BEC - IT Governance PLUS SOME DEVELOPMENT AND IMPLEME.
Which of the following techniques would be used to verify that a program was free of unauthorized changes? A. Source code comparison program. B. Echo check. C. Tests of controls. D. Authorization matrix.
A, correct A source code comparison program is used to compare an archived version of the program to the program actually in use. Think about what we did in IT Audit with the program for P x Q
In COBIT, the process of identifying automated solutions falls within the ________ control process domain. A. Acquire and implement. B. Deliver and support. C. Monitor and evaluate. D. Plan and organize.
A, correct
In a large firm, the custody of an entity's data is most appropriately maintained by which of the following personnel? A. Data librarian. B. Systems analyst. C. Computer operator. D. Computer programmer.
A, correct
In a large multinational organization, which of the following job responsibilities should be assigned to the network administrator? A. Managing remote access. B. Developing application programs. C. Reviewing security policy. D. Installing operating system upgrades.
A, correct
Which of the following best defines electronic data interchange (EDI) transactions? A. Electronic business information is exchanged between two or more businesses. B. Customers' funds-related transactions are electronically transmitted and processed. C. Entered sales data are electronically transmitted via a centralized network to a central processor. D. Products sold on central web servers can be accessed by users anytime.
A, correct
Which of the following is NOT an example of an e-commerce system? A. Customer relationship management (CRM). B. Electronic data interchange (EDI). C. Supply chain management (SCM). D. Electronic funds transfer (EFT).
A, correct
Which of the following controls in not usually found in batch processing systems? A. Closed loop verification. B. Financial control totals. C. Check digits. D. Limit checks.
A, correct Closed loop verification is an input control associated with online real-time systems.
What is an example of the use of the cloud to access hardware? A. IaaS B. PaaS C. SAP D. ERP
A, correct IaaS is the use of the cloud to access virtual hardware.
Credit Card International developed a management reporting software package that enables members interactively to query a data warehouse and drill down into transaction and trend information via various network set-ups. What type of management reporting system has Credit Card International developed? A. On-line analytical processing system. B. On-line transaction-processing system. C. On-line executive information system. D. On-line information storage system.
A, correct On-line analytical processing systems (OLAPs) are an increasingly important multidimensional analytical tool. An OLAP is a modification and expansion of an on-line transaction processing system to provide the capabilities and functionalities identified in this question.
Management of a company has a lack of segregation of duties within the application environment, with programmers having access to development and production. The programmers have the ability to implement application code changes into production without monitoring or a quality assurance function. This is considered a deficiency in which of the following areas? A. Change control. B. Management override. C. Data integrity. D. Computer operations.
A, correct The management of changes to applications is part of the Source Program Library Management System (SPLMS).
Which of the following is true of enterprise resource planning (ERP) systems? I. The online analytical processing system (OLAP) provides data warehouse capabilities for the ERP system. II. The ability of an ERP system to provide an integrated view of transactions in all parts of the system is a function of the online transaction processing (OLTP) system. A. I only. B. II only. C. Both I and II. D. Neither I nor II.
A, correct The online analytical processing system (OLAP) incorporates data warehouse and data mining capabilities within the ERP. The online transaction processing system (OLTP) records the day-to-day operational transactions and enhances the visibility of these transactions throughout the system. It is primarily the OLAP and not the OLTP, that provides an integrated view of transactions in all parts of the system. The OLTP is primary concerned with collecting data (and not analyzing it) across the organization.
In COBIT, the process of identifying automated solutions falls within the ________ control process domain. A. Acquire and implement. B. Deliver and support. C. Monitor and evaluate. D. Plan and organize.
A, correct The process of identifying automated solutions does fall within the acquire and implement control process domain.
In which of the following implementation approaches do the new and old systems run concurrently until it is clear that the new system is working properly? A. Parallel. B. Cold Turkey. C. Phased. D. Pilot.
A, correct Think that these are running at the same time - therefore, there are parallel.
Which of the following roles is responsible for prioritizing systems development proposals? A. IT Steering Committee. B. Lead systems analyst. C. Application programmers. D. End users.
A, correct This group's principal duty is to approve and prioritize systems proposals for development.
Which of the following is the primary advantage of using a value-added network (VAN)? A. It provides confidentiality for data transmitted over the Internet. B. It provides increased security for data transmissions. C. It is more cost effective for the company than transmitting data over the Internet. D. It enables the company to obtain trend information on data transmissions.
B, correct This is the best answer because increased security is a common motivation for the use of a value-added network.
After changes to a source program have been made and verified, it moves to A. Atlanta. B. Development. C. The operator. D. Production.
After changes and verification to those changes, source programs move into production.
An audit trail is considered what type of control? A. Input. B. Processing. C. Output. D. Software.
B, correct
An information technology director collected the names and locations of key vendors, current hardware configuration, names of team members, and an alternative processing location. What is the director most likely preparing? A. Data restoration plan. B. Disaster recovery plan. C. System security policy. D. System hardware policy.
B, correct
This is an example of B2G A. Amazon. B. Municipal audit procurement. C. Online chemical sales. D. RAID.
B, correct
What is an example of the use of the cloud to create software and programs? A. IaaS B. PaaS C. SaaS D. SAP
B, correct
What is the role of the systems analyst in an IT environment? A. Developing long-range plans and directs application development and computer operations. B. Designing systems, prepares specifications for programmers, and serves as intermediary between users and programmers. C. Maintaining control over the completeness, accuracy, and distribution of input and output. D. Selecting, implementing, and maintaining system software, including operating systems, network software, and the data base management system.
B, correct
Which of the following types of documentation would a computer operator use to determine how to set up and run a specific computer application. A. Program documentation. B. Run manual. C. Systems documentation. D. Data flow diagrams.
B, correct
Who is responsible for granting users access to specific data resources? A. System programmers. B. Database administrator. C. Systems analyst. D. Data control.
B, correct
Which of the following is considered an application input control? A. Run control total. B. Edit check. C. Report distribution log. D. Exception report.
B, correct An edit check is an application input control.
Which of the following is not considered to be an electronic funds transfer (EFT) transaction? A. Direct deposit of payroll payments into the employee's bank account. B. Cash cards. C. Automated teller machine (ATM) transactions. D. Credit card payment initiated from a POS terminal.
B, correct Cash cards do not involve bank clearing processes and are not considered to be EFT transactions.
A manufacturing company that wants to be able to place material orders more efficiently most likely would utilize which of the following? A. Electronic check presentment. B. Electronic data interchange. C. Automated clearinghouse. D. Electronic funds transfer.
B, correct Electronic data interchange (EDI) allows companies to place orders with their suppliers electronically
What is the primary objective of data security controls? A. To establish a framework for controlling the design, security, and use of computer programs throughout an organization. B. To ensure that storage media are subject to authorization prior to access, change, or destruction. C. To formalize standards, rules, and procedures to ensure that the organization's controls are properly executed. D. To monitor the use of system software to prevent unauthorized access to system software and computer programs.
B, correct Ensuring that accessing, changing, or destroying storage media is subject to authorization is, in fact, a primary objective of data security controls.
An enterprise resource planning (ERP) system has which of the following advantages over multiple independent functional systems? A. Modifications can be made to each module without affecting other modules. B. Increased responsiveness and flexibility while aiding in the decision-making process. C. Increased amount of data redundancy, since more than one module contains the same information. D. Reduction in costs of implementation and training.
B, correct Improving responsiveness and flexibility, and aiding the decision-making processes in an organization, are important goals of an ERP system. Hence, this is the best answer.
A controller is developing a disaster recovery plan for a corporation's computer systems. In the event of a disaster that makes the company's facilities unusable, the controller has arranged for the use of an alternate location and the delivery of duplicate computer hardware to this alternate location. Which of the following recovery plans would best describe this arrangement? A. Hot site. B. Cold site. C. Back-up site procedures. D. Hot spare site agreement.
B, correct In a cold site approach to disaster recovery, hardware and records are delivered after the occurrence of a disaster. This approach is less expensive, but more risky than a hot site approach.
Mark Chen was recently hired by the Rollins Company at a monthly salary of $1,800. When his employee information was entered into the company's personnel system, his monthly salary amount was entered correctly, but he was inadvertently classified as an hourly employee. Which of the following controls would be most likely to detect this error? A. Range check. B. Reasonableness check. C. Closed loop verification. D. Limit check.
B, correct Reasonableness checks look at the values in two related fields to ensure that they make sense as a unit; for example, Mark's $1,800 rate is reasonable and his assignment as an hourly employee could be reasonable, but the combination of the two fields ($1,800 hourly rate) is unreasonable.
More than one file may be stored on a single magnetic disc. Several programs may be in the core storage unit simultaneously. In both cases it is important to prevent the mixing of data. One way to do this is to use A. File integrity control. B. Boundary protection. C. Interleaving. D. Paging.
B, correct This answer is correct because the primary purpose of boundary protection is to prevent the mixing of data on a magnetic memory disc and a core storage unit.
Control Objectives for Information and Related Technology (COBIT) provides a framework for A. Internet-based systems. B. IT governance and management of enterprise IT. C. Auditing IT Systems. D. The implementation for new technology.
B, correct\ This answer is correct. COBIT provides a framework for IT governance and management of enterprise IT.
Rose and McMullin, a regional public accounting firm, has recently accepted a contract to audit On-the-Spot, Inc., a mobile vending service that provides vending machines for large events. On-the-Spot uses a computerized accounting system, portions of which were developed internally to integrate with a standard financial reporting system that was purchased from a consultant. What type of documentation will be most useful to Rose and McMullin in determining how the system as a whole is constructed? A. Operator documentation. B. Program documentation. C. Systems documentation. D. User documentation.
C, Correct! Systems documentation provides an overview of the program and data files, processing logic, and interactions with each of the other programs and system
In DRP, top priority is given to which activities? A. Accounting. B. Manufacturing. C. Mission critical. D. Business critical.
C, correct
The distribution of reports is considered what type of control? A. Input. B. Processing. C. Output. D. Software.
C, correct
The position responsible for managing the flow of documents and reports in and out of the computer operations department is the A. Data entry clerk. B. Computer operator. C. Data control clerk. D. File librarian.
C, correct
To maintain effective segregation of duties within the information technology function, an application programmer should have which of the following responsibilities? A. Modify and adapt operating system software. B. Correct detected data entry errors for the cash disbursement system. C. Code approved changes to a payroll program. D. Maintain custody of the billing program code and its documentation.
C, correct
Which of the following types of networks is often utilized to process electronic data interchange (EDI) transactions? A. Wide area network (WAN). B. Secure electronic transactions (SET) network. C. Value-added network (VAN). D. Intranet.
C, correct
Communications between trading partners in an electronic data interchange (EDI) environment are usually A. sent through the Internet. B. made via direct connection from one trading partner to the other. C. sent through a value-added network (VAN). D. processed along with electronic funds transfer transactions through the online banking network.
C, correct Because of their security and auditing features, VANs remain the most popular means of managing EDI communications.
Bacchus, Inc. is a large multinational corporation with various business units around the world. After a fire destroyed the corporate headquarters and largest manufacturing site, plans for which of the following would help Bacchus ensure a timely recovery? A. Daily backup. B. Network security. C. Business continuity. D. Backup power.
C, correct Business continuity planning will help the business recover after a fire.
Which of the following is responsible for designing, creating, and testing programs? A. IT Steering Committee. B. Lead systems analyst. C. Application programmers. D. End users.
C, correct Design, create, test
Which of the following risks increases the least with cloud-based computing compared with local server storage for an organization that implements cloud-based computing? A. Data loss. B. Vendor security failure. C. Global visibility. D. System hacks.
C, correct Global visibility is not a risk of cloud-based computing.
Which of the following statements is correct concerning the security of messages in an electronic data interchange (EDI) system? A. Removable drives that can be locked up at night provide adequate security when the confidentiality of data is the primary risk. B. Message authentication in EDI systems performs the same function as segregation of duties in other information systems. C. Encryption performed by a physically secure hardware device is more secure than encryption performed by software. D. Security at the transaction phase in EDI systems is not necessary because problems at that level will be identified by the service provider.
C, correct Hardware > Software This answer is correct. Encryption can be used to ensure the privacy and security of EDI messages both during transmission and when stored. Hardware-based encryption is inherently more secure than software-based encryption, as software can be more easily accessed and altered than hardware.
An enterprise resource planning system is designed to A. Allow nonexperts to make decisions about a particular problem. B. Help with the decision-making process. C. Integrate data from all aspects of an organization's activities. D. Present executives with the information needed to make strategic plans.
C, correct It is a primary objective of an enterprise resource planning system to integrate data from all aspects of an organization's activities into a centralized data repository. Hence, this is the best answer to the question.
Problems associated with e-commerce in general include all of the following except A. Problems in establishing identity and authenticity. B. Maintaining privacy of customer information. C. Establishing contractual agreements between trading partners. D. Effecting a secure exchange of payment for the goods/services.
C, correct Most e-commerce transactions are not based on prior contractual agreements between trading partners.
Which of the following statements is (are) true. I. A greater level of control is necessary in automated than manual systems. II. The uniformity of transaction processing is higher in automated than manual systems. A. Both I and II. B. I only. C. II only. D. Neither I or II.
C, correct Statement two is correct. Automated transaction processing results in a greater uniformity of transactions.
Which of the following information technology (IT) departmental responsibilities should be delegated to separate individuals? A. Network maintenance and wireless access. B. Data entry and antivirus management. C. Data entry and application programming. D. Data entry and quality assurance.
C, correct The separation of the data entry function from the application programming function is critical to the segregation of duties within an IT department. This is because if one both enters data and changes the programs into which those data are entered, one can perpetrate consequential financial frauds. This is why data entry occurs within the operations unit of an IT department and application development occurs within the development function of an IT department. These functions must be kept separate and their duties segregated. Therefore, this is the best answer to the question.
In which of the following implementation approaches is the system divided into modules for implementation? A. Parallel. B. Cold Turkey. C. Phased. D. Pilot.
C, correct The system is divided into modules that are brought on line one at a time.
Which of the following is responsible for identifying problems and proposing initial solutions? A. IT Steering Committee. B. Lead systems analyst. C. Application programmers. D. End users.
D, This group has the primary responsibility of identifying problems and proposing initial solutions.
In DRP, the lowest priority is given to which activities? A. Accounting. B. Manufacturing. C. Mission critical. D. Task critical.
D, correct
In a small business with only microcomputers, which documentation would be most useful to an untrained user to learn how to correct data errors in a database application? A. Operator documentation. B. Program documentation. C. Systems documentation. D. User documentation.
D, correct
In which of the following implementation approaches are users divided into smaller groups and trained on the new system, one group at a time? A. Parallel. B. Cold Turkey. C. Phased. D. Pilot.
D, correct
A poor quality connection caused extensive line noise, resulting in faulty data transmission. Which of the following controls is most likely to detect this condition? A. Line check. B. Batch control total. C. Closed loop verification. D. Parity check.
D, correct A parity check is designed to detect errors in data transmission.
Which of the following input controls would prevent an incorrect state abbreviation from being accepted as legitimate data? A. Reasonableness test. B. Field check. C. Digit verification check. D. Validity check
D, correct A validity check compares the value entered in a field to a list of valid data values.
A brokerage firm has changed a program so as to permit higher transaction volumes. After proper testing of the change, the revised programs were authorized and copied to the production library. This practice is an example of A. Prototyping. B. Program integration. C. SDLC (System Development Life Cycle). D. Change control.
D, correct Authorize changes, approve test results to production library.
An employee mistakenly enters April 31 in the date field. Which of the following programmed edit checks offers the best solution for detecting this error? A. Online prompting. B. Mathematical accuracy. C. Preformatted screen. D. Reasonableness.
D, correct Date is reasonableness
IT people controls are mostly A. Application, Corrective. B. General, Corrective. C. General, Detective. D. General, Preventive.
D, correct Most IT people controls are general and preventive. For example, the segregation of duties prevents employees from making unauthorized changes to program and data files.
The fixed assets and related depreciation of a company are currently tracked on a password-protected spreadsheet. The information technology governance committee is designing a new enterprise-wide system and needs to determine whether the current fixed asset process should be included because the current system seems to be working properly. What long-term solution should the committee recommend? A. Continuing to use the current spreadsheet process because there have been no issues in this area. B. Developing a new fixed asset system to manage the assets and related depreciation. C. Purchasing a stand-alone fixed asset program for managing the assets and related depreciation. D. Adopting the fixed-asset module of the new system for integration.
D, correct One of the goals of an enterprise-wide system is to integrate, "...all data maintained by the organization into a single database." This option best achieves the goal of a single, organization-wide system with which to bind the entire organization together.
QuikStop, Inc., a local convenience store chain, is planning to install point-of-sale (POS) systems in all eight of its locations by the end of the year. In the first year or so of operation, QuikStop can reasonably expect to experience all of the following EXCEPT A. Increases in order processing efficiency. B. Increases in order processing accuracy. C. Decreases in total inventory carrying costs. D. Decreases in total inventory order costs.
D, correct The reduction in inventory levels results in more frequent ordering for smaller quantities. This, in turn, leads to higher total inventory order costs.
Which of the following is a key difference in controls when changing from a manual system to a computer system? A. Internal control principles change. B. Internal control objectives differ. C. Control objectives are more difficult to achieve. D. Methodologies for implementing controls change.
D, correct This answer is correct because the methods of achieving control are different for a computer system.
One of the major problems in a computer system is that incompatible functions may be performed by the same individual. One compensating control for this is use of A. A tape library. B. A self-checking digit system. C. Computer generated hash totals. D. A computer log.
D, correct This answer is correct because the use of a computer log will allow a review of an individual's access to the system.
Checkpoint auto leasing is a small company with six employees. The best action that it can take to increase its internal control effectiveness is A. Hire temporary employees to aid in the segregation of duties. B. Hire a bookkeeper to perform monthly "write up" work. C. Clearly delegate responsibilities to each employee for the functions that they are assigned. D. Engage the owner in direct participation in the activities, including financial record-keeping, of the business.
D, correct This is the best answer since engaging the owner in the activities of the business is an important compensating control in small organizations.