Unit 7
Under the COBIT 2019 framework, which of the following statements is true? A. Variant components for a governance system are designed for a specific context within a focus area. B. A focus area includes the threat landscape, technology adoption strategy, and enterprise strategy and goals. C. A governance system should focus on covering the IT function end to end. D. Providing stakeholder value is a governance framework principle.
A. Governance system components can be generic or variant. Generic components are applied in principle to any circumstances. Variant components are designed for a given purpose or context in a focus area.
The two broad groupings of information systems control activities are general controls and application controls. General controls include controls A. For developing, modifying, and maintaining computer programs. B. Relating to the correction and resubmission of faulty data. C. Designed to ensure that all data submitted for processing have been properly authorized. D. Designed to ensure that only authorized users receive output from processing.
A. General controls are policies and procedures that relate to many information systems applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. General controls include controls over (1) data center and network operations; (2) systems software acquisition and maintenance; (3) access security; and (4) application systems acquisition, development, and maintenance.
A small client recently put its cash disbursements system on a server. About which of the following internal control features would an auditor most likely be concerned? A. The server is operated by employees who have cash custody responsibilities. B. There are restrictions on the amount of data that can be stored and on the length of time that data can be stored. C. Programming of the applications is in Visual Basic rather than Java. D. Only one employee has the password to gain access to the cash disbursement system.
A. Segregation of duties! Segregation of duties is a basic category of control activities. Functions are incompatible if a person is in a position both to perpetrate and conceal fraud or errors. Hence, the duties of authorizing transactions, recording transactions, and custody of assets should be assigned to different people. Employees who operate the server may be able to override the controls and change records to conceal a theft of cash.
The control known as closed-loop verification would be most useful for A. Updating and verifying customer addresses. B. Tracking the number of payroll checks processed. C. Ensuring accurate data transmission of records. D. Controls over network operations.
Answer (A) is correct. Closed-loop verification occurs when inputs by a user are transmitted to the computer, processed, and displayed back to the user for verification. Updating and verifying customer addresses would be an example of closed-loop verification. Closed-loop verification is an online input control.
The risks created by rapid changes in IT have not affected which concepts of internal control? 1. Cost-benefit analysis 2. Control environment 3. Reasonable assurance 4. Management's responsibility A. 1, 2, 3, and 4. B. 3 and 4 only. C. 2, 3, and 4 only. D. 1 and 2 only.
Answer (A) is correct. Internal control objectives remain essentially the same although technology, risks, and control methods change. Thus, many concepts of control (management's responsibility, the role of the control environment, reasonable assurance, monitoring, and cost-benefit analysis) are relevant regardless of IT changes.
Which of the following control frameworks groups IT business assurance objectives into the five categories of availability, capability, functionality, protectability, and accountability? A. eSAC. B. COBIT. C. ITGI. D. COSO.
Answer (A) is correct. eSAC's IT business assurance objectives fall into these five categories: availability, capability, functionality, protectability, and accountability.
Which standard specifically applies to requirements for a quality management system (QMS)? A. ISO 14000. B. ISO 9001. C. ISO 10012. D. ISO 19011.
Answer (B) is correct. ISO 9001 is a generic standard that states the requirements for a quality management system (QMS). It applies when an entity needs to demonstrate its ability to (1) sell a product that meets customer and regulatory requirements and (2) increase customer satisfaction through improving the QMS and ensuring conformity with requirements. ISO 14000 is a set of environmental standards.
An organization uses a database management system (DBMS) as a repository of data. The DBMS in turn supports a number of end-user-developed applications. Some of the applications update the database. In evaluating the control procedures over access and use of the database, the auditor will be most concerned that A. End-user applications are developed and tested on personal computers before being ported to the mainframe. B. End users have their read-only applications approved by data processing before accessing the database. C. A relational database model is adopted so that multiple users can be served at the same time. D. Concurrency update controls are in place.
Answer (D) is correct. Concurrency controls manage situations in which two or more users attempt to access a file or database simultaneously. As such, the purpose of concurrency controls is to protect data integrity.
When reviewing the system design of data input controls, which of the following should be given the least consideration? A. Authorization. B. Validation. C. Error notification. D. Configuration.
Answer (D) is correct. Data input controls are application controls. The objective of application controls is to ensure the completeness, accuracy, authorization, and validity of input data, processed data, stored data, and output data. Configuration is a consideration when reviewing IT general controls, not application controls. It is a logical access control that ensures only authorized persons and applications have access to data and applications.
In an order-entry system in which manually-prepared source documents are entered online for immediate processing, which of the following is an example of an appropriate input-output control? A. Hash total verification. B. Backup and recovery procedures. C. Password authorization procedure. D. Check-digit validation procedure.
Answer (D) is correct. Self-checking digits may be used to detect incorrect identification numbers. The digit is generated by applying an algorithm to the ID number. During the input process, the check digit is recomputed by applying the same algorithm to the code actually entered.
The purpose of check digit verification of an account number on an update transaction is to A. Ensure that supporting documentation exists for the update transaction. B. Detect a transposition of an account number entered into the system. C. Verify that the account number corresponds to an existing account in the master file. D. Require the account number to have the correct logical relationship with other fields.
B. A major control used to guard against errors made in transcribing or keying data is a check digit. A check digit is a detective control designed to establish the validity and appropriateness of numerical data elements, such as account numbers. The check digit within the code is a mathematical function of the other digits. Recalculation of the digit tests the accuracy of the other characters in the code. Check digit verification prevents single-digit errors from leading to erroneous updates.
A customer intended to order 100 units of product Z96014, but incorrectly ordered nonexistent product Z96015. Which of the following controls most likely would detect this error? A. Hash total. B. Check digit verification. C. Redundant data check. D. Record count.
B. Check digit verification is used to identify incorrect identification numbers. The digit is generated by applying an algorithm to the ID number. During input, the check digit is recomputed by applying the same algorithm to the entered ID number.
A small company has changed from a system of recording time worked on clock cards to a computerized payroll system in which employees record time in and out with magnetic cards. The computer system automatically updates all payroll records. Because of this change, A. Transactions must be processed in batches. B. Part of the audit trail is altered. C. The potential for payroll-related fraud is diminished. D. A generalized computer audit program must be used.
B. In a manual payroll system, a paper trail of documents is created to provide audit evidence that controls over each step in processing are in place and functioning. One element of a computer system that differentiates it from a manual system is that a transaction trail useful for auditing purposes might exist only for a brief time or only in computer-readable form.
Which of the following statements most likely represents a disadvantage for an entity that keeps data files on a server rather than on a manual system? A. Attention is focused on the accuracy of the programming process rather than errors in individual transactions. B. It is usually easier for unauthorized persons to access and alter the files. C. Random error associated with processing similar transactions in different ways is usually greater. D. It is usually more difficult to compare recorded accountability with the physical count of assets.
B. In a manual system, one individual is usually assigned responsibility for maintaining and safeguarding the records. However, in a server environment, the data files may be subject to change by others without documentation or an indication of who made the changes.
Batch and online processing modes A. Are forms of real-time processing. B. Are mutually exclusive. C. Can be used in combination in a single application. D. Are outmoded means of processing data.
C.
Which of the following are the intended users of control frameworks such as COBIT? A. Internal and external auditors only. B. Everyone in the organization. C. Anyone with IT control responsibilities. D. Senior management only.
C. Control frameworks are intended for use by anyone in the organization who has control responsibilities, not just auditors or senior management. Control frameworks also can be used to communicate with senior management and the board.
Effective IT general controls (ITGCs) are measured by the number of which of the following? 1. IT systems change requests 2. Incidents that damage public reputation 3. Systems that do not meet security criteria 4. Violations of segregation of duties A. 1, 2, and 3 only. B. 1, 2, and 4 only. C. 1, 2, 3, and 4. D. 2, 3, and 4 only.
D. ITGCs apply to all systems components, processes, and data in the organization or the system environment. Ensuring systems security involves creating security policies and continuously monitoring and responding to security threats. Effective ITGCs are measured by the number of (1) incidents that damage public reputation, (2) systems that do not meet security criteria, and (3) violations of segregation of duties.
Which of the following statements accurately describes the impact that automation has on the controls normally present in a manual system? A. Transaction trails are more extensive in a computer-based system than in a manual system because there is always a one-for-one correspondence between data entry and output. B. The quality of documentation becomes less critical in a computer-based system than it is in a manual system because data records are stored in machine-readable files. C. Responsibility for custody of information assets is more concentrated in user departments in a computer-based system than it is in a manual system. D. Controls must be more explicit in a computer-based system because many processing points that present opportunities for human judgment in a manual system are eliminated.
D. Using a computer does not change the basic concepts and objectives of control. However, the use of computers may modify the control techniques used. The processing of transactions may be combined with control activities previously performed separately, or control functions may be combined within the information system activity.
A customer's order was never filled because an order entry clerk transposed the customer identification number while entering the sales transaction into the system. Which of the following controls would most likely have detected the transposition? A. Completeness test. B. Limit test. C. Sequence test. D. Validity check.
D. Validity checks are tests of identification numbers or transaction codes for validity by comparison with items already known to be correct or authorized.