BEC-04 Process Management and Information Technology


What is a firewall?

A firewall is an "electronic device" (a firewall may actually be both hardware and software and not just hardware) that prevents unauthorized users from gaining access to network resources. A firewall isolates a private network of some type from a public network (or a network segment from the main network). It also maintains a (controlled) connection between those two networks.

What is full backup, incremental backup, and differential backup?

A full backup is an exact copy of the entire database. An incremental backup involves copying only the data items that have changed since the last BACKUP. This produces a set of incremental backup files, each containing the results of one day's transactions. A differential backup copies all changes made since the last FULL backup. Thus, each new differential backup file contains the cumulative effects of all activity since the last full backup.

Which changes in costs are most conducive to switching from a traditional inventory ordering system to a just-in-time ordering system?

A just-in-time system is used to lower inventory levels and results in more purchase orders of fewer units each. If carrying costs are increasing, JIT would be beneficial. Costs per purchase order that are decreasing would also be conducive to JIT.

What is the primary goal of IT governance?

A primary goal of IT governance is to align policies and practices with organizational objectives, as an organization with its strategic goals tied to IT governance practices will be able to reach its objectives more effectively and is more likely to achieve its corporate objectives leveraging technology due to the efficiencies and cost-saving benefits brought about by technology. IT governance is an issue for all levels of the organization, not just the board of directors. Control Objectives for Information and related Technology (COBIT) is a best practice framework rather than a requirement that must be in place to implement an IT governance structure.

When implementing or developing a new software system, the first job role to start the process is most likely which of the following?

A systems analyst is responsible for determining user needs and designing software to meet those needs. Therefore, it is most likely the first job role to begin the software development and implementation process. There are several job roles involved in the creation and implementation of software systems, each with different yet important separate functions. To maintain proper segregation of duties, the design of systems should be performed by a different employee from the one writing the software. Similarly, an employee granting access to a system should be separate from the one designing and writing it. A hardware technician sets up and configures computers and would only do so after software and its related network have been designed. A software developer writes software programs based on a design, which must come first. A network administrator sets up and configures a computer network so that multiple computers can share the same data and information, but a design must come first.

An advertisement in a local newspaper stated that a small local business required "someone who can get our new off-the-shelf production software to do what we want it to do so we can get on with running our business". What type of computer professional is this business looking to recruit?

A systems analyst would take on the role of learning a purchased package and integrating it into any existing software. The systems analyst would also take responsibility for training staff in its use. A systems analyst is sometimes referred to as a systems integrator with purchased systems since that individual is responsible for adapting or integrating the purchased system into the business. An IT supervisor would manage part of the IT function but would not necessarily provide the "hands-on" integration effort contemplated by the employment advertisement. A programmer would be involved in writing new programs or maintaining existing programs, not integrating a purchased system with existing software. A network administrator would manage the Local Area Networks (communications), but would not be responsible for leading the integration of purchased software into existing software and systems.

An internet service provider's vision is to provide reliable and consistent network connectivity for all customers. Part of its corporate strategy for achieving that is heavily reliant on all of the following except having?

A virtual network, because having a virtual network uses outsourced computing power that would not be ideal for an internet service provider, as it would remove several layers of control that it otherwise would have if it managed this function on site using a physical network. Having a physical network, the ability to deploy disaster recovery protocols quickly, and all IT staff on payroll would serve the internet service provider well, as it would have more control of the network and can respond immediately to any outages.

What is a virus and a denial-of-service attack?

A virus is a piece of computer program code that inserts itself into some other program to propagate. A virus cannot run independently. In a denial-of-service attack, one computer bombards another computer with a flood of information (such as false requests) intended to keep legitimate users from accessing the target computer or network.

Which of the following is the responsibility of an information technology steering committee?

An IT steering committee has broad objectives that include oversight of systems development and acquisition after an assessment of data processing needs. Evaluating IT performance using system performance measurements is the responsibility of managers involved in IT operations, not the direct responsibility of the committee. Development of specifications and acceptance criteria may be the responsibility of a group charged with post-implementation review or the committee. IT project planning and monitoring may be the responsibility of a group charged with project controls or the committee.

What is acceptance test, validation test, integration test, and unit test in software testing?

An acceptance test ensures that the software works correctly for the intended user in his or her normal work environment. For example, a customer is conducting a beta test of the software at its own site and the developer is not present during the test. Validation tests focus on visible user actions and user-recognizable outputs from the system, which try to answer the question, "Did we build the right thing?" Integration tests exercise an entire subsystem and ensure that a set of components operates smoothly together. Unit tests are used to validate the smallest components of a system, ensuring that they handle known input and output correctly.

What is the relationship between accounting information system (AIS) and management information system (MIS)?

An accounting information system is a subsystem within a management information system. An AIS deals with accounting transactions. It's part of an MIS. MIS can handle both accounting and other data. An AIS is not control-oriented, and an MIS is not exclusively used for planning. AIS information is not used only by financial people.

Which errors can be detected by analyzing financial totals?

Analyzing financial totals involves calculating a manual total for each transaction file and comparing it to a computer-generated batch control total. Any financial discrepancies (such as an error on an employee paycheck) will be identified and resolved as part of this process. It would not capture missing digits on invoice numbers or purchase orders being entered twice.

What must a disaster recovery plan include?

Any disaster recovery plan must include an alternate processing site (of some kind), backup (of some kind) of programs and data, and a test of the plan. It can also include identification of critical applications (in almost all disaster recovery plans), a vendor contract for an alternate processing site (unless the organization uses its own facilities). The names of persons on the disaster recovery team are not essential; the individuals involved could be identified by position and not by name. Maintaining current, off-site copies of critical data and program files is a fundamental part of any disaster recovery plan. Cross-training could be included in some disaster recovery plans, assuming that the "operating personnel" means computer operations personnel (if it means something else, it will not be). Replacement of PCs could be in some disaster recovery plans, but even when it is, the plan is more likely to be called a business continuity plan. PCs can be readily purchased, and many firms will decide to purchase replacements only when they need to. Although the physical security of warehouses may be in another function's (i.e. supply chain business) disaster recovery plan, it is not likely to be a part of the IT function's disaster recovery plan.

What statements are correct about application programs and application programmers?

Application programmers should be allowed to test the programs that they have written because testing is an integral part of program development. However, before a program is released to production, it should be tested by someone other than the programmer who developed it. If programs are developed internally, a large portion of the overall programming budget will normally be devoted to program maintenance. Program maintenance is never simple, regardless of how the programs were written. Modern programming techniques may make program maintenance simpler but they will not make it simple. Application programmers should not be given full write/update access to data in production systems. Generally, programmers should only use test data and should not be allowed to modify programs in a production environment, as the programmers deal with the programs, not the data.

Which of the following information technology department responsibilities should be delegated to separate individuals?

Data entry and application programming, as application programmers should not be allowed to enter data in production systems nor should they have unrestricted and uncontrolled access to application program change management systems. An application programmer is the person responsible for writing and/or maintaining application programs and should not be responsible for also controlling or handling data. Data entry and antivirus management can safely be assigned to the same person, as they are not incompatible functions. Data entry and quality assurance can safely be assigned to the same person, as they are not incompatible functions. Network maintenance and wireless access are both responsibilities of the Network Administrator.

Which of the following spreadsheets most likely has the highest risk of data integrity errors?

Data integrity relates to the assurance that data is consistent and accurate. Spreadsheets with manual inputs carry a higher risk of errors than those produced from automated processes. A spreadsheet with manual entry inputs from a printed report carries a high risk of data integrity errors. Because the spreadsheet is an output from the check payment module (i.e. automated) and is reviewed by an administrator in accounts payable who likely is responsible for check payments, the risk of data integrity errors is low. A spreadsheet with inputs from an automated clock system carries a lower risk of data integrity errors than a spreadsheet created from manual entries. A spreadsheet that has a direct linkage to the accounting system database should have a high degree of data integrity.

Which of the following statements about security might indicate a weakness in the security?

Each of the above statements indicates a potential weakness in Splendora's security. A backdoor is a means of access to a program or system that bypasses normal security procedures; it does not refer to a problem with physical access to the facilities. Failure to understand threats of "backdoor" access indicates a security weakness related to risk identification and management. A network firewall protects access to a network, and the company does not utilize any virus protection software. However, firewalls protect against intrusion by outsiders and do nothing to protect against viruses; thus, operating without any virus protection software is a security weakness. New users should be required (not just encouraged) to change their passwords on the first login. Failure to have adequate password security is a serious security weakness.

During the process of electronically transmitting data, which of the following IT controls would provide the most assurance that unauthorized disclosure of sensitive information would be prevented?

Encryption as an IT control involves using a digital key or password to scramble a readable message into something that is unreadable. The recipient of the transmitted data then uses another digital key or password to unscramble the message back into readable form. The use of separate keys or passwords provides more assurance that the intended recipient receives the message. Restricted access is not as powerful a control in regard to electronic data transmission as encryption.

The protective software and/or hardware that allows users to access the internet without exposing the organization's IT assets to unauthorized users is called a(n):

Firewall, which is the protective device or program that protects an organization's IT resources by filtering network traffic through security protocols. This prevents unauthorized access as well as prevents employees from downloading malicious content. Networking devices provide connectivity and security by routing traffic, acting as an intermediary and providing a safe means to transmit data. These devices can be stand-alone or have multi-functionality, with a single piece of equipment or software providing several of these functions. Servers are mainly for connecting other computers, programs, or data within a network, but do not act as an intermediary among different networks. Gateways do. Switches can divide a connection into multiple connections. Routers can assign IP addresses and manage traffic on a network by connecting those devices. Gateways are intermediary devices on a computer network that transform data into different protocols so that data can flow between networks, but this process does not involve assigning IP addresses.

Generally, individual departmental rates rather than a plant-wide rate for applying overhead would be used if?

Generally, individual departmental rates (rather than a plant-wide rate for applying overhead) would be used if the manufactured products differ in the resources consumed from the individual departments in the plant. Plant-wide rates would probably be used if any of the following apply: 1. manufacturing overhead is the largest cost component of its product cost; 2. the company's manufacturing operations are basically labor based; 3. the company's manufacturing operations are all highly automated.

How to differentiate the high impact, medium impact, and low impact in terms of the risk assessment of the impact the information resources may have on the day-to-day operations?

High impact if the organization cannot operate without the information resource for even a short period of time. Medium impact if there is a work-around for the information resource loss in the short term (a couple of days or a week), but recovery is necessary for long-term operations. Low impact if the organization could operate without the information resource for an extended period of time and it is not necessary to restore the resource any time soon. No impact is not a categorization used in the risk assessment process.

Which type of analytics (descriptive or predictive analytics) does the following transactions belong to?

Horizontal analysis of the balance sheet is the comparative evaluation of the financial statement for two or more periods, to calculate the absolute and relative variances for every line item. It represents the growth or decline of an item. It aims at ascertaining the trend and changes in an item over time; thus, it is predictive analytics. Vertical analysis of the balance sheet is the proportional evaluation of the financial statement wherein each item on the statement is expressed as a percentage of the total in the respective section. It helps in forecasting and determining the relative proportion of an item to the common item in the financial statement. It aims at ascertaining the proportion of items to the common item of the single accounting year; thus, it is predictive analytics. Accounts receivable analysis to determine potential bad debt expense for a specific set of customers.

What are correct statements about strategic risk, information risk and financial risk?

Strategic risk includes the risk of choosing inappropriate technology. Information risk includes the risk of loss of data integrity and that of incomplete transactions. Financial risk includes the risk of having financial resources lost, wasted, or stolen.

The concept of timeliness of data availability is most relevant to?

IT governance, as one of the key components of IT governance is data availability. Information that is not available to employees when they need it provides no benefit. Therefore, data must be available at the right time to support IT governance goals. IT governance frameworks depict the way an organization achieves its mission-critical goals using IT strategies, processes, and resources. IT governance focuses on the effective management of data and is ultimately the responsibility of management and the board of directors. Because data analytics is more of a research-intensive and secondary process that is not as vital for daily operations, availability is of less importance there. Risk management relates somewhat to data availability, but its primary function is to mitigate risk; often this may involve no data at all, i.e. qualitative judgment. Process management may involve real-time data, although there are many processes that may not directly involve the availability of data.

What is a systems analyst generally responsible for?

In an IT environment, a systems analyst is generally responsible for designing systems, preparing specifications for programmers, and serving as an intermediary between users and programmers. For internally developed systems, the analyst designs the overall application system but when the system is purchased, the analyst becomes a system integrator that adapts system design to processes.

How does asymmetric encryption work?

In asymmetric encryption, a public key is used to encrypt a message and is not transmitted along with the message (if it were, why have it in the first place?). A private key (which is never transmitted) of the recipient is used to decrypt the message at the other end. There are two keys. Effectively, anyone can encrypt a message, but only the intended recipient can decrypt the message. Symmetric encryption requires both parties (sender and receiver) to use the same key to encrypt and decrypt the message, so the key must be shared. This would require a unique private key for each entity with which one wanted to share encrypted data. Therefore, asymmetric encryption techniques are much more computationally intensive than symmetric encryption techniques because of the two keys. Data encryption is based on keys. There are a number of different encryption algorithms out there, and they are almost always discovered sooner or later. The algorithm is important, but the length of the key is more important.

What are characteristics of the just-in-time system?

Just-in-time (JIT) has the goal to minimize the level of inventory carried. Typical characteristics include lot sizes equal to one, insignificant set-up times and costs, and balanced and level workloads. In a JIT environment, the flow of goods is controlled by a "pull" approach (not push-through), where an item is produced only when it is needed down the line. JIT requires a sense of empowerment amongst employees to ensure the coordination of production and materials delivery is handled with maximum efficiency and accommodates variable schedules. JIT does not require strong job specialization because under JIT, employees with multiple skills are used more efficiently and will not specialize in merely one job or task.

Which of the following uses analysis of production processes to ensure that resource uses stay within target costs?

Kaizen, or continuous improvement, occurs at the manufacturing stage where the ongoing search for cost reductions takes the form of analysis of production processes to ensure that resource uses stay within target costs. Activity-based costing focuses on costs for each activity in a process, but does not strive to stay within a targeted cost. Value chain analysis is concerned with the additional value a product gains by passing through all the activities of the production chain. It is not focused on ensuring costs stay within a targeted range. Just-in-time management emphasizes efficiency by scheduling the deployment of resources just-in-time to meet customer or production requirements.

Which of the following management philosophies does not focus on quality?

Lean in manufacturing means waste reduction. Although customer requirements and demand-pull serve as the basis for the approach, quality is not the preeminent concept. Gap analysis determines the difference between industry best practices and current company practices. It focuses on quality as it identifies areas that need improvement to meet industry best practices. Total quality management is driven by customer satisfaction and continuous product improvement. Customer focus (like continuous improvement, quality circles, etc.) is one of the seven critical success factors identified by TQM. Six Sigma is a quality improvement program that uses metrics to evaluate the achievement of goals. Improving current processes for the purpose of things like reducing defective product outputs is a big component of the program. Absolute conformance represents perfect compliance with pre-established levels of quality.

Which factor has the greatest impact to the design of an effective management information system?

To design the most effective MIS, the key driver comes from the ultimate goal of the reports, which is to help managers make decisions. The types of decisions that need to be made will dictate the overall design of the system.

In an ETL process, if a user must use advanced data mining software and time-intensive queries to obtain information, then that user is performing a?

Manual extraction is needed if the source data is in a format or location that is not easily attainable, which could require data mining software that is capable of complex manipulation and executing multiple queries. ETL stands for extract, transform, and load process which involves capturing information from its source and transferring it into the custody of another source.

Which of the following is a key difference in controls when changing from a manual system to a computer system?

Methodologies for implementing control change, as the controls almost always are different between a manual system and a computer system. The control objectives are not necessarily more difficult to achieve. Some will be easier. The specific controls almost always are different. The internal control principles and internal control objective remain the same.

What are some of common change management controls?

One of the key components of any well-orchestrated change management process is change management controls. These controls help mitigate the potential risks that may occur as a result of the change, including selection and acquisition risks, integration risks, and outsourcing risks. Some common controls include: 1. adopting basic policies and procedures; 2. standardizing requests (using formats, protocols, or technology so that all change requests meet pre-established criteria to streamline the change-requesting process); 3. separating certain job duties (preventing unauthorized access or protecting assets and information); 4. performing pre- and post-implementation testing (post-implementation testing occurs after a new system is in production and may only validate or invalidate new transactions); and 5. providing reversion access (i.e. reverting to the old system if unexpected complications arise).

The concept of timeliness of data availability is more relevant to?

One of the key components of proper IT governance is data availability. Information that isn't available to employees when they need it provides no benefit. Therefore, it must be available at the right time to support IT governance goals. IT governance frameworks depict the way an organization achieves its mission-critical goals using IT strategies, processes, and resources. Governance focuses on the effective management of data and is ultimately the responsibility of management and the board of directors. In processes that involve real-time data, availability is relevant. However, there are many processes that may not directly involve the availability of data, making this choice less relevant. Risk management relates somewhat to data availability, but its primary function is to mitigate risks. Often this may involve no data at all. Data analytics focuses on the manipulation of large data sets from which insights can be drawn. Because this is more of a research-intensive and secondary process that is not as vital for daily operations, availability is of less importance.

What are correct statements about program modification controls?

Program modification controls are controls over the modification of programs being used in production applications. They include both controls that attempt to prevent changes by unauthorized personnel and also controls that track program changes so that there is an exact record of what versions of what programs were running in production at any specific point in time. Program change control software normally includes a software change management tool and a change request tracking tool. Program change control often involves changing what are effectively the same programs in two different ways simultaneously. Normally, an environment has both production programs and programs that are being tested. Sometimes, production programs require changes (production fixes) at the same time the test versions of the same programs are being worked on. This process must be controlled so that one set of changes does not incorrectly overlay the other.

What statements are correct regarding public key infrastructure (PKI), digital certificates and digital signatures?

Public key infrastructure refers to the system and processes (i.e. mechanisms) used to issue and manage asymmetric keys and digital certificates. A digital certificate includes a "tree-of-trust" that is checked each time a certificate is presented as proof of one's identity. It is intended for e-business use and is available through commercial certificate authorities, not PKI. Digital signatures facilitate the creation of legally binding electronic documents, not PKI.

Which of the following is usually a benefit of using electronic funds transfer for international cash transactions?

Reduction of the frequency of data entry errors, as EFT reduces the need for manual data entry. Use of EFT creates a need for more stringent access controls (not self-monitoring access control). Use of EFT is likely to result in a reduction in paper audit trail surrounding cash receipts and disbursements. Use of EFT does not affect a company policy regarding storage of source documents (i.e. invoice) for cash transactions.

In managerial accounting, the term "relevant range" is often used to describe?

Relevant range is often used to describe the range over which cost relationships are valid. For example, the range of activity within which the relationships of fixed costs and variable costs are meaningful and valid. Theoretical maximums and minimums may have nothing to do with actual operating characteristics of a given firm. For most companies, costs fluctuate over the entire range of operations and costs are incurred at every possible operating point.

Which of the following activities would most likely detect computer-related frauds?

Reviewing the systems-access log, because computer-related fraud often involves unauthorized access to systems and/or data, so review of system access logs is the most likely of these choices to detect fraud. System access logs are electronic lists of who has accessed or has attempted to access systems or parts of systems, or data or subsets of data. Fraud-awareness training would help employees to identify possible fraudulent activity and prevent frauds, but it is not the most likely to detect fraud. Validity checks are about preventing erroneous data from being entered into a system. Data encryption is about keeping intercepted data from being understood. Neither of them will detect fraud.

What are risk and compliance analytics, customer analytics, operational analytics, new products and service innovation analytics?

Risk and compliance analytics are used to monitor transactions through continuous monitoring, continuous auditing, and fraud detection. Customer analytics support digital marketing and allow a company to deliver timely, relevant, and anticipated offers to customers. Operational analytics use data mining and data collection tools to plan for more effective business operations. New products and services innovation analytics are used to determine where innovation is needed, and to isolate product qualities that are most important to customers.

What is a system programmer responsible for?

System programmers would be involved in the selection of system software and responsible for maintaining system software, including operating systems, network software, and the data management system.

Which of the following control activities should be taken to reduce the risk of incorrect processing in a newly installed computerized accounting system?

System testing through independent verification of the transaction processing results represents one of the most effective methods to reduce the risk of incorrect processing of transactions in a newly installed accounting system.

Which of the following steps in the development of a business continuity plan should a company initiate first?

The appropriate order for developing a business continuity plan for disaster recovery is as follows: Assess the key risks, identify mission-critical applications and data, develop a plan for handling these applications, determine responsibilities for parties involved in disaster recovery, and test the recovery plan. Of the choices given above, the business-impact analysis has to happen before identifying critical personnel, developing an emergency contact list, and preparing recovery procedures themselves.

What statements are correct regarding disaster recovery?

The company uses application software packages whose license agreements do usually provide the right to make backup copies of the software for disaster recovery purposes. Standard disaster recovery plans are not limited to the restoration of IT processing and should be designed to restore critical operations as quickly as possible.

Which of the following represents the procedure managers use to identify whether the company has information that unauthorized individuals want, how these individuals could obtain the information, the value of the information, and the probability of unauthorized access occurring?

The first step in risk assessment is to identify the risks. The question is asking about the risk of unauthorized access to information. The steps would certainly be to identify whether the company has information that unauthorized individuals might want (or whether the company does not have such information), the value of the information, how those individuals could obtain the information, and the probability of unauthorized access occurring. The steps here are not necessarily in the same order as in the question; regardless, it is risk assessment. It is not particularly clear exactly what "system assessment" actually is. It probably means the review of a system to determine if it is operating effectively and efficiently. Regardless, it has nothing to do with the safeguarding of valuable information. Tests of controls are audit tests to determine if described controls have been placed in operation and are working effectively. There are controls involved in the safeguarding of information, and those controls may be tested in the course of an audit.

What are programmed edit checks? Can it detect the error for a date field with April 31 mistakenly entered?

Programmed edit checks include reasonableness checks and edits for mathematical accuracy. Obviously, April does not have 31 days. A reasonableness check on this kind of data entry would be easy to implement and is standard. A preformatted screen is not a programmed edit check. It might assist in accurate data entry, but it cannot detect this error.

What is the theory of constraints (TOC)?

The theory of constraints is concerned with maximizing throughput by identifying and alleviating constraints.

What are the types of e-commerce models?

There are five types of e-commerce business models: B2B, B2C, C2B, C2C, and government e-commerce. They all share some of the same benefits, such as removing overhead costs, encouraging competition, creating new markets, and providing a level playing field in terms of the knowledge available to all parties. E-commerce does come with drawbacks, such as shipping lag times, IT platform malfunction, personal information misuse, and a potential lack of human support. With C2B, an individual (consumer) is selling a service to a business, even though the business may be the one seeking the individual for services. The distinguishing factor in a C2B model is that the consumer provides the product, service, or overall value to the company. In a C2C model, individuals come together in an online marketplace to transact with each other, without the involvement of a business. Common platforms within this model facilitate the sale of after-market or used goods that people can exchange online.

All of the following are examples of a decision support system (DSS) except for a?

A transaction processing system, which is a type of accounting information system (AIS) that processes and tracks data resulting from business transactions. Its core purpose of processing transactions does not fit the description of a DSS, although a DSS may use data from a transaction processing system to help in decision making. Decision support systems (DSS) are computer-based management information systems (MIS) that provide interactive support to managers or others during the decision-making process. These "expert" systems help model different scenarios or a combination of possible outcomes. They also usually are supported in some way by artificial intelligence. Some examples of DSS usage are sensitivity analysis, financial modeling applications, and database query applications. Forecasting future performance or projecting different scenarios is one of the key functions of a DSS. A DSS is not used for managing inventory, processing transactions, or financial reporting.

What are the variety and veracity categories of big data?

Variety refers to the different types of data that are involved in the analysis, such as texts, numbers, videos. Veracity refers to the trustworthiness of the data and dictates which data should be used and the source of the data.

Which of the following is NOT supporting documentation for an organization's IT security policy?

A vision statement, which is a statement or short paragraph that outlines an organization's goals or aspirations, would be a stand-alone statement, not part of a company's IT-specific security policy. A security policy outlines how an organization will protect its tangible and intangible IT assets. This document covers guidelines for hardware use, software use, personal conduct, internal IT controls (including protocols for IT processes), performance standards for IT assets, and applicable industry regulations (such as healthcare or personal records).
