
False.
Electronic input and output device
Electronic data entry and output symbols are used together to show a device used for both
data control group
People who ensure that source data is properly approved, monitor the flow of work, reconcile input and output, handle input errors to ensure their correction and resubmission, and distribute systems output.
Give an example of a query for which you would need to use a left join instead of an inner join.
Left joins keep unmatched values from the left table and fill in the corresponding information from the right table for those left table values that do have matches. Thus any example of joining two tables for which some values of the left table will have matches in the right table and some won't is appropriate. One example is a join of Employees and Training Courses the employees have taken (not all employees will have taken a training course, but you would still want them on the list so that it is clear they haven't taken any). Another example is a join of Library Book Borrowing and Library Book Return events, as some book borrowings will not yet have resulted in returns. Students may come up with a variety of other examples.
Which of the following classifications of pressures motivate people to perpetrate employee fraud? (Check all that apply.) a) Financial pressures b) Emotional pressures c) Lifestyle pressures d) Industry pressures and conditions e) Management characteristics and pressures
Financial pressure Emotional pressure Lifestyle pressures
A well-known hacker started her own computer security consulting business. Many companies pay her to attempt to gain unauthorized access to their network. If she is successful, she offers advice as to how to design and implement better controls. What is the name of the testing for which the hacker is being paid?
Penetration test.
This protocol specifies the structure of packets sent over the internet and the route to get them to the proper destination.
Internet protocol
Understand the system
Interview users, developers and management or having them complete a questionnaire
Data Elements
Numeric or non-numeric facts
Reporting Objectives
Objectives to help ensure that accuracy, completeness, and reliability of company reports; improve decision making; and monitor company activities and performance
Which of the following are data flow diagram preparation guidelines? (Check all that apply.) a) Processes and data stores typically take their names from the data inflows or outflows. b) Data flows can only move in one direction. c) All data flows should come from, and go to, a transformation process, a data store, or a source or destination. d) In a DFD, you should always show how the system starts and stops.
Processes and data stores typically take their names from the data inflows or outflows. All data flows should come from, and go to, a transformation process, a data store, or a source or destination.
Employees at a large brokerage house used their employer's computer system to run a large and lucrative side business that their employer knew nothing about. This is an example of what type of fraud? a) Processor fraud b) Output fraud c) Input fraud d) Data fraud e) Computer instruction fraud
Processor fraud
True or false. Most fraud perpetrators are knowledgeable insiders with the requisite access, skills, and resources.
True
True or false. Researchers found significant psychological and demographic differences between violent and white-collar criminals.
True
NOT
identifies instances that do not meet one or more conditions
Billing-Threats
-Failure to bill -Billing Errors -Posting errors in AR -Inaccurate or invalid credit memos
The document that includes everything necessary to actually implement the design project is the details design proposal
True
The steering committee needs to approach systems development from a "long-run" view
True
The systems development strategic plan should identify specific areas to be given the highest priority
True
The whole concept of service-oriented architecture relies on small independent pieces of software called services
True
Timely detection of problems is not enough to protect organizations' information resources
True
True or false. A DFD consists of the following four basic elements: data sources and destinations, data flows, transformation processes, and data stores. Each is represented on a DFD by a different symbol
True
True or false. A significant contributor to most misappropriations is the absence of internal controls and/or the failure to enforce existing internal controls.
True
True or false. A typical organization loses 5% of its annual revenue to fraud, indicating yearly global fraud losses of over $3.7 trillion.
True
True or false. An internal control flowchart can be used to describe, analyze, and evaluate internal control strengths.
True
True or false. Both the company and its auditors have to document and test the company's internal controls
True
True or false. DFDs are subdivided into successively lower levels in order to provide ever-increasing amounts of detail.
True
True or false. Document flowcharts trace a document from its cradle to its grave, showing everything that happens as it flows through the system.
True
True or false. Documentation methods such as DFDs, BPDs, and flowcharts save both time and money, adding value to an organization.
True
True or false. Frequent "cook the books" schemes involve fictitiously inflating revenues, recognizing revenues before they are earned, delaying expenses to a later period, overstating inventories, and concealing liabilities
True
True or false. Management falsifies financial statements in order to deceive investors and creditors, increase a company's stock price, meet cash flow needs, or hide company losses and problems.
True
True or false. Misappropriation of assets is the theft of company assets by employees.
True
True or false. Since few perpetrators voluntarily stop their frauds, there are no small frauds—only large ones that are detected early.
True
True or false. The sheer magnitude of some frauds leads to their detection.
True
True or false: fraud can be prevented by eliminating or minimizing one or more fraud triangle elements
True
password cracking
When an intruder penetrates a system's defenses, steals the file containing valid passwords, decrypts them and uses them to gain access to programs, files and data
The type of flow chart that illustrates the relationship among system input, processing, storage, and output in an organization is called A. Internal control flow chart B. System flowchart C. Program flowchart D. Document flowchart
System flowchart
Expected Loss
The mathematical product of the potential dollar loss that would occur should a threat become a reality (called impact or exposure) and the risk or probability that the threat will occur (called likelihood).
Documentation
The narratives, flowcharts, diagrams, and other written materials that explain how a system works. It covers the who, what, when, where, why, and how of data entry, processing, storage, information output, and system controls.
Transformation processes
The processes that transform data from inputs to outputs are represented by circles. They are often referred to as bubbles.
Risk Appetite
The amount of risk a company is willing to accept to achieve its goals and objectives. To avoid undue risk, risk appetite must be in alignment with company strategy.
Internal Environment
The company culture that is the foundation for all other ERM components as it influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk.
Which relational algebra operators apply when querying to Identify Customers with Credit Rating of "A" or "A+"?
Select
Which SQL statement will multiply Table A's Field P by Table A's Field Q?
Select (Field P * Field Q) From Table A;
SQL statement for Inner Join: Find all details of all customers and all available details of each customer's salesperson
Select * From Customer, Salesperson Where Customer.SP# = [Salesperson.Employee Number]; Select * From Customer INNER JOIN Salesperson ON Customer.SP# = [Salesperson.Employee Number];
Which of the following are flowchart preparation guidelines? (Check all that apply.) a) Show the final disposition of all the documents. b) Show data entered into, or retrieved from, a database as passing through a processing operation (computer program) first. c) Do not indicate on the flowchart who prepared the flowchart. d) Show where documents or processes originate, and data are processed, but do not show where data are stored or sent. e) Identify the business processes, documents, data flows, and data processing procedures to be flowcharted.
Show the final disposition of all the documents. Show data entered into, or retrieved from, a database as passing through a processing operation (computer program) first. Identify the business processes, documents, data flows, and data processing procedures to be flowcharted.
e-mail threats
Threats sent to victims by e-mail. The threats usually require some follow-up action, often at great expense to the victim.
Accounts Receivable Step 1:
Total Sales through Balance Sheet Date: Create new query. Add Sales table. Dollar Total and Date in Field. Sum for Dollar Total. Where for Date. <=[EndDate] for Date criteria. Save query as SumSalesThroughBSDate.
Computer professionals love the freedom of designing and building a new system from the ground up
True
Determining access method involves defining primary and secondary access keys
True
In a REA model, for each event there are two general categories of related attributes
True
It is important to design system reports that have appropriate titles and captions
True
Iterative or agile approaches to systems development require constant communication and require all phases of the systems life cycle to be carried on simultaneously
True
Management is typically responsible for selecting the best major system design from among several design alternatives
True
Object-oriented design focuses on defining objects and their actions as well as the data they use and how they collaborate with each other
True
RAD is an iterative development technique using prototype designs
True
RUP is a development framework involving 4 phases to help with iterative approaches to systems development
True
Ruby and Python are pure, native object-oriented languages.
True
Logic errors are what type of AIS threat? A. Natural and political disasters B. Software errors and equipment malfunctions C. Intentional acts D. Unintentional acts
Unintentional act
Systems design problems are much like other problems in life because there is no single solution which perfectly solves the problem
True
SQL view
a mode for viewing the underlying SQL statement for a query; even if a query was created in QBE mode, Microsoft Access generates a corresponding SQL statement that the user may view to evaluate the query's logic
Datasheet view
a mode that presents a relational table or a query result in row/column format
Strategic Master Plan
a multiple-year plan of the projects the company must complete to achieve its long-range goals
entity integrity rule
a non-null primary key ensures that every row in a table represents something and that it can be identified
Packet Filtering
a process that uses various fields in a packet's IP and TCP headers to decide what to do with the packet
Zero-balance test
a processing control that verifies that the balance of a control account equals zero after all entries to it have been made
Exploit
a program designed to take advantage of a known vulnerability
time bomb / logic bomb
a program that lies idle until some specified circumstance or a particular time triggers it. once triggered, the program sabotages the system by destroying programs or data
Computer Incident Response Team (CIRT)
a team that is responsible for dealing with major security incidents
Hash total
a type of batch total generated by summing values for a field that would not usually be totaled
cross-site scripting (XSS)
a vulnerability in dynamic web pages that allows an attacker to bypass a browser's security mechanisms and instruct the victim's browser to execute code, thinking it came from the desired website
evil twin
a wireless network with the same name (Service Set Identifier) as a legitimate wireless access point. users are connected to the twin because it has a stronger wireless signal or the twin disrupts or disables the legitimate access point. users are unaware that they connect to the evil twin and the perpetrator monitors the traffic looking for confidential information
Expression builder
an application within Microsoft Access that assists the user in creating horizontal calculations within queries
Foreign Key
an attribute in a table that is also a primary key in another table; used to link the two tables
Penetration Test
an authorized attempt to break into the organization's information system
Reasonableness Test
an edit check of the logical correctness of relationships among data items
Sequence Check
an edit check that determines if a transaction file is in the proper numerical or alphabetical sequence
Limit Check
an edit check that tests a numerical amount against a fixed value
Range Check
an edit check that tests whether a data item falls within predetermined upper and lower limits
completeness check (or test)
an edit check that verifies that all data required have been entered
Validity Check
an edit test that compares the ID code or account number in transaction data with similar data in the master file to verify that the account exists
Digital Certificate
an electronic document that certifies the identity of the owner of a particular public key and contains that party's public key
Chief Compliance Officer
an employee responsible for all the compliance tasks associated with SOX and other laws and regulatory rulings
Parity bit
an extra bit added to every character; used to check transmission accuracy
external-level schema
an individual user's view of portions of a database; also called a subschema
closed-loop verification
an input validation method that uses data entered into the system to retrieve and display other related information so that the data entry person can verify the accuracy of the input data
The security technology that evaluates IP packet traffic patterns in order to identify attacks against a system is known as
an intrusion prevention system.
Certificate Authority
an organization that issues public and private keys and records the public key in a digital certificate
Systems Integrator
an outside party hired to manage a company's systems development effort
Business Intelligence
analyzing large amounts of data for strategic decision making
The expectation of a given transaction or event at a particular time
anticipation
threat/event
any potential adverse occurrence or unwanted event that could injure the AIS or the organization
malware
any software that is used to do harm
computer fraud
any type of fraud that requires computer technology to perpetrate
A technique for internal control analysis
application controls matrix
Revenue cycle control objectives:
customers authorized; prices and terms authorized; all shipments result in billing to customer; billings accurately and promptly classified, summarized, and reported
Controls may also be classified as being primarily:
preventative - prevent error, detective - uncover error, corrective - correct error
What is ERM?
process applied in strategy setting designed to identify potential events, manage risk, and provide reasonable assurance to achieving entity objectives
packet sniffers
programs that capture data from information packets as they travel over the internet or company networks. captured data is sifted to find confidential or proprietary information
The steps that criminals take to trick an unsuspecting employee into granting them access is called
social engineering.
Intrusion Prevention System (IPS)
software or hardware that monitors patterns in the traffic flow to identify and automatically block attacks
Database Administrator (DBA)
the person responsible for coordinating, controlling, and managing the database
Exposure/Impact
the potential dollar loss should a particular threat become a reality
Likelihood/risk
the probability that a threat will come to pass
Log analysis
the process of examining logs to identify evidence of possible attacks
Hardening
the process of modifying the default configuration of endpoints to eliminate unnecessary settings and services
patch management
the process of regularly applying patches and updates to software
Database Management System (DBMS)
the program that manages and controls the data and the interfaces between the data and the application programs that use the data stored in the database
SELECT-FROM-WHERE (in SQL)
the format of SQL queries; the Select clause specifies a vertical subset to be included in the query result; the From clause specifies which tables are to be queried and any sub-grouping to be done; the Where clause specifies a horizontal subset to be included in the query result, and if multiple tables are included, helps to define the join
Query grid
the lower half of the QBE view into which fields are dragged and in which aggregations or horizontal calculations may be created to establish the desired logic for a query
Recovery Time Objective (RTO)
the maximum tolerable time to restore an organization's information system following a disaster, representing the length of time that the organization is willing to attempt to function without its information system
Questionnaire supplemented with additional analysis:
write-ups, flowcharts, applications controls matrix, other charting techniques
Preventive, detective, or corrective: Reconciliation
detective
Preventive, detective, or corrective: Redundant processing
detective
A major financial institution hired a renowned security firm to attempt to compromise its computer network. A few days later, the security firm reported that it had successfully entered the financial institution's computer system without being detected. The security firm presented an analysis of the vulnerabilities that had been found to the financial institution. This is an example of a
detective control.
If the time an attacker takes to break through the organization's preventive controls is greater than the sum of the time required to detect the attack and the time required to respond to the attack, then security is
effective.
masquerading/impersonating
gaining access to a system by pretending to be an authorized user. this requires that the perpetrator know the legitimate user's ID and passwords
The process of turning off unnecessary features in the system is known as
hardening.
Software errors and equipment malfunctions
hardware or software failures, software errors or bugs, power outages and fluctuations, undetected data transmission errors, and operating system crashes
Accounting system
identify, assemble, analyze, classify, record, and report the organization's transactions and maintain accountability for related assets/liabilities
Enterprise risk management (ERM) has eight components:
internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, monitoring
compatibility test
matching the user's authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action
"Horizontal" calculations
mathematically combine values from different fields for each row
Approving Invoice Threats
-Errors in suppliers invoices -Mistakes in posting to AP
Collections-Threats
-Theft of Cash -Cash Flow problems
XBRL became mandatory in..
2011 after 3 year transition in 2009
106) In an application control matrix, row entries are A) controls. B) processing actions. C) either controls or processing actions. D) neither controls nor processing actions
A
121) The basic symbols in a BPMN include A) task, sequence flow, gateway, and event symbols. B) process, flowline, input/output, and annotation. C) task, flowline, event, and comments. D) input/output, sequence flow, entities, and storage.
A
It is normal for deficiencies in a systems plan to only become obvious during the A) design and implementation phases B) planning and analysis phases C) planning and design phases D) if the systems plan is correctly executed, deficiencies will not be present
A
Object-oriented design and analysis is based on objects and relies on A) UML diagrams B) MDA models C) BPEL diagrams D) None of the above aids OO analysis
A
manual operation
A processing operation performed manually
101) How many general guidelines should be followed when preparing a flowchart? A) Three B) Five C) Seven D) Four
B
In the Warnier-Orr methodology, how would the repetitions associated with the input of batches of customer checks be shown? A) use a bracket with the number 2 B) use the subscript (n) C) use 2 brackets D) use the subscript (2)
B
Accruals
Made at end of Accounting period to reflect events that have occurred but are not in the financial statement
How to prevent fraud
Organizations must create a climate that makes fraud less likely, Increases the difficulty of committing it, improves detection methods, and reduces the amount lost if fraud occurs
journal/ledger
Paper-based accounting journals and ledgers
Which of the following is not a requirement of effective passwords?
Passwords should be no more than 8 characters in length.
Which relational algebra operators apply to Query to identify date and location of Sales Call #44?
Project, Select
Having Effective Decisions means...
Quality Decisions
Responsible Accounting
Reporting results based upon managerial responsibilities in an organization
Which of the following is not a flow charting symbol category? A. Storage B. Input - output C. Reporting D. Processing
Reporting
What is currently the most commonly used data manipulation language?
Structured Query Language (SQL)
What are two query languages?
Structured Query Language (SQL) and Query by Example (QBE)
Customers should be viewed as vital components of a system and should be included in any analysis
True
Relational Database
a database built using the relational data model
Sign Check
an edit check that verifies that the data in a field have the appropriate arithmetic sign
Preventive, detective, or corrective: Transaction trail
corrective
These act to correct errors
corrective controls
In financial statements, WAUC is often used to calculate
cost of goods sold for the income statement and also the dollar value of ending inventory for the balance sheet
IP address spoofing
creating internet protocol packets with a forged IP address to hide the sender's identity or to impersonate another computer system
Primary Key
database attribute, or combination of attributes, that uniquely identifies each row in a table
Ad hoc querying
direct retrieval of information by end-users from a database whereby the retrieval was not planned (i.e. no pre-formulated queries or interfaces were developed in anticipation of needing the information)
caller ID spoofing
displaying an incorrect number on the recipient's caller ID display to hide the caller's identity
General controls that affect all transaction processing (overall IT environment):
general operating procedures, equipment control procedures, data-access controls
In entering a batch of invoices into the computer, an operator made several errors in keying the invoice numbers. As a result, the computer program updated computer accounts with incorrect invoice information
hash total
Data dictionary
information about the structure of the database, including a description of each data element
SQL's SELECT component
isolates columns
Project Milestones
points where progress is reviewed and actual and estimated completion times are compared
Four common cycles:
revenue, expenditure, production, finance
Virtualization refers to the ability of
running multiple systems simultaneously on one physical computer.
The steps that criminals take to identify potential points of remote entry is called
scanning and mapping the target
DNS spoofing
sniffing the ID of a domain name system (DNS) request and replying before the real DNS server
A type of exposure
statutory sanction
Recovery Point Objective (RPO)
the amount of data the organization is willing to reenter or potentially lose
Analytical Review
the examination of the relationships between different sets of data
Change control and change management
the formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability
Relational Algebra
the original data manipulation (querying) language that was constructed based on set theory and predicate logic as part of the relational database model; primary operators include Select, Project, and Join; however, other operators are also part of the relational algebra
Who does reliability depend on?
the people who administer internal control procedures
The most important element of any preventive control is
the people.
utilization
the percentage of time a system is used
bot herder
the person who creates a botnet by installing software on the PCs that respond to the bot herder's electronic instructions
DNS
the phone book of the internet that converts a domain or website name to an IP address
Why are controls needed?
to reduce exposures to potential adverse events to acceptable levels
Output Fraud
unless properly safeguarded, displayed or printed output can be stolen, copied, or misused. Fraud perpetrators use computers to forge authentic looking outputs such as paychecks
Objectives of internal control must be seen as
valuable and relevant to individuals who will compromise the control system
Data Warehouse
very large databases containing detailed and summarized data for a number of years that are used for analysis rather than transaction processing
Tools called ________ can be used to identify unused and, therefore, unnecessary programs that represent potential security threats.
vulnerability scanners
Query to identify date and location of Sales Call #44 Step 1:
Create query. Add SalesCall table. Add SalesCallID, Date, and Location to Field. "44" for criteria for SalesCallID. Save query as DateLocationOfSalesCall44.
How do you query for Customer#, name, and salesperson# using column filtering?
Create query. Add customer table. Add CustomerNumber, Name, and SalespersonNumber to Field column. Save query as CustomerProject.
Most deficiencies in a system plan become obvious during the planning and analysis phase of the systems development life cycle
False
One objective of a systems survey is to find ways to automate tasks that have been performed manually
False
The systems development life cycle, including the design phase, is a finite process terminating in a completed system
False
Intrusion Detection System (IDS)
a system that creates logs of all network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions
Vulnerabilities
flaws in programs that can be exploited to either crash the system or take control of it
dictionary attack
using special software to guess company e-mail addresses and send them blank e-mail messages. unreturned e-mail addresses are usually valid e-mail addresses that can be added to spammer e-mail lists
internet pump-and-dump fraud
using the internet to pump up the price of a stock and then sell it
internet misinformation
using the internet to spread false or misleading information
Collections-Activities
-Accept Payment -Deposit Collections -Give Credit (update AR)
What are examples of aggregation functions?
-COUNT - summarizes the number of rows that contain a given value in the field -AVERAGE - computes the arithmetic mean value of all rows included in the answer -SUM - computes the arithmetic sum of all rows included in the answer -MIN - identifies the minimum (lowest) attribute value for the field -MAX - identifies the maximum (greatest) attribute value for the field
What tables are event tables and what kind of event are they?
-Sales Call Event (Instigation) -Sale Order Event (Mutual Commitment) -Sale Event (Economic Decrement) -Cash Receipt Event (Economic Increment) -Sales Return Event (Economic Decrement Reversal)
Querying for Inventory Weighted Average Unit Cost - NOT for Financial Statement use Step 2:
-Sum Purchase quantities and line item extensions for each Item: -Create query. Add LineItemPurchaseExtensionsDuringPeriod table. Add ItemID, QuantityPurchased, and LineItemExtension to Field. Sum QuantityPurchased and LineItemExtension. Save query as SumPurchQtyAndLineExtensions.
4 categories of flowcharting symbols
1. Input/output symbols 2. Processing symbols 3. Storage symbols 4. Flow and misc. symbols
Value Chain
A chain of activities that delivers products or services of value to customers
If a table contained 50 rows and you want to use only 20 of the rows that meet a specific criterion, you would create a query to get
A horizontal subset
What logical operators may queries include?
AND, OR, and NOT
Cloud computing is generally more secure than traditional computing.
False
UML diagrams are ideal for OO development; however, it is difficult to create source code from them
False
________ is/are an example of a detective control.
Log analysis
SQL statement for Mathematical Comparison Operators
Select Account#, Balance From Cash Where Balance>=50000;
Rationalization
The excuse that fraud perpetrators use to justify their illegal behavior.
The role played by the systems developer is much like that of a doctor with regard to a patient
True
True or false. Fraudulent financial reporting is intentional or reckless conduct that results in materially misleading financial statements.
True
The ________ disseminates information about fraud, errors, breaches and other improper system uses and their consequences.
chief security officer
Endpoints
collective term for the workstations, servers, printers, and other devices that comprise an organization's network
Agreement or conspiracy among two or more people to commit fraud
collusion
3 basic forms of white-collar crime theft:
employee, employee-outsider, management fraud
Small companies can compensate by:
leadership involvement, an effective board of directors, increased focus on monitoring (because limited staff makes full segregation of duties impractical), information technology
spamming
simultaneously sending the same unsolicited message to many people, often in an attempt to sell them something
Receiving-Threats
-Accepting unordered items -Mistakes in counting -Verifying receipt of service -Theft of Inventory
Examples of questions for Revenue Cycle Participation Queries?
-To which customer was a specific sale made? -By which salesperson was a specific sale order accepted? -How many sales calls did a specified salesperson make during a specified time period? -What is the total (or average) dollar amount of sales made by each salesperson during a specified time period? -When was a specified shipment sent to a specified customer? -Where did a specified sales call to a specified customer take place?
Produce managerial reports
-Reports items by organizational structure and traces items to responsible individuals -Timeliness is important
The object-oriented approach focuses on defining A) objects B) services C) units D) all of the above are a part of the object-oriented approach
A
The second major phase of systems analysis is information needs analysis. This phase A) focuses on the general information needs of particular applications B) concentrates on the report formats that the new systems will output C) is concerned with specific managerial decisions and their inputs D) none of these answers
A
Which of the following describes the point in which systems project costs should be quantified? A) identifying and prioritizing potential projects for systems development B) developing a strategic information systems plan C) assembling the project team D) preparing the systems proposal
A
AIS Support Activities
-Firm Infrastructure -Human Resources -Technology -Purchasing
A special language describing processing logic that uses key words such as IF, THEN, ELSE IF, and SO is called A) Warnier-Orr English B) structured English C) analytic flowchart notation D) structured assembler
B
Certain turnkey software packages can sometimes meet the specific needs of an individual situation with minimal design work. Which of the following companies would least likely be able to use a turnkey system? A) a doctor's office B) an attorney C) a petroleum refining company D) a construction company
C
From a cost standpoint, the phase of systems development in which more money is spent than any other area is A) systems analysis B) systems design C) systems implementation D) systems planning
C
43) To ensure proper segregation of duties, only the ________ has authority to issue credit memos.
C) credit manager
Identify a party below who was involved with developing the Trust Services Framework.
COSO
Requires compliance with internal control framework:
COSO reports, COBIT (control objectives for information and related technology), ISO 27002, the US Federal Sentencing Guidelines
What tables are used for a Resource Type Query?
Cash (Resource Type) and Inventory Type (Resource Type)
Instance Document
Contains the specific amounts for the elements of a taxonomy at one instance (one reporting date or period)
How do you query for Details of all sales, related cash receipts using outer (left) join?
Create query. Add the Sale and Sale-CRDuality tables. Join SaleNumber in Sale to SaleNumber in Sale-CRDuality. Click on the join line and change the join properties to option 2 (include ALL records from Sale and only matching records from Sale-CRDuality), which makes it a left outer join. Add every field from both tables to the Field row. Save query as SalesAndRelatedCR.
posing
Creating a seemingly legitimate business, collecting personal data while making a sale, and never delivering items sold
True or false. An internal control flowchart is not very helpful in spotting system weaknesses or inefficiencies.
False
True or false. Auditors and management are just as concerned with misappropriations as they are with fraudulent financial reporting.
False
Which of the below keeps a record of the network traffic permitted to pass through a firewall?
Intrusion detection system.
Identifier Element
Is a unique identifier for the element, such as an account number
Update GL- Source Documents
Journal Voucher: From various subsystems and the treasurer, To Journal voucher files
Why are Cash Disbursements from Vendors not acceptable?
Note: Acquisitions minus cash disbursements to vendors is not acceptable because it is theoretically less sound than using the duality relationship: a disbursement to a vendor is not necessarily related to an acquisition, so the duality table, not the vendor, determines which disbursements apply.
Having Efficient Decisions means..
Reducing cost of decision making
25) A HIPO chart contains two segments: a hierarchy chart and one or more IPO charts.
TRUE
28) A program flowchart is also known as a block flowchart.
TRUE
3) Substantive testing involves direct verification of financial statement figures.
TRUE
30) The intent of using DFDs is to clearly separate the logical process of systems analysis from the physical process of systems design.
TRUE
7) The usual focus of an audit is to review an existing system rather than design a new system.
TRUE
9) A systems development project generally consists of three main phases.
TRUE
internal controls
The processes and procedures implemented within a business organization to provide reasonable assurance that control objectives are met
Structured Query Language (SQL)
The user enters commands according to a pre-defined syntax to retrieve desired data.
misappropriation of assets
Theft of company assets by employees.
Outer join
a combination of tables based on a common attribute that keeps unmatched rows as well as matched ones. A full outer join keeps unmatched rows from both sides and accomplishes a set union of the tables; a left (or right) outer join keeps the unmatched rows of only the left (or right) table.
Equi-join
a join that combines the tables together based on a common attribute, keeping only those rows for which the data values of the common attribute match exactly; also called an inner join; accomplishes a set intersection of the tables.
Internal-level schema
a low-level view of the entire database describing how the data are actually stored and accessed
Aggregation functions
a mathematical operation used in querying to summarize information within a single column; also called vertical calculation
rootkit
a means of concealing system components and malware from the operating system and other programs; can also modify the operating system
Digital Signature
a means of electronically signing a document with data that cannot be forged
Vertical subset of a table
a part of a table that includes only some of the table's columns (but includes all the rows)
Horizontal subset of a table
a part of a table that includes only some of the table's rows, but includes all the columns
Audit Trail
a path that allows a transaction to be traced through a data processing system from point of origin to output or backward from output to point of origin
This network access control determines which IP packets are allowed entry to a network and which are dropped.
access control list
Compatibility tests utilize a(n) ________, which is a list of authorized users, programs, and data files the users are authorized to access or manipulate.
access control matrix
AND
accomplishes a set intersection - answer includes all instances that meet BOTH conditions
phreaking
attacking phone systems to obtain free phone line access, use phone lines to transmit malware, and to access, steal, and destroy data
Has responsibility for reviewing the reports of the company's external auditors
audit committee
Identify the primary means of protecting data stored in a cloud from unauthorized access.
encryption (authentication and authorization control who may log in; encryption is what protects the stored data itself, including from the cloud provider's own staff)
The Trust Services Framework reliability principle that states access to the system and its data should be accessible to meet operational and contractual obligations to legitimate users is known as
availability.
A border router
connects an organization's information system to the Internet.
The process that allows a firewall to be more effective by examining the data in the body of an IP packet, instead of just the header, is known as
deep packet inspection.
A separate network located outside the organization's internal information system that permits controlled access from the Internet to selected resources is known as a(n)
demilitarized zone.
Preventive, detective, or corrective: Visual verification
detective
An activity concerned with preventing and detecting fraud
forensic accounting
Information security procedures protect information integrity by
preventing fictitious transactions.
Preventive, detective, or corrective: Endorsement
preventive
Preventive, detective, or corrective: Rotation of duties
preventive
Preventive, detective, or corrective: Training of personnel
preventive
The Trust Services Framework reliability principle that states personal information should be protected from unauthorized disclosure is known as
privacy.
What is risk assessment?
process of identifying, analyzing, and managing risks that affect organizational objectives
Production cycle control objectives:
production plan authorized; COGM accurately and promptly classified, summarized, and reported
Goals of an information system:
productivity, reliability of information, safeguarding of assets
The process of maintaining a table listing all established connections between the organization's computers and the internet to determine whether an incoming packet is part of an ongoing communication initiated by an internal computer is known as
stateful packet filtering
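Stateful packet filtering, the access control list, and the demilitarized zone from the cards above, combined in one small simulation as an added example (not part of the original flashcards). The Packet class, the StatefulFilter class, the connection-table layout, and all addresses and ports (private and documentation ranges) are constructed for this example:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" (internal host -> Internet) or "in" (Internet -> us)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed access control list for unsolicited inbound traffic: only the
# DMZ web server on port 80 is reachable from the Internet (hypothetical address).
INBOUND_ACL = {("203.0.113.10", 80)}


class StatefulFilter:
    """Keeps a table of flows initiated from inside. An inbound packet is
    allowed if it is the return half of such a flow, or if the ACL permits
    it; every other inbound packet is dropped."""

    def __init__(self):
        self.connections = set()   # (internal_ip, internal_port, remote_ip, remote_port)

    def decide(self, pkt):
        if pkt.direction == "out":
            self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        # inbound: look for the mirror image of a recorded outbound flow
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.connections:
            return "allow"
        if (pkt.dst_ip, pkt.dst_port) in INBOUND_ACL:
            return "allow"
        return "drop"


def run(packets):
    """Return the firewall's decision for each packet, in order."""
    fw = StatefulFilter()
    return [fw.decide(p) for p in packets]


# Constructed traffic (not from the page)
SAMPLE = [
    Packet("out", "10.0.0.5", 51000, "198.51.100.7", 443),   # browser opens an HTTPS session
    Packet("in", "198.51.100.7", 443, "10.0.0.5", 51000),    # server reply to that session
    Packet("in", "198.51.100.7", 443, "10.0.0.6", 51000),    # same server, but nobody asked
    Packet("in", "192.0.2.99", 40000, "203.0.113.10", 80),   # unsolicited, ACL permits DMZ web
    Packet("in", "192.0.2.99", 40001, "203.0.113.10", 22),   # SSH to the DMZ host: not in ACL
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run(SAMPLE)):
        print(verdict, pkt)
```

A production filter also tracks TCP state (SYN, established, FIN) and expires idle entries; this version keeps only the tuple, which is enough to show why the third packet is dropped while the second is not.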
Batch Totals
the sum of a numerical item for a batch of documents, calculated prior to processing the batch, when the data are entered, and subsequently compared with computer-generated totals after each processing step to verify that the data was processed correctly
Public Key Infrastructure (PKI)
the system for issuing pairs of public and private keys and corresponding digital certificates
social engineering
the techniques or psychological tricks used to get people to comply with the perpetrator's wishes in order to gain physical or logical access to a building, computer, server, or network. It is usually used to get the information needed to obtain confidential data.
In the time-based model of information security, P represents
the time it takes an attacker to break through the various controls that protect the organization's information assets.
87) The technique that is characterized by a series of charts that represent the system at increasing levels of detail is called A) analytic flowcharting. B) HIPO. C) IPO. D) logical data flow diagram.
B
Data Definition Language (DDL)
DBMS language that builds the data dictionary, creates the database, describes logical views, and specifies record or field security constraints
72) In the preparation of a logical data flow diagram for a payroll system, which of the following symbols could be used to indicate the payroll data? A) Magnetic disk symbol B) Data store symbol C) Terminator symbol D) Input/output symbol
B
Posting Adjusting Entries - Activities
Identify, prepare, and post adjusting entries
Skills needed by cyber sleuths
- ability to follow a trail, Think analytically, and be thorough -good understanding of information technology -ability to think like a fraud perpetrator -ability to use hacking tools and techniques
Lifestyle pressures
- gambling habit - drug or alcohol addiction - sexual relationships - family/ peer pressure
Posting Adjusting Entries Types
-Accruals -Deferrals -Estimates -Revaluations -Corrections
Balanced Scorecard
A report that provides a multidimensional perspective of organizational performance
Setting
A sizable business that sells product to other businesses
Firewall
A special-purpose hardware device, or software running on a general-purpose computer, that controls both inbound and outbound communication between the system behind the firewall and other networks.
cookie
A text file created by a Web site and stored on a visitor's hard drive. Cookies store information about who the user is and what the user has done on the site.
Relational Data Model
A two-dimensional table representation of data; each row represents a unique entity (record) and each column is a field where record attributes are stored.
differential backup
A type of partial backup that involves copying all changes made since the last full backup. Thus, each new differential backup file contains the cumulative effects of all activity since the last full backup.
One reason to put off the purchase of computer hardware or software is A) the price of hardware and software will drop shortly B) a new version of hardware or software will be available soon C) the company wants the latest "state-of-the-art" system D) none of these answers is a good reason to put
D
Prepackaged design systems have both advantages and disadvantages in assisting the designer with the systems development cycle. A disadvantage of such prepackaged design methodologies is that they do not A) specify desired outputs B) provide assistance in structuring a particular problem C) adequately deal with the problem of response time D) answers A and C are correct
D
Report writer
DBMS language that simplifies report creation
Which of the following is not an example of computer fraud? Theft of money by altering computer records Obtaining information illegally using a computer Failure to perform preventive maintenance on a computer Unauthorized modification of a software program
Failure to perform preventive maintenance on a computer
A good approach to use with a manager when performing an information needs analysis is to ask the manager, "what kind of problems do you have here?"
False
system flowchart
Depicts the relationships among system input, processing, storage, and output. They are used to describe data flows and procedures within an AIS
41) All BPDs contain at least two pools.
FALSE
Which of the following is not a step in an organization's incident response process? A) Recognition. B) Recovery. C) Isolation. D) Containment.
Isolation.
________ is an authorized attempt by an internal audit team or an external security consultant to attempt to break into the organization's information system.
Penetration test
Update GL - Activities
Summary transaction data periodically into journal entries
39) BPMN basic symbols include the task, sequence flow, gateway, and event symbols.
TRUE
Data store
The data flow diagram component that represents the place or medium where system data is stored. A repository of data. Data stores are represented by 2 horizontal lines
BPD end symbol
The end of a process is represented by a small bolded circle
The most prevalent opportunity for fraud is:
The failure by the company to design and enforce a good internal control system
Flow
The flow of information or data is indicated by an arrow
Data flows
The flow of the data into or out of a process is represented by curved or straight lines with arrows.
Internal Control
The internal controls are numbered and explained in an accompanying table
data leakage
The unauthorized copying of company data, often without leaving any indication that it was copied.
Query By Example (QBE) (Query Tool)
The user starts with a sample of the table(s) columns and marks the fields he or she wants to include in the answer. Defaults are available for summarizing and manipulating the data.
Identify one aspect of systems reliability that is not a source of concern with regards to a public cloud.
efficiency
Defense in Depth
employing multiple layers of controls to avoid a single point-of-failure
Marking a form or document to restrict its further processing
endorsement
Who Enterprise risk management (ERM) affect by?
entity's board of directors, management, and other personnel
sloth
few people want to do things the hard way, waste time, or do something unpleasant; fraudsters take advantage of our lazy habits and tendencies
Exposure =
financial effect X probability of occurrence (risk)
Communication is provided throughout the organization to provide information necessary to ensure employees are aware of:
goals and objectives, policies and procedures (rules), firm and organizational performance, top to bottom and bottom to top
economic espionage
Theft of information, trade secrets, and intellectual property.
denial-of-service (DOS) attack
a computer attack in which the attacker sends so many e-mail bombs or web page requests, often from randomly generated false addresses, that the internet service provider's e-mail server or the web server is overloaded and shuts down
Archive
a copy of a database, master file, or software that is retained indefinitely as a historical record, usually to satisfy legal and regulatory requirements
Parity checking
a data transmission control in which the receiving device recalculates the parity bit to verify accuracy of transmitted data
Checksum
a data transmission control that uses a hash of a file to verify accuracy
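Parity checking and a checksum, side by side, as an added example (not part of the original flashcards). The framing format (one parity bit per byte), the sample message, and the use of SHA-256 as the file hash are assumptions for the example; it shows the limit of parity that a practitioner should know, namely that an even number of flipped bits in one byte passes the parity check and is caught only by the checksum:

```python
import hashlib


def parity_bit(byte):
    """Even parity: the bit that makes the count of 1s in the 8 data bits plus
    the parity bit even. Equivalently, 1 when the byte has an odd number of 1s."""
    return bin(byte & 0xFF).count("1") % 2


def frame(data: bytes):
    """Sender side: attach a parity bit to every byte."""
    return [(b, parity_bit(b)) for b in data]


def parity_errors(frames):
    """Receiver side: recalculate the parity bit for each byte and report the
    positions whose received bit does not match."""
    return [i for i, (b, p) in enumerate(frames) if parity_bit(b) != p]


def payload(frames) -> bytes:
    return bytes(b for b, _ in frames)


def checksum(data: bytes) -> str:
    """File-level control: a hash of the whole content, compared end to end."""
    return hashlib.sha256(data).hexdigest()


def corrupt(frames, index, *bits):
    """Simulate line noise by flipping the given bit(s) of one byte in transit."""
    out = list(frames)
    b, p = out[index]
    for bit in bits:
        b ^= 1 << bit
    out[index] = (b, p)
    return out


MESSAGE = b"PAY 100.00"   # constructed sample payload

if __name__ == "__main__":
    sent = frame(MESSAGE)
    one_bit = corrupt(sent, 4, 0)
    two_bits = corrupt(sent, 4, 0, 1)
    print("clean:", parity_errors(sent))              # []
    print("one bit flipped:", parity_errors(one_bit))  # [4]
    print("two bits flipped:", parity_errors(two_bits), "checksum match:",
          checksum(payload(two_bits)) == checksum(MESSAGE))   # [] False
```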
Strategic Objectives
high-level goals that are aligned with and support the company's mission and create shareholder value
MAC address
a media access control address is a hardware address that uniquely identifies each node on a network
botnet
a network of powerful and dangerous hijacked computers that are used to attack systems or spread malware
Fraud Hotline
a phone number employees can call to anonymously report fraud and abuse
Biometric Identifier
a physical or behavioral characteristic that is used as an authentication credential
Business Continuity Plan
a plan that specifies how to resume not only IT operations but all business processes in the event of a major calamity
Query
a request for information submitted to a database engine
Data Fraud
illegally using, copying, browsing, searching, or harming company data. Data can also be damaged, changed, destroyed, or displaced, especially by disgruntled employees.
Insert Anomaly
improper database organization that results in the inability to add records to a database
virus
a segment of executable code that attaches itself to a file, program, or some other executable system component. When the hidden program is triggered, it makes unauthorized alterations to the way a system operates.
urgency
a sense of urgency or immediate need that must be met leads people to be more cooperative and accommodating
Record count
a type of batch total that equals the number of records processed at a given time
Financial Total
a type of batch total that equals the sum of a field that contains monetary values
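Batch totals (the Batch Totals, Record count, and Financial Total cards) compared before and after processing, as an added example (not part of the original flashcards). The batch of (account number, amount) records is constructed; the three totals are the record count, the financial total, and a hash total of the account numbers, and the three processing errors show what each total does and does not catch:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Totals:
    record_count: int
    financial_total: float
    hash_total: int   # sum of a non-monetary field (account numbers); meaningless by itself


def batch_totals(records):
    """Compute the three control totals for a batch of (account, amount) records."""
    return Totals(
        record_count=len(records),
        financial_total=round(sum(amount for _, amount in records), 2),
        hash_total=sum(account for account, _ in records),
    )


def compare(before, after):
    """Names of totals that no longer agree; an empty list means the batch reconciles."""
    return [name for name in ("record_count", "financial_total", "hash_total")
            if getattr(before, name) != getattr(after, name)]


# Constructed batch entered by the user, and three ways processing could go wrong.
BATCH = [(1001, 250.00), (1002, 75.50), (1003, 1200.00)]
DROPPED = BATCH[:-1]                                        # last record lost
MISPOSTED = [(1001, 250.00), (1002, 75.50), (1030, 1200.00)]  # 1003 keyed as 1030
SWAPPED = [(1001, 75.50), (1002, 250.00), (1003, 1200.00)]    # amounts on wrong accounts

if __name__ == "__main__":
    control = batch_totals(BATCH)
    for label, processed in (("dropped", DROPPED), ("misposted", MISPOSTED), ("swapped", SWAPPED)):
        print(label, "->", compare(control, batch_totals(processed)) or "reconciles")
```

The swapped case is the caveat: totals that agree do not prove every record was processed correctly, only that nothing was lost or altered in the fields being totalled.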
What is * ?
a wildcard indicating that all columns should be included
SQL injection (insertion) attack
inserting a malicious SQL query in input such that it is passed to and executed by an application program. this allows a hacker to convince the application to run SQL code that it was not intended to execute
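The Florida-customer query from the SQL cards, written the vulnerable way and the safe way, as an added example (not part of the original flashcards). The Customer rows and the payload are constructed; the queries run through Python's sqlite3 module, and the only difference between the two functions is whether the state value is spliced into the SQL text or passed as a parameter:

```python
import sqlite3

# Constructed Customer rows (not from the page).
CUSTOMERS = [("Alvarez", "Maria", "305-555-0100", "FL"),
             ("Brown", "Lee", "212-555-0101", "NY"),
             ("Chen", "Wei", "407-555-0102", "FL")]


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customer (LastName TEXT, FirstName TEXT, Telephone TEXT, State TEXT)")
    conn.executemany("INSERT INTO Customer VALUES (?, ?, ?, ?)", CUSTOMERS)
    return conn


def customers_in_state_vulnerable(conn, state):
    """Builds the statement by string concatenation, so the input is parsed as SQL."""
    sql = "SELECT LastName, FirstName, Telephone FROM Customer WHERE State = '" + state + "'"
    return conn.execute(sql).fetchall()


def customers_in_state_safe(conn, state):
    """Parameterised: the driver sends the value separately, never as SQL text."""
    sql = "SELECT LastName, FirstName, Telephone FROM Customer WHERE State = ?"
    return conn.execute(sql, (state,)).fetchall()


# Closes the string literal and appends an always-true clause, so the
# vulnerable query becomes ... WHERE State = 'FL' OR '1'='1'
PAYLOAD = "FL' OR '1'='1"

if __name__ == "__main__":
    db = build_sample_db()
    print(customers_in_state_vulnerable(db, "FL"))      # 2 Florida customers
    print(customers_in_state_vulnerable(db, PAYLOAD))   # all 3 rows: the WHERE clause is bypassed
    print(customers_in_state_safe(db, PAYLOAD))         # 0 rows: no state equals that literal string
```

Input validation (a two-letter state code) would also have rejected the payload, but parameterised queries are the control that holds even when validation is incomplete.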
COSO reports:
internal control - integrated framework, ERM - integrated framework, internal control over financial reporting, etc.
A system that creates logs of all network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions is called
intrusion detection systems.
Multi-factor authentication (MFA)
involves the use of two or more basic authentication methods.
An access control matrix
is a table specifying which portions of the system users are permitted to access.
According to the Trust Services Framework, the reliability principle of availability is achieved when the system produces data that
is available for operation and use at times set forth by agreement.
According to the Trust Services Framework, the reliability principle of integrity is achieved when the system produces data that
is complete, accurate, and valid.
SQL's FROM component
is used for identifying the table(s) involved
Real-time mirroring
maintaining complete copies of a database at two separate data centers and updating both copies in real-time as each transaction occurs
Section 102 of the FCPA requires all companies who are subject to the SEC Act of 1934 to:
make and keep books, records, and accounts that accurately reflect transactions and dispositions; devise and maintain internal accounting controls
Finance cycle control objectives:
amounts and timing of debt transactions authorized; access to cash and securities only permitted in accordance with management criteria
Verifying the identity of the person or device attempting to access the system is an example of
authentication.
COBIT 5 management practice APO01.08 stresses the importance of ________ of both employee compliance with the organization's information security policies and overall performance of business processes.
continuous monitoring
One of the main components of internal control
control environment
Detective Controls
controls designed to discover control problems that were not prevented
The most common input-related vulnerability is called the
buffer overflow attack (input longer than the program's buffer overwrites adjacent memory; like SQL injection and cross-site scripting, it is defeated by validating input before using it)
web cramming
offering a free website for a month developing a worthless website, and charging the phone bill of the people who accept the offer for months, whether they want to continue using the website or not
Monitoring
ongoing process to assess the quality of internal controls over time and take corrective action to ensure controls remain effective
Identify changing internal and external conditions:
operating environment (process/regulation), personnel (key positions), information systems (new systems implemented), new technology (competition), etc
Organization goals and objectives:
organizational - mission statement/code of ethics, departmental - standard operating procedures, personal - performance review and job responsibilities
A former employee gained access to the computer system and damaged the customer master file
password
Information technology managers are often in a bind when a new exploit is discovered in the wild. They can respond by updating the affected software or hardware with new code provided by the manufacturer, which runs the risk that a flaw in the update will break the system. Or they can wait until the new code has been extensively tested, but that runs the risk that they will be compromised by the exploit during the testing period. Dealing with these issues is referred to as
patch management.
Controls tend to _____; controls rarely affect ____
reduce exposures; causes of exposures
torpedo software
software that destroys competing malware. this sometimes results in "malware warfare" between the competing malware developers
keylogger
software that records computer activity, such as a user's keystrokes, e-mails sent and received, websites visited, and chat session participation
splog
spam blogs created to increase a website's Google PageRank, which is how often a web page is referenced by other web pages
specific authorization
special approval an employee needs in order to be allowed to handle a transaction
bluesnarfing
stealing personal data such as contacts, pictures, and other data from a Bluetooth-enabled application or device.
In the time-based model of information security, D represents
the time it takes for the organization to detect that an attack is in progress.
In the time-based model of information security, R represents
the time it takes to respond to and stop the attack.
trojan horse
a set of unauthorized computer instructions in an authorized and otherwise properly functioning program
Paying for Goods and Services-Activities
-Approve vendor invoices -Pay approved invoices
Shipping-Controls
-Barcode and RFID technology -Reconciliation of picking list to sales order details, and of shipping documents with sales orders, picking lists, and packing slips -Restriction of physical access to inventory -Documentation of all inventory transfers -Periodic physical counts of inventory -Configuration of ERP system to prevent duplicate shipments
Cash Disbursements-Threats
-Failure to take advantage of discounts for prompt payment -Paying for items not received -Duplicate payments -Theft of cash -Check alteration -Cash flow problems
Querying for Inventory Weighted Average Unit Cost - NOT for Financial Statement use Step 1:
-Join the Purchases and Stockflow tables, constrain the purchase date, and calculate line item extensions: -Create query. Add the Purchases and StockflowPurchaseInventoryType tables. Add ItemID, QuantityPurchased, and ActualUnitCost from the StockflowPurchaseInventoryType table. In the next Field column, click Builder and enter LineItemExtension: [QuantityPurchased]*[ActualUnitCost] (the name before the colon labels the calculated column). In the next Field column, add Date from the Purchases table, with criteria Between [begdate] And [enddate]. (If for financial statements, use <=[enddate] instead, because balance sheet figures are cumulative from the start of the company.) Save query as LineItemPurchaseExtensionsDuringPeriod.
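Steps 1 and 2 of the weighted average unit cost query, carried out end to end as an added example (not part of the original flashcards). The table names follow the cards; the column names PurchaseDate, the item codes, and all quantities and costs are constructed sample data, and the query is written in standard SQL (a common table expression per step) run through sqlite3 rather than the Access query designer the cards describe:

```python
import sqlite3

# Constructed sample data (not from the page): two purchase events in May 2015
# and one in June 2015, with the inventory-type stockflow lines for each.
PURCHASES = [(1, "2015-05-02"), (2, "2015-05-05"), (3, "2015-06-10")]
STOCKFLOW = [  # (PurchaseID, ItemID, QuantityPurchased, ActualUnitCost)
    (1, "HAMMER", 10, 5.00),
    (2, "HAMMER", 30, 6.00),
    (3, "HAMMER", 10, 9.00),
    (1, "NAIL", 100, 0.10),
    (2, "NAIL", 100, 0.12),
]


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Purchases (PurchaseID INTEGER PRIMARY KEY, PurchaseDate TEXT);
        CREATE TABLE StockflowPurchaseInventoryType (
            PurchaseID INTEGER, ItemID TEXT, QuantityPurchased REAL, ActualUnitCost REAL);
    """)
    conn.executemany("INSERT INTO Purchases VALUES (?, ?)", PURCHASES)
    conn.executemany("INSERT INTO StockflowPurchaseInventoryType VALUES (?, ?, ?, ?)", STOCKFLOW)
    return conn


# Step 1: join, constrain the date, compute each line item extension.
# Step 2: sum quantities and extensions per item (a vertical calculation).
# The final SELECT divides the two sums to get the weighted average unit cost.
WAUC_SQL = """
WITH LineItemPurchaseExtensions AS (
    SELECT s.ItemID,
           s.QuantityPurchased,
           s.QuantityPurchased * s.ActualUnitCost AS LineItemExtension
    FROM StockflowPurchaseInventoryType AS s
    JOIN Purchases AS p ON p.PurchaseID = s.PurchaseID
    WHERE {date_filter}
),
SumPurchQtyAndLineExtensions AS (
    SELECT ItemID,
           SUM(QuantityPurchased) AS SumOfQuantityPurchased,
           SUM(LineItemExtension) AS SumOfLineItemExtension
    FROM LineItemPurchaseExtensions
    GROUP BY ItemID
)
SELECT ItemID,
       SumOfLineItemExtension / SumOfQuantityPurchased AS WAUC
FROM SumPurchQtyAndLineExtensions
ORDER BY ItemID;
"""


def weighted_average_unit_cost(conn, begdate, enddate, for_financial_statements=False):
    """Return {ItemID: WAUC}. Managerial use constrains the date to the period;
    financial statement use keeps every purchase through the balance sheet date."""
    if for_financial_statements:
        sql = WAUC_SQL.format(date_filter="p.PurchaseDate <= :enddate")
        params = {"enddate": enddate}
    else:
        sql = WAUC_SQL.format(date_filter="p.PurchaseDate BETWEEN :begdate AND :enddate")
        params = {"begdate": begdate, "enddate": enddate}
    return {item: round(wauc, 4) for item, wauc in conn.execute(sql, params)}


if __name__ == "__main__":
    db = build_sample_db()
    print(weighted_average_unit_cost(db, "2015-05-01", "2015-05-31"))
    print(weighted_average_unit_cost(db, None, "2015-06-30", for_financial_statements=True))
```

The same code path serves both variants on the cards: the only difference is the date criterion, which is why the financial statement version must not use a beginning date.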
Order Taking-Activities and Decisions
-Receive customer order -Check customer credit -Check inventory availability -Prepare sales order
data sources and destinations
-The people and organizations that send data to and receive data from the system are represented by square boxes. -Data Destinations are also referred to as data sinks.
WAUCs for Financial Statements
-The same WAUCs must be used for both the income statement and balance sheet -WAUCs must be for each inventory type - e.g., you can't combine hammers and nails
Practically, what are the steps for Accounts Receivable Query?
-Total sales/service engagements through balance sheet date minus total cash receipts through balance sheet date that applied to sales/service engagements. Also subtract sales returns and discounts through balance sheet date. -MUST include ONLY ending date constraint (balance sheet item reflects cumulative data from beginning of company through balance sheet date). -Use sale/service engagement date to determine which revenues to include. -Use cash receipt date and duality relationship to determine which cash receipts to include. Be sure to aggregate cash receipts that apply to same sale BEFORE subtracting from sale amount -Note: Sales minus Cash receipts from Customers not acceptable (because you might get non-sale related CR from customers)
Guidelines for preparing business process diagrams
1. Identify and understand the business processes 2. Ignore certain items 3. Decide how much detail to include 4. Organize diagram: they usually consist of 2 columns and as many rows as needed 5. Enter each business process on the diagram 6. Draw a rough sketch 7. Draw a final copy
Enterprise Risk Management (ERM)
A COSO framework that improves the risk management process by expanding COSO's internal control
100) The first step in preparing a flowchart is to A) select the symbols to be used. B) analyze the system. C) sketch a rough draft of the system. D) consult the work papers from previous audits.
B
Key success factors are characteristics of an organization that distinguishes it from competitors
True
Logs need to be analyzed regularly to detect problems in a timely manner
True
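Log analysis as a detective control, from the card above and the earlier "________ is/are an example of a detective control" card, as an added example (not part of the original flashcards). The log line format, the threshold of five failures in five minutes, and every log line are constructed for this example; the function reports source addresses that exceed the threshold and whether a successful login followed the failures, which is the case an analyst would triage first:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<date> <time> <event> user=<name> src=<ip>"
LOG_LINE = re.compile(r"^(\S+ \S+) (\w+) user=(\w+) src=([\d.]+)$")

# Constructed log lines (not from the page)
SAMPLE_LOG = """\
2024-03-01 08:00:01 LOGIN_FAIL user=admin src=192.0.2.10
2024-03-01 08:00:03 LOGIN_FAIL user=admin src=192.0.2.10
2024-03-01 08:00:05 LOGIN_FAIL user=root src=192.0.2.10
2024-03-01 08:00:07 LOGIN_FAIL user=admin src=192.0.2.10
2024-03-01 08:00:09 LOGIN_FAIL user=guest src=192.0.2.10
2024-03-01 08:00:11 LOGIN_OK user=admin src=192.0.2.10
2024-03-01 08:15:00 LOGIN_FAIL user=jsmith src=10.0.0.8
2024-03-01 08:15:30 LOGIN_OK user=jsmith src=10.0.0.8
2024-03-01 09:00:00 LOGIN_FAIL user=admin src=198.51.100.4
2024-03-01 10:00:00 LOGIN_FAIL user=admin src=198.51.100.4
"""


def parse(log_text):
    """Yield (timestamp, event, user, src) for every line that matches the format."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ts, event, user, src = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event, user, src


def brute_force_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with at least `threshold` failed logins inside a sliding
    window. Returns {src: (failures_in_window, followed_by_success)}."""
    fails = defaultdict(list)
    successes = defaultdict(list)
    for ts, event, user, src in parse(log_text):
        (fails if event == "LOGIN_FAIL" else successes)[src].append(ts)

    alerts = {}
    for src, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                later_ok = any(t >= times[end] for t in successes[src])
                alerts[src] = (count, later_ok)
    return alerts


if __name__ == "__main__":
    for src, (count, later_ok) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{src}: {count} failures in window, success afterwards: {later_ok}")
```

The single failure from 10.0.0.8 and the two widely spaced failures from 198.51.100.4 stay below the threshold; reviewing the log only once a month would still find the burst from 192.0.2.10, but not in time to act, which is the point of the card.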
110) Flowchart symbols that represent the I/O function and the medium upon which the information is recorded, and/or the manner of handling such information, are known as A) basic input/output symbols. B) specialized input/output symbols. C) LDFD symbols. D) HIPO hierarchy chart modules.
B
112) Connector symbols may be used in place of A) comment symbols. B) long flowlines. C) data flow symbols. D) communications links.
B
116) UML is a(n) ________ standard. A) United States B) international C) ANSI D) AICPA
B
Fraud is gaining an unfair advantage over another person. Legally, for an act to be fraudulent there must be: A. Unfairness B. All of these are correct C. An exchange of monetary consideration D. An intent to deceive
An intent to deceive
sabotage
An intentional act where the intent is to destroy a system or some of its components.
Background Check
An investigation of a prospective or current employee that involves verifying their educational and work experience, talking to references, checking for a criminal record or credit problems, and examining other publicly available information.
71) How can Electronic Data Interchange (EDI) facilitate the billing and accounts receivable process?
Answer: The basic document created in the billing process is the sales invoice. Many companies still print paper invoices and send them to customers in the mail. Batch processing of invoices may create cash flow problems because of the time it takes invoices to flow through the regular mail system. Companies that use EDI can create quicker turnaround for payment, and save costs by reducing paper handling and processing. Depending on the number of invoices processed per year, these savings can be significant.
Probably the most difficult design consideration in designing the data input system is A) uniformity B) accuracy C) integration D) organization
B
The purpose of a systems development steering committee is to A) inquire of top management as to the problems encountered with current systems B) oversee the work of the systems analysts C) focus on the overall current and future information needs of the company D) provide a positive image of the development of new systems and to keep criticism within the organization to a minimum
C
The third phase of systems analysis results in decisions regarding A) input requirements for the new system B) output requirements for the new system C) both input and output requirements for the new system D) priorities for ranking the different subsystems projects, but not specific system requirements
C
When a company is purchasing software, it should choose hardware A) before choosing software B) at the end of systems analysis C) after choosing software D) at any time either before or after choosing software
C
Which of the following database design techniques shows the interrelationships between files, their contents, and their use? A) data structure diagrams B) record layouts C) file-related matrices D) file analysis sheets
C
Lapping
Concealing the theft of cash by means of a series of delays in posting collections to accounts. For example, a perpetrator steals customer A's accounts receivable payment. Funds received at a later date from customer B are used to pay off customer A's balance. Funds from customer C are used to pay off B's balance, and so forth.
A graphical description of Data sources, data flow, transformation processes, data Storage, and data destination is called A. Context diagram B. Flowchart C. Business process D. Data flow diagram
Data flow diagram
2) The interim audit requires some type of substantive testing.
FALSE
22) The triangle is a specialized symbol representing a decision process.
FALSE
23) When the flow is bidirectional, it can only be shown by double lines.
FALSE
26) An IPO chart can provide much detail concerning the processing function.
FALSE
Which of the following is necessary for effective information retrieval? A) The database is well designed B) The query designer has a thorough knowledge of the database table structures and the nature of the data in the tables. C) The query designer adequately understands the desired output. D) The query designer knows the querying language used to retrieve information from the enterprise's database. E) All of the above are necessary for effective information retrieval.
E) All of the above are necessary for effective information retrieval.
27) HIPO structures a "bottom-up" strategy in structured systems analysis and design.
FALSE
29) A systems flowchart is more detailed concerning individual processing functions than a program flowchart.
FALSE
Kuzman Jovan called a meeting of the top management at Jovan Capital Management. Number one on the agenda was computer system security. "The risk of security breach incidents has become unacceptable," he said, and turned to the Chief Information Officer. "What do you intend to do?" Which of the following is the best answer?
Evaluate and modify the system using the Trust Services
Order Taking-Source Documents
Input-Customer order Output-Sales order to: customer, warehouse, shipping, billing
Billing-Source Documents
Input-Sales order, Packing slips, and Bill of lading Output-Invoices to customer and to AR
round-down fraud
Instructing the computer to round down all interest calculation to two decimal places. The fraction of a cent rounded down on each calculation is put into the programmer's account.
Misappropriation of assets is an example of what type of accounting information threat? A. Natural and political disasters B. Software error and equipment malfunctions C. Intentional act D. Unintentional acts
Intentional act
fraudulent financial reporting
Intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.
Create a query in SQL that will list the last name, first name, and telephone number for all the customers who live in Florida. States are entered in the database using their two digit postal abbreviation (Florida is FL).
SELECT LastName, FirstName, Telephone FROM Customer WHERE State = 'FL';
What is SQL statement for a Query to identify date and location of Sales Call #44?
SELECT SalesCallID, Date, Location FROM SalesCall WHERE SalesCallID=44;
What is SQL statement to Query for Sales for a specific time period (e.g. for an income statement)?
SELECT SUM(DollarTotal) FROM Sale WHERE Date BETWEEN '5/1/2015' AND '5/7/2015';
In SQL, every information retrieval query follows what structured, predefined syntax?
SELECT attribute name(s) FROM table name(s) WHERE condition criteria is met;
What tables do you need to query for Sales for a specific time period (e.g. for an income statement)?
Sale Event
SQL statement for (left) Outer Join: Find all details of all sales and the cash receipt number and amount applied of any cash receipts related to those sales
SELECT * FROM Sale LEFT JOIN [Sale-CashRecDuality] ON [Sale].[Sale#] = [Sale-CashRecDuality].[Sale#];
SQL statement for Row Filtering: Find the cash receipts from Customer #2 (keeping all the details of those cash receipts)
SELECT * FROM [Cash Receipt] WHERE [Customer Number] = 'C-2';
SQL statement for Column Filtering: Find the customer number, name, and salesperson number for all customers
SELECT Customer#, Name, SP# FROM Customer;
SQL statement for Mathematical Comparison Operators on Character Attributes
SELECT Sale#, Amount FROM Sale WHERE SalesRep# <> 'E-10';
SQL statement for Special Operators
SELECT Sale#, Amount, Date FROM Sale WHERE Date BETWEEN '7/1' AND '7/31';
What is the standard format of a SQL query statement?
SELECT ______ FROM ______ WHERE ______;
Information requirements of a production control system might include quality control specifications
True
33) The forms distribution chart is closely related to the document flowchart.
TRUE
data diddling
changing data before or during entry into a computer system to delete, alter, add or incorrectly update key system data.
segregation of systems duties
implementing control procedures to clearly divide authority and responsibility within the information system function
Update Anomaly
improper database organization where a non-primary key item is stored multiple times; updating the item in one location and not the others causes data inconsistencies
Where are Mathematical comparison operators typically included?
in the WHERE clause of the SQL statement, and may be used on all types of fields
What is essential?
internal control procedures are actually performed as prescribed
Sarbanes-Oxley Act (SOX)
legislation intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen internal controls at public companies, and punish executives who perpetrate fraud
Foreign Corrupt Practices Act (FCPA)
legislation passed to prevent companies from bribing foreign officials to obtain business; also requires all publicly owned corporations maintain a system of internal accounting controls
How should control objectives be developed?
specific to each transaction cycle
spyware
software that secretly monitors computer usage, collects personal information about users, and sends it to someone else, often without the computer user's permission.
Information retrieval
repossession or capture of data that was previously entered into a database or other data storage structure
The steps that criminals take to find known vulnerabilities and learn how to take advantage of those vulnerabilities is called
research.
The concept of internal control is based on two major premises:
responsibility and reasonable assurance
scavenging/dumpster diving
searching documents and records to gain access to confidential information. scavenging methods include searching garbage cans, communal trash bins, and city dumps.
adware
spyware that causes banner ads to pop up on a monitor, collects information about the users web-surfing and spending habits, and forwards it to the creator, often an advertising or media organization. this usually comes bundled with freeware and shareware downloaded from the internet
The process that screens individual IP packets based solely on the contents of the source and/or destination fields in the packet header is known as
static packet filtering.
multimodal authentication
the use of multiple authentication credentials of the same type to achieve a greater level of security
Examples of Revenue Cycle Agent Queries
-A list of all salespeople, cashiers, inventory clerks, or credit managers for an enterprise -A list of all employees that possess certain characteristics
Update GL - Source data comes from
-Accounting subsystems -Treasurer regarding financing transactions
Accounts Payable Step 6:
-Calculate Purchases - Cash Disb for Purchases - Purchase Returns: -Create query. Add PurchasesThroughEndDate, SumCashDisbforPurchThroughEndDate, and SumPurchaseReturnsThroughEndDate tables. Add SumOfDollarAmount from each table to Field. In next Field column, click builder. Subtract Cash Disbursements and Purchase Returns from Purchases. Add Nz around each. Rename "AcctsPay" before :equation. Save query as APfinal.
Accounts Payable Step 5:
-Calculate Total Purchase Returns: -Create query. Add Purchase Returns table. Add DollarAmount and Date to Field. Sum DollarAmount. Where for Date. <=[EndDate] for criteria for Date. Save query as SumPurchaseReturnsThroughEndDate.
Expenditure Cycle Controls
-Data processing integrity controls -Restriction of access to master data -Review of all changes made to master data
Examples of questions for Acquisition Cycle Proposition Queries?
-Which inventory types were identified as needed in a purchase requisition event? -What unit cost was estimated for an inventory type in a specific purchase requisition event? -How many different times has a specified inventory type been requisitioned during a time period? -How many different types of inventory were requisitioned in a specific purchase requisition event?
Opportunity allows a perpetrator to do three things
1. Commit the fraud 2. Conceal the fraud 3. Convert the theft or misrepresentation to personal gain
4 actions to reduce fraudulent financial reporting
1. Establish an organizational environment that contributes to the integrity of the financial reporting process 2. Identify and understand the factors that lead to fraudulent financial reporting 3. Assess the risk of fraudulent financial reporting within the company 4. Design and implement internal controls to provide reasonable assurance of preventing fraudulent financial reporting
Reasons computer fraud is rising
1. It takes very little time 2. Difficult to detect 3. High number and variety of access points 4. Programs only need to be modified once 5. PCs are vulnerable 6. There are a number of unique challenges (power failure, fire, etc.)
3 forms of rationalization
1. Justification: I only took what they owed me 2. Attitude: rules don't apply to me 3. Lack of personal integrity: getting what I want is more important than being honest
Internal control reports in company annual reports must
1. State that management is responsible for establishing and maintaining adequate internal control structure 2. Assess effectiveness of internal controls
Guidelines for drawing a DFD
1. Understand the system 2. Ignore certain aspects of the system 3. Determine system boundaries 4. Develop a context diagram 5. Identify data flows 6. Group data flows 7. Identify transformation processes 8. Group transformation processes 9. Identify all files or data stores 10. Identify all data sources and destinations 11. Name all DFD elements 12. Subdivide the DFD 13. Give each process a sequential number 14. Refine the DFD 15. Prepare a final copy
7 traits that fraudsters take advantage of in order to entice a person to reveal information
1. compassion 2. greed 3. sex appeal 4. sloth 5. trust 6. urgency 7. vanity
3 types of flowcharts
1. document flowcharts 2. system flowcharts 3. program flowcharts
75) Which of the following analytic flowcharting symbols is most appropriate to represent the accounts receivable subsidiary records? A) The basic input/output symbol B) The basic manual operation symbol C) The document symbol D) None of these answers are correct.
A
76) In a HIPO chart of a payroll system, which of the following activities would appear higher in the chart than the other activities? A) Calculate gross pay B) Accumulate hours worked C) Find correct pay rate D) Look up authorized deductions
A
80) In a logical data flow diagram for a payroll system, the employees' time cards would best be represented by which of the following symbols? A) The terminator symbol B) The process symbol C) The data store symbol D) The data flow symbol
A
Which of the following design considerations applies to report or document outputs? A) Relevance B) integration C) uniformity D) accuracy
A
________ diagrams are used to document objects (and classes of objects) and how they communicate with each other A) UML B) ER C) conceptual D) data flow
A
terminal
A beginning, end, or point of interruption in a process, also used to indicate an external party
In a DFD, a data destination is represented by A. A bubble B. Two horizontal lines C. An arrow D. A square
A square
Which of the following statements is false? A flowchart is an analytical technique used to describe some aspect of an information system in a clear, concise, and logical manner. Flowcharts use a standard set of symbols to describe pictorially the flow of documents and data through a system. Flowcharts are easy to prepare and revise when the designer utilizes a flowcharting software package. A system flowchart is a narrative representation of an information system.
A system flowchart is a narrative representation of an information system.
Incremental backup
A type of partial backup that involves copying only the data items that have changed since the last partial backup. This produces a set of incremental backup files, each containing the results of one day's transactions
Extensible Business Reporting Language (XBRL)
A variant of XML designed specifically to communicate the contents of financial data by creating tags for each data item
If Table A is on the left and Table B is on the right, a right outer join will include in its answer
All the rows from Table B, with the corresponding detail of Table A for those rows for which the value of the two tables' common attribute match exactly.
Identify the statement below which is not a useful control procedure regarding access to system outputs.
Allowing visitors to move through the building without supervision.
Aggregation function
An aggregation function summarizes the data values within a field (column)
Transposition error
An error that results when numbers in two adjacent columns are inadvertently exchanged
Steering Committee
An executive-level committee to plan and oversee the information systems function.
79) Explain how to effectively segregate duties in the sales order activity.
Answer: Sales orders should be recorded by sales personnel. Credit decisions should be made by the credit manager, not sales personnel. Also, sales orders authorize release of goods to shipping. Warehouse and shipping should be separate from sales. Because a computer does recording and authorization, it is important to ensure integrity of the programs and to perform edit checks on any online entries.
104) A branching table may be used to A) validate the degree of reliance placed on an organization's internal controls. B) document the decision logic in a computer program. C) document work measurement analysis. D) validate the computing speed of a program.
B
120) A graphical representation focusing on the sequence of activities in a business process is a(n) A) analytical flowchart. B) business process diagram. C) process flowchart. D) data flow diagram.
B
What special operators may queries include?
BETWEEN, NULL, and EXISTS
99) The flowchart which is most similar to a document flowchart is the A) IPO chart. B) DFD. C) analytic flowchart. D) HIPO chart.
C
The company should inform users that a new system is being developed A) as late as possible, to eliminate the possibility that some employees might oppose the new system B) after the design plan is complete, to avoid employee interference and confusion C) as soon as possible, to maximize user acceptance of the new system D) as soon as the users seem ready to accept the new system
C
The design criterion concerned with avoiding the collection and maintenance of the same data items in more than one place in the organization is A) uniformity B) flexibility C) integration D) standardization
C
57) In Petaluma, California, electric power is provided to consumers by the Power To The People Electrical Company, a local co-op. Each month PTTP mails bills to 70,000 households and then processes payments as they are received. The customers are provided with a remittance advice, which is a
C) turnaround document.
Who bears the responsibility for information security in an organization?
CISO.
107) A block flowchart is also known as a(n) A) data flow diagram. B) HIPO chart. C) analytic flowchart. D) program flowchart.
D
108) A tabular technique used to represent a decision function in a flowchart is known as a A) block flowchart. B) logical data flow diagram. C) decision table. D) branching table.
D
109) The display symbol in a flowchart represents information displayed for human use using a device such as a A) video monitor. B) plotter. C) console printer. D) All of these answers are correct.
D
117) UML includes techniques that are the functional equivalents of A) data flow diagrams. B) document flowcharting. C) analytical flowcharting. D) All of the above are included in the UML standard.
D
118) UML version 2.4 defines ________ types of diagrams, divided into two categories. A) two B) five C) ten D) more than a dozen
D
65) In an analytic flowchart, the symbol which could be used to indicate the computation of gross pay is the A) connector symbol. B) terminal symbol. C) input/output symbol. D) process symbol.
D
68) The manual input symbol could be used to represent A) the entering of data at an on-line keyboard. B) the entering of data using switch settings. C) the entering of data using touch screens. D) All of these answers are correct.
D
96) Systems techniques may be used by A) internal auditors. B) external auditors. C) systems personnel. D) All of these answers are correct
D
A major output of a systems development steering committee or the individual in charge of systems development is a written documentation outlining short-and long-term goals relating to the company's development effort. This document is called A) Key systems Development success factors B) the systems development life cycle C) objectives of systems analysis D) strategic systems plan
D
A system planning and feasibility analysis involves several phases and operates in a "top-down" fashion. This type of analysis is composed of how many phases? A) Three B) Five C) Six D) Seven
D
An iterative approach using prototypes is called A) service oriented development B) waterfall development C) object oriented development D) rapid application development
D
Each domain in the enterprise architecture is subject to A) cost overruns if planning is not carefully completed upfront B) government review if the company is publicly traded C) the four phases of RUP development D) analysis, planning, design, and implementation
D
In structured systems analysis, the data dictionary describes A) data structure B) physical layout C) data structure and physical layout D) data structure and data elements
D
One benefit of using the Warnier-Orr methodology as a fact-gathering technique is that it A) is easy to understand and use B) can be used to document any type of system C) forces a top-down, structured approach to analysis D) all of the above
D
The Warnier-Orr methodology is a technique used for A) flowcharting B) document review C) evaluating work distribution D) analyzing information flows
D
The design criterion concerned with using the same format and name for data items used in more than one place A) uniformity B) flexibility C) integration D) standardization
D
The most important consideration for output design is A) relevance B) integration C) uniformity D) cost-effectiveness
D
The phase of the Rational Unified Process where the software is deployed to end users for testing and training is the ________ phase A) inception B) elaboration C) implementation D) transition
D
Which of the following design alternatives is the most difficult to evaluate? A) Deciding whether reports should be generated automatically or on demand B) deciding whether processing should be in batch mode or online C) deciding whether the alternatives meet all major objectives for the system D) deciding whether existing personnel can manage the system
D
Which of the following is most relevant in gaining an understanding of a manager's decisions and information needs? A) information about the major problems the manager normally deals with B) knowledge about the manager's self-assessment criteria C) details concerning the manager's job responsibilities D) knowledge of the criteria used to evaluate the manager's job performance
D
Which of the following would be an appropriate source of information to obtain during the survey of the current system? A) Professional journals and industry publications B) minutes of board meetings, financial statements, and charts of accounts C) organization charts, job descriptions, and policy manuals D) all of these are correct
D
When should a beginning date constraint not be used for a query set to generate weighted average unit costs of inventory items? A) When the weighted average unit cost is to be assigned to cost of goods sold on the income statement B) When the weighted average unit cost is to be assigned to inventory on the balance sheet C) When the weighted average unit cost is to be assigned to all goods purchased within a time period D) Both A and B above (the beginning date constraint should not be used for either A or B) E) None of the above (the beginning date constraint should always be used)
D) Both A and B above (the beginning date constraint should not be used for either A or B) -Note: Although Cost of Goods Sold (based on Item A above) should have a beginning date constraint, that beginning date will be for the quantity sold query, not for the query set that generates the weighted average unit costs).
22) Responding to customer inquiries and general customer service is an important aspect in the revenue cycle. Since customer service is so important, software programs have been created to help manage this function. These special software packages are called
D) CRM systems.
23) The best solution for maintaining accurate automated perpetual inventory system is to use
D) RFID tags.
35) The accounts receivable department must know when customers pay their invoices, yet segregation of duties controls dictate that the collection and recording functions be kept separate from each other. What is a solution to this potential internal control problem?
D) all of the above
60) Sad Clown Pajamas is an Internet-based wholesaler. The manager of Callow Youth Clothing received an order from Sad Clown and found that the wrong product had been shipped. He repackaged the order and sent it back for a refund. When Sad Clown Pajamas received the returned product, they mailed a ______ to Callow Youth Clothing's manager.
D) credit memo
61) A customer service manager at Sad Clown Pajamas, Bob, received a call from the manager at Callow Youth Clothing, who informed Bob that Callow was entering bankruptcy liquidation and it was unlikely that they would be able to pay the outstanding balance on their account. Bob should
D) document the phone conversation and forward it to the credit department manager.
52) Which of the following duties could be performed by the same individual and not violate segregation of duty controls?
D) handling cash receipts and mailing vendor payments
28) A method for tracking accounts receivable that matches specific invoices and payments from the customer is called a(n) ________ method.
D) open-invoice
2) In the revenue cycle, before a shipping notice is prepared, the shipping department personnel should match the inventory received from the warehouse to details from
D) picking ticket and sales order.
16) During the sales order entry process, a ________ is performed to compare the quantity ordered with the standard amounts normally ordered.
D) reasonableness test
53) To prevent the loss of valuable data in the revenue cycle, internal file labels can be used to
D) reduce the possibility of erasing important files.
26) What is the basic document created in the billing process?
D) sales invoice
1) In organizations with at least basic segregation of duties, the credit manager reports to the ________ and the treasurer reports to the ________.
D) treasurer; vice president of finance
32) A type of business document in which part of the original document is returned to the source for further processing is called a ________ document.
D) turnaround
Which of the following statements is false? Flowcharts make use of many symbols. A document flowchart emphasizes the flow of documents or records containing data. DFDs help convey the timing of events Both a and b are false.
DFDs help convey the timing of events
A hacker was able to break into the system that transmitted the daily transactions of a retail store to the company's central office. Every night for several weeks he copied the transaction data that included customer names, credit card numbers, and other confidential data. Hundreds of thousands of customers were affected. This is an example of what type of fraud? a)Input fraud b)Computer instruction fraud c)Data fraud d)Output fraud e)Processor fraud
Data fraud
Presentation links
Define how elements are presented
Label Links
Define the labels used in the document
Reference Links
Define the relationships between the elements and the external regulations or standards
Unit Elements
Define the unit of measure
Schema
Define which elements are related to a particular taxonomy; a taxonomy contains one or more
Which of the following are flowchart preparation guidelines? (Check all that apply.) a)Design the flowchart so that data flow from bottom to top and from right to left. b)There is no need to identify departments, job functions, or external parties on the flowchart. c)It is usually not necessary to show procedures and processes in the order they take place. d)Develop an understanding of the system using tools, such as interviews or questionnaires, or by walking through the system transactions. e)In document flowcharts, divide the flowchart into columns with labels, clearly label all symbols, and use arrowheads on all the flow lines.
Develop an understanding of the system using tools, such as interviews or questionnaires, or by walking through the system transactions. In document flowcharts, divide the flowchart into columns with labels, clearly label all symbols, and use arrowheads on all the flow lines.
Corruption
Dishonest conduct by those in power which often involves actions that are illegitimate, immoral, or incompatible with ethical standards. Examples include bribery and bid rigging.
Understandable
Enables users to perceive its significance
asymmetric encryption systems
Encryption systems that use two keys (one public, the other private); either key can encrypt, but only the other matching key can decrypt.
Corrections
Entries made to counteract effects of errors found in the GL
14) Section 404 of the Sarbanes-Oxley Act requires that monthly filings of publicly traded companies include a statement of management's responsibility for establishing and maintaining adequate internal control as well as an assessment of the effectiveness of that internal control.
FALSE
40) BPMN basic symbols include input/output, process, flowline, and annotation symbols.
FALSE
paper document file
File of paper documents; letters indicate the file-ordering sequence: N = numerically, A = alphabetically, D = by date
program flowchart
Illustrates the sequence of logical operations performed by a computer in executing a program; describes the specific logic to perform a process shown on a system flowchart.
time-based model of security
Implementing a combination of preventive, detective and corrective controls that protect information assets long enough to enable an organization to recognize that an attack is occurring and take steps to thwart it before any information is lost or compromised.
Forensic Investigators
Individuals who specialize in fraud, most of whom have specialized training with law enforcement agencies such as the FBI or IRS or have professional certifications such as Certified Fraud Examiner (CFE).
Deferrals
Made at the end to reflect exchange of cash prior to performance of related event
There are "white hat" hackers and "black hat" hackers. Cowboy451 was one of the "black hat" hackers. He had researched an exploit and determined that he could penetrate the target system, download a file containing valuable data, and cover his tracks in eight minutes. Six minutes into the attack he was locked out of the system. Using the notation of the time-based model of security, which of the following must be true?
P > 6
hash
Plaintext that has been transformed into a short code.
Data masking
Protecting privacy by replacing sensitive personal information with fake data. Also called tokenization
What tables do you need to query for Inventory Weighted Average Unit Cost?
Purchase Event and Stockflow 1 Relationship (Purchase - Inventory Type)
Intentional Acts
-Sabotage -Misrepresentation, false use, or unauthorized disclosure of data -Misappropriation of assets -Financial statement fraud -Corruption -Computer fraud (attacks, social engineering, malware, etc.)
tabnapping
Secretly changing an already open browser tab in order to capture user IDs and passwords when the victim logs back into the site.
Which of the following is commonly true of the default settings for most commercially available wireless access points?
Security is set to the lowest level that the device is capable of handling.
Once fraud has occurred, which of the following will NOT reduce fraud losses? A) Insurance B) Regular backup of data and programs C) Contingency plan D) Segregation of duties
Segregation of duties
SQL statement for Special Operators with EXISTS
Select * From Cash Where Balance EXISTS;
SQL statement for Special Operators with NULL
SELECT * FROM Cash WHERE Balance IS NULL;
salami technique
Stealing tiny slices of money from many different accounts
5) Auditors undertake compliance testing to determine the degree of reliance of existing internal controls.
TRUE
What does the asterisk (*) in SQL mean?
The asterisk (*) is a wildcard symbol that requests inclusion of all attributes
Data stores
The storage of data is represented by two horizontal lines.
True or false: The controls used to protect corporate assets make it more difficult for an outsider to steal from a company.
True
UML diagrams are used to document objects and classes and how they communicate with each other
True
True or false. In order to provide more information, a portion of a level zero diagram (such as process 2.0) can be divided into sub-processes (for example, 2.1, 2.2, and 2.3, if there are three sub-processes).
True.
Individuals who perpetrate fraud are often referred to as: A. Bad actors B. Blue collar criminals C. All of these are correct D. White-collar criminals
White-collar criminals
Narrative description
Written, step-by-step explanation of system components and how they interact.
Left join
a combination of tables based on a common attribute that includes unmatched records from the first table in the join and does not include unmatched records from the second table in the join; is a partial outer join, is also called left outer join
Right join
a combination of tables based on a common attribute that includes unmatched records from the second table in the join and does not include unmatched records from the first table in the join; is a partial outer join, is also called right outer join
Vertical calculation
a computation that is a summarization of data values within a single column; also called an aggregation function
Schema
a description of the data elements in a database, the relationships among them, and the logical model used to organize and describe the data
Border router
a device that connects an organization's information system to the internet
policy and procedures manual
a document that explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties
project development plan
a document that shows how a project will be completed
Business process diagrams
a graphical description of the business processes used by a company
disaster recovery plan
a plan to restore an organization's IT capability in the event that its data center is destroyed
Event
a positive or negative incident or occurrence from internal or external sources that affects the implementation of strategy or the achievement of objectives
trap door / back door
a set of computer instructions that allows a user to bypass the system's normal controls
Subschema
a subset of the schema; the way the user defines the data and the data relationships
Access Control Matrix
a table used to implement authorization controls
Forensic accounting describes...
activities of roles concerned with preventing and detecting fraud; fraud examiner, fraud auditor, loss prevention specialist
spoofing
altering some part of an electronic communication to make it look as if someone else sent the communication in order to gain the trust of the recipient
zero-day attack
an attack between the time a new software vulnerability is discovered and "released into the wild" and the time a software developer releases a patch to fix the problem
patch
code released by software developers that fixes a particular vulnerability
Computer Forensics Specialists
computer experts who discover, extract, safeguard, and document computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges
Neural Networks
computing systems that imitate the brain's learning process by using a network of interconnected processors that perform multiple operations simultaneously and interact dynamically
Preventive Controls
controls that deter problems before they arise
Corrective Controls
controls that identify and correct problems as well as correct and recover from the resulting errors
Concurrent update controls
controls that lock out users to protect individual records from errors that could occur if multiple users attempted to update the same record simultaneously
Application Controls
controls that prevent, detect, and correct transaction errors and fraud in application programs
Collusion
cooperation between two or more people in an effort to thwart internal controls
Information System Library
corporate databases, files, and programs stored and managed by the system librarian
Audit trail
documentary evidence of various control techniques that a transaction was subject to during processing
skimming
double-swiping a credit card in a legitimate terminal or covertly swiping a credit card in a small, hidden, hand-held card reader that records credit card data for later use
war dialing
driving around looking for protected home or corporate wireless networks
The most effective method for protecting an organization from social engineering attacks is providing
employee awareness training.
White-collar crime describes...
grouping of illegal activities that occur as part of the occupation of the offender; asset misappropriation or fraudulent financial reporting
Response Time
how long it takes for a system to respond
Delete Anomaly
improper organization of a database that results in the loss of all information about an entity when a row is deleted
According to the Trust Services Framework, the confidentiality principle of integrity is achieved when the system produces data that
is protected against unauthorized physical and logical access.
Operations Objectives
objectives that deal with the effectiveness and efficiency of company operations and determine how to allocate resources
Compliance Objectives
objectives to help the company comply with all applicable laws and regulations
trust
people are more likely to cooperate with people who gain their trust
Segregation of Accounting Duties
separating the accounting functions of authorization, custody, and recording to minimize an employee's ability to commit fraud
Document flowchart
shows the flow of documents and information between departments or areas of responsibility
system flowchart
shows the relationship among the input, processing, and output in an information system
ransomware
software that encrypts programs and data until a ransom is paid to remove it
Boundary System
system that helps employees act ethically by setting boundaries on employee behavior
interactive control system
system that helps managers to focus subordinates' attention on key strategic issues and to be more involved in their decisions
Diagnostic Control System
system that measures, monitors, and compares actual company progress to budgets and performance goals
general authorization
the authorization given employees to handle routine transactions without special approval
Fault Tolerance
the capability of a system to continue performing when there is a hardware failure
compassion
the desire to help others who present themselves as really needing your help
Authorization
the process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform
key escrow
the process of storing a copy of an encryption key in a secure location
Encryption
the process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext
software piracy
the unauthorized copying or distribution of copyrighted software
multifactor authentication
the use of two or more types of authentication credentials in conjunction to achieve a greater level of security
physical view
the way data are physically arranged and stored in the computer system
Join
to combine separate but related tables by linking them on their common attributes; one of the three primary relational algebra operators discussed in this text
What is the principal function of internal controls?
to influence the behavior
Other considerations for small companies:
top-down risk assessment of internal controls, focus on changes, manage reporting objectives, right-size documentation
decryption
transforming ciphertext back into plaintext
Hashing
transforming plaintext of any length into a short code called a hash
This protocol specifies the procedures for dividing files and documents into packets to be sent over the Internet.
transmission control protocol
communication link
transmission of data from one geographic location to another via communication lines
True or false. Researchers found few psychological and demographic differences between white-collar criminals and the public.
true
This feature speeds up data entry because some of the input data is prerecorded on the source document and can be scanned
turnaround document
Header Record
type of internal label that appears at the beginning of each file and contains the file name, expiration date, and other file identification information
war rocketing
using rockets to let loose wireless access points attached to parachutes that detect unsecured wireless networks
SMS spoofing
using short message service (SMS) to change the name or number a text message appears to come from
Data Mining
using sophisticated statistical analysis to "discover" unhypothesized relationships in the data
Expenditure cycle control objectives:
vendors authorized, employees hired; access to personnel, payroll, and disbursement records permitted according to job need; compensation rates and payroll deductions authorized; amounts due to vendors accurately and promptly classified, summarized, and reported
Nonrepudiation
creating legally binding agreements that cannot be unilaterally repudiated by either party
Query to identify highest and lowest selling inventory during a specific time period Step 1:
-Constrain dates and calculate extended sale line item amounts: -Create query. Add Sale and StockflowSaleInventory table. SaleID should be joined. Add Date from Sale table to Field. Add ItemID, QuantitySold, and ActualUnitSellingPrice from StockflowSaleInventory table. Add "Between [begdate] AND [enddate]" for criteria for Date. In the next Field column, click builder. Multiply QuantitySold and ActualUnitSellingPrice. Rename "ExtSaleAmt" before :equation. Save query as InventorySaleAmountsOuterJoin1.
Accounts Payable Step 4:
-Sum Cash Disbursements applicable to Purchases paid: -Create query. Add IdentifyCashDisbforPurchthoughenddate table. Add DollarAmount to Field. Sum DollarAmount. Save query as SumCashDisbforPurchThroughEndDate.
Most frequent "cook the books" schemes
-fictitiously inflating revenues (recognizing revenue before it is earned) -delaying current expenses to a later period -overstating inventories or assets -concealing losses and liabilities
Elements or characters of a typical misappropriation
1. Gains the trust 2. Uses trickery, cunning, or misinformation 3. Conceals fraud by falsifying records 4. Rarely stops voluntarily 5. Need or greed impels the person to continue 6. Spends the gains 7. Takes larger and larger sums 8. Grows careless or overconfident
Pressures that can lead to financial statement fraud
1. Management characteristics 2. Industry conditions 3. Financial
4 types of threats to AIS
1. Natural and political disasters 2. Software errors and equipment malfunctions 3. Unintentional acts 4. Intentional threat
A flowchart differs from a logical flow diagram because it A) provides a physical description of the system B) provides a logical description of the system C) does not specify certain input/output devices D) does not specify certain storage devices
A
A formal technique used by the systems analyst to summarize related data inputs and outputs is A) matrix analysis B) work measurement C) flowcharting D) decision analysis
A
An analysis of the system survey contains a A) summary of the system's strengths and weaknesses B) cost comparison of different software packages C) review of information needs D) listing of input requirements
A
Mathematical comparison operators
= equal to < less than <= less than or equal to > greater than >= greater than or equal to <> not equal to (or != in some software)
102) The goal of work measurement is to create a benchmark or yardstick to use in measuring the efficiency of an operation. The first step taken in work measurement is to A) identify the tasks. B) analyze requirements C) examine IPO and HIPO documentation. D) obtain time estimates for performing the tasks.
A
103) The formula used to compute total task time for work measurement purposes is A) (average time / unit + idle time / unit) × average volume. B) total time available / total task time. C) (average volume / unit + average time / unit) × average volume. D) total task time / total time available.
A
114) An annotation or comment may be represented in a flowchart using a A) brace. B) flowline. C) square. D) diamond.
A
61) Audit tests that follow compliance tests and rely on the interim audit's results are called A) substantive tests. B) follow-up tests. C) internal control tests. D) evaluation tests.
A
Which of the following database design techniques shows the interrelationships between various kinds of records? A) data structure design B) record layouts C) file-related matrices D) file analysis sheets
A
Decision
A decision making step
digital signature
A hash encrypted with the creator's private key
carding
Activities performed on stolen credit cards, including making a small online purchase to determine whether the card is still valid and buying and selling stolen credit card numbers
Size Check
An edit check that ensures that input data will fit into the assigned field
Field Check
An edit check that tests whether the characters in a field are of the correct field type (e.g., numeric data in numeric fields).
Accessible
Available when needed and in a useful format
Which of the following preventive controls are necessary to provide adequate security for social engineering threats?
Awareness training.
60) The acronym for the organization responsible for standardizing flowchart symbols is A) FASB. B) ANSI. C) AICPA. D) CMA.
B
62) Which of the following is a procedure included in systems design? A) Computer program documentation B) Forms design C) Training personnel D) Document review
B
Which of the following are business process diagram preparation guidelines? (Check all that apply.) a) BPDs depict the major steps in a process sequentially, reading from left to right and top to bottom. b) A BPD, no matter how detailed, is rarely sufficient to evaluate internal controls, such as whether duties are properly segregated. c) Unlike DFDs, most BPDs will not start with an action verb. d) Each row or swim lane in a BPD contains the activities performed by the indicated employee or department. e) Show what technology is used in each business process.
BPDs depict the major steps in a process sequentially, reading from left to right and top to bottom. Each row or swim lane in a BPD contains the activities performed by the indicated employee or department.
Father of XBRL
Charlie Hoffman
After a fraud has occurred, which of the following is the best way to reduce loss from that fraud? A. Develop and implement a strong system of internal controls B. Increase the penalty for committing fraud by prosecuting fraud perpetrators more vigorously C. Create an organizational culture that stresses integrity and commitment to ethical values and competence D. Collect on fraud insurance purchased before the fraud E. Implement computer-based controls over data input, computer processing, data storage, data transmission, and information output
Collect on fraud insurance purchased before the fraud
A programmer at a large bank inserted code into the company's computer system that told the computer to not only ignore any overdrafts on his accounts, but to not charge his accounts any late or service fees. This is an example of what type of fraud? a) Computer instruction fraud b) Output fraud c) Data fraud d) Input fraud e) Processor fraud
Computer instruction fraud
On-page connector
Connects the processing flow on the same page; its usage avoids lines crisscrossing a page
Perimeter defense is an example of which of the following preventive controls that are necessary to provide adequate security?
Controlling remote access.
Another way to fight computer fraud
Develop software to examine bank or accounting records for suspicious transactions
Popular means of documenting a system
Diagrams, flowcharts, tables and other graphical representations of data and information
A query's answer in Microsoft Access is referred to as a
Dynaset
What is the advantage to creating a query that includes a date constraint as a parameter query?
Each time the user needs to run the query for different dates, the user does not need to change the query design; but rather the user is prompted to enter the desired date upon running the query.
Which of the following is not one of the essential criteria for successfully implementing each of the principles that contribute to systems reliability, as discussed in the Trust Services Framework?
Effectively communicating policies to all outsiders.
Electronic data entry
Electronic data entry device such as a computer, terminal, tablet, or phone
Authorization
Establishing policies for employees to follow and then empowering them to perform certain organizational functions. Authorizations are often documented by signing, initialing, or entering an authorization code on a document or record.
A closed-ended questionnaire is the same as a depth interview
False: an open-ended questionnaire is the same as a depth interview; a closed-ended questionnaire is the same as a structured interview
cyber sleuths
Forensics experts breaking into a company, and specialize in catching fraud perpetrators
Basic Exchange
Goods for money
Data Flow Diagrams
Graphical descriptions of the sources and destinations of data
Organizations have limited resources, thus investments in AIS should...
Have greatest impact on ROI
data query language (DQL)
High-level, English-like, DBMS language that contains powerful, easy-to-use commands that enable users to retrieve, sort, order, and display data.
Context Diagram
Highest-level DFD; a summary-level view of a system, showing the data processing system, its input(s) and output(s), and their sources and destinations. Context diagrams are decomposed into successively lower levels, each with an increasing amount of detail
Which of the following causes the majority of computer security problems? Human errors Software errors Natural disasters Power outages
Human errors
Check digit
ID numbers (such as employee number) can contain a check digit computed from the other digits
Explain how incorrect information retrieval results may be obtained even from a perfectly designed database.
If a database is perfectly designed but the query designer doesn't understand the database design or the nature of the data in the tables, or if the query designer is not adept with the database's query language, the query designer is likely to make mistakes in creating the query. Sometimes querying mistakes are not readily evident and the incorrect results are used for decision-making, often resulting in bad decisions.
Which of the following is an example of a corrective control?
Incident response teams.
Which of the following are data flow diagram preparation guidelines? (Check all that apply.) a) Include all relevant data elements so that they are considered during the system development. b) All transformation processes should have one or more incoming data flows, but may not have an outgoing data flow. c) Include all error paths, no matter how unimportant they may seem. d) Give each process a sequential number to help readers navigate among the DFD levels.
Include all relevant data elements so that they are considered during the system development. Give each process a sequential number to help readers navigate among the DFD levels.
Electronic Output
Information displayed by an electronic output device such as a terminal, monitor, or screen
Reliable
Information is free from error and bias and faithfully represents what it is supposed to
Complete
Information reported includes everything material that is necessary for faithful representation
Which of the following is not one of the three fundamental information security concepts?
Information security is a technology issue based on prevention.
Annotation Information
Information that helps explain a business process is entered in the BPD and, if needed, a bold dashed arrow is drawn from the explanation to the symbol
Relevant
Information will make a difference in your decision making
Computer systems are particularly vulnerable to fraud for the following reasons: (Check all that apply.) a) Few companies design controls into their computer systems. b) Most employees and suppliers with access to a computer system will eventually perpetrate a computer fraud, irrespective of the strength of the internal controls. c) It is difficult to control physical access to each electronic device that accesses a network. d) Computer programs need to be illegally modified only once, in order for them to operate improperly for as long as they are in use. e) Perpetrators who break into corporate databases can steal or destroy massive amounts of data in very little time, often leaving little evidence.
It is difficult to control physical access to each electronic device that accesses a network. Computer programs need to be illegally modified only once, in order for them to operate improperly for as long as they are in use. Perpetrators who break into corporate databases can steal or destroy massive amounts of data in very little time, often leaving little evidence.
Taxonomy
Like a dictionary which defines the XBRL tags used for specific data items
Residents in Berryhill received an e-mail stating that there is an armed robber on the loose. The e-mail claimed to be from the Berryhill police department, but it wasn't. Computer forensic experts later determined that the e-mail was sent from a computer lab in the Berryhill's public library. The police were then able to uniquely identify the computer that was used by means of its network interface card's ________ address. Security cameras later help the police to reveal the identity of the individual responsible for the hoax.
MAC
Organizations can increase the difficulty of committing fraud by all of the following except: A. Encrypting stored and transmitted data B. Implementing strong internal controls C. Restricting access to company assets and data D. Maintaining adequate insurance
Maintaining adequate insurance
click fraud
Manipulating the number of times an ad is clicked on to inflate advertising bills.
investment fraud
Misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little or no risk. Examples include Ponzi schemes and securities fraud.
All of the following are guidelines that should be followed in naming DFD data elements except: Process names should include action verbs, such as update, edit, prepare, and record. Make sure the names describe all the data or the entire process. Name only the most important DFD elements. Choose active and descriptive names.
Name only the most important DFD elements.
Open Invoice Method
New invoice for each transaction ADV: Get money quicker
Which of the following control procedures is most likely to deter lapping? Encryption Continual update of the access control matrix Background check on employees Periodic rotation of duties
Periodic rotation of duties
Estimates
Portion of expenses expected to occur over a number of accounting periods
chipping
Posing as a service engineer and planting a small chip that records transaction data in a legitimate credit card reader. The chip is later removed to access the data recorded on it.
XBRL is used by
Preparers, reviewers, and users of financial information
Change Management
Process of making sure changes are made smoothly and efficiently and do not negatively affect the system
The documentation skills that accountants require vary with their job function. However, all accountants should at least be able to do which of the following? Read documentation to determine how the system works. Critique and correct documentation that others prepare. Prepare documentation for a newly developed information system. Teach others how to prepare documentation.
Read documentation to determine how the system works
What is SQL statement for a Query to Identify Customers with Credit Rating of "A" or "A+"?
SELECT * FROM Customer WHERE CreditRating='A' OR CreditRating='A+';
Which of the following is the most important, basic, and effective control to deter fraud? Enforced vacations Logical access control Segregation of duties Virus protection controls
Segregation of duties
What tables do you use in a query to find accounts receivable?
Sale Event, Cash Receipt Event, and Sales Return Event
Information Rights Management (IRM)
Software that offers the capability not only to limit access to specific files or documents, but also to specify the actions (read, copy, print, download, etc.) that individuals who are granted access to that resource can perform. Some IRM software even has the capability to limit access privileges to a specific period of time and to remotely erase protected files.
Data Loss Prevention (DLP)
Software which works like antivirus programs in reverse, blocking outgoing messages (e-mail, instant messages, etc.) that contain key words or phrases associated with intellectual property or other sensitive data the organization wants to protect.
opportunity
The condition or situation that allows a person or organization to commit and conceal a dishonest act and convert it to personal gain.
Which of the following is an example of a preventive control?
The creation of a "security-aware" culture.
Which of the following is true regarding the use of an outer join in SQL?
The outer join must be specified as a Left Join or a Right Join.
Which of the following statements is false? The psychological profiles of white-collar criminals differ from those of violent criminals. The psychological profiles of white-collar criminals are significantly different from those of the general public. The psychological profile of white-collar criminals is similar to that of the general public. There is little difference between computer fraud perpetrators and other types of white-collar criminals. Some computer fraud perpetrators do not view themselves as criminals.
The psychological profiles of white-collar criminals are significantly different from those of the general public.
Strategy
The way to sustain competitiveness
Natural and political disasters
This AIS threat includes fire or excessive heat, floods, earthquakes, landslides, hurricanes, tornadoes, blizzards, snowstorms, and freezing rain, as well as war and attacks by terrorists
General Ledger Primary Function
To collect and organize the accounting cycle activities, finance activities, investing activities, budget activities, and adjustments
A good question to ask when evaluating "canned" software is "are source programs supplied?"
True
A large portion of the systems analyst's job is to collect and organize facts
True
In object-oriented design, objects possess methods and attributes
True
white-collar criminals
Typically, businesspeople who commit fraud. White-collar criminals usually resort to trickery or cunning, and their crimes usually involve a violation of trust or confidence.
pretexting
Using an invented scenario (the pretext) that creates legitimacy in the target's mind in order to increase the likelihood that a victim will divulge information or do something
cyber-bullying
Using computer technology to support deliberate, repeated, and hostile behavior that torments, threatens, harasses, humiliates, embarrasses or otherwise harms another person
internet terrorism
Using the Internet to disrupt electronic commerce and harm computers and communications.
A BPD provides users a ________ of the different steps or activities in a business process A. Decision tree B. Narrative C. Visual view D. Dataflow
Visual view
Level 1 DFD
a DFD is created for each process in LEVEL 0. (It has one meaningful decimal place)
Collusion
agreement or conspiracy among two or more people to commit fraud
Preventive, detective, or corrective: Automatic error correction
corrective
postimplementation review
review, performed after a new system has been operating for a brief period, to ensure that it meets its planned objectives
Human resource policies and procedures:
segregation of duties - clear designated responsibility, supervision, job rotation and forced vacation, dual control - two people working in unison
worm
similar to a virus, except that it is a program rather than a code segment hidden in a host program; a worm also copies itself automatically and actively transmits itself directly to other systems
Trailer Record
type of internal label that appears at the end of a file; in transaction files, the trailer record contains the batch totals calculated during input
hacking
unauthorized access, modification, or use of an electronic device or some element of a computer system.
spam
unsolicited email that contains either advertising or offensive content
Social Engineering
using deception to obtain unauthorized access to information resources
Virtual Private Network (VPN)
using encryption and authentication to securely transfer information over the internet, thereby creating a "virtual" private network
Authentication
verifying the identity of the person or device attempting to access the system
system performance measurements
ways to evaluate and assess a system
Query to identify inventory items with no positive customer reactions Step 1:
-Identify items in sales calls with positive customer reactions: -Create query. Add PropositionSalesCallInventoryType table. Add ItemID and CustomerReactiontoProduct to Field. "Positive" for criteria for CustomerReactiontoProduct. Save query as InventoryWithPositiveSalesCallReactions.
83) The symbol which is used to link other symbols and indicate the sequence of information and operations is the A) flowline symbol. B) annotation symbol. C) input/output symbol. D) process symbol.
A
fraud
Any and all means a person uses to gain an unfair advantage over another person.
95) Which of the following is not true with respect to the use of systems techniques by auditors? A) Systems techniques assist the auditor in evaluating a client's internal control. B) Systems techniques replace audit working papers. C) Auditors rely on systems techniques to assist with compliance testing. D) Auditors use systems techniques as part of their documentation for their audit working papers.
B
________ is/are an example of a preventive control.
Encryption
12) Auditors primarily use IPO and HIPO charts.
FALSE
As an organization increases in its complexity and the number of products manufactured or sold, it becomes easier to find an appropriate turnkey software system that adequately meets the organization's needs
False
Which type of fraud is associated with 50 percent of all auditor lawsuits? Kiting Fraudulent financial reporting Ponzi schemes Lapping
Fraudulent financial reporting
A woman sent her company fictitious medical bills from doctors who did not exist. The bills were processed in the normal way by her employer, and payments went to her husband's office address. She bilked her company out of millions of dollars. This is an example of what type of fraud? a) Processor fraud b) Data fraud c) Computer instruction fraud d) Input fraud e) Output fraud
Input fraud
Shipping-Source Documents
-Input: Sales order/picking ticket -Output: Packing slip (warehouse) and bill of lading (shipping); both go to common carrier, customer, and billing
Which of the following is a fraud in which later payments on account are used to pay off earlier payments that were stolen? A. Lapping B. Kiting C. Ponzi scheme D. Salami technique
Lapping
buffer overflow attack
Large amount of data sent to the input memory (buffer) of a program which overflows into adjacent buffers, corrupting or overwriting the valid data held in them.
Which of the following query interfaces is intended to be more point-and-click in nature and to require less user expertise?
Query By Example
BPEL is an executable computer language that facilitates interactions between business processes and Web services
True
Computer Operators
people who operate the company's computers
A demilitarized zone
permits controlled access from the Internet to selected resources.
Systems Administrator
person responsible for making sure a system operates smoothly and efficiently
Network Manager
person who ensures that the organization's networks operate properly
This could help prevent the entry of inconsistent data elements, such as entering a tax code for a customer for whom sales should be nontaxable
reasonableness test
Internal control is a process designed to provide reasonable assurance related to achievement of objectives in these categories:
reliability of financial reporting, effectiveness and efficiency of operations, compliance with applicable laws and regulations
address resolution protocol (ARP) spoofing
sending fake ARP messages to an Ethernet LAN. ARP is a computer networking protocol for determining a network host's hardware address when only its IP or network address is known
4 basic data flow diagram elements
1. Data sources and destinations 2. Data flows 3. Transformation processes 4. Data stores
31) A DFD may consist of either DFD or ANSI flowchart symbols.
FALSE
32) A document flowchart is similar to a systems flowchart.
FALSE
35) UML is a United States standard, not yet supported by the International Standards Organization.
FALSE
37) In UML, use case diagrams model the flow of activities involved in a single process.
FALSE
4) When evaluating internal controls, auditors are usually not concerned with the flow of processing and distribution of documents within an application system.
FALSE
8) Analytic and system flowcharts are seldom found in the working papers of auditors.
FALSE
Internal control Opportunities permitting fraud
-Failure to enforce/monitor internal controls -Management's failure to be involved in the internal control system -Management override of controls -Managerial carelessness, inattention to details -Dominant and unchallenged management -Ineffective oversight by board of directors -No effective internal auditing staff -Infrequent third-party reviews -Insufficient separation of authorization, custody, and record-keeping duties -Too much trust in key employees -Inadequate supervision -Unclear lines of authority -Lack of proper authorization procedures -No independent checks on performance -Inadequate documents and records -Inadequate system for safeguarding assets -No physical or logical security system -No audit trails -Failure to conduct background checks -No policy of annual vacations, rotation of duties
patch
code released by software developers that fixes a particular software vulnerability
Receive and Store Goods-Source Documents
-Input: Purchase order; Packing slip and bill of lading -Output: Receiving report
What tables are used for a Query for number of sales calls made by each salesperson during a time period?
SalesCall and SalesRepresentative
What tables do you use to Query to identify inventory items with no positive customer reactions?
SalesCall, PropositionSalesCallInventoryType, and InventoryType
How do you hard-wire a date?
<=#5/1/2018#
9) Accounting recognizes a sale when
A) inventory becomes the legal property of the customer.
Context Elements
Explain the context in which the data appears
Internal control processes collect information concerning the following:
fulfillment of duties, transfer of authorities, approval, verification
Accounts Receivable Step 4:
-Calculate A/R as sales minus applicable cash receipts and sale returns: Create new query. Add SumSalesThroughBSDate, SumCRforSalesThroughBSdate, and SumSalesReturnThroughBSdate tables. Add SumOfDollarTotal from each table to field. In next field column, click builder. Subtract CR for sales and Sales Returns from Sales. Add Nz to each. Rename "AcctsRec" before :equation. Save query as ARfinal.
Query to calculate number of days to fill selected sales orders Step 2:
-Calculate average of days to fill orders: -Create query. Add DateDiffSaleSaleOrder table. Add DaysToFill to Field. Avg for DaysToFill. Save query as AvgDaysToFillSaleOrders.
Query to calculate number of days to fill selected sales orders Step 1:
-Calculate number of days to fill each sale order for orders accepted in May 2015: -Create query. Add SaleOrder, FulfillmentSaleOrderSale, and Sale table. SaleOrderID should be joined between SaleOrder and FulfillmentSaleOrderSale tables. SaleID should be joined between FulfillmentSaleOrderSale and Sale tables. Add OrderDate from SaleOrder table. Add Date from Sale table. Add "Between [begindate] AND [enddate]" for criteria for OrderDate. In next field column, click builder. Subtract OrderDate from Date. Rename "DaysToFill" before :equation. Save query as DateDiffSaleSaleOrder.
Examples of Acquisition Cycle Duality Queries
-Calculation of the outstanding payable balance for a purchase -Calculation of total accounts payable at a point in time -Calculation of prepaid expenses at a point in time -Aging of accounts payable -Calculation of the average number of days it takes to pay vendor invoices
Examples of Revenue Cycle Duality Queries
-Calculation of the outstanding receivable balance for a sale (or service engagement) invoice -Calculation of total accounts receivable at a point in time -Calculation of prepaid revenue at a point in time -Aging of accounts receivable -Calculation of the average number of days it takes to collect receivables
Functions of AIS
-Collects and stores data about organization -Transforms data into information useful to internal and external users -Provides adequate controls to safeguard organizational assets
Query to find dollar value of sales of each inventory type for a given time period Step 1:
-Constrain dates and calculate extended sale line item amounts: -Create query. Add InventoryType, StockflowSaleInventory, and Sale table. ItemID should be joined between InventoryType and StockflowSaleInventory. SaleID should be joined between StockflowSaleInventory and Sale. Add ItemID and Description from InventoryType table to Field. Add Date from Sale table to Field. Add QuantitySold and ActualUnitSellingPrice from StockflowSaleInventory table. "Between [begindate] AND [enddate]" for criteria for Date. In next Field column, click builder. Multiply QuantitySold and ActualUnitSellingPrice. Rename "ExtSaleAmt" before :equation. Save query as StockflowExtendedSaleAmt.
What are the tables that are Agent Tables and what kind of agent are they?
-Customer (External Agent) -Cashier (Internal Agent) -Receiving Clerk (Internal Agent) -Sales Representative (Internal Agent)
Differences between a DFD and Flowchart
-DFD focuses on the logical relationship and flow of data among a system's elements, while system flowcharts focus more on the physical elements in the system -DFD remains the same when devices change as long as the processing logic is the same, but the flowchart will change as soon as the devices change
Request Goods-Activities
-Determine needs -Submit request
Querying for Inventory Weighted Average Unit Cost - NOT for Financial Statement use Step 3:
-Divide total line item extensions by total purchase quantities for each item: -Create query. Add SumPurchQtyAndLineExtensions table. Add ItemID, SumOfLineItemExtension, and SumOfQuantityPurchased to Field. In next Field column, click builder. Divide SumOfLineItemExtension by SumOfQuantityPurchased. Rename "WAUC" before :equation. Save query as WeightedAverageUnitCostDuringPeriod.
Invoice Processing: Non Voucher
-Each approved invoice is posted to individual supplier records in the accounts payable file and is then stored in an open invoice file -When a check is written to pay an invoice, the voucher package is removed from the open invoice file, is marked paid, and then is stored in the paid invoice file
Receive and Store Goods-Activities
-Verify order and quantity -Inspect quality and condition -Accept goods -Store goods
Balanced Scorecard reflects on...
-Financial -Customer -Internal Operations -Innovation and Learning
Examples of questions for Acquisition Cycle Participation Queries?
-From which supplier was a specific purchase made? -By which purchase agent was a specific purchase order placed? -How many purchase orders did a specified purchase agent make during a specified time period? -What is the total (or average) dollar amount of purchases made by each purchasing agent during a specified time period? -When was a specified purchase received, and by which receiving clerk (include clerk's id, name, and telephone number)? -To which supplier have the most purchase returns been made?
Examples of Duality Relationship Query Types
-Identification as to whether a specified exchange is completed -Identification of completed exchanges for a specified time period -Identification of incomplete exchanges for a specified time period -Calculation of the amount of claims, e.g. prepaid expenses, payables, unearned revenues, or receivables, either in total or for a specified exchange event -Calculation of the total or average length of the timing difference(s) between the events involved in one or more exchanges
Examples of Acquisition Cycle Fulfillment Queries?
-Identification of unfilled purchase orders -Identification of filled purchase requisitions (i.e., those purchase requisitions that resulted in purchase orders) -Calculation of average number of days the enterprise takes to fill purchase requisitions for a given time period -Identify the purchase order that corresponds to a purchase
Revenue Cycle Fulfillment Queries
-Identification of unfilled sale orders -Identification of successful sales calls (i.e., those sales calls that resulted in orders) -Calculation of number of average days the enterprise takes to fill sale orders for a given time period
Fulfillment Relationship Query Types
-Identification of unfulfilled commitments or instigation events -Identification of fulfilled commitments or instigation events -Identification of commitment events that were not preceded by instigation events, or identification of economic events that were not preceded by commitment events -Calculation of length of time between instigation and commitment events or between commitment and economic events -Identification of causes of commitments and/or of economic events -Identification of results of instigations and/or of commitment events
Accounts Payable Step 3:
-Identify Cash Disbursements applicable to Purchases paid: -Create query. Add Purchase and Cash Disbursement table. Cash DisbursementID should be a foreign key in the Purchases table. Add DisbVoucherID, Dollar Amount, and VoucherDate all from the Cash Disbursements table to Field. Where for VoucherDate. <=[EndDate] for criteria for VoucherDate. Save query as IdentifyCashDisbforPurchthoughenddate.
Accounts Payable Step 1 and 2:
-Identify and sum purchase dollar amounts through end date: -Create query. Add purchases table. Add Dollar Amount and Date to Field. Sum Dollar Amount. Where for Date. <=[EndDate] for criteria for Date. Save query as PurchasesThroughEndDate.
Order Goods-Threats
-Inaccurate inventory records -Purchasing items not needed or at an inflated price -Purchasing goods that are inferior quality -Unreliable suppliers -Purchasing from unauthorized suppliers -Kickbacks
Expenditure Cycle Threats
-Inaccurate or invalid master data -Unauthorized disclosure of sensitive information -Loss or destruction of data -Poor performance
AIS Primary Activities
-Inbound Logistics -Operations -Outbound Logistics -Marketing and Sales -Service (post sale--90 day trial)
Order Taking-Threats
-Incomplete/inaccurate order -Invalid orders -Uncollectible accounts -Stockouts or excess inventory -Loss of customer
Paying for Goods and Services-Source Documents
-Input: Purchase order, receiving report, vendor invoice -Output: Disbursement voucher, check to vendor
What is querying?
-It is asking questions about the data in the database and manipulating or combining the data in different ways -We can isolate certain rows in tables, we can isolate certain columns in tables, we can join tables together, we can create calculations based on various data items, etc.
Query to identify highest and lowest selling inventory during a specific time period Step 2:
-Join InventoryType table to Extended Sale Line Item Amounts query result using an Outer Join to include those items with no sales at all: -Create query. Add InventoryType and InventorySaleAmountsOuterJoin1 tables. Join ItemID by dragging from InventoryType to InventorySaleAmountsOuterJoin1. Add ItemID and Description from InventoryType table to Field. Add ExtSaleAmt from InventorySaleAmountsOuterJoin1 table to Field. Sum ExtSaleAmt. Save query as InventorySaleAmountsOuterJoin2.
Examples of Revenue Cycle Event Queries
-Location of a sales call -Total number of sales calls, sale orders, sales, etc., that occurred at a specified location or during a specified time period -Total dollar amount for a specific sale order, sale, cash receipt, or sale return -Total or average dollar amount of all sale orders, sales, cash receipts, or sale returns for one or more specified time periods -Total or average dollar amount of sale orders, sales, cash receipts, or sale returns in a specific location for one or more specified time periods -Sales tax applicable to a specified sale event -Shipper's tracking number for a shipment sale event -Date a sale event occurred -Length of a sales call (end time minus start time)
Query for number of sales calls made by each salesperson during a time period Step 2:
-Outer Join Sales Representatives to Sales Calls and count for each: -Create query. Add SalesCallsforTimePeriod and SalesRepresentative tables. SalesRepID from SalesRepresentative table should be joined to SalesRepID from SalesCallsforTimePeriod table. Add SalesRepID and Name from SalesRepresentative table. Add SalesCallID from SalesCallsforTimePeriod table. Count for SalesCallID. Save query as SalesRepCountofSalesCallsforTimePeriod.
Query to identify inventory items with no positive customer reactions Step 2:
-Outer join inventory type to positive reactions result; use "Is Null" operator to identify those without positive reactions: -Create query. Add InventoryWithPositiveSalesCallReactions and InventoryType table. ItemID from InventoryType should be joined to ItemID in InventoryWithPositiveSalesCallReactions. Add ItemID and Description from InventoryType table to Field. Add CustomerReactiontoProduct from InventoryWithPositiveSalesCallReactions table to Field. "Is Null" for criteria for CustomerReactiontoProduct. Save query as InventoryWithoutPositiveSalesCallReactions.
Shipping-Threats
-Picking the wrong items or quantity -Theft of inventory -Shipping errors
Key Activities of the Expenditure Cycle
-Request Goods -Order Goods -Receive and Store Goods -Pay for Goods and Services
Order Taking-Controls
-Restriction of access to master data -Digital or written signatures -Credit limits -Specific authorization to approve sales to new customers and sales that go over credit limits -Aging of AR -Perpetual inventory control system -Use of barcodes or RFID -Training -Periodic physical counts of inventory -Sales forecasts and activity reports -CRM, and proper evaluation of customer service ratings
Collections-Controls
-Separation of cash handling functions from AR and credit functions -Regular reconciliation of bank account by someone independent of cash collections -Use of EFT, FEDI, and lockboxes to minimize handling of customer payments by employees -Prompt, restrictive endorsement of all customer checks -Having two people open all mail likely to contain customer payments -Use of cash registers -Daily deposits of all cash receipts -Lockbox arrangements, EFT, credit cards -Discounts for prompt payment by customers -Cash flow budgets
Electronic Data Interchange
-The exchange of business transaction information between companies in a standard format via a computerized information system -In pure EDI, human involvement is not necessary
What is different about a WAUC query for Financial Statements opposed to one not for the Financial Statements?
-The only different step from the queries on the previous 3 slides is the first query should not have a beginning date constraint. -Items may not have been purchased within the financial statement time period; including a beginning date would result in those items purchased prior to that date not being assigned any cost value
Financial pressure examples
-living beyond your means -high personal debt/expenses -"inadequate" salary/income -poor credit ratings -heavy financial losses -tax avoidance -bad investments -unreasonable quotas/goals
Accounts Receivable Step 2:
-Total Cash Receipts for Sales through Balance Sheet Date. -2a: identify them: Create new query. Add Cash Receipts and Sale tables. CR should be a foreign key in the Sale table. Add Cash Receipts ID, Dollar Total, and Date from Cash Receipts table to Field. Where for Date. <=[bsdate] for criteria for Date. Save query as IdentifyCRforSalesThroughBSdate. -2b: sum them: Create new query. Add IdentifyCRforSalesThroughBSdate table. Add Dollar Total to Field and SUM. Save query as SumCRforSalesThroughBSdate.
Accounts Receivable Step 3:
-Total Sale Returns through Balance Sheet Date: Create new query. Add Sales Returns table. Add Dollar Amount and Date to Field. Sum Dollar Amount. Where for Date. <=[bsdate] for criteria for Date. Save query as SumSalesReturnThroughBSdate.
Examples of Acquisition Cycle Event Queries
-Total number of purchase orders made during a specified time period -Total dollar amount for a specific purchase order, general & administrative service and supplies acquisition, operating asset acquisition, inventory acquisition, cash disbursement, or purchase return -Total or average dollar amount of all acquisition/payment events of a specified type for one or more specified time periods -Seller's tracking number for an expected purchase event -Date a purchase event occurred
Practically, what are the steps for an Accounts Payable query?
-Total of acquisitions through balance sheet date minus total of cash disbursements through balance sheet date that applied to acquisitions. Also minus purchase returns/discounts through balance sheet date. -MUST include ONLY ending date constraint (balance sheet items reflect cumulative data from beginning of company through balance sheet date). -Use acquisition date to determine which acquisitions to include. -Use cash disbursement date and duality relationships to determine which cash disbursements to include. Be sure to aggregate cash disbursements that apply to the same purchase before subtracting from purchase amount
Examples of questions for Revenue Cycle Reservation Queries?
-Which inventory types does a specific commitment event agree to decrease? -What quantity of each inventory type does a specific commitment event agree to decrease? -What selling price was quoted for each inventory type in a specific commitment event? -What was the total dollar value of sale orders for a specified time period? (if total dollar amount is stored in the sale order event table, then it is not necessary to use the reservation relationship to meet this information need) -What is the average dollar value of sale orders of a specified inventory type for a specified time period?
Examples of questions for Acquisition Cycle Reservation Queries?
-Which inventory types does a specific commitment event agree to increase? -What quantity of each inventory type does a specific commitment event agree to increase? -What unit cost was quoted for each inventory type in a specific commitment event? -What was the total dollar value of purchase orders for a specified time period? (if total dollar amount is stored in the purchase order event table, then it is not necessary to use the reservation relationship to meet this information need) -What is the average dollar value of purchase orders of a specified inventory type for a specified time period?
What are examples of questions for a Revenue Cycle Stockflow Query Type?
-Which inventory types were decreased by a specific sale event? -What quantity of each inventory type was decreased by a specific sale event? -Which inventory types were increased by a sale return event? -What quantity of each inventory type was increased by a specific sale return event? -What selling price was charged for an inventory type on a specific sale event? -What selling price was granted as credit for an inventory type on a specific sale return event? -What was the total dollar value of sales for a specified time period? (if total sale amount is stored in the sale event table, then it is not necessary to use the stockflow relationship to meet this information need) -What is the average dollar value of sales of a specified inventory type for a specified time period?
What are examples of questions for an Acquisition Cycle Stockflow Query?
-Which inventory types were increased by a specific purchase event? -What quantity of each inventory type was increased by a specific purchase event? -Which inventory types were decreased by a purchase return event? -What quantity of each inventory type was decreased by a specific purchase return event? -What unit cost was charged for an inventory type on a specific purchase event? -What unit cost was granted as credit for an inventory type on a specific purchase return event? -What was the total dollar value of purchases for a specified time period? (if total purchase dollar amount is stored in the purchase event table, then it is not necessary to use the stockflow relationship to meet this information need) -What is the average dollar value of purchases of a specified inventory type for a specified time period?
Examples of questions for Revenue Cycle Proposition Queries?
-Which inventory types were presented as part of a sales call event? -What selling price was proposed for an inventory type in a specific sales call event? -What was the reaction to each inventory type presented in a specific sales call event? -Have any inventory types never been presented in any sales call event? -How many different types of inventory were presented in a specific sales call event?
Emotional pressure examples
-excessive ego, pride, ambition -performance not recognized -job satisfaction -fear of losing job -need for power or control -deliberate nonconformity -inability to abide by or respect rules -challenge of beating the system -envy or resentment against others -need to win financial one-upmanship -competition -coercion by bosses/top management
SQL's WHERE component
-isolates rows -Also can help accomplish join -may be omitted for single-table queries that retrieve all rows
Reasons number of incidents, total dollar loss, and sophistication of predators and schemes used to commit computer fraud are increasing rapidly:
-not everyone agrees on what constitutes computer fraud -many times computer fraud goes undetected -a high percentage of fraud is not reported -many networks are not secure -internet sites offer step-by-step instructions -law enforcement cannot keep up with the growth -calculating losses is difficult
For an act to be fraudulent there must be
1) A false statement, representation, disclosure 2) A material fact (something that induces a person to act) 3) An intent to deceive 4) A justifiable reliance (person relies on the misrepresentation to take the action) 5) An injury or loss
Guidelines for preparing flowcharts
1) Understand the system 2) Identify the entities to be flowcharted 3) Organize flowchart 4) Clearly label all symbols 5) Page connectors 6) Draw a rough sketch of the flowchart 7) Draw a final copy of the flowchart
difference between a virus and a worm
1. a virus is a segment of code hidden in or attached to a host program or executable file, whereas a worm is a stand-alone program 2. a virus requires a human to do something for it to replicate, whereas a worm does that automatically and actively seeks to send copies of itself to other network devices 3. worms harm networks (if only by consuming bandwidth), whereas viruses infect or corrupt files or data on a targeted computer
ways to minimize social engineering
1. never let people follow you into a restricted building 2. never log in for someone else on a computer, especially if you have administrative access 3. never give sensitive information over the phone or by e-mail 4. never share passwords or user IDs 5. be cautious of anyone you don't know who is trying to gain access through you
A well-planned and drawn level 0 data flow diagram for the revenue cycle would show which of the following processes? A. 1.0 take customer order, 2.0 ship products, 3.0 bill customer B. 0.1 take customer order, 0.2 ship products, 0.3 bill customer C. 0.1 take customer order, 0.12 ship products, 0.13 bill customer D. 1.1 take customer order, 1.2 ship products, 1.3 bill customer
1.0 take customer Order. 2.0 ship products 3.0 bill customer
When evaluating purchased software it is often helpful to use a decision table format to consider various issues and potential problems with the software. A question (or questions) to be asked in a decision table which might uncover any "skeletons in the closet" regarding a software package is A) How many other installations that are 'second-reference organizations' have used the software, and for how long? B) How stable is the software vendor? C) How closely does the software fit the needs of the company? D) How flexible is the software?
A
Public Company Accounting Oversight Board (PCAOB)
A board, created as part of SOX, that regulates the auditing profession.
Computer Processing
A computer-performed processing function; usually results in a change in data or information
Which of the following is not an example of asset misappropriation? A. A warehouse employee takes home five iPhones without authorization B. A controller of a company falsely adds $50 million to accounts receivable C. The treasurer of a company makes an unauthorized wire transfer from the organization's bank to a private account D. The president of the company uses the organization's cash to pay for an overseas vacation
A controller of a company falsely adds $50 million to accounts receivable
BPD Decision symbol
A decision made during the process is represented by a diamond. An explanation of the decision is placed inside the diamond
Legally, for an act to be fraudulent there must be: a) A justifiable reliance, where a person relies on a misrepresentation to take an action b) A false statement, representation, or disclosure c) An injury or loss suffered by the perpetrator d) A material fact that induces a person to act e) An intent to do bodily harm to the victim
A justifiable reliance, where a person relies on a misrepresentation to take an action A false statement, representation, or disclosure A material fact that induces a person to act
39) A way to incorporate the advantages of Electronic Data Interchange with the Electronic Funds Transfer is
A) Financial Electronic Data Interchange.
Business process diagram (BPD)
A visual way to describe the different steps or activities in a business process, providing a reader with an easily understood pictorial view of what takes place in a business process.
Business Process Diagrams (BPD)
A visual way to represent the activities in a business process; it can also show the organizational unit performing each activity
65) The accounts receivable clerk destroys all invoices for sales made to family and friends and does not record the sales in the accounts receivable subsidiary ledgers. The family and friends usually give the clerk cash as a "thank you". Which procedure will not prevent or detect this fraud?
A) Send monthly statements to all customers with balances owed.
45) Consider the following revenue cycle scenario: The company has been exposed to customer dissatisfaction and the suggested control procedure to be implemented is to install and use bar-code scanners. What is the threat?
A) The company may be shipping the wrong merchandise.
18) When a customer places an order (on account) for a certain product, what should be done before the order is checked for inventory availability?
A) The customer's available credit should be checked.
63) A sales clerk at an electronics store scanned the bar code for a low cost set of headphones and then substituted a high cost set of headphones for his friend, who paid the lower price. Which of the following controls would best help to prevent this sort of fraud?
A) Use of RFID tags
3) Which is the best control to prevent invoicing customers for the quantity ordered, which was more than the quantity shipped due to items on backorder?
A) Use the information from the packing slip to prepare the sales invoice.
49) When a proper segregation of duties exists in the area of handling cash receipts, the ________, who reports to the ________, actually handles the cash and is not the same person who posts cash receipts to customer accounts.
A) cashier; treasurer
17) During the sales order entry process, a ________ is performed to verify that each transaction record contains all appropriate data items.
A) completeness test
31) When a customer pays off the balance on an invoice, the payment is credited to the ________ file.
A) customer master
47) Separating the shipping and billing functions is designed to reduce the threat of
A) failure to bill customers.
40) Key differences exist when an integrated Enterprise Resource Planning system (ERP) replaces an existing AIS or legacy system. For example, ________ are more accurate and timely, enabling sales order entry staff to provide customers more accurate information about delivery dates.
A) inventory records
58) Laz Chance wears roller blades and headphones when he is at work at the Squishy Things Toy Company. He is a product packer. The headphones give him computer-generated instructions so he knows the location of each item and quantity that should be included in the order. These instructions are the equivalent of a
A) picking ticket.
8) A monthly statement sent to customers serves a control purpose by
A) providing an opportunity for customers to verify the balance owed and activity on the account.
54) The manager of Callow Youth Clothing was entering an order online from Sad Clown Pajamas. He ordered 100 one-size fits all pajama bottoms, but when he ordered 1000 one-size fits all pajama tops, the following error message popped up: "Did you mean to enter a quantity of 1000 for your order?" This message is the result of a
A) reasonableness test.
67) For sales returns, the least effective control to prevent fraudulent processing of a credit memo is to
A) reconcile total of credit memos to total debits posted to customers' subsidiary ledgers.
29) The document a customer returns with their payment and that identifies the source and the amount of the payment is called a
A) remittance advice.
33) A document typically encountered in the revenue cycle that is both an output document and a source document is the
A) sales invoice.
42) The activities involved in soliciting and processing customer orders within the revenue cycle are known as the ________.
A) sales order entry process
21) A company should check inventory quantities before accepting a sales order for all the following reasons except to
A) verify the accuracy of the perpetual inventory records.
Verifiable
Ability, through consensus among measurers, to ensure that information represents what it purports to represent or that the chosen method of measurement has been used without error or bias
A rationalization allows a person to convince him or herself that his or her actions are not illegal or dishonest. There are several different types of rationalizations: (Check all that apply.) a)A mental defect that makes a person think that they own the item that they took b)An attitude, such as "the rules do not apply to me" c)A lack of personal integrity that makes what a person wants more important than acting honestly d)A justification, such as "I am underpaid, so they owe it to me"
An attitude, such as "the rules do not apply to me" A lack of personal integrity that makes what a person wants more important than acting honestly A justification, such as "I am underpaid, so they owe it to me"
Document
An electronic or paper document or report
Computer Security Officer (CSO)
An employee independent of the information system function who monitors the system, disseminates information about improper system uses and their consequences, and reports to top management.
Off-page connector
An entry from, or an exit to, another page
81) You have been hired by a catalog company to computerize its sales order entry process. Approximately 70% of all orders are received over the telephone by a sales person. The other 30% of orders are received by a sales person through mail or fax. The catalog company wants the phone orders processed real-time. The mail and fax orders will be processed in batches of 50 orders. The following attributes are collected for every sales order: Customer number (if the order is from a new customer, a new number needs to be assigned) Customer name Address Payment method (credit card for phone and fax orders and check for mailed orders) Credit card number and expiration date Items ordered and quantity of each Unit price of each item ordered Identify and describe at least ten specific control policies and procedures you will implement for the sales order process. Be very specific describing the controls and number each new control you suggest.
Answer: 1. Validity check on customer number 2. Authorization controls to set up new customer records 3. Check digit on customer number 4. Modulus 11 on customer number 5. Closed-loop verification on customer number 6. Credit approval before accepting orders 7. Credit check and credit limit establishment for new customers, before accepting orders 8. Preformatting of customer state, zip code and phone number 9. On-line real-time authorization of credit card charges 10. Field check on credit card number and expiration date 11. Validity check on item number 12. Check digit on item number 13. Modulus 11 on item number 14. Closed-loop verification on item number 15. Auto fill of unit price, based on item number 16. Field check on quantity ordered 17. Batch control totals for mail and fax orders 18. Encryption of credit card data 19. Completeness check
77) Describe four threats in the revenue cycle and identify appropriate controls for each threat.
Answer: Answers can include the following information: Threat 1: Sales to customers with poor credit Controls: Having an independent credit approval function and maintaining good customer accounting can help to prevent problems. Threat 2: Shipping errors Controls: Reconciling shipping notices with picking tickets; bar-code scanners; and data entry application controls will help to catch these errors. Threat 3: Theft of inventory Controls: Secure the location of inventory and document transfers; release only with valid shipping orders; have good accountability for picking and shipping; and finally, periodically reconcile records with a physical count. Threat 4: Failure to bill customers Controls: Separating shipping and billing and pre-numbering of shipping documents helps along with reconciliation of all sales documents. Threat 5: Billing errors Controls: Reconciliation of picking tickets and bills of lading with sales orders; data entry edit controls; and price lists may prevent billing errors. Threat 6: Theft of cash Controls: Segregation of duties is essential to prevent this serious problem (the following duties should be separate: handling cash and posting to customer accounts; handling cash and authorizing credit memos and adjustments; issuing credit memos and maintaining customer accounts); use of lockboxes for receipts and EFT for disbursements; mailing customer statements monthly; use cash registers in retail operations where cash payments are received; deposit cash daily in the bank; and have the bank reconciliation function performed by independent third parties. Threat 7: Posting errors in updating accounts receivable Controls: Use of editing and batch totals is essential here. Threat 8: Loss of data Controls: Regular backups are essential with one copy stored off-site; and logical and physical access controls to prevent leakage to competitors and irregularities. Threat 9: Poor performance Controls: Use sales and profitability analyses; accounts receivable aging; and cash budgets to track operations.
76) Discuss ways in which technology can be used to streamline cash collections.
Answer: Answers may include the following points: A lockbox system can reduce delays due to processing and geographical distance between customer and company. Customers send remittances to a nearby P.O. box; a local bank picks up remittances, deposits cash, and sends remittance advices and copies of all checks to the company. The main disadvantage is cost; the banks charge a service fee of up to 1% of the cash processed through the system. Information technology can provide additional efficiencies in the use of lockboxes. An electronic lockbox sends electronic notification of remittances to the company. This method enables the company to begin applying remittances to customer accounts before the photocopies of the checks arrive. An EFT system eliminates paper checks and uses electronic payments between banks. Integrating EFT and EDI, called financial electronic data interchange, automates billing and cash collections. Procurement cards or credit cards can be used. These cards eliminate the risks and costs associated with creating and maintaining accounts receivable, but cost between 2% and 4% of the gross sales price.
75) Failure to collect cash on credit sales is a threat in the revenue cycle. What controls can be used to help neutralize this threat?
Answer: Both accounts receivable and cash flows should be monitored. Segregation of duty controls should always be implemented and monitored for compliance. Also, a control used to deal with accounts receivable (which directly impacts cash flow) is to use an accounts receivable aging schedule. This schedule lists customer account balances by length of time outstanding and provides information for estimating bad debts. It can also assist in evaluating credit policies and specific customer credit limits. Also, a cash budget can be used to provide a more precise estimate of cash inflows (cash collected from sales) and cash outflow (outstanding payables). An organization can be alerted to a pending cash flow shortage, thus enabling it to secure short-term financing at competitive rates to deal with the problem in a timely manner.
70) Define and describe benefits of a CRM system.
Answer: CRM stands for customer relationship management. Since customer service is so important today, special CRM software packages have been created that support this vital process. CRM systems help a company to organize detailed data about customers so that more personalized service can be given to them. A CRM system may retain customer preferences and customer transaction history, which can be used to suggest other products the customer may wish to purchase. The system could also take a pro-active marketing approach in contacting customers at certain re-order points. A well-implemented CRM system can help the business achieve the goal of turning satisfied customers into loyal customers.
74) Describe cycle billing and identify how an organization might benefit by using cycle billing.
Answer: Cycle billing is spreading out the customer base so that a portion of the billing is done each day to a group of customers. Credit card and utility companies use it extensively because of their large customer bases. The advantage of this method is that the billing load is dispersed and the cash flow of the company is evened out dramatically.
72) Describe typical credit approval procedures.
Answer: Most business-to-business sales are made on credit. Key to revenue cycle success is the approval of credit sales before they are processed and goods shipped. A part of good control in this area is to establish a credit limit for customers. With new customers, when orders exceed a customer's credit limit, or when the customer has a past due balance, the credit manager should specifically authorize and approve further credit. The system can also be programmed to do a limit check for each order processed to maintain further control in this area. Also, marketing personnel should not make credit decisions, as a potential conflict of interest is possible.
78) Discuss the general control issue of the loss of data, as it relates to the revenue cycle.
Answer: One of the two general objectives that pertain to all revenue cycle activities is the loss of data. The primary threats related to the data availability objective are the loss of data and access controls. It is imperative that accurate customer account and inventory records be maintained for external and internal reporting purposes and for customer inquiries. Such records must be protected from loss and damage by using backup files. One backup file should be kept on-site, while a second should be kept off-site. Backup files of the most recent transactions should also be maintained. Also, all disks and tapes should have both external and internal file labels to reduce the possibility of accidental erasure of important files. Access controls are also important as a general control. Unauthorized access to information may cause leaks of the information to competitors and the risk of damage to sensitive and important data files. Employees should have certain access restrictions to help prevent this threat from occurring. Passwords and user IDs will help to limit access to files and the operations allowed to be performed on files. For example, the sales staff should not be allowed write-access to customers' credit limit and approval information. Individual terminals should also have access controls in place. An example of this control would be to prevent someone at a shipping dock terminal from entering a sales transaction order. Another control that should be put in place is to require activity logs of any management approved transaction. Such a log should be maintained for audit trail purposes.
73) Describe the two methods to manage accounts receivable.
Answer: Open-invoice method: customers pay each invoice by returning a remittance advice turnaround document and a check. Remittances are applied against specific open invoices. The open-invoice method can be used to offer discounts for prompt payment since invoices are individually tracked. However, such individual tracking adds complexity in maintaining information. Balance-forward method: customers pay according to the amount shown on a monthly statement, and remittances are applied against the total outstanding balance; this method is typically used by department stores, where customers make a large number of small-dollar purchases.
80) Discuss the revenue cycle threat of stockouts, carrying costs, and markdowns.
Answer: Stockouts, carrying costs, and markdowns are a threat in the sales order entry process. The problem with stockouts is that when goods are not available to ship to customers, the business risks losing the sale to a competitor that can provide the goods in a timely manner. The opposite problem can also occur where excess inventory increases carrying costs, with the result that markdowns may be necessary in order to sell the inventory. Two controls can be implemented to cope with this threat. One control that can be put into place is to establish accurate inventory control. An AIS with real-time online capabilities can be programmed to use the perpetual inventory method. This will ensure that accurate records are maintained about the quantity of inventory for sale. This will eliminate mistakes in placing orders for goods when a sufficient inventory amount is on hand. Periodic physical counts of inventory will also verify the perpetual amounts recorded by the AIS. Another important control in this situation is that of accurate sales forecasting. Proper marketing efforts should be made in conjunction with regularly reviewing sales forecasts for accuracy. Such forecasts should be revised as necessary. Sales force marketing efforts should be commensurate with inventory levels as well.
68) Describe the basic revenue cycle activities.
Answer: The revenue cycle is a recurring set of business activities and related information processing operations associated with providing goods and services to customers and collecting cash in payment for those sales. The basic activities in the revenue cycle are: (1) sales order entry: soliciting and processing customer orders; (2) shipping: filling customer orders and shipping merchandise; (3) billing: invoicing customers and maintaining customer accounts; (4) collections: the cashier handles remittances and deposits them in the bank, and accounts receivable personnel credit customer accounts for the payments received.
69) Explain how validity checks, completeness tests and reasonableness tests can be implemented to ensure accuracy of customer orders.
Answer: Validity checks can be used to compare the customer and inventory information on the customer order with the information in the customer and inventory master files. A completeness test can ensure that all the necessary information is present on the customer order. A reasonableness test can compare the quantity ordered with the customer's past order history for that item.
67) In an analytic flowchart, the symbol which could be used to indicate the payroll data is the A) connector symbol. B) magnetic disk symbol. C) terminator symbol. D) decision symbol.
B
74) An internal auditor wants to flowchart a file of (hardcopy) purchase orders. Which of the following would be the best symbol to use for the file? A) The on-line storage symbol B) The off-line storage symbol C) The terminal symbol D) The auxiliary operation symbol
B
79) In a logical data flow diagram for a payroll system, the employees would best be represented by which of the following symbols? A) The process symbol B) The terminator symbol C) The data store symbol D) The data flow symbol
B
82) Which of the following is not one of the basic symbols used in analytic flowcharting? A) Input/output B) Manual input C) Flowline D) Annotation
B
91) A type of resource utilization technique which is used to rationally assign work activities to particular individuals, departments, or other entities is A) work measurement. B) work distribution analysis. C) branching table. D) decision table.
B
A company should decide whether to develop software independently or purchase software A) when preparing the detailed design proposal B) at the end of systems analysis C) at the end of systems planning D) when preparing design specifications
B
A file-related matrix reveals that a file's data item A is used in six different reports, while data item B in the same file is not used in any report. The systems designer should consider A) using both data items A and B B) deleting data item B and using only data item A C) using neither data item A nor B D) deleting data item A and using only data item B
B
An example of a transformation language that can be used with MDA is __________ A) OMG B) QVT C) UML D) OO
B
Any bottlenecks in a company's current operations would most likely be discovered A) when the technical specifications of a system are being decided B) when the information obtained during the system survey is analyzed C) during the document review D) none of these
B
In the preparation of design specifications, which of the following activities is undertaken after all of the others have been completed? A) Database Design B) specifying inputs C) specifying processing steps D) designing management reports
B
The approach of MDA is to A) develop a model and then use iteration so programmers can develop a prototype B) develop a model and then transform the model into computer software C) develop methods that can then be organized into object classes D) develop methods that can be modeled into computer software
B
The more complicated, unfamiliar, or innovative business and information environments become, the more it becomes necessary to A) plan and analyze upfront B) use an iterative design approach C) employ a project manager D) use the waterfall method correctly
B
The phase of the Rational Unified Process where the project is documented in detail using UML and prototypes is the ________ phase A) inception B) elaboration C) construction D) transition
B
The things objects do are called A) items B) methods C) attributes D) characteristics
B
Which of the following elements is contained in the systems analysis report? A) Specific timetables for project completion B) Descriptions of any overall problems in the specific subsystem being studied C) A summary of the current system's strengths and weaknesses D) A systems proposal to serve as the framework for the project
B
Which of the following is often the key motivation for the system developers to establish good relationships with current and future users of the system? A) The users' expertise is essential to designing the technical specifications of the new system B) The success or failure of the new system will depend heavily on the support of the eventual users C) users often are responsible for the subsequent evaluation of the developers D) users often determine budgets and timetables for systems projects
B
Which of the following planning activities is performed after the other activities? A) Deciding that all system changes must be completed within five years B) Naming the individuals to the systems analysis and design team C) Appointing a steering committee D) Deciding that a reliable file backup system is more important than new factory workstations
B
14) Retail stores could send their orders directly to the manufacturer's sales order system in a format that would eliminate the need for data entry, using
B) Electronic Data Interchange
19) How is credit approval generally handled for established customers with a documented payment history?
B) General authorization by a sales clerk
12) Which of the decisions below is not ordinarily found as part of the revenue cycle?
B) How often should accounts receivable be subjected to audit?
46) Which of the following would be the least effective control to minimize the loss of inventory?
B) Release inventory only with proper documentation. C) Periodically back up all perpetual inventory records.
20) What is a typical procedure for processing sales orders from new customers or customers making a purchase that causes their credit limit to be exceeded?
B) Specific authorization must be granted by the credit manager.
25) Two documents usually accompany goods shipped to a customer. What are the two documents?
B) a packing slip and a bill of lading
50) In a revenue cycle with proper controls, the ________ who reports to the ________, is not involved in any cash handling activities.
B) accounts receivable clerk; controller
37) An arrangement where a bank receives customer payments through the postal system, scans the remittance advices, and transmits payment data to the business electronically is known as
B) an electronic lockbox.
24) This document is a legal contract that defines responsibility for goods that are in transit.
B) bill of lading
59) The shipping department at Squishy Things Toy Company follows policies that determine which carrier will deliver orders according to the size, weight, and destination of the shipment. It maintains standing agreements with shippers that specify legal responsibility for the shipment while it is in transit. The terms of the agreements are documented on
B) bills of lading.
48) All of the following edit checks for online editing of accounts receivable transactions would probably be included except
B) check digit verification on the amount of the sale.
44) It has been discovered that credit sales have been made to customers with a poor credit rating. If this continues, the company will face increasing uncollectible receivables and losses due to bad debts. Separation of duties between ________ and ________ should help resolve the problem.
B) credit approval; marketing
38) Customers that send their payments electronically directly to the company's bank are using
B) electronic funds transfer (EFT).
27) A company uses the method for tracking accounts receivable where customers pay according to individual sales invoices. This describes the ________ method.
B) open-invoice
36) The benefits of a lockbox arrangement with a bank are maximized when
B) several banks around the country are used, in order to minimize the time payments spend in the mail.
51) A serious exposure in the revenue cycle is loss of assets. What is the related threat and applicable control procedure that address this exposure?
B) theft of cash; segregation of duties and minimization of cash handling
Service oriented architecture relies on developing small independent pieces of software called A) groups B) services C) units D) prototypes
B
63) In an analytic flowchart, the symbol which could be used to indicate unclaimed payroll checks is the A) connector symbol. B) terminal symbol. C) document symbol. D) process symbol.
C
70) The "hierarchy" aspect of HIPO charts refers to the fact that this technique factors a task into modules by A) using the entity's organization chart. B) utilizing a horizontal approach. C) going from the general to the specific. D) None of these answers are correct.
C
71) The charting technique which emphasizes a logical rather than a physical description of a system is a(n) A) analytic flowchart. B) forms distribution flowchart. C) data flow diagram. D) document flowchart.
C
78) In an IPO chart of a payroll system, the payroll master file would A) appear as an input B) appear as an output. C) Answers A and B are correct. D) not be represented in the chart
C
84) Which of the following is not a specialized input/output symbol that represents a particular medium? A) The magnetic tape symbol B) The magnetic disk symbol C) The connector symbol D) The document symbol
C
90) Which of the following would generally not be appropriate in preparing a document flowchart? A) Columnar headings B) Flowlines C) Process symbols D) Connector symbols
C
93) The decision analysis techniques that are similar because both are tabular representations of decision-making processes are A) work measurement and work distribution analysis. B) work distribution and decision tables. C) branching and decision tables. D) None of these answers are correct.
C
98) To confirm the existence and assess the effectiveness of an organization's internal controls, Auditors A) create systems techniques. B) perform substantive testing. C) perform compliance testing. D) create HIPO and IPO charts.
C
At the first level of structured systems analysis, documenting begins with A) matrix analysis B) an analytic flowchart C) a logical flow diagram D) functional analysis
C
In iterative or agile approaches to systems development A) each phase of the life cycle is completed prior to moving to the next phase B) phases can be started in any order the project manager deems appropriate C) all phases of the life cycle are carried on simultaneously D) the systems development life cycle is not appropriate to implement
C
When conducting structured systems analysis of a particular system, defining the processing logic A) should always be done using structured English B) is the same thing as writing actual program code C) may be done with decision trees or decision diagrams D) is useful only to technical systems personnel
C
Which of the following information needs in the acquisition/payment process requires multiple relationships? A) To which supplier have the most purchase returns been made? B) Which inventory types were identified as needed in a purchase requisition event? C) On which requisitions was a specific inventory type requested from a specific recommended supplier? D) When was a specific purchase received, and by which receiving clerk? E) Which purchase orders are unfilled as of a specific date?
C) On which requisitions was a specific inventory type requested from a specific recommended supplier?
66) Which of the following poses an internal control problem?
C) Sales representatives have authority to increase customers' credit limits in $1,000 increments.
Which of the following is an example of an information need that could be satisfied by an event query in the revenue cycle? A) What is the name and address of the salesperson with the highest dollar sales for a specific time period? B) A list of open sale orders C) What is the total dollar amount of a specific sale? D) A list of inventory items that have a list selling price higher than $100 E) What quantity of a specific inventory type was sold on a specific sale?
C) What is the total dollar amount of a specific sale?
Which of the following information needs can be met using only one relationship in the revenue cycle? A) Which sale orders have been partially filled? B) Which salesperson presented a specific inventory type to a specific customer? C) Which inventory types were delivered in a specific sale event? D) What is the total dollar value of accounts receivable for a specific customer at a point in time? E) None of the above
C) Which inventory types were delivered in a specific sale event?
41) When an ERP is used, it is assumed that there will be increases in efficiency and the effectiveness of the activities related to the revenue cycle. However, what must be in place and functioning well to fully realize these benefits?
C) adequate controls
30) In the ________ method of tracking accounts receivable, customers pay according to the amount showing on their monthly statement and payments are applied against the total account balance.
C) balance forward
55) The manager of Callow Youth Clothing was entering an order online from Sad Clown Pajamas. He entered all the items and quantities, completed the checkout and payment process, but the following error message popped up when he tried to exit the site: "Please enter your email address." This message is likely the result of a
C) completeness test.
34) A ________ system prepares and mails monthly statements to customers throughout the entire month, instead of just at the end of the month.
C) cycle billing
56) Sad Clown Pajamas is an Internet-based wholesaler. Customers enter their orders online. The manager of Callow Youth Clothing was entering an order when the following error message popped up: "Your total order exceeds your available credit. A Credit Department representative will contact you within 24 hours." This message is the result of a
C) limit check.
62) Because it is the most fungible of all assets, the management of cash has always been the most difficult of all control issues. The most important of cash controls is
C) segregation of duties.
11) What is the primary objective of the revenue cycle?
C) to provide the right product in the right place at the right time at the right price
check kiting
Creating cash using the lag between the time a check is deposited and the time it clears the bank. Suppose an account is opened in banks A, B, and C. The perpetrator "creates" cash by depositing a $1,000 check from bank B in bank C and withdrawing the funds. If it takes two days for the check to clear bank B, he has created $1,000 for two days. After two days, the perpetrator deposits a $1,000 check from bank A in bank B to cover the created $1,000 for two more days. At the appropriate time, $1,000 is deposited from bank C in bank A. The scheme continues—writing checks and making deposits as needed to keep the checks from bouncing—until the person is caught or he deposits money to cover the created and stolen cash.
73) Instead of using the on-line storage symbol, a systems analyst wants to use an analytic flowcharting symbol that represents the medium that is used for the file. Which of the following would be the best symbol to use in place of the on-line analytic storage symbol? A) The display symbol B) The magnetic tape symbol C) The document symbol D) None of these answers are correct.
D
81) Which of the following systems development activities may require the use of systems techniques? A) Systems analysis B) Systems design C) Systems implementation D) All of these answers are correct.
D
86) Which of the following flow directions is(are) assumed in a flowchart? A) From top to bottom B) From left to right C) Neither answer A nor B is correct. D) Answers A and B are both correct.
D
88) Which of the following is not a basic symbol used in logical data flow diagrams? A) Terminator B) Data store C) Data flow D) Manual input
D
92) Which of the following is an example of narrative techniques? A) In-depth interviews B) Open-ended questionnaires C) Document reviews D) All of these answers are correct.
D
94) Systems techniques may be used to A) assist in designing computer programs. B) give an overall picture of transaction processing in the organization. C) assist a systems analyst in organizing facts about a system. D) All of these answers are correct.
D
Actively involving the ultimate users in the development of a system might help to limit A) communications problems B) unrealistic or vague requirements during the analysis phase C) disillusionment and confusion during the design phase D) all of these answers are correct
D
BPEL is an executable computer language that facilitates interactions between A) objects and services B) objects and methods C) business processes and data diagrams D) business processes and Web services
D
Revaluations
Entries made to reflect differences between the actual and recorded value of an asset or a change in accounting principle
15) Matching customer account numbers and inventory item numbers to the numbers in the customer and inventory master files is an example of a
D) validity check.
Document Flowcharts
Describes the flow of documents and information between departments or units
System Flowcharts
Describes the relationship between inputs, processing, and outputs for a system
A BPD for the revenue cycle will include which of the following? A. Description of all the major functions performed within all cycles within an organization B. Description of all human resources and payroll functions within an organization C. Description of all purchasing functions within an organization D. Description of all selling functions in an organization
Description of all selling functions in an organization
sexting
Exchanging sexually explicit text messages and revealing pictures with other people, usually by means of a phone.
19) The decision symbol represents a named procedure consisting of one or more operations or program steps that are not specified within the set of flowcharts.
FALSE
Which of the following conditions is NOT usually necessary for a fraud to occur? A) pressure B) opportunity C) explanation D) rationalization
Explanation
11) Systems analysis involves formulating a blueprint for a completed system.
FALSE
15) Manual input/output and connector symbols are among the basic flowchart symbols.
FALSE
16) In the United States, the AICPA is responsible for establishing standard flowchart symbols.
FALSE
18) If no special symbol exists to depict a function, verbal descriptions are used in the flowchart.
FALSE
What is an SQL example of inner join?
Find all detail of all customers and all available details of each customer's salesperson
What is an SQL example of (left) outer join?
Find all details of all sales and the cash receipt number and amount applied of any cash receipts related to those sales
How would you column filter?
Find all the other amounts that correlate to one column. For example: Find the customer number, name, and salesperson number for all customers
All of the following are recommended guidelines for making flowcharts more readable, clear, concise, consistent, and understandable except: A) Divide a document flowchart into columns with labels. B) Flowchart all data flows, especially exception procedures and error routines. C) Design the flowchart so that flow proceeds from top to bottom and from left D) Show the final disposition of all documents to prevent loose ends that leave the reader dangling.
Flowchart all data flows, especially exception procedures and error routines.
Which of the following are business process diagram preparation guidelines? (Check all that apply.) a) Divide the BPD into columns with labels, clearly label all symbols, and use arrowheads on all flow lines. b) Identify business processes, documents, data flows, and data processing procedures. c) Get an understanding of the system using tools, such as observing business processes and data flows, or by walking through the system transactions. d) Show documents as they flow through the system, and show where each is stored. e) Place the name, date, and preparer's name on each page of the completed BPD.
Identify business processes, documents, data flows, and data processing procedures. Get an understanding of the system using tools, such as observing business processes and data flows, or by walking through the system transactions. Place the name, date, and preparer's name on each page of the completed BPD.
Explain why a poor database design will result in information retrieval problems.
If a database is poorly designed, connections between tables will be faulty or nonexistent and the tables will not be able to be joined to satisfy some information needs.
Document flowchart
Illustrates the flow of documents and data among areas of responsibility within an organization, from its cradle to its grave; shows where each document originates, its distribution, its purposes, and its ultimate disposition.
Which of the following will improve the ability to detect fraud? (Check all that apply.) a) Implement project development and acquisition controls, as well as change management controls. b) Implement whistleblower rewards. c) Provide employee support programs so they know where they can get help to deal with pressures that might tempt them to perpetrate fraud. d) Restrict physical and remote access to system resources to authorized personnel. e) Implement a fraud hotline.
Implement whistleblower rewards. Implement a fraud hotline.
Collections-Source Documents
-Input: Check, Remittance Advice -Output: Remittance list and checks to cashier, Deposit slip to bank, Remittance list and remittance advices to AR
Skimming
Inserting a sleeve into an ATM that prevents it from ejecting the card. The perpetrator pretends to help the victim, tricking the person into entering the PIN again. Once the victim gives up, the thief removes the card and uses it and the PIN to withdraw money.
Other Opportunities for fraud
Large, unusual, or complex transactions; numerous adjusting entries at year-end; related-party transactions; accounting department that is understaffed or overworked; incompetent personnel; rapid turnover of key employees; lengthy tenure in a key job; overly complex organizational structure; no code of conduct, conflict-of-interest statement, or definition of unacceptable behavior; frequent changes in auditors or legal counsel; operating on a crisis basis; close association with suppliers/customers; assets highly susceptible to misappropriation; questionable accounting practices; pushing accounting principles to the limit; unclear company policies and procedures; failing to teach and stress corporate honesty; failure to prosecute dishonest employees; low employee morale and loyalty
Balance Forward Method
One aggregate invoice ADV: More convenient
private key
One of the keys used in asymmetric encryption systems. It is kept secret and known only to the owner of that pair of public and private keys.
public key
One of the keys used in asymmetric encryption systems. It is widely distributed and available to everyone.
The Sarbanes-Oxley Act of 2002 (SOX) established:
PCAOB, corporate executive responsibility for financial reports, management assessment of internal controls, increased penalties for white-collar crime, expanded scope of obstruction, provides whistleblower protection, restricts non-audit services by external auditor, increases role of Audit Committee, requires Code of Ethics and Conflicts of Interest, prohibits personal loans to executives and directors by company
Which relational algebra operators apply to query for Sales for a specific time period (e.g. for an income statement)?
Project, Select
What tables do you use in a query to find accounts payable?
Purchase Event, Cash Disbursement Event, and Purchase Return Event
A list of all science fiction titles owned by a bookstore is an information need that could be answered by what type of query?
Resource query
What tables do you use in a query to find dollar value of sales of each different inventory type for a given time period?
Sale, StockflowSaleInventory, and Inventory Type
What tables do you need to query to calculate number of days to fill selected sales orders?
SaleOrder, FulfillmentSaleOrderSale, and Sale
1) Tools used in the analysis, design, and documentation of system and subsystem relationships are known as system techniques.
TRUE
10) Systems techniques assist the analyst in the collection and organization of facts.
TRUE
17) The four basic symbols corresponding to basic data processing functions are the input/output symbol, the process symbol, the flowline symbol, and the annotation or comment symbol.
TRUE
20) The decision symbol represents a decision or switching type of operation that determines which of a number of alternative paths is to be followed.
TRUE
21) The normal flow direction of a flowchart is from left to right and top to bottom.
TRUE
24) An IPO chart provides a narrative description of the inputs needed to generate desired system outputs.
TRUE
34) The sandwich rule states that every process symbol should be placed between an input and output symbol.
TRUE
36) UML is a collection of modeling tools used to model the specifics of software development including functional equivalents of data flow diagrams, document flowcharting, and analytical flowcharting.
TRUE
38) The business process diagram focuses on the sequence of activities in a business process.
TRUE
6) It is desirable for auditors to have a basic understanding of systems techniques.
TRUE
Processes
The data flow diagram component that represents a set of actions that transform data into other data or information.
Data source
The data flow diagram component that represents the entity that produces or sends the data that is entered into a system.
data destination
The data flow diagram component that represents the entity that receives data produced by a system.
Data flow
The data flow diagram component that represents the movement of data among processes, stores, sources, and destinations.
BPD start symbol
The start or beginning of a process is represented by a small circle
Accounting Information System
The system that processes quantitative data and provides quantitative information for management planning and control
Fraud Triangle
The three factors that contribute to fraudulent activity by employees: opportunity, financial pressure, and rationalization.
superzapping
The unauthorized use of a special system program to bypass regular system controls and perform illegal acts. The superzap utility was originally written to handle emergencies, such as restoring a system that had crashed.
internal control flowchart
Used to describe, analyze, and evaluate internal controls, including identifying system strengths, weaknesses, and inefficiencies.
zombie
a hijacked computer, typically part of a botnet, that is used to launch a variety of internet attacks
The most effective way to protect network resources that are exposed to the internet, yet reside outside of a network is
a demilitarized zone.
Hot Site
a disaster recovery option that relies on access to a completely operational alternative data center that is not only prewired but also contains all necessary hardware and software
Cold Site
a disaster recovery option that relies on access to an alternative facility that is prewired for necessary telephone and internet access, but does not contain any computing equipment
redundant arrays of independent drives (RAID)
a fault tolerance technique that records data on multiple disk drives instead of just one to reduce the risk of data loss
Data Flow Diagram (DFD)
a graphical description of the flow of data within an organization, including data sources/destinations, data flows, transformation processes, and data storage
man-in-the-middle (MITM) attack
a hacker placing himself between a client and a host to intercept communications between them
Parameter query
a query in which variables are used in lieu of data values as part of the query's selection criteria; allows the user to specify the data value to be used each time the query is run, thereby allowing re-use of the same query many times for different decisions
Dynaset
a query's result; looks and behaves like a table but is not actually stored as a table; it is generated as a view each time the query is run
Group by
a querying function used to create subgroups to which aggregations may be applied; a means for creating subtotals
PROJECT
a relational algebra operator that specifies a vertical subset to be included in the query result
SELECT (in relational algebra)
a relational algebra operator that specifies a horizontal subset to be included in the query result
Date constraint
a restriction placed on a date field in a query to limit the query results to include only records for which the date values meet the restriction
Horizontal calculation
a row computation in a query that combines data from two or more separate columns of one or more tables
Tuple
a row in a table that contains data about a specific item in a database table
data processing schedule
a schedule that shows when each data processing task should be performed
Show Table window
a screen from which the user may choose which tables to include in the relationship layout or in a query
Join properties window
a screen that appears when a user double-clicks on a join line to reveal whether the join is an inner join, a left join, or a right join; a user can change the join type in this window; used in the relationship layout and in query designs
demilitarized zone
a separate network located outside the organization's internal information system that permits controlled access from the internet
Access Control List
a set of IF-THEN rules used to determine what to do with arriving packets
Database
a set of interrelated, centrally coordinated data files that are stored with as little data redundancy as possible
OR
accomplishes a set union; the answer includes all instances that meet one condition and all instances that meet the other condition
web-page spoofing
also known as phishing
Data Model
an abstract representation of database contents
uninterruptible power supply (UPS)
an alternative power supply device that protects against the loss of power and fluctuations in the power level by using battery power to enable the system to operate long enough to back up critical data and safely shut down
The Trust Services Framework reliability principle that states that users must be able to enter, update, and retrieve data during agreed-upon times is known as
availability.
swim lane
arranges the steps of a business process into a set of rows depicting the various elements
identity theft
assuming someone's identity usually for economic gain, by illegally obtaining confidential information such as a Social Security number or a bank account or credit card number
identity theft
assuming someone's identity, usually for economic gain
ShareIt is a social networking site that boasts over a million registered users and a quarterly membership growth rate in the double digits. As a consequence, the size of the information technology department has been growing very rapidly, with many new hires. Each employee is provided with a name badge with a photo and embedded computer chip that is used to gain entry to the facility. This is an example of a(n)
authentication control.
Limits the initiation of a transaction or performance of an activity to selected individuals
authorization
New employees of Baker Technologies are assigned user names and appropriate permissions. Their credentials are then entered into the company's information system's access control matrix. This is an example of a(n)
authorization control
Restricting users' access to specific portions of the system, as well as to specific tasks, is an example of
authorization.
Vulnerability scanner
automated tools designed to identify whether a given system possesses any unused and unnecessary programs that represent potential security threats
The vendor master file was damaged in yesterday's update, and cannot be used for today's update
backup and recovery
A computer operator discovered that he had not input all items in a batch
batch balancing
Why does COBIT5 DSS-05.06 stress the importance of restricting physical access to network printers?
because document images are often stored on network printers
New employees of Baker Technologies are assigned user names and appropriate permissions. Each of them was given a company-issued laptop that has an integrated fingerprint reader. In order to log in, the user's fingerprint must be recognized by the reader. This is an example of a(n)
biometric device.
The identification of documents to prevent their repeated use
cancellation
Many customer account numbers entered into the billing transaction file are invalid
check digit
Internal control questionnaire
checklist to ensure that important internal controls are not omitted from review
Digital Watermark
code embedded in documents that enables an organization to identify confidential information that has been disclosed
The Trust Services Framework reliability principle that states that sensitive information be protected from unauthorized disclosure is known as
confidentiality.
General Controls
controls designed to make sure an organization's information system and control environment is stable and well managed
Record Layout
document that shows the items stored in a file, including the order and length of the data fields and the type of data stored
The COSO report "Guidance on Monitoring Internal Control Systems" presents a three-phase model for monitoring:
establish foundation, design and execute procedures that are based on risk, assess and report results
Full backup
exact copy of an entire database
Normalization
following relational database creation rules to design a relational database that is free from delete, insert, and update anomalies
An example of this procedure is: all characters in the vendor number field are numeric
format check
This helps control input accuracy by ensuring that dates are properly entered using the format MM/DD/YYYY
format check
A new field salesperson omitted several data elements when completing the sales order forms
forms design
What is the control environment?
foundation of controls that consists of various factors affecting the effectiveness of specific policies and procedures
QR barcode replacements
fraudsters cover valid Quick Response codes with stickers containing a replacement QR code to fool people into going to an unintended site that infects their phones with malware
Outer join (right or left)
includes all records (rows) from one table, and matches those records from the other table for which values in the joined fields are equal
Inner join
includes only the records (rows) from both tables that have the exact same values in the fields that are joined
Designed to prevent or detect errors in the beginning stage of processing
input controls
Computer fraud classifications
-Input fraud -Processor fraud -Computer instructions fraud -Data fraud -Output fraud
Application controls are specific to individual applications (programs):
input, processing, output
Control environment factors:
integrity and ethical values, commitment to competence, management philosophy/operating style, attention and direction provided by the BOD, organization structure, human resource policies and procedures
eavesdropping
listening to private communications or tapping into data transmissions intended for someone else. One way to intercept signals is by setting up a wiretap
e-mail spoofing
making a sender address and other parts of an e-mail header appear as though the e-mail originated from a different source
scareware
malicious software of no benefit that is sold using scare tactics
Whose responsibility is monitoring?
management, but internal audit function frequently evaluates and consults on redesign if necessary
Determine actions necessary to respond to risk:
modify procedures, evaluate causes of employee concern, evaluate system controls
Plaintext
normal text that has not been encrypted
greed
people are more likely to cooperate if they get something free or think they are getting a once in a lifetime deal
vanity
people are more likely to cooperate if you appeal to their vanity by telling them they are going to be more popular or successful
sex-appeal
people are more likely to cooperate with someone who is flirtatious or "hot"
Security Management
people who make sure systems are secure and protected from internal and external threats
Systems Analysts
people who help users determine their information needs and design systems to meet those needs
Users
people who record transactions, authorize data processing, and use system output
Programmers
people who use the analysts' design to create and test computer programs
All employees of E.C. Hoxy are required to pass through a gate and present their photo identification cards to the guard before they are admitted. Entry to secure areas, such as the Information Technology Department offices, requires further procedures. This is an example of a(n)
physical access control.
Ciphertext
plaintext that was transformed into unreadable gibberish using encryption
Control Activities
policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out
pharming
redirecting website traffic to a spoofed website
phishing
sending an electronic message pretending to be a legitimate company, usually a financial institution, and requesting information or verification of information and often warning of a consequence if it is not provided. the request is bogus, and the information gathered is used to commit identity theft or to steal funds from the victim's account
Ensure controls are designed to provide reasonable assurance the following control objectives are met:
segregation of duties, adequate documents and records (authorization/record keeping), restricted access to assets (custody), independent checks on performance (verification), information processing controls (accuracy)
Routers
special purpose devices that are designed to read the source and destination address fields in IP packet headers to decide where to send (route) the packet next
annotation
the addition of explanatory or critical comments to a text
What should horizontal calculations NOT be included in?
the same query as an aggregation function
Query window
the screen in which queries are created; user may toggle back and forth between QBE design, SQL design, and Datasheet (result) views within the query window
input fraud
the simplest and most common way to commit a computer fraud is to alter or falsify computer input
Data manipulation
the specification of operations to be performed on one or more data fields to obtain additional information; may create aggregations, horizontal calculations, subset selections, and so forth
Inherent Risk
the susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control
Internal accounting controls should be sufficient to provide reasonable assurance that:
transactions are executed in accordance with authorization, transactions are recorded as necessary, access to assets is permitted only with authorization, recorded accountability for assets is compared with existing assets
Processor Fraud
unauthorized system use, including the theft of computer time and services
EXISTS
used to retrieve attributes for which the value is not null.
NULL
used to retrieve attributes for which the value is null.
Cloud Computing
using a browser to remotely access software, data storage, hardware, and applications
internet auction fraud
using an internet auction site to defraud another person
Semantic Data Modeling
using knowledge of business processes and information needs to create a diagram that shows what to include in a fully normalized database
Online Analytical Processing (OLAP)
using queries to investigate hypothesized relationships among data
vishing
voice phishing; like phishing, except the victim enters confidential data over the phone
The process that uses automated tools to identify whether a system possesses any well-known security problems is known as a(n)
vulnerability scan.