D217 AIS SET1
What is a reason for sales returns?
"Buyer refusing due to late arrival." Late deliveries can affect sales returns.
Which journals record the results of transaction cycles?
"Special journals and subsidiary accounts of the general ledger." Transaction cycles are part of the accounting information system and record individual events in the special journals and subsidiary accounts of the general ledger.
What is an example of a password standard?
"Expiration interval." Password expiration interval is an example of a password standard.
After completing the annual audit for a publicly traded company, an external auditor issues a qualified opinion about the effectiveness of internal controls. What is the implication of this finding?
"The auditor identified at least one material weakness in internal controls." The standard for the audit opinion on internal controls is high. The auditor cannot issue an unqualified opinion if one material weakness in internal control is detected.
Which procedure should be followed when receiving goods?
"The clerk must count and inspect all deliveries to ensure receipt of the right product." All incoming and outgoing items should be physically counted to ensure accuracy.
In which two ways does an AIS safeguard assets?
- by providing tools to alert managers when an unauthorized user attempts to use assets - by requiring a correct password to be entered to access the company network
Match each function of an AIS with the type of improvement it provides. - a function that checks payroll entries for mistakes that would cause overpayment or underpayment of employees - a function that provides up-to-the-minute information about inventory items that are low in stock - a function that informs a supervisor when manufacturing production performance falls below standards
- a function that checks payroll entries for mistakes that would cause overpayment or underpayment of employees = improves the internal control structure - a function that provides up-to-the-minute information about inventory items that are low in stock = improves the effectiveness of the supply chain - a function that informs a supervisor when manufacturing production performance falls below standards = improves the quality and reduces the costs of products or services
What organizations help companies comply with myriad requirements of government regulations?
1. American Institute of Certified Public Accountants (AICPA) 2. Canadian Institute of Chartered Accountants (CICA) 3. Generally Accepted Privacy Principles (GAPP)
What are examples of detective controls?
1. Log analysis 2. Intrusion detection systems 3. Penetration testing 4. Continuous monitoring
Computer Incident Response Team (CIRT)
A team that is responsible for dealing with major security incidents. The CIRT team should include not only technical specialists but also senior operations management.
Border Router
A device that connects an organization's information system to the internet
Monthly statement
A document listing all transactions that occurred during the past month and informing customers about their current account balance
Remittance list
A document listing the names and amounts of all customers' payments received in the mail
Packing slip
A document listing the quantity and description of each item included in a shipment
Transaction File
A file that contains the individual business transactions that occur during a specific fiscal period. A transaction file is conceptually similar to a journal in a manual AIS.
Accounting information system
A system that collects, records, stores, and processes data to produce information for decision makers
Financing Cycle
Activities associated with raising money by selling shares in the company to investors and borrowing money as well as paying dividends and interest.
Revenue Cycle
Activities associated with selling goods and services in exchange for cash or a future promise to receive cash
What is processing?
Activities at the transaction level - CRUD (Create new records, Read existing records, Update existing records, Delete records or data).
Outbound logistics
Activities that distribute finished products or services to customers
Which of the following is NOT an element of the fraud triangle? A. ethics B. justifiable reliance C. situational pressure D. opportunity E. All of the above are elements
B
Disadvantages of Purchasing
Costly; lack of flexibility; might not cover all needs
Data V. Information
Data: facts collected, recorded, and stored in the system. Information: the data organized within a context (e.g., a sales invoice) in which it is meaningful.
13. Which of the following is not an example of a processing control? a. hash total. b. record count. c. batch total. d. check digit
D
14. Which of the following is an example of input control test? a. sequence check b. zero value check c. spooling check d. range check
D
15. Which input control check would detect a payment made to a nonexistent vendor? a. missing data check b. numeric/alphabetic check c. range check d. validity check
D
3. Routine maintenance activities require all of the following controls except a. documentation updates b. testing c. formal authorization d. internal audit approval
D
30. All of the following concepts are associated with the black box approach to auditing computer applications except a. the application need not be removed from service and tested directly b. auditors do not rely on a detailed knowledge of the application's internal logic c. the auditor reconciles previously produced output results with production input transactions d. this approach is used for complex transactions that receive input from many sources
D
36. Which statement is not true? Embedded audit modules a. can be turned on and off by the auditor. b. reduce operating efficiency. c. may lose their viability in an environment where programs are modified frequently. d. identify transactions to be analyzed using white box tests.
D
Which of the following is not an example of preventative control? A. separation of responsibilities for the recording custodial, and authorization functions B. sound personnel practices C. documentation of policies and procedures D. password authentication software and hardware E. source documents for capturing sales data
D
Financial Statement Pressure Triangle
Financial, management characteristics and industry conditions
COSO's Internal Control Model consists of...
Five components and 17 Principles
CAATs
Imperative tools for auditors to conduct an audit in accordance with heightened auditing standards.
C: Delivery and Support.
Internal auditors at Henry Flower's Flower shop are undertaking a comprehensive review of outsourcing contracts and policies as part of improving service quality. In the COBIT model, this is best classified as an example of A: Planning and Organization. B: Acquisition and Implementation. C: Delivery and Support. D: Monitoring
Sequence codes
Items are numbered consecutively so that gaps in the sequence code indicate missing items that should be investigated. Examples include prenumbered checks, invoices, and purchase orders.
D: Support functions
Jiffy Grill has an ERP system. It has assigned responsibility for determining who has what access rights within the ERP system. Based on this, to whom is it most likely that Jiffy Grill has assigned this responsibility? A: Internal auditors. B: Other personnel. C: Management D: Support functions
Caller ID Spoofing
Displaying an incorrect number on the recipient's caller ID display to hide the caller's identity
What is e-commerce? (compared to EDI)
E-commerce is a more generic term for all buying and selling transactions completed electronically
Support Activities in the Value Chain
Enable primary activities to be performed efficiently and effectively: 1. Firm infrastructure 2. Human resources 3. Technology 4. Purchasing
Which process are planning, authorizing, scheduling, accounting for, and controlling necessary parts of?
"Systems development process." A manufacturing process produces a complex product through a series of stages.
What represents an equipment failure risk in a communication system?
"A loss of databases stored on network servers." Equipment failures can result in the loss of databases and programs stored on network servers.
Why is a management reporting system a control?
"A management reporting system contains data that can be used to monitor the company." Management reporting systems are implemented at the discretion of organization management based on internal user needs to manage and control business activities.
In a system flowchart, how would a clerk's tasks of entering sales orders be depicted?
"Bucket-shaped symbol." The bucket-shaped symbol represents a manual process.
Which items reflect fixed assets?
"Buildings." Buildings can be sold and converted to cash.
Which system should be selected if a firm needs to implement software immediately?
"Commercial system." Commercial systems can be implemented immediately.
Which three types of data management problems are a result of data redundancy?
"Data storage, data updating, and currency of information." Data storage, data updating, and currency of information problems are caused by data redundancy.
An organization uses a flat-file data management system. Which problem is caused when customers change their address?
"Data updating." When customers change their address, the address needs to be updated in every file where it appears. The address may be stored across different departments, and it would need to be updated with each one of them.
A disgruntled employee places a logic bomb to erase an organization's supplier list. Which type of fraud does this scenario reflect?
"Database management fraud." Database management fraud involves altering, deleting, corrupting, destroying, or stealing an organization's data.
Why would an organization decide to develop its own custom information system?
"It has unique information needs." An organization would develop its own custom information system when there is no readily available solution for its information needs.
What is a drawback of a backbone system such as an enterprise resource planning (ERP) system?
"Large cost." Customizing a commercial system can be expensive and time consuming.
While in-house, custom-designed systems dealt efficiently with their designated tasks, they did not provide strategic decision support at the enterprise level. What is the reason that they lacked support?
"They lacked the integration needed for information transfer across organizational boundaries." Customization made systems very organization specific. This specificity made combining with systems outside of the organization extremely difficult.
What is the importance of supervisory control?
"To review and examine content reported." This is the compensating control function that allows a manager to review all content of sales for accuracy.
Which standard does the Safe Harbor Agreement establish for information?
"Transmittal." The two-way agreement between the United States and the European Union establishes standards for information transmittal.
What is a risk associated with one clerk receiving inventory?
"Unauthorized purchases." Unauthorized purchases can cause excessive inventory and tie up funds.
Which function reflects the expenditure cycle?
"Updating inventory." Inventory is a part of the expenditure cycle because the quantities and condition are updated.
Which information technology (IT) test category verifies that credit checks and accounts payable (AP) three-way matches are performed by an application?
"Validity test." A validity test verifies that credit checks and AP three-way matches are properly performed by the application.
General accounting systems
"are designed to serve a wide variety of user needs." General accounting systems are designed to serve a wide variety of user needs. By mass-producing a standard system, the vendor is able to reduce the unit cost of these systems to a fraction of in-house development costs.
A digital signature is
"derived from the digest of a document that has been encrypted with the sender's private key." A digital signature is derived from the digest of a document that has been encrypted with the sender's private key. A digital signature is an electronic authentication technique that ensures the transmitted message originated with the authorized sender and that it was not tampered with after the signature was applied.
Which type of control is considered a compensating control for customer payments?
"supervision." Supervision is a compensating control for customer payments. Compensating controls are put in place when more effective controls are deemed too difficult or costly to implement. Supervision is the simplest and most common form of compensating control.
database
-A set of interrelated, centrally coordinated data files that are stored with as little data redundancy as possible. -A database consolidates records previously stored in separate files into a common pool and serves a variety of users and data processing applications.
What are the phases of customer behavior online?
1. Discover 2. Research 3. Compare 4. Purchase
In managing endpoint security, what three areas deserve special attention:
1. Endpoint configuration 2. User account management 3. Software Design
What is the 80/20 rule?
Spend 80% of the time designing the form so that only 20% of the time is spent keeping it up (correcting the data)
MAC Address
A Media Access Control address is a hardware address that uniquely identifies each node on a network
Foreign key
An attribute in a table that is also a primary key in another table; used to link the two tables
What is a ledger?
A book or other collection of financial accounts of a particular type.
Cash flow budget
A budget that shows projected cash inflows for a specified period
Data warehouse
A collection of information gathered from an assortment of external and operational databases to facilitate reporting for decision making and business analysis
Relational database
A database built using the relational data model
Zombie
A hijacked computer, typically part of a botnet, that is used to launch a variety of internet attacks
Universal payment identification code (UPIC)
A number that enables customers to remit payments via an ACH credit requiring the seller to divulge detailed information about its bank account
Entity
A person, place, or thing about which an organisation wishes to store data
Committee of Sponsoring Organizations (COSO)
A private- sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.
Cookie
A text file created by a Web site and stored on a visitor's hard drive. Cookies store information about who the user is and what the user has done on the site.
what are two traits of useful information? choose 2 answers
Accessibility, Reliability
C: Risk assessment.
According to the 17 COSO control principles, organizational objectives primarily relate to which fundamental component of internal control: A: Control activities. B: Control environment. C: Risk assessment. D: Monitoring.
What are adjusting entries?
Accounting journal entries that convert a company's accounting records to the accrual basis of accounting.
What is an audit trail?
Accounting records that trace transactions from their source documents to the financial statements
Firm infrastructure
Accounting, finance, legal, and general administration activities
Spoofing
Altering some part of an electronic communication in order to gain the trust of the recipient
Data model
An abstract representation of database contents
Primary Key
An attribute or combination of attributes that can be used uniquely to identify a specific row in a table
Digital Certificate
An electronic document that certifies the identity of the owner of a particular public key and contains that party's public key
Sabotage
An intentional act where the intent is to destroy a system or some of its components
Business Intelligence
Analyzing large amounts of data for strategic decision making
Routers
Are special-purpose devices that are designed to read the source and destination address fields in IP packet headers to decide where to send (route) the next packet
Understand the normal balance of an account.
Asset - Debit; Liability - Credit; Equity - Credit; Expense - Debit; Revenue - Credit
Identity Theft
Assuming someone's identity, usually for economic gain (unauthorized use of someone's personal information for the perpetrator's benefit)
Internal Auditing
Assurance and consulting activity designed to add value, improve organizational effectiveness and efficiency, and accomplish organization objectives
Generalized audit software (GAS)
Audit software that uses auditor-supplied specifications to generate a program that performs audit functions
Which scenario accurately represents the general approach used to test application controls for a batch processing application?
"Auditor-created data are submitted in a transaction file." Auditor-created data are submitted in a transaction file.
Functions of Separation of Duties
Authorisation, Recording and Custody
Vulnerability Scanners
Automated tools designed to identify whether a given system possesses any unused and unnecessary programs that represent potential security threats
Accessible
Available to users when they need it and in a format they can use
Timely
Provided in time for decision makers to make decisions
Subschema
Subset of the schema: the way that a user defines the data and the data relationships
Information Overload
The point at which the value of additional information incorporated into a decision begins to decline, because the information supplied exceeds human processing capacity
Attributes
The properties, identifying numbers, and characteristics of interest of an entity that are stored in a database. Examples are employee number, pay rate, name, and address.
Residual Risk
The risk that remains after management implements internal controls or some other response to risk.
What is the difference between batch and real time?
Batch systems assemble transactions into groups for processing. Real-time systems process transactions individually at the moment the economic event occurs.
Four levels of control to help management reconcile the conflict between one activity and control
Belief system, boundary system, diagnostic control system, and interactive control system
D: Lower fraud risk
Billy Bob's BarBQ has a small accounting staff and outsources payroll to a payroll service bureau. Which of the following is the most important advantage of outsourcing payroll? A: Improved batch control totals B: More accurate time recording by employees C: Hiring more qualified employees D: Lower fraud risk
Block Code
Blocks of numbers that are reserved for specific categories of data, thereby helping to organize the data (chart of accounts)
Public Company Accounting Oversight Board (PCAOB)
Board created by SOX that regulates the auditing profession
An employee in the receiving department keyed in a shipment from a remote terminal and inadvertently omitted the purchase order number. The best systems control to detect this error would be a a. batch total. b. completeness test. c. sequence check. d. reasonableness test. e. compatibility test.
C
New specialty for CPAs - CITP
The CITP (Certified Information Technology Professional) designation reflects the AICPA's recognition of the importance of IT and its interrelationship with accounting. A CITP possesses a broad range of business, managerial, and technological knowledge, making it possible for the CITP to understand how organizations use IT to achieve their business objectives. Topics include: information system management, business intelligence, fraud, risk assessment, internal control concepts, and how to test and evaluate an information system.
control frameworks
COBIT, COSO, COSO-ERM
Missing Data Check
Checks for incomplete or blank input fields.
Digital Watermark
Code embedded in documents that enables an organization to identify confidential information that has been disclosed
Patch
Code released by software developers that fixes a particular software vulnerability
What are block codes?
Coding scheme that assigns ranges of values to specific attributes such as account classifications.
coding systems
Common coding systems include sequential, block, hierarchical, and mnemonic codes. These are four different types of codes; only one posting for each of the four codes.
Computer Instructions Fraud
Computer instructions fraud includes tampering with company software, copying software illegally, using software in an unauthorized manner, and developing software to carry out an unauthorized activity
Auditing
Conduct an official financial inspection of a business
on-page connector
Connects the processing flow on the same page; its usage avoids lines crisscrossing a page
Inbound logistics
Consists of receiving, storing, and distributing the materials
Transaction File
Contains records of a specific business for a period of time
COBIT
Control Objectives for Information and related Technology, issued by ISACF; generally applicable IT systems security and control practices to be put in place by the board of directors and used by: 1. Management to benchmark security/control practices of IT environments 2. Users of IT services to be assured that adequate security/control exist 3. Auditors to substantiate opinions on internal control and advise on IT security/control
general controls, application controls, physical controls
Control activities under SAS 109/COSO include A. IT Controls, preventative controls, and Corrective controls B. physical controls, preventative controls, and corrective controls. C. general controls, application controls, and physical controls. D. transaction authorizations, segregation of duties, and risk assessment
Application controls
Controls that prevent, detect, and correct transaction errors and fraud in application programs
Public Company Accounting Oversight Board (PCAOB)
Created by SOX to control the auditing profession by setting and enforcing auditing, quality control, ethics, independence, and other auditing standards. It consists of 5 people who are appointed by the SEC.
What are the 4 different types of data processing activities?
Creating, Reading, Updating, Deleting
IP Address Spoofing
Creating Internet Protocol packets with a forged IP address to hide the sender's identity or to impersonate another computer system
37. Generalized audit software packages perform all of the following tasks except a. recalculate data fields b. compare files and identify differences c. stratify statistical samples d. analyze results and form opinions
D
9. Which of the following is correct? a. check digits should be used for all data codes b. check digits are always placed at the end of a data code c. check digits do not affect processing efficiency d. check digits are designed to detect transcription and transposition errors
D
Providing timely information about transactions in sufficient detail to permit proper classification and financial reporting is an example of a. the control environment b. risk assessment c. information and communication d. monitoring
D
SOX legislation calls for sound internal control practices over financial reporting and requires SEC-registered corporations to maintain systems of internal control that meet SOX standards. An integral part of internal control is the appropriate use of preventive controls. Which of the following is not an essential element of preventive control? a. separation of responsibilities for the recording, custodial, and authorization functions b. sound personnel practices c. documentation of policies and procedures d. implementation of state-of-the-art software and hardware e. physical protection of assets
D
database system
DBMS and application programs that access the data
Data definition language (DDL)
DBMS language that builds the data dictionary, creates the database, describes logical views, and specifies record or field security constraints
What is the first step in the data processing cycle?
Data input
Information
Data that have been organized and processed to provide meaning and improve decision-making.
System Flowchart
Depicts the relationships among system input, processing, storage, and output. System flowcharts are used to describe data flows and procedures within an AIS.
What two types of functions do internal controls provide?
Detective, corrective
Preventive controls
Deter problems before they arise
Authorization
Determines what a person can access
Trust Services Framework
Developed jointly by the AICPA and CICA to provide guidance for assessing the reliability of information systems
Detective Internal Controls
Devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls.
e. none of the above.
Disguising message packets to look as if they came from an authorized user of the host's network is a technique called a. smurfing b. IP spooling. c. denial of service attack. d. screening. e. none of the above.
Corruption
Dishonest conduct by those in power which often involves actions that are illegitimate, immoral, or incompatible with ethical standards (bribery and bid rigging)
What are the 3 types of information output produced by an AIS?
Documents, reports, queries
which tool is useful when analyzing internal control procedures?
Document flowchart
Picking ticket
Document that lists the items and quantities ordered and authorizes the inventory control function to release that merchandise to the shipping department
What is a source document?
Documents that capture and formalize transaction data needed for processing by their respective transaction cycles.
What is EDI? (compared to e-commerce)
EDI is a transaction between two specific computers
What is Online or real-time processing? (OLRT)
Each journal entry is posted directly to the general ledger. Usually used with Point of Sale (POS) systems
Feasibility Study
Economic, Technical, Legal, Scheduling and Operational
The key criteria of business requirements for information:
Effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability.
asymmetric key encryption
Encryption system in which two keys are used: a public key used only to encrypt data, and a private key used only to decrypt it. SOTA code
Design Phase (SDLC)
Establishes descriptions of the desired features and operations of the system including screen layouts, business rules, process diagrams, pseudo code, and other documentation
Compliance Audit
Examination of organizational compliance with applicable laws, regulations, policies, and procedures
Documentation
Explains how a system works. (Including the who, what, when, where, why, and how of data entry, data processing, data storage, information output, and system controls.)
Supply chain
Extended system that includes the value chain as well as suppliers, distributors, and customers
XML
Extensible Markup Language, a standard language to communicate among businesses and users across the internet
Data
Facts that are collected, recorded, stored, and processed by an information system
B: Revenue cycle.
Fictitious customers are an important risk of the A: General ledger cycle. B: Revenue cycle. C: Financing cycle. D: Expenditure cycle.
Data Entry Controls
Field Check, Sign Check, Limit Check, Range Check, Size Check
Information Output
Final stage in data processing cycle (soft copy or hard copy)
steps for better thinking
Foundation - knowing 1. identifying 2. exploring 3. prioritizing 4. envisioning
GAAS
Generally accepted auditing standards
Goal conflict V. Goal congruence
Goal conflict - when a subsystem's goals are inconsistent with the goals of another subsystem or the system as a whole. Goal congruence - when a subsystem achieves its goals while contributing to the organization's overall goal.
Phase-In Conversion
Gradually replaces elements of old AIS with new one
What is a GUI? (what does it stand for)
Graphical User Interface
DFD
Graphical representation of a process using four symbols for the process, external entity (outside the boundary of an information system), data store, and data flow
B: Determine reporting procedures for vendor anomalies.
Griswold Corp. is planning a data analytics program to manage the risk of vendor fraud in purchasing. Which of the following activities would occur last in this process? A: Determine the risk of management override of controls over purchases. B: Determine reporting procedures for vendor anomalies. C: Screen data to remove html tags from harvested vendor data. D: Validate scraped data to match to existing vendor files.
Records
Group of related attributes about an entity
File
Group of related records
A: Bill of materials.
Hamish works in a factory that builds tractors in Des Moines, Iowa. He can't remember whether the B352 or the C917 sprocket is needed in building a X793 tractor. The document, form, or screen that would help him decide is: A: Bill of materials. B: Materials requisition. C: Move ticket. D: Picking ticket.
B: Materials requisition.
Hamish works in a factory that builds tractors in Des Moines, Iowa. He wants to get a B352 sprocket that is needed in building a X793 tractor. The document, form, or screen that would authorize this action is: A: Bill of materials. B: Materials requisition. C: Move ticket. D: Picking ticket.
Scheduled Reports
Have pre-specified content and format and are prepared on a regular basis
Interactive control system
Helps managers focus subordinates' attention on key strategic issues and be more involved in their decisions
What are two different types of databases?
Hierarchical and relational.
Context Diagram
Highest level DFD; a summary-level view of a system, showing the data processing system, its inputs and outputs, and their sources and destinations
What is data visualization?
How you present your data (graphs, spreadsheets, etc.)
event ID
Identify events that affect strategy implementation and achievement
How does AIS add value? (5)
Improves: 1. the quality and reduces the costs of products or services 2. efficiency 3. sharing of knowledge 4. the efficiency and effectiveness of its supply chain 5. the internal control structure 6. decision making
Corrective Controls
Identify and correct problems as well as correct and recover from the resulting errors
Data Fraud
Illegally using, copying, browsing, searching or harming company data constitutes data fraud. The biggest cause of data breach is employee negligence.
Document Flowcharts
Illustrates the flow of documents and data among areas of responsibility within an organization
Document Flow Chart
Illustrates the flow of documents through an organisation
Insert anomaly
Improper database organization that results in the inability to add records to a database
Update anomaly
Improper database organization where a non-primary key item is stored multiple times
C: Master file.
In a computer-based system, the equivalent of a subsidiary ledger is a A: Transaction file. B: Archive file. C: Master file. D: Reference file.
C: Transfer balances in temporary accounts to retained earnings.
In the accounting cycle, closing journal entries: A: Identify and record all liabilities, revenues, and expenses at the end of the fiscal year. B: Ensure the matching of revenue and expenses by period. C: Transfer balances in temporary accounts to retained earnings. D: Lessen the likelihood of deceptive manual journal entries.
revenue cycle
In which cycle does a company ship goods to customers?
technical controls
Include data encryption, access control software and passwords, transaction logging reports, range and reasonableness checks on transaction amounts, control totals
ISASs
Information systems auditing standards provide guidelines for conducting an IS/IT audit (issued by ISACA)
Systems Analysis
Initial investigation, systems survey, feasibility survey, information needs and requirements, systems analysis report
What aspects does a simple information system have?
Input, processing, storage, and output.
Enterprise Systems
Integrate business processes
What did COSO issue in 1992?
Internal Control-Integrated Framework (IC) which is widely accepted as the authority on internal controls and is incorporated into policies, rules, and regulations used to control business activities
D: Monitoring.
Internal auditors at Henry Flower's Flower Shop are undertaking a comprehensive review to determine if the company has complied with privacy regulations regarding customer data. In the COBIT model, this is best classified as an example of A: Planning and Organization. B: Acquisition and Implementation. C: Delivery and Support. D: Monitoring.
implementation phase of SDLC
Involves placing the system into production so users can begin to perform actual business operations with it
The Revenue Cycle
Involves processing cash sales, credit sales, and the receipt of cash following a credit sale. It has a physical and a financial component, which are processed separately: Sales Order Processing and Cash Receipts.
Security controls in wireless networks
These include, but are not limited to: assigning roles and responsibilities, creating policies and procedures, and conducting risk assessments on a regular basis.
Corporate Governance
It is a set of processes and policies for managing an organization with sound ethics to safeguard the interests of its stakeholders. It promotes accountability, fairness, and transparency in the organization's relationship with its stakeholders.
C: Predictive and usually quantitative.
Key risk indicators are A: Indicators of internal control quality. B: Substantively equivalent to KPIs. C: Predictive and usually quantitative. D: Used primarily by risk-aware, risk-averse entities.
Value chain
Linking together of all of the primary and support activities in a business
Value Chain
Linking together of all the primary and support activities in a business. Value is added as a product passes through the chain.
Advantages of Outsourcing
Lower costs; less development time; elimination of peaks-and-valleys usage; facilitation of downsizing; asset utilization; a business solution
c. parity checks
Many techniques exist to reduce the likelihood and effects of data communication hardware failure. One of these is a. hardware access procedures b. antivirus software c. parity checks d. data encryption
What is a centralized data processing model?
Model under which all data processing is performed by one or more large computers, housed at a central site, that serve users throughout the organization.
Documentation
Narratives, flowcharts, diagrams, and other written materials that explain how a system works
Plaintext
Normal text that has not been encrypted
original equipment manufacturers
OEM
procure to payment
P2P
Lockbox
Postal address to which customers send their remittances
Cycle billing
Producing monthly statements for subsets of customers at different times
quote to cash
Q2C
B: Receivables billing.
RFID tagging is most helpful to A: Cash collections. B: Receivables billing. C: Shipping. D: Bank reconciliations.
What is the supply chain?
Refers to the flow of materials, information, payments, and services from suppliers through to the customer.
Traits of Useful Information
Relevant, reliable, complete, timely, understandable, verifiable, accessible
War Dialing
Searching for an idle modem (rogue) by programming a computer to dial thousands of phone lines
Symmetric Key Encryption
Sender and receiver use single, shared key
Segregation of Duties
Separation of employee duties to minimize incompatible functions. Example: separating transaction authorization and processing, separating asset custody and record keeping.
Database
Set of interrelated files
Gantt Chart
Shows an entire schedule for a complex project
DFD Diagram
Shows inputs and outputs into a system
PERT Chart
Shows project activities that require expenditure of time
Spamming
Simultaneously sending the same unsolicited message to many people, often in an attempt to sell them something
What is the fraud triangle?
Situational pressure, opportunity, and ethics.
DNS Spoofing
Sniffing the ID of a Domain Name System (DNS) request and replying before the real DNS server does
Intrusion Prevention Systems (IPS)
Software or hardware that monitors patterns in the traffic flow to identify and automatically block attacks
Canned Software
Software readily available from a store
Customer relationship management (CRM) systems
Software that organizes information about customers in a manner that facilitates efficient and personalized service
Splog
Spam blogs created to increase a website's Google PageRank, which is how often a webpage is referenced by other webpages
Four categories of objective settings for internal controls are:
Strategic, operations, reporting, compliance
Report
System output, organized in a meaningful fashion, that is used by employees to control operational activities, by managers to make decisions and design strategies, and by investors and creditors to understand a company's business activities.
How does carter classify computer crimes?
Taxonomy: a crime fits at least one of four categories (and may fit more): target, instrumentality, incidental, associated
Direct Conversion
Terminates old AIS when new one is introduced
What is the most significant contributing factor in most misappropriations?
The absence of internal controls and/or the failure to enforce existing controls
Rationalization
The excuse that fraud perpetrators use to justify their illegal behavior
D: Funds, raw materials
The financing cycle contributes ___________ to the expenditure cycle, which contributes _____________ to the production cycle. A: Revenue, expenditures B: Raw materials, finished products C: Labor, raw materials D: Funds, raw materials
Change Controls and Control Management
The formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability
management are required to certify their internal control system
The importance to the accounting profession of the Sarbanes-Oxley Act is that A. bribery will be eliminated B. management will not override the company's internal controls C. management are required to certify their internal control system D. firms will not be exposed to lawsuits
Black box
The information contained on the outside (input, output)
Business process or transaction cycles
The major give-get exchanges that occur frequently in most companies
Credit limit
The maximum allowable credit account balance for each customer, based on past credit history and ability to pay
B: Sales invoice.
The most important document in the billing process is the A: Picking ticket. B: Sales invoice. C: Packing slip. D: Bill of lading.
Data Flow
The movement of data among processes, stores, sources, and destinations
Conceptual-level schema
The organization-wide view of the entire database that lists all data elements and the relationship between them
C: Data control clerk.
The position responsible for managing the flow of documents and reports in and out of the computer operations department is the A: Data entry clerk. B: Computer operator. C: Data control clerk. D: File librarian.
What is a value chain?
The primary activities (Inbound > Operations > Outbound > Marketing > Service)
A: Internal auditors; external auditors
The primary target audience of COBIT includes ___________ while the primary target audience of COSO includes __________________. A: Internal auditors; external auditors B: Board of directors; management C: Board of directors; external auditors D: Management; internal auditors
Log Analysis
The process of examining logs to identify evidence of possible attacks
Internal controls
The processes implemented to provide reasonable assurance for control objectives
Residual Risk
The risk that remains after management implements internal controls or some other response to risk
Input Fraud
The simplest and most common way to commit a computer fraud is to alter or falsify computer input
Inherent Risk
The susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control
Inherent Risk
The susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control; a risk that exists before internal controls are instated
Fraud Triangle
The three conditions that exist for the occurrence of a fraud: 1) incentive, or the reason to commit fraud; 2) opportunity for the fraud to be perpetrated; 3) rationalization, or the attitude that enables the individuals committing the fraud to justify it
Electronic funds transfer (EFT)
The transfer of funds through use of online banking software
A: Unauthorized payment of invoices.
The use of a voucher system helps control A: Unauthorized payment of invoices. B: Unauthorized orders of goods. C: The use of unauthorized vendors. D: Underpayments to suppliers.
Predictive analysis
The use of data warehouses and complex algorithms to forecast future events, based on historical trends and calculated probabilities
Components of internal controls
The 8 components of internal control are: internal environment, event identification, risk assessment, risk response, control activities, information and communication, monitoring.
Segregation of accounting duties
This process effectively segregates the authorization function from custody and recording.
Controls for Processing Integrity - Output
Threats/risks: use of inaccurate or incomplete reports; unauthorized disclosure of sensitive information; loss, alteration, or disclosure of information in transit. Controls: reviews and reconciliations, encryption and access controls, parity checks, message acknowledgement techniques
Controls for Processing Integrity - Input
Threats/risks: data that is invalid, unauthorized, incomplete, or inaccurate. Controls: forms design, cancellation and storage of documents, authorization and segregation of duties controls, visual scanning, data entry controls
What is a characteristic of the flat-file approach to data management?
"Users own the data files." Exclusive data ownership is a characteristic of the flat-file system.
Virtual Private Network (VPN)
Using encryption and authentication to securely transfer information over the Internet, thereby creating a "virtual" private network.
Primary activities
Value chain activities that produce, market, and deliver products and services to customers and provide post-delivery service and support
Authentication
Verifying the identity of the person or device attempting to access the system
Data warehouse
Very large database containing detailed and summarized data for a number of years that are used for analysis rather than transaction processing
Three V's of Big Data
Volume, Variety, Velocity
specific types of big data
Web and social media; machine-to-machine; big transaction; biometric; human-generated
Goal congruence
When a subsystem achieves its goals while contributing to the organization's overall goals
the test transactions
When analyzing the results of the test data method, the auditor would spend the least amount of time reviewing a. the test transactions b. error reports c. updated master files d. output reports
Buffer Overflow Attack
When the amount of data entered into a program is greater than the amount of the input buffer. The input overflow overwrites the next computer instruction, causing the system to crash. Hackers exploit this by crafting the input so that the overflow contains code that tells the computer what to do next. This code could open a back door into the system.
B: Hypocrisy (i.e., when management says one thing and does another)
Which of the following is an important threat to accountability in an organization's ERM practices? A: Excessive communication B: Hypocrisy (i.e., when management says one thing and does another) C: Escalation D: Deviations
What is a WAN?
Wide area network - covers a large geographic region, such as the Eastern Seaboard
Narrative Description
Written, step-by-step explanation of system components and how they interact
field
a customer name would be a: database, file, field, record
decision
a decision-making step
which type of AIS output is a gross margin analysis by product line?
a report
what is inherent risk?
a risk that exists before internal controls are instated
Database
a set of interrelated, centrally coordinated data files that are stored with as little data redundancy as possible.
sign check
a specific inventory record indicates that there are twelve items on hand and a customer purchased two of them. when recording the order,the data entry clerk mistakenly entered twenty items sold. Which check would detect this order? A. numeric/alphabetic data check B. sign check C. sequence check D. range check
which two tools are project development and acquisition controls?
a strategic master plan; system performance measurements
Implementation Plan
a written plan showing how the new system will be implemented; specifies when the project should be complete and the IS operational, including a completion timetable, cost estimates, task milestones, and who is responsible for each activity
7-11. a database is in third normal form (3NF) if it is second normal form and
a. all the data attributes in a record are well defined b. all the data attributes in a record depend upon a record key c. the data contain no transitive dependencies * d. the data can be stored in two or more separate tables
12-8. In selecting a new AIS, a company's management should:
a. always hire a consultant b. always consult with your accountant during the decision process * c. never rely on your accountant for help in this decision d. always use an Internet software service to make the decision
4-2. Data transcription is best described as:
a. an efficient process b. always necessary in AISs *c. labor intensive and time consuming d. an important way to limit fraud and embezzlement
8-3. An example of a validation rule is:
a. an input value must be an integer b. an input value must also have a default value c. an input value must be between 0 and 40 * d. you cannot delete parent records that have child records associated with them
14-8. A __________ is a security appliance that runs behind a firewall and allows remote users to access entity resources by using wireless, hand held devices.
a. data encryption b. WAN c. checkpoint d. VPN *
The purpose of a checkpoint procedure is to facilitate restarting after a. data processing errors b. data input errors c. the failure to have all input data ready on time d. computer operator intervention e. none of the above
a. data processing errors
What is clean data?
accurate, uniform data in a software system
database management system (DBMS)
achieves data independence by interposing itself between the database and the users of the data; acts as the interface between the database and various application programs ("data warehouses")
Outbound Logistics
activities distribute finished products or services to customers
marketing and sales
activities help customers buy the organization's products or services
human resources
activities include recruiting, hiring, training, and compensating employees
efficient, data integrity (errors can be avoided), integrated, independent
advantages to using databases
What is text mining?
algorithms used to search non-numeric data
macro
are data flow diagrams more on the macro or micro level?
data flows
arrows e.g. deposit slips; remittance advice; checks
segregation of duties
authorization, recording, custody
Block Code
blocks of numbers are reserved for specific categories of data.
What is B2B?
business sells to business
What is B2C?
business sells to customer
databases are formed
by a set of interrelated files forms
how does an audit trail work in an AIS?
by capturing a transaction's path through the data processing system
a patio furniture store uses its AIS to allow salespeople to check the inventory level of an item at the main warehouse. how does this functionality add value to the patio furniture store?
by improving knowledge sharing
which is the most important, basic, and effective control to deter fraud? a) enforced vacations b) logical access control c) segregation of duties d) virus protection controls
c) segregation of duties
techniques used to obtain confidential info, often by tricking people, are referred to as what? a) pretexting b) posing c) social engineering d) identity theft
c) social engineering
what type of software secretly collects personal info about users & sends it to someone else w/o the user's permission? a) rootkit b) torpedo software c) spyware d) malware
c) spyware
What is a file or table?
collection of records that relate to each other
Carter's Taxonomy - instrumentality
computer furthers a criminal end
corrective controls
controls that ID and correct problems as well as correct and recover from the resulting errors
Information
data that has been organized and processed to provide meaning and improve decision making process
Primary Key
database attribute, or combination of attributes, that uniquely identifies each row in a table (in attached table - combination of sales invoice # and Item #)
What is a DBMS?
database management system
Taxonomy
defines and describes each key data element (total assets, accounts payable, net income); a way to organize knowledge; a set of tags
DBMS languages
definition, manipulation, query
delete anomaly
deleting one transaction may remove information about a customer
system flowchart
depicts the relationships among system input, processing, storage, and output
Internal controls related to XBRL - risk of hardware and software failure
disaster recovery plan; physical security; uninterruptible/back-up power supplies
which threat applies to the HRM/Payroll cycle?
disclosing confidential salary information
Detective Controls
discover problems that haven't been prevented
data stores
double lines e.g. files
which is NOT one of the tangible or intangible benefits a company might obtain from a new system? a) cost savings b) improved customer service & productivity c) improved decision making d) improved data processing e) all are benefits of a new system
e) all are benefits of a new system
300
equity
Data
facts that are collected, recorded, stored, and processed by an information system
What is the Extranet?
gives access to company's network to suppliers, customers, etc. (target example)
data flow diagram
graphical description of data sources, data flows, transformation processes, data storage, and data destinations; shows data flow in a system; difference in timing
the percentage of gross profit
gross margin
What is a Mnemonic codes?
helps the user remember what they represent (like S, M, L, and XL on clothing)
physical view
how and where the data is physically arranged and stored in the computer system
risk assessment
how to manage? effect on achieving objectives?
logical view
how user/programmer conceptually organizes/understands the data
information & communication
identified, captured, and communicated so employees can fulfill their responsibilities
what does an attacker do when scanning and mapping a target IS?
identifies computers that can be accessed remotely
What is data analysis?
identify relationships between data pieces
Extensible
if a particular concept does not already exist in a public taxonomy there is the ability to add to or change the elements to meet the company's needs; called extending the taxonomy. allows users to create new tags as the need arises; never finished
sabotage
intent to destroy a system or some of its components
fraudulent financial statement reporting
intentional/reckless conduct, whether by act/omission results in materially misstated financial statements
Internal controls related to XBRL - risk of inappropriate/missing authorizations
internal audit review of selected transactions; periodic user training; up-to-date procedures manuals
Analysis Phase of SDLC
involves a complete, detailed analysis of the systems needs of the end user. The analysis phase further refines the goals of the project into carefully specified functions and operations of the intended system
firm infrastructure
is the accounting, finance, legal, and general administration activities that allow an organization to function
200
liabilities
what is the value chain?
links together the different activities within an organization that provide value to the customer.
Physical Internal Controls
locks, security guards, badges, alarms
which two security controls detect intrusions?
log analysis; security testing
schema
logical structure of the database (conceptual, external, internal)
Digital Signature
message digest of a document that is encrypted using the document creator's private key; ensures data integrity
objective setting
management process to formulate strategic, operations, reporting, and compliance objectives to support the mission and tolerance for risk
types of fraud
misappropriation of assets; fraudulent financial reporting
conceptual-level schema
organization-wide view of entire database
FC storage symbols
parallelogram = general ledger; cylinder = customer inventory; filed by date, number, or logic = upside-down triangle
a company has a procedure that installs updates to all of its security programs and operating systems on a monthly basis. which type of corrective control does this scenario describe?
patch management
Internal controls related to XBRL - risk of inappropriate taxonomies
periodic review and approval; centralized approval process; authorizations for tagging and taxonomy selection
easy to visualize and understand, reveal control weakness
positives of flowcharts:
quick to complete, give details and clarification
positives of narratives:
exposure/impact
potential dollar loss should a particular event become a reality
internal controls
processes/procedures implemented to provide reasonable assurance that control objectives are met; prevent, detect, correct
Internal controls provide ____ assurance.
reasonable; because complete assurance is expensive and difficult to achieve
QuickBooks internal controls
reconciliation; data validation; validity check; reports (e.g. audit trail); user accounts; predetermined numbers (e.g. checks); matching (PO to bill)
What is a purchases journal?
records of credit purchase transactions
What is a sales journal?
records of credit sale transactions
What is a cash disbursements journal?
records of transactions in which cash is paid
disadvantages of one uniform table
redundancy; insert, update, and delete anomalies
What is a record?
relates fields of information
data independence
separation of data from the program applications that access and process data
What are block codes?
sequential codes in which blocks of numbers are reserved for a certain purpose
What are Sequence codes?
sequential set of numbers used to identify customer accounts, payroll checks, sales invoices, etc.
output
stolen, copied, misused
What is data storage?
stores pieces of data collected in an organized fashion
contextual diagram
summary-level view of the system
web crawler
systematically browsing the world wide web to collect information
which task do IS auditors perform when they audit transaction processing?
testing the accuracy of data edit routines
cookies
text file created by web site and stored on visitor's hard drive to store information about who the user is and what the user has done
What is data extraction and transfer?
the ability to find the data needed and prepare it for analysis
Entity
the item about which information is stored in a record. Examples: employee, inventory item, a customer
Systems Implementation
the process of installing hardware and software and getting the IS up and running
Human Resources Management (HRM)/ Payroll Cycle
the recurring set of business activities and data processing operations associated with effectively managing the employee workforce.
Specification
the relationship between XBRL and XML. XBRL is one specific item in a family of languages called XML
why is system documentation created?
to help during transitions of IT employees
What is the purpose of a coding system?
to identify individual accounts and transactions as well as to classify account types
what is one purpose of the COBIT framework?
to provide assurance that data produced by an IS is reliable
Outsourcing
transferring portions of work to outside suppliers
relational data model
two-dimensional table representation of data; each row represents a unique entity (record) and columns are field attributes; cardinality!
verifiable
two independent, knowledgeable people produce the same information
data flow diagrams, business process diagrams, flowcharts
types of diagramming:
processor
unauthorized systems: 1) using, copying, browsing, searching, harming; 2) changing, damaging, destroying, defacing
what is identity theft?
unauthorized use of someone's personal information for the perpetrator's benefit
7. Define spam.
unsolicited e-mail that contains either advertising or offensive content
FC processing symbols
upside-down trapezoid = manual process; square = computer; label with capital letters and list at bottom
DQL
used to interrogate; retrieves, sorts, orders, presents subsets in response to user queries
Data Warehouse
very large databases containing detailed and summarized data for a number of years that are used for analysis rather than transaction processing.
which threat to the payroll process applies to the disbursement of payroll?
wages being issued to a fictitious employee
expenditure cycle (procedure cycle)
what cycle is P2P in?
revenue cycle
what cycle is Q2C in?
Group Codes
which are two or more subgroups of digits used to code items, are often used in conjunction with block codes.
Flowchart
which is a graphical description of a system. There are several types of flow charts
purchasing
which of the following is a support activity in the value chain: purchasing, manufacturing, post-sales service, receiving materials
What is a UPS?
Uninterruptible Power Supply
System output controls
User Reviews, Reconciliation, Data transmission controls, check sums, parity checking
Semantic data modeling
Using knowledge of business processes and information needs to create a diagram that shows what to include in a fully normalized database
Supervision
Which of the following is often called a compensating control? A. Transaction B. Supervision C. Accounting Records D. Segregation of Duties
10-6. which of the following source documents is common to both the sales and the purchasing processes?
a. cash receipts forecast and cash requirements forecasts b. financial statement information * c. discrepancy reports and bad debt reports d. none of the above
all inventory records
which of the following would be identified as a file: a customer's name, data about one customer, all inventory records, data about one inventory item
Authorization controls are often implemented by creating an...
access control matrix
Marketing and Sales
activities help customers buy the organization's products or services
purchasing
activities procure raw materials, supplies, machinery, and the buildings used to carry out the primary activities
which would most likely be a PRIMARY key? a) supplier name b) supplier number c) supplier zip code d) supplier acct balance
b) supplier number
kiting
creating cash using the lag between the time a check is deposited and the time it clears the bank; alteration or issuance of a check with insufficient funds (money is used to approve loans)
What is an access point?
device that connects wireless communication devices together to form a network
Defense-in-Depth
employing multiple layers of controls to avoid a single point-of-failure
Technical Internal Controls
firewalls, intrusion detection, access controls, cryptography, anti-virus software
reliable
free from error or bias; accurately represents organization events or activities
AIS
set of interrelated activities, documents, and technologies designed to collect data (input), process it, and report information (output). Also, systems include storage and internal controls
file
set of logically related records
Specialized journal v general journal
specialized journals - A journal used to record a large number of repetitive transactions such as credit sales, cash receipts, purchases, and cash disbursements. general journal - A journal used to record infrequent or nonroutine transactions, such as loan payments and end-of-period adjusting and closing entries.
What is an algorithm?
step-by-step process for solving a problem
Accounting Information Systems (AIS)
system collects, records, stores, and processes data to produce information for decision makers (transforms data into information and provides adequate controls). Consists of: people (who use the system), processes, technology, and controls to safeguard information.
which events are part of the revenue cycle?
taking orders from customers, shipping FG, and depositing payments in the bank
white-collar criminals
usually business people who resort to trickery or cunning to violate trust or confidence
when you want to buy something
when do you send out a purchase order?
Expenditure Cycle
where companies purchase inventory for resale or raw materials to use in producing products in exchange for cash or a future promise to pay cash
What is the outcome of a formal and well-controlled systems development process?
"Accounting information systems applications that are free from internal control weaknesses." A materially flawed financial application can corrupt financial data, which may then be incorrectly reported in financial statements.
The major difference between the financial reporting system (FRS) and the management reporting system (MRS) is the
"FRS provides information to external users; the MRS provides information to internal users." The FRS produces the financial statements as required by law. The MRS provides information to management for decision making such as budgets, forecasts, customer orders.
Five Components of Internal Control Model
- Control environment - Risk assessment - Control activities - Information and communication - Monitoring
Legally, for an act to be fraudulent, there must be:
1 A false statement, representation or disclosure 2 A material fact 3 An intent to deceive 4 A justifiable reliance 5 An injury or loss
What are the five components of the COSO Internal Control Model?
1 Control Environment 2 Risk Assessment 3 Control Activities 4 Information and Communication 5 Monitoring
Four operations of Data Processing Cycle
1 Data Input 2 Data Storage 3 Data Processing 4 Information Output *Users are also involved in entire process
The Treadway Commission recommended what four actions to reduce fraudulent financial reporting:
1 Establish an organizational environment that contributes to the integrity of the financial reporting process 2 Identify and understand the factors that lead to fraudulent financial reporting 3 Assess the risk of fraudulent financial reporting within the company 4 Design and implement internal controls to provide reasonable assurance of preventing fraudulent financial reporting
Characteristics of Useful Information
1 Relevant 2 Reliable 3 Complete 4 Timely 5 Understandable 6 Verifiable 7 Accessible
What are the five major transaction cycles?
1. Revenue Cycle 2. Expenditure Cycle 3. Production/Conversion Cycle 4. HRM/Payroll Cycle 5. Financing Cycle
Internal Controls
1. Segregation of Duties 2. Transaction Authorization 3. Accounting Process 4. Access Controls 5. Independent Verification 6. Supervision
Support activities of the value chain? (4)
1. firm infrastructure (accounting, finance, legal and general administration activities) 2. Human Resources 3. Technology 4. Purchasing
Expenditure Cycle
A recurring set of business activities and related data processing operations associated with the purchase of and payment for goods and services.
Query
A request for the database to provide the information needed to deal with a problem or answer a question. The information is retrieved, displayed or printed, and/or analyzed as requested.
Batch Processing
Accumulating transaction records into groups or batches for processing at a regular interval such as daily or weekly. The records are usually sorted into some sequence (such as numerically or alphabetically) before processing.
Batch Processing
Accumulating transaction records into groups or batches for processing at a regular interval such as daily or weekly
Financing cycle
Activities associated with raising money by selling shares in the company to investors and borrowing money as well as paying dividends and interest
Operations
Activities that transform inputs into final products or services
Certificate Authority
An organization that issues public and private keys and records the public key in a digital certificate
Operating systems
Application, disk drive, mouse, printer, keyboard, monitor.
4. Which statement is correct? a. compiled programs are very susceptible to unauthorized modification b. the source program library stores application programs in source code form c. modifications are made to programs in machine code language d. the source program library management system increases operating efficiency
B
who inspects fraud?
Certified Fraud Examiners (from the ACFE)
C: Public Company Accounting Oversight Board (PCAOB)
Copyright © 2017 by the American Institute of Certified Public Accountants, Inc., is reprinted and/or adapted with permission. Which of the following organizations was established by the Sarbanes-Oxley Act of 2002 to control the auditing profession? A: Information Systems Audit and Control Foundation (ISACF) B: IT Governance Institute (ITGI) C: Public Company Accounting Oversight Board (PCAOB) D: Committee of Sponsoring Organizations (COSO)
A: Governance and Culture
BigWig Costume Rentals recently implemented an initiative to attract and retain web programmers and systems analysts as a part of its expanded web development to support online sales. This initiative most likely occurs as a part of which component in the ERM framework? A: Governance and Culture B: Performance C: Strategy and Objective-Setting D: Information, Communication, and Reporting
10. Which statement is not correct? The goal of batch controls is to ensure that during processing a. transactions are not omitted b. transactions are not added c. transactions are free from clerical errors d. an audit trail is created
C
18. Which check is not an input control? a. reasonableness check b. validity check. c. spooling check d. missing data check
C
What are order entry, manufacturing, procurement, accounts payable, payroll, and human resources examples of?
"Key processes of an organization." Key processes of the organization include order entry, manufacturing, procurement, accounts payable, payroll, and human resources.
Which type of system would an organization purchase if it is looking for a commercial system that is developed and maintained by a provider?
"Vendor-supported system." A vendor-supported system is a system that a vendor develops and maintains for a client organization.
Schema
A description of the data elements in a database, the relationships among them, and the logical model used to organize and describe the data
b. derived from the digest of a document that has been encrypted with the sender's private key
A digital signature is a. the encrypted mathematical value of the message sender's name b. derived from the digest of a document that has been encrypted with the sender's private key c. the computed digest of the sender's digital certificate d. allows digital messages to be sent over analog telephone lines
Back order
A document authorizing the purchase or production of items that is created when there is insufficient inventory to meet customer orders
Sales invoice
A document notifying customers of the amount of a sale and where to send payment
Credit memo
A document, approved by the credit manager, authorizing the billing department to credit a customer's account
What is a flat-file structure?
A file structure that does not support the integration of data. Describes an environment in which individual data files are not related to other files.
General Ledger
A ledger that contains summary-level data for every asset, liability, equity, revenue, and expense account of the organization.
Chart of Accounts
A listing of all the numbers assigned to balance sheet and income statement accounts. The account numbers allow transaction data to be coded, classified, and entered into the proper accounts. They also facilitate financial statement and report preparation.
A: Preventive.
An organization relied heavily on e-commerce for its transactions. Evidence of the organization's security awareness manual would be an example of which of the following types of controls? A: Preventive. B: Detective. C: Corrective. D: Compliance.
A: Data definition language.
An overall description of a database, including the names of data elements, their characteristics, and their relationship to one another, would be defined by using a A: Data definition language. B: Data control language. C: Data manipulation language. D: Data command interpreter language.
System
A set of two or more interrelated components that interact to achieve a goal
Encryption
A standard method for encoding data; a preventive control providing confidentiality and privacy for data transmission and storage
Intrusion Detection Systems (IDS)
A system that creates logs of all network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions
Control Activities (Def)
Policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out.
Cardinalities
Describe the nature of relationships between entities
General ledger and reporting system
Information-processing operations involved in updating the general ledger and preparing reports for both management and external parties
IIA
Institute of Internal Auditors; its guidance covers audit tools and other data analysis techniques used when conducting internal audits.
4 Basic Expenditure Cycle Activities
1. Ordering materials, supplies, and services 2. Receiving materials, supplies, and services 3. Approving supplier invoices 4. Cash disbursements
Performing a comprehensive fraud risk assessment
Overland Stage and Transport uses a fraud risk assessment heat map that charts the significance (on the vertical axis) and the likelihood (on the horizontal axis) of frauds as a part of its fraud risk management program. The company's use of a fraud risk heat map best relates to which of the following activities? A: Establishing a fraud risk management program B: Selecting, developing, and deploying fraud controls C: Selecting, developing, and deploying evaluation and monitoring processes D: Performing a comprehensive fraud risk assessment
Inherent Risk
The susceptibility of a set of accounts or transactions to significant control problems in the absence of internal controls. It is a risk that exists before internal controls are instated.
Encryption is a preventive control that can be used to protect both _____ & _____
confidentiality, privacy
What is Intranet?
connects separate LANs within a company, often using the Internet
What is a field?
one piece of information
D: Cost effective.
Today organizations are using microcomputers for data presentation because microcomputer use, compared to mainframe use, is more A: Controllable. B: Conducive to data integrity. C: Reliable. D: Cost effective.
True or False? The task of creating meaningful test data is time-consuming.
True
Internal Control Flowchart
Used to describe, analyze, evaluate internal controls, including identifying system strengths, weaknesses, and inefficiencies.
What is shadow data?
Data tracked outside the official accounting system (e.g., vacation days)
Primary Activities in the Value Chain
Value chain activities that produce, market, and deliver products and services to customers and provide post-delivery service and support 1. Inbound logistics 2. Operations 3. Outbound logistics 4. Marketing and sales 5. Service
electronic data entry
Electronic data entry device such as a computer, terminal, tablet, or phone
B: Self.
Jim is responsible for setting system access parameters in Kentucky Fried Opossums' ERP system. Each month, he reviews any issues related to setting access parameters and writes a report about them. This type of monitoring is: A: Continuous. B: Self. C: Oversight. D: Supervisory.
What are the components of an accounting information system?
People, procedures and instructions, data, software, information technology infrastructure and internal controls.
General controls
Make sure an organization's information system and control environment are stable and well managed
E-Mail Spoofing
Making a sender address and other parts of an e-mail header appear as though the e-mail originated from a different source
Compatibility Test
Matching the user's authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource
Which list shows the details of vendor shipments and expected receipts of products and components needed for an order?
"Materials requirements list." The materials requirements list shows the details of vendor shipments and expected receipts of products and components needed for the order.
Security Controls that prevent threats from occurring
People: creating a "security-aware" culture; training. Processes: user access controls (authentication and authorization). IT solutions: anti-malware; network access controls (firewalls, intrusion prevention systems, etc.); device and software hardening (configuration controls); encryption. Physical security: access controls (locks, guards, etc.). Change controls and change management.
Understandable
Presented in a useful and intelligible format
The Fraud Triangle
Pressure, Opportunity and Rationalization (POR)
inbound logistics, operations, outbound logistics, marketing and sales, service
Primary activities of the value chain
Information
Processed data used in decision making
Which test is used to determine that an application creates an adequate audit trail?
"Recording all transactions." Audit trail tests include obtaining evidence that the application records all transactions.
Turnaround documents
Records of company data sent to an external party and then returned to the system as input. For example, a utility bill is sent to a customer, who then returns the bill with payment.
Turnaround document
Records of company data sent to an external party and then returned to the system as input. Turnaround documents are in machine-readable form to facilitate their subsequent processing as input records. An example is a utility bill.
Relevant
Reduces uncertainty, improves decision making, or confirms or corrects prior expectations
True or False? Rounding errors are an opportunity for fraud.
True
Verifiable Information
Two independent, knowledgeable people produce the same information.
Group Code
Two or more subgroups of digits that are used to code an item. A group code is often used in conjunction with a block code.
Spam
Unsolicited e-mail that contains either advertising or offensive content
Transaction found under the Revenue cycle
Update credit rating, sales, ship inventory, invoice customer.
Transaction found under Hr/Payroll
Update employee master data, employee time tracking, create tax slips, government reporting, calculate employee payroll.
What is lapping?
Use of customer checks, received in payment of their accounts, to conceal cash previously stolen by an employee.
Dictionary Attack
Using special software to guess company e-mail addresses and send them blank e-mail messages. Un-returned messages are usually valid e-mail addresses that can be added to spammer e-mail lists
C: Skills inventory report.
What document is useful in determining which employee should be assigned a new job duty? A: U.S. form 941. B: Workforce inventory. C: Skills inventory report. D: Cumulative earnings register.
TRUE or FALSE - A DFD consists of the following 4 basic elements: data sources & destination, data flows, transformation processes, & data stores. Each is represented on a DFD by a different symbol
TRUE
Log Analysis
The process of examining logs to identify the evidence of possible attacks
Patch Management
The process of regularly applying patches and updates to software
Address Resolution Protocol (ARP) Spoofing
Sending fake ARP messages to an Ethernet LAN. ARP is a computer networking protocol for determining a network host's hardware address when only its IP or network address is known
Information Rights Management (IRM)
Software that offers the capability not only to limit access to specific files or documents, but also to specify the actions (read, copy, print, download, etc.) that individuals who are granted access to that resource can perform. Some IRM software even has the capability to limit access privileges to a specific period of time and to remotely erase protected files.
Data Loss Prevention (DLP)
Software which works like antivirus programs in reverse, blocking outgoing messages (e-mail, instant messages, etc.) that contain key words or phrases associated with intellectual property or other sensitive data the organization wants to protect
Control Account
Title given to a general ledger account that summarizes the total amounts recorded in a subsidiary ledger
expenditure cycle
Which transaction cycle includes interactions between an organization and its suppliers: Revenue cycle, expenditure cycle, human resources/payroll cycle, General ledger and report system?
C: Revenue, financing
Which two cycles receive (get) cash? A: Expenditure, production B: Production, HR C: Revenue, financing D: Revenue, expenditure
how are data sources & destinations represented in a data flow diagram? a) square b) curved arrow c) circle d) 2 parallel lines e) none of the above
a) square
What is an example of a payroll system information technology (IT) control?
"Direct deposit." Direct deposit is an example of an IT control.
How an AIS can add value to an organization
1) improving the quality and reducing the costs of products or services 2) improving efficiency 3) sharing knowledge 4) improving the efficiency and effectiveness of its supply chain 5) improving the internal control structure 6) improving decision making
Six Components of an AIS
1) the people who use the system 2) the procedures and instructions used to collect, process, and store data 3) the data about the organization and its business activities 4) the software used to process the data 5) the information technology infrastructure, including the computers, peripheral devices, and network communications devices used in the AIS 6) the internal controls and security measures that safeguard AIS data
Enterprise Risk Management - Integrated Framework (ERM)
A COSO framework that improves the risk management process by expanding COSO's Internal Control—Integrated Framework (it adds three additional elements)
What are check digits?
A control digit (or digits) that is added to the data code when it is originally assigned. This allows the integrity of the code to be established during subsequent processing.
Remittance advice
A copy of the sales invoice returned with a customer's payment that indicates the invoices, statements, or other items being paid
post-sales service
Which of the following is a primary activity in the value chain: Purchasing, Accounting, Post-sales service, human resource management?
Deep Packet Inspection
A process that examines the data in the body of a TCP packet to control traffic, rather than looking only at the information in the IP and TCP headers
What is a balance sheet and what is the proper dating?
A statement of the assets, liabilities, and capital of a business or other organization at a particular point in time. The proper dating contains a specific date, rather than for a reporting range.
Prevention of employee collusion to commit fraud
Which of the following benefits is least likely to result from a system of internal controls? A. Reduction of cost of an external unit B. Prevention of employee collusion to commit fraud C. Availability of reliable data for decision making purposes D. Some assurance of compliance with the Foreign Corrupt Practices Act of 1977 E. Some assurance that important documents and records are protected
9-9. which of these is not a typical part of a printed report using access
a. report header b. report footer c. navigation bar * d. detail line
which is an individual user's view of the database? a) conceptual-level schema b) external-level schema c) internal-level schema d) logical-level schema
b) external-level schema
6-2. The feasibility evaluation:
a. is completed prior to detailed systems design b. includes economic, schedule, technical, legal, and operational feasibility *c. both a & b are true d. neither a nor b is true
13-13. segregation of duties is a fundamental concept in an effective system of internal control. But, the internal auditor must be aware that this safeguard can be compromised through:
a. lack of training of employees b. collusion among employees * c. irregular employee reviews d. absence of internal auditing
12-5. which of the following is a distinguishing characteristic of an enterprise-wide (ERP) system?
a. must be a hosted solution b. multiple databases c. integration of business functions * d. low cost
8-9. the difference between (1) using an update query and (2) updating a single record is:
a. nothing - same thing b. the first updates all selected records, the second only affects one record * c. the first updates more than one table, the second updates only one record d. none of these is correct
9-7. which of these best identifies the underlying data source for an Access report?
a. only tables b. only queries c. both tables and queries * d. tables, queries, and forms
An integrated group of programs that supports the applications and facilitates their access to specified resources is called a(n) a. operating system b. database management system c. utility system d. facility system e. none of the above
a. operating system
10-3. AIS reports should be consistent in at least three ways. Which of the following is NOT one of those ways?
a. over time b. across firms * c. across departmental or divisional levels d. with general accounting practice
Which of the following disaster recovery techniques may be least optimal in the case of a widespread natural disaster? a. Empty shell b. Internally provided backup c. ROC d. They are all equally beneficial
c. ROC
5-4. document flowcharts would not be able to represent:
a. the flow of information when ordering office supplies b. the flow of information when hiring new employees c. the flow of info when creating orders for new magazine subs. *d. the logic in performing payroll processing
monitoring
ongoing basis for modification
the internal-level schema provides a high-level view of the database
which of the following statements is false: the data dictionary contains information about the structure of the database, the internal-level schema provides a high-level view of the database, the DDL is used to build the data dictionary, the conceptual-level schema is the organization-wide view of the entire database
Document Flowchart
Shows the flow of documents and information between departments or areas of responsibility
narrative description
written, step-by-step explanation of system components and how they interact
interest calculations are truncated at 2 decimal places, and the excess decimals are put into an account that the perpetrator controls. what is this fraud called? a) typosquatting b) URL hijacking c) chipping d) round-down fraud
d) round-down fraud
Which is NOT an advantage of an ERP system? a. Better access control b. Standardization of procedures & reports c. Improved monitoring capabilities d. Simplicity & reduced costs
d) simplicity & reduced costs
referential integrity rule
ensures consistency of the database: if two tables are related, there will be a FK
Biometric Identifier
A physical or behavioral characteristic that is used as an authentication credential
Zero-Day Attack
An attack launched between the time a new software vulnerability is discovered and "released into the wild" and the time a software developer releases a patch to fix the problem
section 404 report
Management AND independent auditors review and comment on the internal control system using an established framework
C: review its strategy and business objectives.
McDowell's fast food (motto: our hamburger buns got no sticky, icky sesame seeds!) determines that its financial performance for the recently ended year evidences a different risk profile than that which was expected. In response to this finding, the company should: A: expand its risk tolerance. B: revise its mission, vision, and core values. C: review its strategy and business objectives. D: reassess the costs and benefits of risk analysis.
SDLC
Methodology for designing, implementing, and maintaining an information system. Steps include: 1. Initiation/planning; 2. Requirements analysis; 3. Design; 4. Build; 5. Test; 6. Implementation; 7. Operations and maintenance
A: Desktop client, application, and database.
Most client/server applications operate on a three-tiered architecture consisting of which of the following layers? A: Desktop client, application, and database. B: Desktop client, software, and hardware. C: Desktop server, application, and database. D: Desktop server, software, and hardware.
coso internal control integrated framework
Most commonly used framework used by management and independent auditors to evaluate internal control and risk management. Includes five components: control environment, risk assessment, control activities, information and communication, monitoring.
Private Key
One of the keys used in asymmetric encryption systems. It is kept secret and known only to the owner of that pair of public and private keys
Public Key
One of the keys used in asymmetric encryption systems. It is widely distributed and available to everyone.
Hash
Plaintext that has been transformed into short code
Human resources
Recruiting, hiring, training, and compensating
Expected Loss
The mathematical product of the potential dollar loss that would occur should a threat become a reality (impact or exposure) and the risk or probability that the threat will occur (likelihood). Expected loss = Impact × Likelihood
Data Store
The place or medium in which the data is stored
B: Bill of materials
Which document lists the components needed in making a product? A: Inventory report B: Bill of materials C: Move ticket D: Operations list
B: Both
Which of the following statements of risk appetite related to factory floor accidents is acceptable? · "Low" · " < 3 per year" A: Neither B: Both C: "Low" but not " < 3 per year." D: " < 3 per year" but not "Low."
D: Review the cumulative earnings register.
Winifred, an internal auditor, wants to determine if employee pay rates are accurate. Her best strategy for accomplishing this goal is to A: Review W-2s. B: Review Form 941. C: Review W-3s. D: Review the cumulative earnings register.
which is a type of fraud in which later payments on acct are used to pay off earlier payments that were stolen? a) lapping b) kiting c) Ponzi scheme d) salami technique
a) lapping
Data differ from info in which way? a. Data are output and info is input b. Info is output and data are input c. Data are meaningful bits of info d. No difference
b. Info is output and data are input
balancing creativity and control
belief system; boundary system; diagnostic control system; interactive control system
someone redirects a website's traffic to a bogus website, usually to gain access to personal & confidential info. what is this computer fraud technique called? a) vishing b) phishing c) pharming d) phreaking
c) pharming
transformation process
circle
Which of the following is NOT an SDLC control issue during an audit? a. user and computer services management properly authorized the project b. a preliminary feasibility study showed that the project had merit c. a cost-benefit analysis was conducted using reasonably accurate values d. the detail design was an appropriate and accurate solution to the user's problem e. all of the above are specific points for review
e. all of the above are specific points for review
What is XBRL?
eXtensible Business Reporting Language (XBRL) - Built on XML - computer readable format for financial statements
3NF
each field is dependent on PK; relation FK if necessary
What are digital certificates?
electronic documents digitally signed by a trusted party certifying identity of owners
400
expenses
which task is part of the selecting and training personnel step of implementing an AIS?
experimenting with the new system in a controlled environment
Documentation
explains how a system works, including the who, what, when, where, why, and how of data entry, data processing, data storage, information output, and system controls. Popular means of documenting a system include diagrams, flowcharts, tables, and other graphical representations of data and information.
What is an access log?
file with information about each access to a file or website
insert anomaly
no way to store information about prospective customers until they actually make a purchase
What is WiFi?
wireless form of Ethernet
Who oversees systems development?
"An internal steering committee." The internal steering committee oversees systems development.
A firewall is
"a system used to insulate an organization's intranet from the Internet." A firewall is a system used to insulate an organization's intranet from the Internet. It can be used to authenticate an outside user of the network, verify his or her level of access authority, and then direct the user to the program, data, or service requested. In addition to insulating the organization's network from external networks, firewalls can also be used to protect LANs from unauthorized internal access
The operating system is
"the computer's control program." The operating system is the computer's control program. It allows users and their applications to share and access common computer resources, such as processors, main memory, databases, and printers.
The goal of data processing is
"the production of useful information." Data is not information. Data is data. Data needs to be consolidated, processed, summarized and converted into information for management decision-making.
MOD 4- A copy of the purchase order (PO) is sent to the
"vendor." A copy of the purchase order (PO) is sent to the vendor. The purchase order is the formal document that tells the vendor what material is needed, at what price, in what quantity and on what date.
a check is prepared using data saved on a magnetic tape. which documentation tool represents this process?
*image* (represented by magnetic tape symbol, rectangular process symbol, and document symbol) the magnetic tape storage symbol looks like this...
this is an example of a simple program flowchart. which step is the decision point in the program?
*image* (represented by rhombus) 2
which MANUAL function does the MANAGEMENT dept (Susan) perform according to this flowchart?
*image* (represented by trapezoid) approve and sign checks
which query will list the city and zipcode, sorted in ASCENDING order by CITY, for all customers in MINNESOTA who purchased BLUE PENS?
*image* Criteria should include "MN" for state :Minnesota, and "blue pens" for item description :blue pen. Sort should include 'Ascending' for the order of the list of cities Show should include marked checkboxes for customer name, city, and Zipcode
Process for determining if the new AIS meets post-implementation objectives
- Does the system meet goals and objectives? - Are users satisfied? - How have users benefited? - Is cost in line with expectations? - Is the system reliable? - Does the system produce accurate/complete data? - Is information timely? - Is the system compatible with existing systems? - Does the system have proper controls and security? - Are there proper error-handling procedures? - Has there been proper training? - Communications? - Are organizational changes beneficial or harmful? - Is system documentation complete and accurate?
Audit Planning
- Establish scope & objectives - Organize the audit team - Develop knowledge of business operations - Review prior audit results - identify risk factors - prepare an audit program.
Communication of Audit Results
- Formulate audit conclusions; - develop recommendations for management; - prepare audit report; - present audit results to management.
Auditing Process
- Planning - Collecting evidence - Evaluating evidence - Communicating audit results
Strengths of Developing In-House AIS
- User creation, control, and implementation - Systems that meet user needs - Timeliness - Freeing up of systems resources - Versatility and ease of use
which two steps are part of the HRM/Payroll cycle? choose 2 answers
- adding new employees to the master database - recording rate changes for employees who have received raises
Evaluation of Audit Evidence
- assess quality of internal controls; - assess reliability of information; - consider need for additional evidence; - consider risk factors; - consider materiality factors; - document audit findings.
which two tasks are part of the process of auditing computer-based IS? choose 2 answers
- evaluating evidence in a systematic manner - providing recommendations for improvement
which two recommendations are included in a post-implementation review report? choose 2 answers
- improvements to the new system - improvements to the development process
which three actions are part of the revenue cycle? choose 3 answers
- initiating back orders for finished goods that are out of stock - approving credit sales of finished goods - receiving and answering customer inquiries
which two issues do IS auditors look for when they audit security provisions? choose 2 answers
-proper procedures for assigning user IDs -effective use of data encryption
Two steps in Data Input
1 Capture transaction data (each activity, resource affected, and people participating) 2 Verify captured data are accurate and complete
ERM is the process the board of directors and management use to set strategy, identify events that may affect the entity, assess and manage risks, and provide reasonable assurance that the company achieves its objectives and goals. What are the basic principles behind ERM?
1 Companies are formed to create value for their owners 2 Management must decide how much uncertainty it will accept as it creates value 3 Uncertainty results in risk 4 Uncertainty results in opportunity 5 The ERM framework can manage uncertainty as well as create and preserve value
Computer fraud categories (data processing model)
1 Input Fraud 2 Processor Fraud 3 Computer Instructions Fraud 4 Data Fraud 5 Output Fraud
The Trust Services Framework organizes IT-related controls into five principles that jointly contribute to systems reliability:
1 Security 2 Confidentiality 3 Privacy 4 Processing Integrity 5 Availability
What are two fundamental information security concepts?
1 Security is a management issue, not just a technology issue 2 Defense-in-depth and the time-based model of information security
Statement on Auditing Standards (SAS) No. 99 (effective December 2002), requires auditors to:
1 Understand fraud 2 Discuss the risks of material fraudulent misstatements 3 Obtain information 4 Identify, assess, and respond to risks 5 Evaluate the results of their audit tests 6 Document and communicate findings 7 Incorporate a technology focus
What are the 10 internationally recognized best practices for protecting the privacy of customers' personal information set forth by GAPP?
1. Management 2. Notice 3. Choice and consent 4. Collection 5. Use and retention 6. Access 7. Disclosure to third parties 8. Security 9. Quality 10. Monitoring and enforcement
Control environment factors
1. Management's philosophy, operating style, and risk appetite 2. The board of directors 3. Commitment to integrity, ethical values, and competence 4. Organizational structure 5. Methods of assigning authority and responsibility 6. Human resource standards 7. External influences
What are advantages of shadow data?
1. convenience 2. ease of use 3. analytical tools available
What are disadvantages of a database management system?
1. cost 2. training 3. chance of breakdowns 4. audit trail may be obscured 5. specialized backup and recovery procedures
What are the costs involved when choosing new software?
1. cost of software 2. cost of hardware 3. cost of consultants (training staff) 4. maintenance/support 5. data translation
Steps in Expenditure Cycle
- Request that goods and services be purchased - Prepare, approve, and send purchase orders to vendors - Receive goods/services and complete a receiving report - Store goods - Receive vendor invoices - Credit accounts payable / debit expense or inventory - Approve vendor invoices for payment - Pay vendors for goods and services - Debit accounts payable / credit cash - Handle purchase returns, discounts, and allowances - Prepare management reports - Send appropriate information to the other cycles
1. Which statement is not correct? The audit trail in a computerized environment a. consists of records that are stored sequentially in an audit file b. traces transactions from their source to their final disposition c. is a function of the quality and integrity of the application programs d. may take the form of pointers, indexes, and embedded keys
A
20. Run-to-run control totals can be used for all of the following except a. to ensure that all data input is validated b. to ensure that only transactions of a similar type are being processed c. to ensure the records are in sequence and are not missing d. to ensure that no transaction is omitted
A
27. Which statement is not true? a. An audit objective for systems maintenance is to detect unauthorized access to application databases. b. An audit objective for systems maintenance is to ensure that applications are free from errors. c. An audit objective for systems maintenance is to verify that user requests for maintenance reconcile to program version numbers. d. An audit objective for systems maintenance is to ensure that the production libraries are protected from unauthorized access.
A
Application controls are classified as A. input, processing, output B. input, processing, output, storage C. input, processing, output, control D. input, processing, output, storage, control E. collecting, sorting, summarizing, reporting
A
Audit Trail
A path that allows a transaction to be traced through a data processing system from point of origin to output or backwards from output to point of origin. It is used to check the accuracy and validity of ledger postings and to trace changes in general ledger accounts from their beginning balance to their ending balance.
a. a smurf attack.
A ping signal is used to initiate a. a smurf attack. b. Internet protocol spoofing. c. digital signature forging d. URL masquerading e. a SYN-ACK packet.
File
A set of logically related records, such as the payroll records of all employees.
Corporate governance
A set of processes and policies for managing an organization ethically so as to safeguard the interests of its stakeholders.
Business process
A set of related, coordinated, and structured activities and tasks, performed by a person, computer, or machine, that help accomplish a specific organizational goal
A: Competence and objectivity.
According to the COSO framework, evaluators who monitor controls within an organization should have which of the following sets of characteristics? A: Competence and objectivity. B: Respect and judgment. C: Judgment and objectivity. D: Authority and responsibility.
Human resource/payroll cycle
Activities associated with hiring, training, compensating, evaluating, promoting, and terminating employees
Marketing and Sales
Activities that help customers buy the organization's products or services
Technology
Activities that improve a product or service
Service
Activities that provide post-sale support to customers
A: Governance and Culture
Adventureland, a start-up Pittsburgh theme park, has a series of meetings with its investors, management, and employees to help identify its risk culture. This initiative most likely occurs as a part of which component in the ERM framework? A: Governance and Culture B: Performance C: Strategy and Objective-Setting D: Information, Communication, and Reporting
the test data is easily compiled
All of the following are advantages of the test data technique except a. auditors need minimal computer expertise to use this method b. this method causes minimal disruption to the firm's operations c. the test data is easily compiled d. the auditor obtains explicit evidence concerning application functions
What is phishing?
An attempt to trick someone into revealing his/her user name and password or confidential information
B: 1. risk range, 2. risk ceiling, 3. risk floor
An international manufacturing company has the following three statements in its enterprise risk management documents. Please identify the concepts in the COSO ERM framework that these statements best represent. 1. The annual acceptable number of factory accidents will be between zero and four. 2. We will not invest in cybercurrencies, e.g., bitcoin. 3. We commit to investing at least 15% of the capital budget in emerging artificial intelligence projects. A: 1. risk floor, 2. risk ceiling, 3. risk range B: 1. risk range, 2. risk ceiling, 3. risk floor C: 1. target risk, 2. risk ceiling, 3. risk range D: 1. risk floor, 2. risk ceiling, 3. target risk
SAS No. 99
Auditor responsibilities (fraud risk): understand fraud; discuss the risks of material misstatement; obtain information; identify, assess, and respond to risks; evaluate the results of audit tests; document and communicate findings; incorporate a technology focus
7. Program testing a. involves individual modules only, not the full system b. requires creation of meaningful test data c. need not be repeated once the system is implemented d. is primarily concerned with usability
B
Computer applications use routines for checking the validity and accuracy of transaction data called a. operating systems. b. edit programs. c. compiler programs. d. integrated test facilities. e. compatibility tests.
B
How are transactions in real time processing systems edited? A. in a separate computer run B. in online mode as transactions are entered C. during a backup procedure D. not edited due to time constraints E. editing transactions in real time is not necessary
B
11. An example of a hash total is a. total payroll checks-$12,315 b. total number of employees-10 c. sum of the social security numbers-12,555,437,251 d. none of the above
C
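The batch control totals behind the hash-total card above and the run-to-run question earlier, worked through on a constructed payroll batch. This is an added example, not material from the course: the record layout, the employee numbers and the amounts are assumptions. It computes the three standard totals (record count, financial total, hash total), re-derives them at a later run, and shows what each total does and does not catch, plus the sequence check that a sum-based total cannot perform.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PayrollRecord:
    seq: int            # sequence number assigned when the batch was keyed in
    employee_no: int    # non-financial identifier: meaningful only as a hash total
    net_pay_cents: int  # financial field, kept in cents so totals are exact


# Constructed input batch (assumed data, not from the course).
INPUT_BATCH = [
    PayrollRecord(1, 1001, 125000),
    PayrollRecord(2, 1002, 98050),
    PayrollRecord(3, 1003, 141025),
    PayrollRecord(4, 1004, 73000),
]


def batch_totals(records: List[PayrollRecord]) -> Dict[str, int]:
    """The three batch control totals the input clerk computes before processing."""
    return {
        "record_count": len(records),
        "financial_total": sum(r.net_pay_cents for r in records),  # a meaningful total
        "hash_total": sum(r.employee_no for r in records),         # a meaningless sum of IDs
    }


def run_to_run_check(control_totals: Dict[str, int], records: List[PayrollRecord]) -> Dict[str, tuple]:
    """Recompute the totals from the records that reached this run and report every
    control total that no longer agrees, as {name: (expected, actual)}."""
    actual = batch_totals(records)
    return {k: (v, actual[k]) for k, v in control_totals.items() if actual[k] != v}


def sequence_check(records: List[PayrollRecord]) -> dict:
    """Are the records in ascending order with no gaps and no duplicates?"""
    seqs = [r.seq for r in records]
    present = set(seqs)
    return {
        "in_order": all(a < b for a, b in zip(seqs, seqs[1:])),
        "missing": [n for n in range(min(seqs), max(seqs) + 1) if n not in present] if seqs else [],
        "duplicates": sorted(s for s in present if seqs.count(s) > 1),
    }


# Totals carried forward from the input run.
CONTROL = batch_totals(INPUT_BATCH)

# Three ways the batch could be damaged between input and a later run (constructed):
DROPPED = [r for r in INPUT_BATCH if r.seq != 3]                                      # one record lost
ALTERED = [PayrollRecord(2, 1002, 980500) if r.seq == 2 else r for r in INPUT_BATCH]  # an amount changed
SWAPPED_IDS = [PayrollRecord(1, 1002, 125000), PayrollRecord(2, 1001, 98050)] + INPUT_BATCH[2:]  # IDs exchanged

if __name__ == "__main__":
    print("control totals :", CONTROL)
    print("dropped record :", run_to_run_check(CONTROL, DROPPED), sequence_check(DROPPED))
    print("altered amount :", run_to_run_check(CONTROL, ALTERED))
    print("swapped IDs    :", run_to_run_check(CONTROL, SWAPPED_IDS))  # {}: a sum cannot see this
```

The dropped record disturbs all three totals and leaves a gap the sequence check reports; the altered amount disturbs only the financial total; exchanging two employee numbers between records leaves every sum unchanged, which is the limitation of additive hash totals and why they are paired with record-level checks rather than trusted alone.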
16. The employee entered "40" in the "hours worked per day" field. Which check would detect this unintentional error? a. numeric/alphabetic data check b. sign check c. limit check d. missing data check
C
21. Methods used to maintain an audit trail in a computerized environment include all of the following except a. transaction logs b. Transaction Listings. c. data encryption d. log of automatic transactions
C
23. Which statement is not correct? a. only successful transactions are recorded on a transaction log b. unsuccessful transactions are recorded in an error file c. a transaction log is a temporary file d. a hardcopy transaction listing is provided to users
C
24. Input controls include all of the following except a. check digits b. Limit check. c. spooling check d. missing data check
C
26. Which test of controls will provide evidence that the system as originally implemented was free from material errors and free from fraud? Review of the documentation indicates that a. a cost-benefit analysis was conducted b. the detailed design was an appropriate solution to the user's problem c. tests were conducted at the individual module and total system levels prior to implementation d. problems detected during the conversion period were corrected in the maintenance phase
C
5. Which control is not a part of the source program library management system? a. using passwords to limit access to application programs b. assigning a test name to all programs undergoing maintenance c. combining access to the development and maintenance test libraries d. assigning version numbers to programs to record program modifications
C
6. Which control ensures that production files cannot be accessed without specific permission? a. Database Management System b. Recovery Operations Function c. Source Program Library Management System d. Computer Services Function
C
8. The correct purchase order number, 123456, was incorrectly recorded as shown in the solutions. All of the following are transcription errors except a. 1234567 b. 12345 c. 124356 d. 123454
C
A control designed to validate a transaction at the point of data entry is a. recalculation of a batch total. b. a record count. c. a check digit. d. checkpoints. e. recalculation of hash total
C
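A worked check digit, as an added example that is not from the course deck, tied to the purchase order number 123456 in the transcription-error question above and the point-of-entry card just above. The weighted mod-11 scheme (weights n+1 down to 2, remainder 10 written as X) is an assumed, ISBN-10-style convention; the keyed variants are the ones listed in the question. An unweighted digit sum is included only to show why the weights matter.

```python
from typing import Callable, Dict, Iterable


def _weighted_sum(body: str, top_weight: int) -> int:
    """Sum of digit * weight, with the weight descending from top_weight to the right."""
    return sum(int(ch) * w for ch, w in zip(body, range(top_weight, top_weight - len(body), -1)))


def mod11_check_digit(body: str) -> str:
    """Weighted mod-11 check digit: the digit that makes body+check sum to 0 mod 11
    under weights n+1 .. 1. A remainder of 10 is written 'X' (assumed convention)."""
    if not body.isdigit():
        raise ValueError("check digits are computed over numeric bodies only")
    check = (-_weighted_sum(body, len(body) + 1)) % 11
    return "X" if check == 10 else str(check)


def naive_check_digit(body: str) -> str:
    """Unweighted digit sum mod 10, shown only to illustrate what it misses."""
    return str(sum(int(ch) for ch in body) % 10)


def is_valid(code: str, expected_length: int,
             digit_fn: Callable[[str], str] = mod11_check_digit) -> bool:
    """Validate a code as keyed. The length test catches added or dropped digits
    before any arithmetic; recomputing the check digit catches wrong digits and,
    with weights, adjacent transpositions."""
    if len(code) != expected_length:
        return False
    body, check = code[:-1], code[-1]
    if not body.isdigit():
        return False
    return digit_fn(body) == check


def screen(codes: Iterable[str], digit_fn: Callable[[str], str] = mod11_check_digit,
           length: int = 7) -> Dict[str, bool]:
    """Accept/reject verdict for each keyed code."""
    return {code: is_valid(code, length, digit_fn) for code in codes}


PO_NUMBER = "123456"                                  # the number from the question
PO_CODE = PO_NUMBER + mod11_check_digit(PO_NUMBER)    # "1234560": what the form would print

# The keyed variants from the question, each ending in the original check digit (constructed).
KEYED = {
    "12345670": "extra digit (transcription)",
    "123450":   "dropped digit (transcription)",
    "1234540":  "wrong digit (transcription)",
    "1243560":  "adjacent digits swapped (transposition)",
}

if __name__ == "__main__":
    print(PO_CODE, "valid:", is_valid(PO_CODE, 7))
    for code, kind in KEYED.items():
        print(f"{code:9s} {kind:40s} {'accepted' if is_valid(code, 7) else 'rejected'}")
    naive_code = PO_NUMBER + naive_check_digit(PO_NUMBER)          # "1234561"
    print(naive_code, "naive scheme accepts transposition:", is_valid("1243561", 7, naive_check_digit))
```

All four keyed variants are rejected by the weighted scheme. The unweighted sum accepts the transposition 124356, because 1+2+4+3+5+6 equals 1+2+3+4+5+6: a check digit that ignores position can only detect errors that change the digit multiset.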
An electronic walk-through of the application's internal logic is called a. a salami logic test. b. an integrated test. c. tracing. d. a logic bomb test.
C
Ensuring that all material transactions processed by the information system are valid and in accordance with management's objectives is an example of A. transaction authorization B. supervision C. accounting records D. independent verification
A
What is the process for posting to accounting records in a computer system? A. master file is updated to a transaction file B. master file is updated to an index file C. transaction file is updated to a master file D. master file is updated to a year-to-date file E. current balance file is updated to an index file
C
Which of the following is NOT a common type of white box test of controls? a. completeness tests b. redundancy tests c. inference tests d. authenticity tests
C
D: Engage the owner in direct participation in the activities, including financial record-keeping, of the business.
Checkpoint auto leasing is a small company with six employees. The best action that it can take to increase its internal control effectiveness is A: Hire temporary employees to aid in the segregation of duties. B: Hire a bookkeeper to perform monthly "write up" work. C: Clearly delegate responsibilities to each employee for the functions that they are assigned. D: Engage the owner in direct participation in the activities, including financial record-keeping, of the business.
3. Describe software that may be used for auditing.
Computer-Assisted Audit Techniques (CAATs) refer to audit software, often called Generalized Audit Software (GAS), that uses auditor-supplied specifications to generate a program that performs audit functions, thereby automating or simplifying the audit process. Two of the most popular software packages are: a. Audit Command Language (ACL) and b. Interactive Data Extraction and Analysis (IDEA). CAATs are ideally suited for examining large data files to identify records needing further audit scrutiny.
D: processes and controls; data management architecture
Consider the following two descriptions: 1. They help an entity create and maintain reliable data. 2. They include models, policies, rules, or standards that determine which data is collected and how it is stored, arranged, integrated, and used in systems and in the organization. In relation to COSO's ERM framework related to leveraging information systems, statement 1 relates to ______________ while statement 2 relates to ____________________. A: data and information governance; processes and controls B: data and information governance; data management architecture C: processes and controls; data and information governance D: processes and controls; data management architecture
Report writer
DBMS language that simplifies report creation
What are secondary storage devices?
DVD, flash drives, etc
Asymmetric Encryption Systems
Encryption systems that use two keys (one public, the other private); either key can encrypt, but only the other matching key can decrypt
Mnemonic Code
Letters and numbers that are interspersed to identify an item. The mnemonic code is derived from the description of the item and is usually easy to memorize
What are examples of preventative controls?
People: creating a "security aware" culture and training. Processes: user access controls. IT solutions: anti-malware, network access controls (firewalls, intrusion prevention systems, etc.), device and software hardening (configuration controls), encryption. Physical security: access controls (locks, guards, etc.). Change controls and change management.
Information overload causes
Personal factors; information characteristics; task and process parameters; organizational design; information technology
What is a database?
Physical repository for financial data
B: Reducing the likelihood of the theft of payroll payments.
Requiring direct deposits instead of paying employees by checks improves accounting controls by: A: Separating duties in cash receipts. B: Reducing the likelihood of the theft of payroll payments. C: Facilitating advanced analytics of payroll data. D: Reducing the risk of violations of employment law.
Financial electronic data interchange (FEDI)
The combination of EFT and EDI that enables both remittance data and funds transfer instructions to be included in one electronic package
Data Store
The place or medium where system data is stored
Field
The portion of a data record where the data value for a particular attribute is stored
Verifiable
Two independent, knowledgeable people produce the same information
sequence check
Which check is NOT a file interrogation? A. header label B. expiration date check C. sequence check D. version check
Data Flow Diagram (DFD)
a graphical description of the flow of data within an organization, including data sources/destinations, data flows, transformation processes, and data storage
11-7. which of the following automated systems help minimize inventory costs?
a. JIT systems * b. ABC systems c. job order costing systems d. process costing systems
9-1. in access, you can use a form to perform all the following tasks except:
a. create a new record in a specific table b. change the information in an existing record of a table c. view the information from many different records sequentially d. all of these are tasks that can be performed with an access form*
7-1. which of these does not characterize a typical database?
a. large number of records b. irreplaceable data c. high need for accuracy d. simple systems *
14-9. Organizations use ______ controls to prevent, detect, and correct errors and irregularities in transactions that are processed.
a. specific b. general c. application * d. input
Computer fraud can be categorized using the...
data processing model
Internal controls related to XBRL - Risk of tagging errors
electronic review; independent review after tagging; periodic user training
2.5 question (F-G) Which of the following actions update a master file and which would be stored as a record in a transaction file?
f. Record production variances; g. Record sales commissions. (Full list of actions in the problem: a. Update customer address change b. Update unit pricing information c. Record daily sales d. Record payroll checks e. Change employee pay rates f. Record production variances g. Record sales commissions h. Change employee office location i. Update accounts payable balance j. Change customer credit limit k. Change vendor payment discount terms l. Record purchases)
Access Control Matrix
is a table used to implement authorization controls
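An access control matrix implemented as code, added here as an example and not part of the course material. Users, resources, actions and the conflicting-duty pairs are all constructed. Two things are worth seeing beyond the definition: the lookup is default-deny (an unknown user, unknown resource or unlisted action all fail closed, and denials are logged for review), and the same matrix can be scanned for segregation-of-duties violations, which is how the matrix supports the fraud-prevention controls elsewhere in this deck.

```python
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]   # (resource, action)

# Rows are users, columns are resources, cells are the allowed actions.
# Anything not listed is denied. All names are constructed for the example.
ACCESS_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "sjones":  {"payroll_master": {"read", "update"}, "vendor_master": {"read"}},
    "mlee":    {"vendor_master": {"read", "create"}, "ap_payments": {"read", "approve"}},
    "auditor": {"payroll_master": {"read"}, "vendor_master": {"read"}, "ap_payments": {"read"}},
}

# Permission pairs one person should not hold together (segregation of duties).
# Creating vendor records and approving payments to vendors enables a fictitious-vendor scheme.
SOD_CONFLICTS: List[Tuple[Permission, Permission]] = [
    (("vendor_master", "create"), ("ap_payments", "approve")),
    (("payroll_master", "update"), ("ap_payments", "approve")),
]


def is_authorized(matrix: Dict[str, Dict[str, Set[str]]], user: str, resource: str, action: str) -> bool:
    """Default deny: unknown user, unknown resource or unlisted action all return False."""
    return action in matrix.get(user, {}).get(resource, set())


def request(matrix: Dict[str, Dict[str, Set[str]]], user: str, resource: str, action: str,
            denied_log: List[Tuple[str, str, str]]) -> bool:
    """Check the request and record every denial so attempts can be reviewed later."""
    ok = is_authorized(matrix, user, resource, action)
    if not ok:
        denied_log.append((user, resource, action))
    return ok


def sod_violations(matrix: Dict[str, Dict[str, Set[str]]],
                   conflicts: List[Tuple[Permission, Permission]] = SOD_CONFLICTS) -> Dict[str, list]:
    """Users who hold both halves of any conflicting permission pair."""
    out: Dict[str, list] = {}
    for user, grants in matrix.items():
        held = {(res, act) for res, acts in grants.items() for act in acts}
        hits = [pair for pair in conflicts if pair[0] in held and pair[1] in held]
        if hits:
            out[user] = hits
    return out


if __name__ == "__main__":
    log: List[Tuple[str, str, str]] = []
    print(request(ACCESS_MATRIX, "sjones", "payroll_master", "update", log))  # True
    print(request(ACCESS_MATRIX, "sjones", "payroll_master", "delete", log))  # False
    print(request(ACCESS_MATRIX, "ghost", "ap_payments", "read", log))        # False
    print("denied:", log)
    print("SoD violations:", sod_violations(ACCESS_MATRIX))                  # mlee
```

In a real system the matrix would be maintained by the security administrator, not hard-coded, and the denied-request log is what the "alert managers when an unauthorized user attempts to use assets" control consumes.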
What is bluetooth?
networking standard for small personal area networks
database
set of interrelated, centrally coordinated data files that are stored with as little data redundancy as possible
Carter's Taxonomy- Target
targets the system or its data
Digital Envelope
this method blends both symmetric and asymmetric
which action improves data accuracy during the data input process?
using prenumbered source data
What is the purpose of authorized vendors?
" To reduce fraud." The purpose of authorized vendors is to reduce vendor fraud schemes.
What are sources for researching software?
1. internet 2. recommendations from similar businesses 3. trade journals 4. trade shows 5. auditors/CPA firm
Big Data
a collection of data from traditional and digital sources inside and outside your company that represents a source for ongoing discovery and analysis
which tool shows the flow of bills of lading and packing slips between the shipping department and the A/R department?
a document flowchart
Foreign key
an attribute in a table that is also a primary key in another table; used to link the two tables (Customer # in attached table is the primary key in the customer table and a foreign key in the sales table)
document
an electronic or paper document or report
Preventive Controls
deter problems before they arise
Which condition of the Safe Harbor Agreement addresses the privacy concern related to the purposes for which an organization collects and uses information?
" Notice." An organization must provide individuals with clear notice of "the purposes for which it collects and uses information about them and the types of third parties to which it discloses the information."
If a firm purchases an accounts payable module, which type of system is it purchasing?
" General accounting system." Accounts payable is an example of a general accounting system module.
Chart of Accounts
A listing of all the numbers assigned to the balance sheet and income statement accounts
System Flowchart
A logical representation of system inputs, processes and outputs
Tuple
A row in a table that contains data about a specific item in a database table
17. An inventory record indicates that 12 items of a specific product are on hand. A customer purchased two of the items, but when recording the order, the data entry clerk mistakenly entered 20 items sold. Which check could detect this error? a. numeric/alphabetic data checks b. limit check c. range check d. reasonableness check
B
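The input edit checks named across these cards (missing-data, field/numeric, sign, limit, range and reasonableness checks), implemented together and run over a constructed batch. This is an added example, not code from the course; the field names, the 24-hour limit, the pay-rate range and the on-hand quantities are assumptions. It shows the two cases in the questions above: "40" in hours-per-day, caught by the limit check, and 20 units sold against 12 on hand, caught by the reasonableness check, which compares the entry with related data rather than with a fixed bound.

```python
from typing import Dict, List, Tuple

# Assumed master data and tolerances for this example.
ON_HAND: Dict[str, int] = {"P-100": 12, "P-200": 3}   # quantity on hand per product
HOURS_LIMIT = 24                                       # limit check: a day has at most 24 hours
PAY_RATE_RANGE = (7.25, 150.00)                        # range check: plausible hourly rates
REQUIRED = ("employee_no", "hours_per_day", "pay_rate", "product", "qty_sold")


def _is_number(value) -> bool:
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def edit_transaction(txn: dict, on_hand: Dict[str, int] = ON_HAND) -> List[Tuple[str, str]]:
    """Run the edit checks on one input record.
    Returns (check name, field) for every failure; an empty list means the record is clean."""
    failures: List[Tuple[str, str]] = []

    # Missing-data check: required fields must be present and non-blank.
    for field in REQUIRED:
        if txn.get(field) in (None, ""):
            failures.append(("missing data check", field))

    hours = txn.get("hours_per_day")
    if hours not in (None, ""):
        if not _is_number(hours):
            failures.append(("field (numeric) check", "hours_per_day"))   # e.g. "eight"
        else:
            if hours < 0:
                failures.append(("sign check", "hours_per_day"))
            if hours > HOURS_LIMIT:
                failures.append(("limit check", "hours_per_day"))          # e.g. 40 in one day

    rate = txn.get("pay_rate")
    if _is_number(rate):
        lo, hi = PAY_RATE_RANGE
        if not lo <= rate <= hi:
            failures.append(("range check", "pay_rate"))

    qty, product = txn.get("qty_sold"), txn.get("product")
    if _is_number(qty):
        if qty <= 0:
            failures.append(("sign check", "qty_sold"))
        elif product in on_hand and qty > on_hand[product]:
            # Reasonableness check: the entry is tested against related data,
            # not a fixed bound. 20 sold against 12 on hand is not reasonable.
            failures.append(("reasonableness check", "qty_sold"))
    return failures


# Constructed sample batch.
CLEAN = {"employee_no": 1001, "hours_per_day": 8, "pay_rate": 18.50, "product": "P-100", "qty_sold": 2}
TOO_MANY_HOURS = dict(CLEAN, hours_per_day=40)
OVERSOLD = dict(CLEAN, qty_sold=20)
BAD_FIELDS = dict(CLEAN, employee_no="", hours_per_day="eight")
NEGATIVE_HOURS = dict(CLEAN, hours_per_day=-3, pay_rate=0.50)

if __name__ == "__main__":
    for name, txn in [("clean", CLEAN), ("40 hours", TOO_MANY_HOURS), ("oversold", OVERSOLD),
                      ("bad fields", BAD_FIELDS), ("negative", NEGATIVE_HOURS)]:
        print(f"{name:11s} {edit_transaction(txn)}")
```

Note that a limit check on hours would not have caught the oversold quantity (20 is a perfectly legal quantity in general) and a reasonableness check is only as good as the master data it compares against; both belong in an edit program, not one or the other.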
entity integrity rule
every row in every relation must represent data about some specific object in the real world; the primary key cannot be null, and each table must have a primary key
Financial Audit
examination of the reliability and integrity of financial transactions, accounting records, and financial statements
Control Activities
policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out.
recording
preparing source documents; entering data into online systems; maintaining journals, ledgers, files, or databases; preparing reconciliations; and preparing performance reports
preventing/detecting fraud
make fraud less likely to occur (culture); increase the difficulty of committing fraud (controls); improve detection methods (auditors); reduce fraud losses (insurance)
Limitations of purchasing/renting an AIS
- Canned software may not meet all of a company's information needs
Information needed to acquire capital
- Cash flow projections - Pro Forma financial statements - Loan amortization schedule
Strengths of purchasing/renting an AIS
- Companies can rent software from application service providers (ASPs), who deliver software over the Internet. - This provides scalability as the business grows and global access to information - Automates software upgrades; reducing software costs and administrative overhead - Software can be test driven - Some physical design, implementation, and conversion steps can be omitted.
Corrective Controls
- Computer incident response teams (CIRT) - Chief information security officer (CISO) - Patch management
Auditing Software
- Computer-Assisted audit techniques (CAATs) or generalized audit software (GAS)
Production Cycle Steps
- Design products - Forecast, plan, and schedule production - Request raw materials for production - Manufacture products - Store finished products - Accumulate costs for products manufactured - Prepare management reports - Send appropriate information to the other cycles
Financing Cycle
- Forecast cash needs - Sell stock/securities to investors - Borrow money from lenders - Pay dividends to investors and interest to lenders - Retire debt - Prepare management reports - Send appropriate information to the other cycles
Steps to Implement an AIS
- Implementation Planning - Select and Train Personnel - Prepare Site; Install and Test Hardware - Complete Documentation - Test System - Conversion
Challenges of outsourcing an AIS
- Inflexibility on contract terms - Loss of control - Reduced competitive advantage - Locked-in system - Unfulfilled goals - Poor service - Increased risk
What is the SDLC (System development life cycle)?
A DITTO - System Analysis - Design - Implementation and Conversion - Training - Testing - Operations and maintenance
Transaction File
A file that contains the individual business transactions that occur during a specific fiscal period
Cross-footing balance test
A processing control which verifies accuracy by comparing two alternative ways of calculating the same total.
manual operation
A processing operation performed manually
Exploit
A program designed to take advantage of a known vulnerability
Data Masking
A program that protects privacy by replacing personal information with fake values
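A small masking routine, added as an example that is not part of the course material; the record layout, the key and the sample rows are constructed. It shows the two masking styles a practitioner reaches for: keyed pseudonyms (HMAC) for identifiers that still need to join across records, and partial or format masks for fields such as SSN and e-mail. The key matters: a plain hash of an SSN can be reversed by hashing all one billion candidates, so the replacement is keyed and the key is kept out of the masked data set.

```python
import hashlib
import hmac
import re


def pseudonym(value: str, key: bytes, prefix: str = "P", length: int = 10) -> str:
    """Keyed, deterministic replacement. The same real value always maps to the same
    token (records remain joinable); without the key, tokens cannot be recomputed
    from a list of candidate names or SSNs, which a plain hash would allow."""
    digest = hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()
    return prefix + digest[:length]


def mask_ssn(ssn: str) -> str:
    """Partial masking: keep only the last four digits."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must have nine digits")
    return "XXX-XX-" + digits[-4:]


def mask_email(email: str) -> str:
    """Keep the first character and the domain; hide the rest of the local part."""
    local, _, domain = email.partition("@")
    return (local[0] + "***" if local else "***") + "@" + domain


def mask_record(rec: dict, key: bytes) -> dict:
    """Copy of an employee record with the personal fields replaced.
    The analytic field (net_pay) is passed through unchanged."""
    return {
        "employee_id": pseudonym(rec["employee_id"], key, prefix="E"),
        "name": pseudonym(rec["name"], key, prefix="N"),
        "ssn": mask_ssn(rec["ssn"]),
        "email": mask_email(rec["email"]),
        "net_pay": rec["net_pay"],
    }


# Constructed records and key. In practice the key lives in a secrets store, never in the data set.
KEY = b"example-only-masking-key"
RECORDS = [
    {"employee_id": "1001", "name": "Alice Anderson", "ssn": "123-45-6789",
     "email": "alice@example.com", "net_pay": 125000},
    {"employee_id": "1002", "name": "Bob Baker", "ssn": "987-65-4321",
     "email": "bob@example.com", "net_pay": 98050},
    {"employee_id": "1001", "name": "Alice Anderson", "ssn": "123-45-6789",
     "email": "alice@example.com", "net_pay": 126000},
]

if __name__ == "__main__":
    for masked in (mask_record(r, KEY) for r in RECORDS):
        print(masked)
```

The first and third rows belong to the same employee and receive the same tokens, so a test database built from the masked rows still supports per-employee totals, while the masked rows contain no real name or full SSN.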
UNIT 5 FORM B - A type of backbone, enterprise resource planning (ERP), offers a vast array of modules for dealing with almost every conceivable business process. What is a major drawback of a system with such extensive customization?
" A drawback of extensive customization is expense." Customizing a commercial system can be expensive.
How do inventory control functions adjust inventory at the time of a return?
"A credit memo issues automatically." An approved credit memo triggers the system to adjust the inventory when items are returned.
Primary key
Database attribute, or combination of attributes, that uniquely identifies each row in a table
Primary Key
Database attribute, or combination of attributes, that uniquely identifies each row in a table Usually, the primary key is a single attribute. In some tables, two or more attributes are needed to identify uniquely a specific row in a table. Can't be null
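The entity integrity rule, the primary key, and the foreign key cards above, enforced by a real database engine. This is an added example using SQLite, not the course's database; the two-table schema and the rows are constructed. It tries each violation in turn (null key, duplicate key, a sale pointing at a customer that does not exist, and deleting a customer that sales still reference) and reports which rule rejected it. Two SQLite specifics are worth knowing: foreign keys are only enforced after `PRAGMA foreign_keys = ON` on each connection, and a PRIMARY KEY column on an ordinary table accepts NULL unless NOT NULL is declared, which is why the schema says so explicitly.

```python
import sqlite3

SCHEMA = """
CREATE TABLE customer (
    cust_no TEXT PRIMARY KEY NOT NULL,   -- entity integrity: unique and never null
    name    TEXT NOT NULL
);
CREATE TABLE sales (
    sale_no INTEGER PRIMARY KEY,
    cust_no TEXT NOT NULL REFERENCES customer(cust_no),  -- foreign key: must match a customer
    amount  INTEGER NOT NULL
);
"""


def open_db() -> sqlite3.Connection:
    """In-memory database with the schema above and one constructed customer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # REFERENCES is ignored without this
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customer VALUES ('C001', 'Anderson')")
    conn.commit()
    return conn


def try_exec(conn: sqlite3.Connection, sql: str, params: tuple) -> str:
    """Run one statement in its own transaction and name the rule that rejected it, if any."""
    try:
        with conn:                      # commit on success, roll back on error
            conn.execute(sql, params)
        return "ok"
    except sqlite3.IntegrityError as exc:
        msg = str(exc)
        if "NOT NULL" in msg:
            return "null-key"           # entity integrity: key (or required field) is null
        if "UNIQUE" in msg:
            return "duplicate-key"      # entity integrity: key already used by another row
        if "FOREIGN KEY" in msg:
            return "orphan-foreign-key" # referential integrity: no matching primary key
        return "rejected: " + msg


if __name__ == "__main__":
    db = open_db()
    print(try_exec(db, "INSERT INTO customer VALUES (?, ?)", (None, "Nobody")))
    print(try_exec(db, "INSERT INTO customer VALUES (?, ?)", ("C001", "Again")))
    print(try_exec(db, "INSERT INTO sales (cust_no, amount) VALUES (?, ?)", ("C999", 500)))
    print(try_exec(db, "INSERT INTO sales (cust_no, amount) VALUES (?, ?)", ("C001", 500)))
    print(try_exec(db, "DELETE FROM customer WHERE cust_no = ?", ("C001",)))
```

The last statement fails for the same reason as the third: referential integrity works in both directions, so a parent row cannot disappear while child rows still point at it.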
Data Coding Schemes
Involves creating simple numeric or alphabetic codes to represent complex economic phenomena that facilitate efficient data processing.
Which is NOT a means by which info improves decision making? a. Increases info overload b. Reduces uncertainty c. Provides feedback about the effectiveness of prior decisions d. Identifies situations requiring management action
a) Increases info overload
increased error rates, disruptions, and sabotage are examples of which of the following? a) aggression b) avoidance c) projection d) payback
a) aggression
which causes the majority of computer security problems? a) human errors b) software errors c) natural disasters d) power outages
a) human errors
once fraud has occurred, which of the following will reduce fraud losses? SELECT ALL THAT APPLY a) insurance b) regular backup of data & programs c) contingency plan d) segregation of duties
a) insurance, b) regular backup, c) contingency plan
which of the following conditions is/are usually necessary for a fraud to occur? SELECT ALL THAT APPLY a) pressure b) opportunity c) explanation d) rationalization
a) pressure, b) opportunity, d) rationalization
5-5. which of the following is NOT true about system-flowcharts?
a. they can depict the flow of information in computerized AISs b. they use standardized symbols *c. they cannot show how documents flow in an AIS d. they often document an audit trail
3-3. what is it called when someone intentionally changes data before, during, or after they are entered into a computer (with the intent to illegally obtain information or assets)?
a. trojan horse b. logic bomb *c. data diddling d. a cookie
13-7. COSO recommends that firms _____________ to determine whether they should implement a specific control.
a. use cost-benefit analysis * b. conduct a risk assessment c. consult with the internal auditors d. identify objectives
5-7. the sandwich rule states that:
a. you should only create logic diagrams that have some "meat" in them b. every diagram should have a cover page and a summary page *c. a processing symbol should be between an input and an output symbol d. avoid showing error routines or similar exception tasks
Which of the following is NOT a test for identifying application control errors? a. access tests b. user acceptance tests c. field tests d. range tests e. all of the above
b. user acceptance tests
Administrative Internal Controls
badges, security policy, training, reviews, supervision, procedures manuals, password strength, rotation policies
What is a denial-of-service attack?
one computer (or group) bombards another computer with a flood of network traffic, causing it to eventually be overwhelmed and crash
General Ledger/Financial Reporting System
System that produces traditional financial statements, such as income statements, balance sheets, statements of cash flows, tax returns, and other reports required by law. This type of reporting is called non discretionary reporting because the organization has few or no choices in the information it provides.
Production Cycle
The recurring set of business activities and related data processing operations associated with the manufacture of products.
B: Analyze transactions.
Which of the following steps in the accounting cycle comes before posting entries to accounts? A: Journalize closing entries. B: Analyze transactions. C: Prepare reports. D: Prepare post-closing trial balance.
C: File.
Which of the following structures refers to the collection of data for all vendors in a relational data base? A: Record. B: Field. C: File. D: Byte.
C: Online.
Which of the following transaction processing modes provides the most accurate and complete information for decision making? A: Batch. B: Distributed. C: Online. D: Application.
Batch Processing
Processing transactions in a group without user interaction, e.g. Payroll Check
What is a CPU?
Central Processing Unit
Basic Activities of Revenue Cycle
1. sales order entry 2. shipping 3. billing 4. cash collections
Understandable
Presented in a useful and intelligible format
Decryption
Transforming ciphertext back into plaintext
100
assets
input
directions of computer instructions transferring data that should not be there
What is transmission media?
physical path between nodes on a network
What are output devices?
printer, speaker, computer screen/monitor
gross profit
net sales (sales - returns and discounts) - cost of goods sold
What does the letter N in an inverted triangle mean in a system flowchart?
"It is a temporary file using a numeric filing system." The inverted triangle means that it is a temporary file and the N means that it uses a numeric filing system.
UNIT 3 FORM A - Which item reflects vital information such as quantities and unit prices?
"Sales order." The sales order contains vital information such as unit prices and quantities.
What exemplifies the use of continuous auditing?
"Searching electronic transactions for anomalies." An intelligent control agent searches electronic transactions for anomalies.
The systems development process constitutes
"a set of activities by which organizations obtain IT-based information systems." The systems development process constitutes a set of activities by which organizations obtain IT-based information systems. Systems development is like any manufacturing process that produces a complex product through a series of stages.
In contrast to a real-time system, in a batch processing system
"there is a lag between the time when the economic event occurs, and the financial records are updated." Batch systems group transactions and they process when it is most efficient, often on an hourly, daily, or weekly basis. Batch systems process transactions in bulk when required or when convenient. These systems are appropriate when there is no urgency to the information.
Control Objectives for Information and Related Technology (COBIT)
(COBIT) - A security and control framework that allows (1) management to benchmark the security and control practices of IT environments, (2) users of IT services to be assured that reliable and adequate security and control exist, and (3) auditors to substantiate their internal control opinions and advise on IT security and control matters. ▪ Meeting stakeholder needs. COBIT helps users customize business processes and procedures to create an information system that adds value to its stakeholders. It also allows the company to create the proper balance between risk and reward. ▪ Covering the enterprise end-to-end. COBIT does not just focus on the IT operation, it integrates all IT functions and processes into companywide functions and processes. ▪ Applying a single, integrated framework. COBIT can be aligned at a high level with other standards and frameworks so that an overarching framework for IT governance and management is created. ▪ Enabling a holistic approach. COBIT provides a holistic approach that results in effective governance and management of all IT functions in the company. ▪ Separating governance from management. COBIT distinguishes between governance and management.
6. Discuss how organizations use enterprise resource planning (ERP) systems to process transactions and provide information.
(ERP) - A system that integrates all aspects of an organization's activities along with a traditional AIS into one system.
Committee of Sponsoring Organizations (COSO)
(COSO) - A private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute. ▪ Control environment (the COSO Internal Control framework contains only 5 components) This is the foundation for all other components of internal control. The core of any business is its people—their individual attributes, including integrity, discipline, ethical values, and competence—and the environment in which they operate. They are the engine that drives the organization and the foundation on which everything rests. 1) Commitment to integrity and ethics 2) Internal control oversight by the board of directors, independent of management 3) Structures, reporting lines, and appropriate responsibilities in the pursuit of objectives established by management and overseen by the board 4) A commitment to attract, develop, and retain competent individuals in alignment with objectives 5) Holding individuals accountable for their internal control responsibilities in pursuit of objectives ▪ Risk assessment The organization must identify, analyze, and manage its risks. Managing risk is a dynamic process. Management must consider changes in the external environment and within the business that may be obstacles to its objectives. 6) Specifying objectives clearly enough for risks to be identified and assessed 7) Identifying and analyzing risks to determine how they should be managed 8) Considering the potential for fraud 9) Identifying and assessing changes that could significantly impact the system of internal control ▪ Control activities Control policies and procedures help ensure that the actions identified by management to address risks and achieve the organization's objectives are effectively carried out. Control activities are performed at all levels and at various stages within the business process and over technology.
10) Selecting and developing controls that might help mitigate risks to an acceptable level 11) Selecting and developing general control activities over technology 12) Deploying control activities as specified in policies and relevant procedures ▪ Information and communication Information and communication systems capture and exchange the information needed to conduct, manage, and control the organization's operations. Communication must occur internally and externally to provide information needed to carry out day-to-day internal control activities. All personnel must understand their responsibilities. 13) Obtaining or generating relevant, high-quality information to support internal control 14) Internally communicating information, including objectives and responsibilities, necessary to support the other components of internal control 15) Communicating relevant internal control matters to external parties ▪ Monitoring The entire process must be monitored, and modifications made as necessary so the system can change as conditions warrant. Evaluations ascertain whether each component of internal control is present and functioning. Deficiencies are communicated in a timely manner, with serious matters reported to senior management and the board. 16) Selecting, developing, and performing ongoing or separate evaluations of the components of internal control 17) Evaluating and communicating deficiencies to those responsible for corrective action, including senior management and the board of directors, where appropriate
Production Cycle
- Design products - Forecast, plan, and schedule production - Request raw materials for production - Manufacture products - Store finished products - Accumulate costs for products manufactured - Prepare management reports - Send appropriate information to the other cycles
Information needed to pay taxes
- Government regulations - Total wage expense - Total sales
relationships
1-1 [art gallery] 1-many (FK) [prof-courses] many-many [students-courses]
What are the two primary techniques used to identify undesirable traffic patterns?
1. The simplest approach is to compare traffic patterns to a database of signatures of known attacks. 2. A more complicated approach involves developing a profile of "normal" traffic and using statistical analysis to identify packets that do not fit that profile.
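Both techniques side by side, as an added example that is not part of the course material: a tiny signature database is checked first, and packets that match no signature are scored against a statistical profile of baseline traffic (mean and standard deviation of packet size, plus the set of destination ports seen during the baseline). The packets, signatures, and threshold are constructed for illustration; a real IDS would profile many more features.

```python
"""Signature matching versus anomaly detection over constructed packet records."""
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    size: int
    payload: str


# Constructed signature database: (name, predicate that recognises the attack).
SIGNATURES = [
    ("sql-injection-probe", lambda p: "' OR 1=1" in p.payload.upper()),
    ("root-login-to-db-port", lambda p: p.dst_port == 3306 and "root" in p.payload),
]


def signature_matches(packet):
    """Technique 1: names of known-attack signatures the packet matches."""
    return [name for name, hit in SIGNATURES if hit(packet)]


def build_profile(normal_packets):
    """Technique 2, step one: profile 'normal' traffic from a baseline sample."""
    sizes = [p.size for p in normal_packets]
    return {
        "mean": statistics.mean(sizes),
        "stdev": statistics.stdev(sizes),
        "ports": {p.dst_port for p in normal_packets},
    }


def anomaly_score(packet, profile):
    """Technique 2, step two: z-score of the packet size against the baseline,
    plus a fixed penalty for a destination port never seen in the baseline."""
    z = abs(packet.size - profile["mean"]) / profile["stdev"]
    if packet.dst_port not in profile["ports"]:
        z += 3.0
    return z


def classify(packet, profile, threshold=3.0):
    """Signatures decide first; otherwise a high anomaly score flags the packet."""
    sigs = signature_matches(packet)
    if sigs:
        return "signature:" + ",".join(sigs)
    if anomaly_score(packet, profile) >= threshold:
        return "anomaly"
    return "normal"


# Constructed baseline: ten ordinary HTTPS requests of similar size.
BASELINE = [
    Packet(f"10.0.0.{i}", 443, size, "GET / HTTP/1.1")
    for i, size in enumerate([480, 500, 520, 510, 490, 505, 495, 515, 485, 500])
]
PROFILE = build_profile(BASELINE)

if __name__ == "__main__":
    for p in [
        Packet("203.0.113.9", 443, 503, "GET /index.html HTTP/1.1"),
        Packet("203.0.113.9", 443, 510, "GET /login?id=1' OR 1=1-- HTTP/1.1"),
        Packet("203.0.113.9", 443, 1500, "GET / HTTP/1.1"),
        Packet("203.0.113.9", 31337, 500, "hello"),
    ]:
        print(p.dst_port, p.size, "->", classify(p, PROFILE))
```

The signature check is cheap and precise but only catches what is already in the database; the anomaly score catches the oversized packet and the unfamiliar port without knowing what they are, at the price of needing a representative baseline and a tuned threshold.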
COSO Internal Control Framework
1. The Control Environment 2. Risk Assessment 3. Information and Communication 4. Monitoring 5. Control Activities
What are advantages of online (or real-time) processing?
1. up-to-the-minute information 2. simple (fewer steps)
What are advantages of decentralized processing?
1. usually cheaper 2. easier to add processing power 3. faster processing time when under heavy use 4. problems at one location don't shut down the entire system
6 components of AIS
1. people 2. procedures and instructions 3. data (about the organization and its business activities) 4. software 5. information technology infrastructure 6. internal controls and security measures
The controls in a computerized system are classified as a. input, processing, and output. b. input, processing, output, and storage. c. input, processing, output, and control. d. input, processing, output, storage, and control. e. collecting, sorting, summarizing, and reporting.
A
Which of the following is an example of an input control? A. making sure that reports are distributed to the proper people B. monitoring the work of data entry clerks C. collecting accurate statistics of historical transactions while gathering data D. performing a check-digit test on a customer account number E. having another person review the design of a business form
D (a check-digit test validates data as it is entered; distributing reports to the proper people is an output control)
Internal Control - Integrated Framework (IC)
A COSO framework that defines internal controls and provides guidance for evaluating and enhancing internal control systems.
ERP systems
A modular, relational database designed to include all business processes and provide comprehensive information for decisions. Modules include customer relationship management, financial management, human resource management, and supply chain management.
Botnet
A network of powerful and dangerous hijacked computers that are used to attack systems or spread malware
Entity integrity rule
A non-null primary key ensures that every row in a table represents something and can be uniquely identified.
Turnaround Documents
A paper-based document sent from an organisation to a customer and then returned.
Master File
A permanent file of records that stores cumulative data about an organization. As transactions take place, individual records within a master file are updated to keep them current
Access Control List (ACL)
A set of IF-THEN rules used to determine what to do with arriving packets
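A packet filter that applies such a rule list, as an added example (not course code): rules are walked in order, the first rule whose conditions all match decides, and a packet that matches nothing hits the implicit deny at the end. The networks, ports, and packets are constructed; the `ACL` and `MISORDERED` lists and the `evaluate` function are assumed names.

```python
"""First-match evaluation of an access control list over constructed packets."""
import ipaddress

# Each rule: (action, source network, protocol, destination port or None for any).
ACL = [
    ("deny",   "10.0.0.0/8",  "tcp", 23),    # IF telnet from the intranet THEN drop
    ("permit", "10.1.0.0/16", "tcp", 22),    # IF SSH from the admin subnet THEN allow
    ("permit", "0.0.0.0/0",   "tcp", 443),   # IF HTTPS from anywhere THEN allow
    ("permit", "10.0.0.0/8",  "udp", 53),    # IF internal DNS THEN allow
]

# Same rules with a broad "allow all intranet TCP" rule placed first: it shadows
# the telnet deny, so order, not just content, determines what the ACL does.
MISORDERED = [("permit", "10.0.0.0/8", "tcp", None)] + ACL


def evaluate(acl, src_ip, proto, dst_port):
    """Return 'permit' or 'deny' for an arriving packet under first-match rules."""
    src = ipaddress.ip_address(src_ip)
    for action, net, rule_proto, port in acl:
        in_net = src in ipaddress.ip_network(net)
        port_ok = port is None or port == dst_port
        if in_net and proto == rule_proto and port_ok:
            return action
    return "deny"  # implicit deny: nothing matched


if __name__ == "__main__":
    for ip, proto, port in [("10.1.5.5", "tcp", 23), ("10.1.5.5", "tcp", 22),
                            ("10.2.5.5", "tcp", 22), ("198.51.100.7", "tcp", 443)]:
        print(ip, proto, port, "->", evaluate(ACL, ip, proto, port))
    print("misordered telnet ->", evaluate(MISORDERED, "10.1.5.5", "tcp", 23))
```

When reviewing an ACL, check the order as carefully as the individual rules: a permissive rule placed above a specific deny silently disables the deny.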
B: Ledger accounts.
After journal entries are recorded, they are posted to: A: General journals. B: Ledger accounts. C: Income statement. D: Expense reports.
Define Transaction
Agreement between two entities to exchange goods, services, or any other event that can be measured in economic terms by an organization
What is centralized processing?
All data kept and processed at a central location (even if PC is connected to a LAN to allow data entry remotely)
legal risk
All of the following are components of audit risk except A. control risk B. legal risk C. detection risk D. inherent risk
missing data check
An employee in the sales department keyed in a customer sales order from a terminal and inadvertently omitted the sales order number. What edit would best detect this error? A. access test B. completeness test C. validity test D. missing data check E. Redundancy check
Off-page connector
An entry from, or an exit to, another page
1. Explain the auditing process.
Auditing - Objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria. a. *Stage 1 - Planning*: establish scope and objectives; organize audit team; develop knowledge of business operations; review prior audit results; identify risk factors; prepare audit program. b. *Stage 2 - Collecting Evidence*: observation of operating activities; review of documentation; discussions with employees; questionnaires; physical examination of assets; confirmation through third parties; reperformance of procedures; vouching of source documents; analytical review; audit sampling. c. *Stage 3 - Evaluating Evidence*: assess quality of internal controls; assess reliability of information; assess operating performance; consider need for additional evidence; consider materiality factors; document audit findings. d. *Stage 4 - Communicating Audit Results*: formulate audit conclusions; develop recommendations for management; prepare audit report; present audit results to management.
In an automated payroll processing environment, a department manager substituted the time card for a terminated employee with a time card for a fictitious employee. The fictitious employee had the same pay rate and hours worked as the terminated employee. The best control technique to detect this action using employee identification numbers would be a a. batch total. b. record count. c. hash total. d. subsequent check. e. financial total.
C
A: Greater integration
Compared to a more risk-averse entity, the ERM of a more risk-aggressive entity demands __________. A: Greater integration B: A discrete, autonomous ERM unit C: Lower-velocity data D: Lower performance expectations
C: Timeliness of information.
Compared to batch processing, real-time processing has which of the following advantages? A: Ease of auditing. B: Ease of implementation. C: Timeliness of information. D: Efficiency of processing.
C: Increased, increased, decreased
Compared to manual systems, automated systems have ____ risks related to remote access, ____ risks related to the concentration of information, and, ______ opportunities for directly observing processes: A: Increased, increased, increased B: Decreased, decreased, decreased C: Increased, increased, decreased D: Increased, decreased, increased
Logical view
How people conceptually organize, view, and understand the relationships among data items
Open-invoice method
Method for maintaining accounts receivable in which customers typically pay according to each invoice
System Flowchart
Depicts the relationships among system input, processing, storage, and output.
Source documents
Documents used to capture transaction data at its source - when the transaction takes place. Examples include sales orders, purchase orders, and employee time cards.
What are source documents?
Documents used to obtain the information put into the system. (IE sales invoice, time sheets, check)
Complete
Does not omit important aspects of the events or activities it measures
Computer based storage concepts
Entity, attributes, field, record, data value, file, master file, transaction file, database
Operational Audit
Examination of the economical and efficient use of resources and the accomplishment of established goals and objectives
True or False? SDLC controls do not apply to the maintenance phase.
False
Employee Pressure Triangle
Financial, emotional and lifestyle
Referential integrity rule
Foreign keys, which link rows in one table to rows in another table, must have values that correspond to the value of a primary key in that other table (or be null).
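Both integrity rules enforced by a DBMS, as an added example that is not part of the course material: the entity integrity rule above (non-null, unique primary key) and the referential integrity rule (every foreign key value must exist as a primary key in the referenced table). It uses Python's built-in sqlite3; the customer and sales order tables and rows are constructed, and the function names are assumptions.

```python
"""Entity and referential integrity violations rejected by the DBMS (sqlite3)."""
import sqlite3

SCHEMA = """
CREATE TABLE customer (
    cust_id TEXT NOT NULL PRIMARY KEY,   -- entity integrity: non-null and unique
    name    TEXT NOT NULL
);
CREATE TABLE sales_order (
    order_id INTEGER PRIMARY KEY,
    cust_id  TEXT NOT NULL REFERENCES customer(cust_id),  -- referential integrity
    amount   REAL NOT NULL
);
"""


def open_db():
    """In-memory database with one customer and one of its orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FK clauses unless enabled
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customer VALUES ('C100', 'ZYX Company')")
    conn.execute("INSERT INTO sales_order VALUES (1, 'C100', 360.0)")
    return conn


def try_exec(conn, sql, params=()):
    """Run one statement; return None on success or the integrity error text."""
    try:
        conn.execute(sql, params)
        return None
    except sqlite3.IntegrityError as exc:
        return str(exc)


def integrity_violations():
    """Attempt each kind of violation and collect what the DBMS says."""
    conn = open_db()
    return {
        # entity integrity: primary key may be neither null nor duplicated
        "null_pk": try_exec(conn, "INSERT INTO customer VALUES (NULL, 'No Key Inc')"),
        "dup_pk": try_exec(conn, "INSERT INTO customer VALUES ('C100', 'Duplicate Co')"),
        # referential integrity: no order for a customer that does not exist,
        # and no deleting a customer that still has orders
        "orphan_fk": try_exec(conn, "INSERT INTO sales_order VALUES (2, 'C999', 50.0)"),
        "delete_parent": try_exec(conn, "DELETE FROM customer WHERE cust_id = 'C100'"),
        # a well-formed order for an existing customer is accepted
        "valid_order": try_exec(conn, "INSERT INTO sales_order VALUES (3, 'C100', 75.0)"),
    }


if __name__ == "__main__":
    for case, err in integrity_violations().items():
        print(f"{case:14} -> {err or 'accepted'}")
```

Note the `PRAGMA foreign_keys = ON`: with SQLite the referential rule is declared in the schema but not enforced unless each connection turns it on, which is exactly the kind of default a control review should catch.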
Reliable
Free from error or bias; accurately represents organization events or activities
Types of control
General and application controls
B: Lack of strategic focus
Gus McCrae, an accountant at Lonesome Dove Cattle Ranch, builds a spreadsheet to track cow movements between locations. However, there are so few movements of cattle between locations that the spreadsheet is unhelpful. This problem illustrates which of the following issues? A: Inadequate scope and scalability B: Lack of strategic focus C: Lack of strategic engagement D: Digitization
Turnkey System
Hardware and software sold as a package
Triggered Exception Reports
Have a pre-specified content and format but are only prepared in response to abnormal conditions (Inventory Shortages)
7. Identify the purpose and basic activities of the human resources management (HRM)/payroll cycle.
Human Resources Management (HRM)/Payroll Cycle - The recurring set of business activities and data processing operations associated with effectively managing the employee workforce. a. Recruiting and hiring new employees b. Training c. Job assignment d. Compensation (payroll) e. Performance evaluation f. Discharge of employees due to voluntary or involuntary termination
Program Flowchart
Illustrates the sequence of logical operations performed by a computer in executing a program A program flowchart describes the specific logic used to perform a process shown in a system flowchart.
Pilot Conversion
Implements a system in one part of an organisation e.g. a branch
Delete anomaly
Improper organization of a database that results in the loss of all information about an entity when a row is deleted
Fraudulent Financial Reporting
Intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements
Cross-functional analysis
In a database system, relationships, such as the association between selling costs and promotional campaigns, can be explicitly defined and used in the preparation of management reports.
A: Managing remote access.
In a large multinational organization, which of the following job responsibilities should be assigned to the network administrator? A: Managing remote access. B: Developing application programs. C: Reviewing security policy. D: Installing operating system upgrades.
B: Internal audit staff who report to the board of directors.
In a large public corporation, evaluating internal control procedures should be the responsibility of A: Accounting management staff who report to the CFO. B: Internal audit staff who report to the board of directors. C: Operations management staff who report to the chief operations officer. D: Security management staff who report to the chief facilities officer.
C: CFO and CEO
In a public company, which of the following officers must certify the accuracy of their firm's financial statements as filed with the SEC? A: CEO and CAO B: CAO and CFO C: CFO and CEO D: CEO and COO
physical controls
Includes controlled access, computer room entry log record, data backup storage, preprinted limits on documents, inconspicuous location.
administrative controls
Includes security checks on personnel, segregation of duties, program testing after modification, rotation of computer duties, transaction limit amounts
Revenue Principle
Income is recorded when it is earned, irrespective of when the associated cash is actually received by the business. A cornerstone of accrual accounting together with the matching principle.
electronic output
Information displayed by an electronic output device such as a terminal, monitor, or screen
Which general ledger accounts would have subsidiary ledgers?
Inventory, accounts payable, payroll, and accounts receivable.
Pay-and-Return Scheme
Involves a clerk with check-writing authority who intentionally pays a vendor twice for the same invoice for the purchase of inventory or supplies. The vendor, recognizing that its customer made a double payment, issues a reimbursement check to the victim company, which the clerk intercepts and cashes.
Why is separation of duties important for internal control?
It is intended to prevent fraud and error by having more than one person required to complete a task.
Sequence Code
Items are numbered consecutively so that gaps in the sequence code indicate missing items that should be investigated.
What is a LAN?
Local Area Network
Security Controls that detect Intrusions
Log analysis, intrusion detection systems, penetration testing, continuous monitoring
Disadvantages of developing in-house
Logic and development errors; inadequately tested applications; inefficient systems; poorly controlled and documented systems; system incompatibilities; duplication of systems and data, wasting resources; increased costs
D: 1 mission, 2 vision, 3 core values
Match the statements below with the associated categories in ERM: 1. We will improve the quality of life of ... 2. We will be known for outstanding ... 3. We will treat our customers and employees with respect ... A: 1 core values, 2 risk appetite, 3 mission B: 1 strategy, 2 values, 3 vision C: 1 tolerance, 2 mission, 3 appetite D: 1 mission, 2 vision, 3 core values
Data Processing
Once data has been entered into the system, they must be processed to keep the databases current. Data processing activities are broken down into 4 activities (Also known as CRUD): 1. Creating new data records, such as adding a newly hired employee to the payroll database. 2. Reading, retrieving, or viewing existing data. 3. Updating previously stored data. Figure 2-4 depicts the steps required to update an accounts receivable record with a sales transaction. The two records are matched using the account number. The sale amount ($360) is added to the account balance ($1,500) to get a new current balance ($1,860). 4. Deleting data, such as purging the vendor master file of all vendors the company no longer does business with.
Parallel Conversion
Operates new and old AIS simultaneously for a period
Five fundamental control objective
The system must (1) protect itself from users, (2) protect users from each other, (3) protect users from themselves, (4) be protected from itself, and (5) be protected from its environment.
Document
Records of transaction or other company data (checks, invoices, receiving reports, and purchase requisitions)
Most Important Tasks of the HRM/Payroll Cycle
Recruiting and hiring new employees; training; job assignment; compensation (payroll); performance evaluation; discharge of employees due to voluntary or involuntary termination
Characteristics of Useful Information
Relevant, reliable, complete, timely, understandable, verifiable, accessible
Advantages of Purchasing
Saves time; simplifies the decision-making process; reduces errors; avoids potential for disagreement
Web-Page Spoofing
See phishing
Pass Through Fraud
Similar to the shell company fraud with the exception that a transaction actually takes place. The false vendor then purchases the needed inventory from a legitimate vendor. The false vendor charges the victim company a much higher than market price for the items, but pays only the market price to the legitimate vendor. Perpetrator pockets the difference.
B: The method of communicating the risks to internal stakeholders.
The Buy N Large Company is a diversified, multinational consumer and wholesale products company. Which of the following is least likely to be a consideration in defining the company's risk appetite related to sustainability and climate change risk? A: The resources (e.g., financial and human) available to manage the risks. B: The method of communicating the risks to internal stakeholders. C: The risk profile. D: The risk capability.
D: Discuss the CEO's behavior and challenge the CEO to overcome these issues.
The CEO of Duke & Duke has been known to yell at employees. When the board first hears about such behavior, the role of the board in relation to the CEO's behavior is most likely to be to: A: Determine if the board is independent of the CEO. B: Define the organizational culture as risk averse. C: Fire the CEO. D: Discuss the CEO's behavior and challenge the CEO to overcome these issues.
COBIT 5 Framework
The COBIT 5 framework describes best practices for the effective governance and management of IT. COBIT 5 is based on the following five key principles of IT governance and management. These principles help organizations build an effective governance and management framework that protects stakeholders' investments and produces the best possible information system.
who designs and implements procedures that prevent attackers from penetrating a company's AIS?
The Chief Information Security Officer (CISO)
D: Information, Communication, and Reporting.
The ERM component that includes email, board meeting minutes, and reports as important elements is A: Governance and Culture. B: Performance. C: Review and Revision. D: Information, Communication, and Reporting.
D: Establishing a communication program to obtain information about potential frauds
The Wasabi Electronics employee survey related to fraud risk includes this question: "Employees who report suspected improprieties are protected from reprisal." This question best relates to which of the following fraud management principles and processes? A: Establishing a fraud risk management program B: Selecting, developing, and deploying fraud controls C: Selecting, developing, and deploying evaluation and monitoring processes D: Establishing a communication program to obtain information about potential frauds
A: Database administrators.
The ability to add or update documentation items in data dictionaries should be restricted to A: Database administrators. B: System programmers. C: System librarians. D: Application programmers.
A: Business transactions.
The accounting cycle begins by recording _____________ in the form of journal entries. A: Business transactions. B: Financial information. C: Corporate minutes. D: Business contracts.
The Expenditure Cycle
The acquisition of materials, property, and labor in exchange for cash.
Process
The action that transforms data into other data or information
Data Value
The actual value stored in a field. It describes a particular attribute of an entity. For example, the customer name field would contain "ZYX Company" if that company was a customer.
Value of information
The benefit provided by information less the cost of producing it
Sales order
The document created during sales order entry listing the item numbers, quantities, prices, and terms of sales
limit check
The employee entered "40" into the "hours worked per day" field. Which check would detect this unintentional error? A. numeric/alphabetic data check B. validity check C. limit check D. reasonableness check
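The input edit checks and batch totals from the cards above, as one added example that is not part of the course material: the missing-data check (the omitted sales order number), the limit check (40 hours in a "per day" field), the check-digit test on an account number, the sequence check (gaps in consecutively numbered documents), and the batch totals that show why a hash total of employee IDs, not a record count or financial total, catches the substituted time card. The payroll records and account numbers are constructed; the course does not name a check-digit scheme, so the Luhn (mod 10) algorithm is used here as an assumption, and all function names are assumptions.

```python
"""Application input controls: edit checks on one record, totals over a batch."""


def missing_data_check(record, required_fields):
    """Completeness / missing-data check: required fields that are absent or blank."""
    return [f for f in required_fields if record.get(f) in (None, "")]


def limit_check(value, lower, upper):
    """Limit check: True only if the value lies within a fixed, predetermined range."""
    return lower <= value <= upper


def luhn_valid(number):
    """Check-digit test (Luhn, mod 10): catches single-digit typos and most
    adjacent transpositions in an account number."""
    digits = [int(c) for c in str(number)]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def sequence_gaps(numbers):
    """Sequence check: document numbers missing from an otherwise consecutive run."""
    present = set(numbers)
    return [n for n in range(min(numbers), max(numbers) + 1) if n not in present]


def batch_totals(records):
    """Record count, financial total (gross pay) and hash total (sum of employee
    IDs, a field whose sum has no business meaning but changes if any ID changes)."""
    return {
        "record_count": len(records),
        "financial_total": sum(r["gross_pay"] for r in records),
        "hash_total": sum(r["emp_id"] for r in records),
    }


# Constructed payroll batch as authorised ...
ORIGINAL = [
    {"emp_id": 1001, "hours": 40, "gross_pay": 1200.0},
    {"emp_id": 1002, "hours": 38, "gross_pay": 1140.0},
    {"emp_id": 1003, "hours": 40, "gross_pay": 1200.0},  # terminated employee
]
# ... and after the manager swaps the terminated employee's card for a fictitious
# employee with the same hours and pay rate (only the ID differs).
SUBSTITUTED = [dict(r) for r in ORIGINAL]
SUBSTITUTED[2]["emp_id"] = 1004


def substitution_detected(before, after):
    """Which batch totals change when one record is replaced by another?"""
    b, a = batch_totals(before), batch_totals(after)
    return {k: b[k] != a[k] for k in b}


if __name__ == "__main__":
    print(missing_data_check({"order_no": "", "customer": "ZYX"}, ["order_no", "customer"]))
    print(limit_check(40, 0, 24))            # 40 hours in one day fails the limit
    print(luhn_valid("79927398713"), luhn_valid("79927398710"))
    print(sequence_gaps([101, 102, 104, 105]))
    print(substitution_detected(ORIGINAL, SUBSTITUTED))
```

The last line is the point of the hash total: record count and financial total are identical before and after the swap, so only the total of the employee ID field reveals that a record was replaced.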
Data Source
The entity that produces or sends the data that is entered into a system
Data Destination
The entity that receives data produced by a system
White box
The information contained within the black box on the inside ( processing )
Entity
The item about which information is stored in a record. Examples include an employee, an inventory item, and a customer.
Electronic data interchange (EDI)
The use of computerized communications and a standardized coding scheme to submit business documents electronically in a format that can be automatically processed by the recipients
Multimodal Authentication
The use of multiple authentication credentials of the same type to achieve a greater level of security
1-b. Define AIS
a system of collecting, storing and processing financial and accounting data that is used by decision makers
Expected Loss
The mathematical product of the potential dollar loss that would occur should a threat become a reality (called impact or exposure) and the risk or probability that the threat will occur (called likelihood). = Impact X Likelihood
B: An employee.
The perpetrator of a fictitious vendor fraud is usually A: A stakeholder. B: An employee. C: A mountebank. D: A customer.
Database administrator (DBA)
The person responsible for coordinating, controlling, and managing the database
Bot Herder
The person who creates a botnet by installing software on PCs that responds to the bot herder's electronic instructions
Field
The portion of a data record where the data value for a particular attribute is stored. For ex: in a spreadsheet each row might represent a customer and each column is an attribute of the customer. Each cell in a spreadsheet is a field.
Which is most likely to be a GL control account? a. Accounts receivable b. Petty cash c. Prepaid rent d. Retained earnings
a) AR
Patch Management
The process for regularly applying updates to all software used by an organisation
Hardening
The process of modifying the default configuration of endpoints to eliminate unnecessary settings and services
Authorization
The process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform
Encryption
The process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext.
Data Storage
The process of updating one or more databases with new transactions. Databases are broken down into general and subsidiary ledgers.
Knowledge Management Systems
The process through which organizations generate value from their intellectual and knowledge-based assets
Database Management System (DBMS)
The program that manages and controls the data and the interfaces between the data and the application programs that use the data stored in the database.
Attributes
The properties, identifying numbers, and characteristics of interest of an entity that are stored in a database. Examples: employee number, pay rate, name, and address
Revenue Cycle
The recurring set of business activities and data processing operations associated with providing goods and services to customers and collecting cash in payment for those sales. The revenue cycle's primary objective is to provide the right product in the right place at the right time for the right price.
Production Cycle
The recurring set of business activities and related data processing operations associated with the manufacture of products
Multifactor Authentication
The use of two or more types of authentication credentials in conjunction to achieve a greater level of security
Physical view
The way data are physically arranged and stored in the computer system
corruption
dishonest conduct by those in power involving actions that are illegitimate, immoral, incompatible w/ethical standards
System
Two or more interrelated components that interact to achieve a goal, often composed of subsystems that support the larger system. (eg. College of Accounting a subsystem of the College of Business which is a part of a University System)
3. Explain how data storage is accomplished within an AIS.
Data must be organized so that it can be accessed and used efficiently across the organization. This is done through coding and audit trails. a. Data in ledgers is organized logically using coding techniques. Coding is the systematic assignment of numbers or letters to items to classify and organize them. b. The following guidelines result in a better coding system. The code should: o Be consistent with its intended use (the code designer determines desired system outputs before selecting the code). o Allow for growth. o Be as simple as possible to minimize costs, facilitate memorization and interpretation, and ensure employee acceptance. o Be consistent with the company's organizational structure and across divisions. c. An audit trail is a traceable path of a transaction through a data processing system from point of origin to final output, or backward from final output to point of origin.
What is the Toyota case?
Toyota Production System (TPS) philosophies, principles, and business processes supported by IT.
Transaction found under Expenditure/Procurement cycle
Track vendor performance, record inventory receipts using the goods receipt transaction, process vendor invoices, pay invoices.
Transaction v. transaction processing
Transaction - agreement between two entities to exchange goods and services. Transaction processing - transaction data is captured and processed to produce financial statements.
Give-get exchange
Transactions that happen a great many times, such as giving up cash to get inventory from a supplier and giving employees a paycheck in exchange for their labor
Hashing
Transforming plaintext of any length into a short code called a hash
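The properties behind that definition, as an added example that is not course code: a hash is fixed length however long the input, a one-character change alters most of the digest, and there is no key to reverse it (the contrast with encryption above, which is reversible by whoever holds the key). The second half shows the standard use of hashing for stored passwords: a salted, iterated hash is kept instead of the password and compared in constant time. Only the Python standard library is used; the passwords, salt, and function names are constructed assumptions.

```python
"""Hashing properties and salted password storage with hashlib."""
import hashlib
import hmac
import os


def sha256_hex(data: str) -> str:
    """Any-length text to a 64-hex-character (256-bit) digest."""
    return hashlib.sha256(data.encode()).hexdigest()


def differing_hex_digits(a: str, b: str) -> int:
    """How many positions differ between two digests (the avalanche effect)."""
    return sum(x != y for x, y in zip(a, b))


def make_password_record(password: str, salt: bytes = None, iterations: int = 200_000):
    """Store salt, iteration count and hash; never the password itself.
    The per-user salt defeats precomputed tables; iterating slows guessing."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(record, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    short, long_ = sha256_hex("abc"), sha256_hex("a" * 10_000)
    print(len(short), len(long_))                  # same length regardless of input
    print(differing_hex_digits(sha256_hex("abc"), sha256_hex("abd")), "of 64 differ")
    rec = make_password_record("correct horse battery staple")
    print(verify_password(rec, "correct horse battery staple"),
          verify_password(rec, "correct horse battery stable"))
```

Because the stored value cannot be turned back into the password, a stolen table of records forces an attacker to guess, and the salt plus iteration count makes each guess expensive and non-reusable across users.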
White-Collar Criminals
Typically, businesspeople who commit fraud. White-collar criminals usually resort to trickery or cunning, and their crimes usually involve a violation of trust or confidence.
Which of the following is NOT a step in the data processing cycle? a. Data collection b. Data input c. Data storage d. Data processing
a) Data collection
Hacking
Unauthorized access, modification, or use of an electronic device or some element of a computer system
Output Fraud
Unless properly safeguarded, displayed or printed output can be stolen
C: User accounts are not removed upon termination of employees.
When a client's accounts payable computer system was relocated, the administrator provided support through a dial-up connection to a server. Subsequently, the administrator left the company. No changes were made to the accounts payable system at that time. Which of the following situations represents the greatest security risk? A: User passwords are not required to be in alphanumeric format. B: Management procedures for user accounts are not documented. C: User accounts are not removed upon termination of employees. D: Security logs are not periodically reviewed for violations.
black box tests of program controls
When auditors do not rely on a detailed knowledge of the application's internal logic, they are performing a. black box tests of program controls b. white box tests of program controls c. substantive testing d. intuitive testing
Confirming AR
When planning the audit, information is gathered by all of the following methods except A. completing questionnaires B. interviewing management C. observing activities D. confirming accounts receivable
Describe the Revenue Cycle.
Where goods/services are sold for cash or a future promise to receive cash. Actions include: ~ Receive and answer customer inquiries ~ Take customer orders and enter them into the AIS ~ Approve credit sales ~ Check inventory availability ~ Initiate back orders for goods out of stock ~ Pick and pack customer orders ~ Ship goods to customers or perform services ~ Bill customers for goods shipped/services performed ~ Update (increase) sales and accounts receivable ~ Receive customer payments and deposit them in the bank ~ Update (reduce) accounts receivable ~ Handle sales returns, discounts, allowances, and bad debts ~ Prepare management reports ~ Send appropriate information to the other cycles
D: Monitoring.
Within the COSO Internal Control—Integrated Framework, which of the following components is designed to ensure that internal controls continue to operate effectively? A: Control environment. B: Risk assessment. C: Information and communication. D: Monitoring.
1-4. A dashboard is:
a summary screen typically used by managers
terminal
a beginning, end, or point of interruption in a process; also used to indicate an external party
what is the difference between a conceptual-level schema and an internal-level schema?
a conceptual-level schema is a high-level view of the entire database, while an internal-level schema is a low-level, more detailed view of the database.
Data Flow Diagram (DFD)
a graphical description of data sources, data flows, transformation processes, data storage, and data destinations
which preventative control is designed to stop an attacker from installing a hardware-based keystroke logging device on a computer?
a physical access control
what is the difference between a primary key and a foreign key in a database?
a primary key uniquely identifies a specific row in a table, whereas a foreign key is a primary key in another table and is used to link the two tables.
record
all the fields for one customer
during which step in the expenditure cycle could an incorrect posting to A/P occur?
approving supplier invoices
which activity in the expenditure cycle has the threat of discrepancies between the quoted price and the actual price charged?
approving supplier invoices
authorization
approving transactions and decisions
Turnkey systems
"Are completely finished and tested systems that are ready for implementation." Turnkey systems are completely finished and tested systems that are ready for implementation. These are often general-purpose systems or systems customized to a specific industry.
7. Define identity theft.
assuming someone's identity, usually for economic gain
primary key
attribute (or combo) that uniquely IDs a specific row in a table
foreign key
attribute in a table that is a PK in another table; used to link
Computer-assisted audit techniques (CAATS)
audit software that uses auditor-supplied specifications to generate a program that performs audit functions
What is a server computer?
big computer used to 'serve data' for email, a database, or the internet
Which statement is FALSE? a) Flowcharts make use of many symbols b) A document flowchart emphasizes the flow of documents or records containing data c) DFDs help convey the timing of events d) Both a & b
c) DFDs help convey the timing of events
In which cycle does a company ship goods to customers? a. Production cycle b. Financing cycle c. Revenue cycle d. Expenditure cycle
c) Revenue cycle
which of the following attributes in the cash receipts table (representing payments received from customers) would most likely be a foreign key? a) cash receipt number b) customer check number c) customer number d) cash receipt date
c) customer number
Inbound Logistics
consists of receiving, storing, and distributing the materials an organization uses to create the services and products it sells
external-level schema
consists of a set of individual user views of portions of the database (aka subschema)
preventative controls
controls that deter problems before they arise
what are cost-effective controls?
controls that offer a higher risk reduction benefit than the controls cost
FC input/output symbols
devices or media used for input to or output from processing operations; cut-off rectangle = document; terminal = bank, vendor, customer
Record layout
document that shows the items stored in a file, including the order and length of the data fields and the type of data stored
complete
does not omit important aspects of the events or activities it measures
audit committee
due to SOX: outside EE & independent directors -IC structure -financial reporting process -legal compliance
human resources cycle
during what cycle would the W4 be given out?
Which of the following is NOT an SDLC controllable activity? a. user specification b. systems authorization c. user test and acceptance procedures d. external audit participation e. all are SDLC controls
e. all are SDLC controls
Which of the following statements about the ITF technique for testing is NOT correct? a. applications may be tested directly without being removed from service b. ITF supports continuous monitoring of controls c. ITF has the potential to corrupt corporate databases d. during normal operations, test transactions are merged into the input stream of regular (production) transactions e. all of the above are correct statements
e. all of the above are correct statements
A user's application may consist of several modules stored in separate memory locations, each with its own data. One module must not be allowed to destroy or corrupt another module. This is an objective of a. EDI controls b. network controls c. Detection Risk controls d. application controls e. none of the above
e. none of the above
paper document file
file of paper documents; letters indicate file-ordering sequence: N = numerically, A = alphabetically, D = by date
which step does an attacker perform when conducting research for the purpose of penetrating an IS?
finds out the vulnerabilities of the software that the company is using
What are potential computer crime related risks and threats?
fraud, error, service interruptions and delays, disclosure of confidential information, intrusions, information theft, information manipulation, malicious software, denial of service attacks, website defacements, extortion
proper authorization
general & specific
types of controls
general controls application controls
subsidiary ledger V general ledger
general ledger - A ledger that contains summary-level data for every asset, liability, equity, revenue, and expense account of the organization. subsidiary ledger - A ledger used to record detailed data for a general ledger account with many individual subaccounts, such as accounts receivable, inventory, and accounts payable.
2NF
group the fields that belong together; no repeating rows; PK
understand the system, identify business documents, organize the flowchart, clearly label all symbols, use page connectors
guidelines for flow charts:
custodial
handling cash, tools, inventory, or fixed assets; receiving incoming customer checks; writing checks on the organization's bank account
Disaster Recovery
identifies significant events that may threaten a firm's operations and outlines the procedures that ensure the firm can smoothly resume operations if such an event occurs
document flowchart
illustrates the flow of documents and data among areas of responsibility within an organization
program flowchart
illustrates the sequence of logical operations performed by a computer in executing a program
sales invoice number
in a sales table, the most likely primary key would be: sales invoice number, inventory item number, customer name, customer number
color and price
in an inventory table, the most likely nonkey would be: item number, color, price
FC flow & misc symbols
indicate flow of data/goods; also represent where operations begin/end, decisions are made and add explanatory notes
types of computer fraud
input, processor, output
Maintenance Phase (SDLC)
involves performing changes, corrections, additions, and upgrades to ensure the system continues to meet the business goals
system development life cycle
is the process of creating or modifying information systems to meet the needs of its user
how is cross-functional analysis a database benefit?
it allows data relationships to be defined so that management reports can be easily prepared
which action does a company take during the customer order process in the revenue cycle?
it checks and approves customer credit
what is the purpose of information rights management (IRM) software?
it controls access to sensitive data
what is a benefit of a well-designed computer input screen?
it reduces data entry errors and omissions
Sequence Codes
items are numbered consecutively to account for all items. Any missing items cause a gap in the numerical sequence. Examples include prenumbered checks, invoices, and purchase orders.
What is Batch Processing?
journal entries are completed in batches (in groups) being posted together at once
when employees start working at a company, they are given a formal job description and a policy and procedures manual. the manual includes the company's vision statements and code of conduct and explains the expected business practices and procedures used at the company. the job description and manual communicate components of this company's internal environment. which two components do they communicate?
methods of assigning authority and responsibility; commitment to integrity, ethical values, and competence
investment fraud
misrepresenting/leaving out facts to promote an investment that promises fantastic profits w/little to no risk
What are input devices?
mouse, keyboard, touch screen, bar code scanner
systems documentation
narratives, flowcharts, diagrams, and other written materials that explain how a system works; used to identify weak internal controls
which tool is an example of a preventative IS control?
network access passwords
production or conversion cycle
where raw materials are transformed into finished goods
discussion questions and problems 2.3: What kinds of documents are most likely to be turnaround documents? Do an Internet search to find the answer and to find example turnaround documents. 2.3. An audit trail enables a person to trace a source document to its ultimate effect on the financial statements or work back from financial statement amounts to source documents. Describe in detail the audit trail for the following: a. Purchases of inventory b. Sales of inventory c. Employee payroll
Turnaround documents are output from a computer, with some extra information added, that are then returned to become an input document. For example, meter cards are produced for collecting readings from gas meters, photocopiers, water meters etc. The audit trail for inventory purchases includes linking purchase requisitions, purchase orders, and receiving reports to vendor invoices for payment. All these documents would be linked to the check or EFT transaction used to pay for an invoice and recorded in the Cash Disbursements Journal. In addition, these documents would all be linked to the journal entry made to record that purchase. There would be a general ledger account number at the bottom of each column in the journal. The journal reference would appear in the General Ledger, Inventory Ledger, and Accounts Payable ledger
Ciphertext
plaintext that was transformed into unreadable gibberish using encryption
Steps of SDLC
planning, analysis, design, implementation, maintenance
likelihood
probability that a threat will come to pass
normalization
process of removing redundant data to improve storage efficiency, data integrity, and scalability
Give 5 common activities of the production cycle
production cycle: give labor and give raw materials—get finished goods. Activities: Design products; Forecast, plan, and schedule production; Request raw materials for production; Manufacture products; Store finished products; Accumulate costs for products manufactured; Prepare management reports
a company changes to a lean manufacturing process to minimize inventories in the manufacturing plant. which activity of the production cycle will this impact the most?
production operations
What is a trojan horse?
program that appears useful but contains hidden function that presents a security risk
What is a virus?
program that copies itself and then causes other programs to malfunction
examples of control
proper authorization of transactions & activities segregation of duties
a company has a policy that all purchase orders $100,000 or greater be approved by the controller prior to being entered into the AIS. which category does this control procedure relate to?
proper authorization of transactions and activities
timely
provided in time for decision makers to make decisions
2.1. Table 2-1 lists some of the documents used in the revenue, expenditure, and human resources cycle. What kinds of input or output documents or forms would you find in the production (also referred to as the conversion) cycle?
• Requests for items to be produced • Documents to plan production • Schedule of items to be produced • List of items produced, including quantity and quality • Form to allocate costs to products • Form to collect time spent on production jobs • Form requesting raw materials for production process • Documents showing how much raw materials are on hand • Documents showing how much raw materials went into production • List of production processes • List of items needed to produce each product • Documents to control movement of goods from one location to another
SOX
requires companies to document processes and internal controls
control activities
responses, control policies and procedures are established and implemented throughout the various levels and functions
5 common activities of the revenue cycle
revenue cycle - encompasses all transactions involving sales to customers and the collection of cash receipts for those sales. give goods OR give service—get cash. Activities: Receive and answer customer inquiries; Take customer orders and enter them into the AIS; Approve credit sales; Check inventory availability; Initiate back orders for goods out of stock; Pick and pack customer orders; Ship goods to customers or perform services; Bill customers for goods shipped or services performed; Update (increase) sales and accounts receivable; Receive customer payments and deposit them in the bank; Update (reduce) accounts receivable; Handle sales returns, discounts, allowances, and bad debts; Prepare management reports
Postimplementation Review
review made after a new system has been operating for a brief period to ensure that the new system is meeting its planned objectives, identify the adequacy of system standards, and review system controls
residual risk
risk that remains after management implements internal controls, or some other response
inherent risk
risks that exist before management takes any steps to control the likelihood or impact
firm infrastructure, human resource management, technology, purchasing
secondary activities of the value chain
Control Objectives for Information and Related Technology (COBIT)
security and control framework that allows management to benchmark the security and control practices of its IT environments, users of IT services to be assured that adequate security and control exist, and auditors to substantiate their internal control opinions and advise on IT security and control matters (developed by the Information Systems Audit and Control Association [ISACA])
which tool is used to identify system vulnerabilities?
security testing
Segregation of Accounting Duties
separating the accounting functions of authorization, custody, and recording to minimize an employee's ability to commit fraud
How does XBRL benefit organizations?
serves as a means to electronically communicate business information to facilitate business reporting of financial and nonfinancial data to users; greatly enhances the speed and accuracy of business reporting. Benefits: more efficient data collection and reporting; easier data consumption and analysis; cost savings by preparing data in one form and automatically generating many outputs; better analysis, forecasting, and decision making; improved relationships and communication with investors; freedom from proprietary systems and software
which activity in the revenue cycle involves picking and packing a customer order?
shipping
What is the general ledger?
shows all transactions in each account type
What are two major privacy-related concerns?
spam and identity theft
data sources/destination
squares e.g. customers/banks
1-a. XBRL (extensible business reporting language) is
the computer language of choice for reporting business activities
logical view
the data view that shows how the user or programmer conceptually organizes and understands the data is the:
Database system
the data-base, the DBMS, and the applications programs that access the database through the DBMS
Data Flow
the movement of data among processes, stores, sources, and destinations.
If P > D + C, then
the organization's security procedures are effective; otherwise, security is ineffective
What is project management?
the planning, organizing, supervising and directing of an IT project
flowchart
which are accountants more likely to use: flowcharts or BPD
Inherent Risk
the susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control
costs of information
the time and resources spent to produce and distribute the information
Misappropriation of Assets
theft of a company's assets by employees
DML
used for maintenance, including updating, inserting, deleting portions
DDL
used to: 1) build the data dictionary 2) initialize/create the database 3) describe logical views 4) specify limitations/constraints on security imposed on records/fields
What is web mining?
uses internet search engines to identify patterns on the web or on specific websites
What is symmetric cryptography?
uses the same key to both encode and decode data
What is data mining?
using algorithms to discover relationships or patterns in data
auditors must understand the automated and manual processes used, as evidenced by narratives, flowcharts, and business diagrams
what does SAS-94 say?
vendor performance
what information needs are generally associated with the acquire inventory business process
the purchase order triggers a sales order from the vendor
what is the difference in a purchase order and a sales order?
all of these
what tables were needed in the query that answered the question "how many televisions were sold in October": sales table, inventory table, sales-inventory table
financing cycle
where companies sell shares in the company to investors and borrow money and where investors are paid dividends and interest is paid on loans
Human Resources/Payroll Cycle
where employees are hired, trained, compensated, evaluated, promoted and terminated
all of these are requirements
which of the following is not a basic requirement of a relational database: every column in a row must be single valued, primary keys cannot be null, foreign keys, if not null, must have values that correspond to the value of a primary key in another table, all nonkey attributes in a table should describe a characteristic about the object identified by the primary key
it is inexpensive
which of the following is not a characteristic that makes information useful: it is reliable, it is timely, it is inexpensive, it is relevant
Chart of accounts
a listing of all numbers assigned to balance sheet and income statement accounts. The account numbers allow transaction data to be coded, classified, and entered into proper accounts. They also facilitate financial statement report preparation.
Steps in Data Processing Cycle
1. Data Input 2. Data storage 3. Data processing 4. Information output
The advantages of database systems
1. Data integration 2. Data sharing 3. Minimal data redundancy and data inconsistencies 4. Data independence 5. Cross-functional analysis
What is a hierarchical database?
An outdated method where you need data at a higher level to obtain data at a lower level.
flowchart
describes pictorially the transaction processing procedures a company uses and the flow of data through a system; change of control; consistent timing
general controls
designed to ensure an organization's control environment is stable and well managed 1. Information systems management controls 2. Security management controls 3. Information technology infrastructure controls 4. Software acquisition, development, and maintenance controls
D: An automated receiving system that includes multiple points of scanning of received goods
Happy's Nutty Clownery ordered 82 bags of balloons from a supplier but received only 28. Which of the following controls is most likely to have caught this error? A: Separation of duties in cash receipts B: Formalizing the process for authorizing the purchase of goods C: Requiring purchasing agents to disclose relationships with vendors and purchasers D: An automated receiving system that includes multiple points of scanning of received goods
B: The credit manager.
Harold is a sales person at a jeweler. His friend Robert wants to buy a ring for his fiancée. Who should establish the credit limit for Robert's purchase? A: Harold. B: The credit manager. C: The sales manager. D: Any of the above.
Demand Reports
Have a pre-specified content and format that are prepared only on request
Safeguard assets
Prevent/detect unauthorized acquisition/use
Functions of Internal Control
Preventative, Detective and Corrective
What are the three controls used to protect information systems?
Preventative, detective and corrective
Functions of internal control.
Prevention, detection and correction.
which component in this system flowchart represents a manual transaction?
*image* compare & reconcile
what do the rectangles in this system flowchart represent?
*image* computer processes
Management can respond to risk in four ways:
1 Reduce 2 Accept 3 Share 4 Avoid
Foreign Key
An attribute in one table that is a primary key in another table
Data Flow Diagram
Shows the flow of data within a system
Common reasons for Information System failures
● Information is available to an unprecedented number of workers. Chevron, for example, has over 35,000 PCs. ● Information on distributed computer networks is hard to control. At Chevron, information is distributed among many systems and thousands of employees worldwide. Each system and each employee represent a potential control vulnerability point. ● Customers and suppliers have access to each other's systems and data. For example, Walmart allows vendors to access their databases. Imagine the confidentiality problems as these vendors form alliances with Walmart competitors.
Functions of Internal Controls
● Preventive Controls (Controls that deter problems before they arise) ● Detective Controls (Controls designed to discover control problems that were not prevented) ● Corrective Controls (Controls that identify and correct problems as well as correct and recover from the resulting errors)
Management Response to Risk
● Reduce : Reduce the likelihood and impact of risk by implementing an effective system of internal controls. ● Accept : Accept the likelihood and impact of the risk. ● Share : Share risk or transfer it to someone else by buying insurance, outsourcing an activity, or entering into hedging transactions. ● Avoid : Avoid risk by not engaging in the activity that produces the risk. This may require the company to sell a division, exit a product line, or not expand as anticipated.
Bill of lading
A legal contract that defines responsibility for goods while they are in transit
File
A set of logically related records, such as payroll records of all employees
Timely information
Provided in time for decision makers to make decisions.
What is a limit check?
Used to identify field values that exceed an authorized limit.
Authentication
Verifies who a person is
7-2. the part of the data hierarchy that represents one instance of an entity is a:
a. field b. record * c. file d. database
which is a software program that runs a database system? a) DQL b) DBMS c) DML d) DDL
b) DBMS
database
data stored electronically in database
what is the formula to calculate expected loss?
expected loss = impact × likelihood
What is asymmetric cryptography?
the sender encrypts the message with the receiver's public key and the receiver decrypts it with the matching private key
What is the function of a CORRECTIVE control?
to remedy problems after they occur in an AIS
What can be used to assess the adequacy of a client's access controls?
" Penetration testing." Many firms are now performing penetration tests designed to assess access control by imitating known techniques that hackers use.
Which of the following is considered an intentional threat to the integrity of the operating system?
"individuals who browse the operating system to identify and exploit security flaws." These include systems programmers who access individual user files and operating systems developers who include a back door to avoid normal login procedures.
Access tests
"verify that individuals or programs are valid." Access tests verify that individuals or programs are valid. Access tests verify that individuals, programmed procedures, or messages (e.g., electronic data interchange [EDI] transmissions) attempting to access a system are authentic and valid. Access tests include verifications of user IDs, passwords, valid vendor codes, and authority tables.
The author distinguishes between the accounting information system and the management information system based on
"whether the transactions are financial or nonfinancial that directly affect the processing of financial transactions." The AIS captures financial transactions to support systems around the revenue, expenditure and conversion cycles. The MIS captures nonfinancial transactions to support systems for marketing, inventory, manufacturing and human resources.
rules of relational database
-every column must be single valued -PK cannot be null -FK (if not null) must have values that correspond to the value of a PK in another table -all nonkey attributes must describe a characteristic of the object identified by the PK
What are the 32 management processes set forth by the COBIT 5?
1 Align, plan and organize (APO) 2 Build, acquire, and implement (BAI) 3 Deliver, service and support (DSS) 4 Monitor, evaluate, and assess (MEA)
The Security-Life Cycle
1 Assess threats and select risk response 2 Develop and communicate policy 3 Acquire and implement solutions 4 Monitor performance
Data Storage Elements
1 Attributes 2 Data Values 3 Field 4 Entity 5 Records
Data Processing
1 Creating 2 Reading 3 Updating 4 Deleting
A typical misappropriation has the following important elements or characteristics. The perpetrator:
1 Gains trust or confidence of the entity being defrauded 2 Uses trickery, cunning, false or misleading info to commit fraud 3 Conceals the fraud by falsifying records or other info 4 Rarely terminates the fraud voluntarily 5 Sees how easy it is to get extra money 6 Spends the ill-gotten gains 7 Gets greedy 8 Grows careless or overconfident as time passes
Internal controls are often segregated into two categories:
1 General controls make sure an organization's control environment is stable and well managed 2 Application controls prevent, detect, and correct transaction errors and fraud in application programs
Primary Activities in Value Chain
1 Inbound Logistics 2 Operations 3 Outbound Logistics 4 Marketing and Sales 5 Service
Flowcharting Symbols Categories
1 Input/Output Symbols 2 Processing Symbols 3 Storage Symbols 4 Flow and Miscellaneous Symbols
Six Data Storage Concepts
1 Ledgers 2 Coding Techniques 3 Chart of Accounts 4 Journals 5 Audit Trail 6 Computer Based Storage Concepts
Four levels of control to help management reconcile the conflict between creativity and controls are... (set by Robert Simons)
1. Belief System: describes how a company creates value 2. Boundary System: helps employees act ethically 3. Diagnostic Control System: measures, monitors, and compares actual company progress to budget and performance goals 4. Interactive Control System: helps managers to focus subordinates' attention on key strategic issues and to be more involved in their decisions
Data Input Steps (3)
1. Capture transaction data triggered by a business activity (event). 2. Make sure captured data are accurate and complete. 3. Ensure company policies are followed (e.g., approval of transaction).
Three Important Business Functions Fulfilled by an AIS
1. Collect and store data about organizational activities, resources, and personnel. 2. Transform data into information so management can plan, execute, control, and evaluate activities, resources, and personnel. 3. Provide adequate controls to safeguard the organization's assets and data.
What are examples of corrective controls?
1. Computer incident response teams (CIRT) 2. Chief information security officer (CISO) 3. Patch management
Steps Attackers Take to Penetrate an Information System
1. Conduct Reconnaissance; Perusing an organization's financial statements, SEC filings, website, and press releases. Goal is to learn as much as possible about the target, and to identify potential vulnerabilities. 2. Attempt Social Engineering (Using deception to obtain unauthorized access to information resources) 3. Scan and map the target; conduct more detailed reconnaissance to identify potential points of remote entry. Attacker may use automated tools to identify computers that can be remotely accessed and the types of software they are running. 4. Research; Once targets are identified, attackers learn as much as they can about software vulnerabilities. 5. Execute the attack; 6. Cover tracks; Cover tracks and Create "back doors" that they can use to obtain access if their initial attack is discovered and controls are implemented to block that method of entry.
What are the basic steps criminals use to attack an organization's information system?
1. Conduct reconnaissance 2. Attempt social engineering (using deception to obtain unauthorized access to information resources) 3. Scan and map the target 4. Research 5. Execute the attack 6. Cover Tracks
What are ways you can make software user friendly?
1. Easy to Navigate 2. Customizable preferences 3. Efficient 4. Simple design, not too much information displayed...
Application Controls
1. Input Controls 2. Process Controls 3. Output Controls
What are the Application Controls for IT environments?
1. Input controls 2. Processing controls 3. Output controls
Four categories of flowcharting symbols
1. Input/output symbols 2. Processing symbols 3. Storage symbols 4. Flow and miscellaneous symbols
Flowchart Symbols
1. Input/output symbols show input to or output from a system. 2. Processing symbols show data processing, either electronically or by hand. 3. Storage symbols show where data is stored. 4. Flow and miscellaneous symbols indicate the flow of data, where flowcharts begin or end, where decisions are made, and how to add explanatory notes to flowcharts.
What are the three important factors that determine the strength of any encryption system?
1. Key length (longer=better) 2. Encryption Algorithm 3. Policies for managing the cryptographic keys
Components of internal environment
1. Management's philosophy, operating style, and risk appetite 2. Commitment to integrity, ethical values, and competence 3. Internal control oversight by the board of directors 4. Organizational structure 5. Methods of assigning authority and responsibility 6. Human resource standards that attract, develop, and retain competent individuals 7. External influences
COBIT 5 key principles
1. Meeting stakeholder needs : COBIT 5 helps users customize business processes and procedures to create an information system that adds value to its stakeholders. It also allows the company to create the proper balance between risk and reward. 2. Covering the enterprise end-to-end : COBIT 5 does not just focus on the IT operation, it integrates all IT functions and processes into companywide functions and processes. 3. Applying a single, integrated framework : COBIT 5 can be aligned at a high level with other standards and frameworks so that an overarching framework for IT governance and management is created. 4. Enabling a holistic approach : COBIT 5 provides a holistic approach that results in effective governance and management of all IT functions in the company. 5. Separating governance from management : COBIT 5 distinguishes between governance and management.
Activities in Expenditure Cycle
1. Ordering materials, supplies, and services 2. Receiving materials, supplies, and services 3. Approving supplier invoices 4. Cash disbursements
What steps should the CIRT team lead the organization's incident response process through?
1. Recognition that a problem exists 2. Containment of the problem 3. Recovery 4. Follow-Up
Objectives of Information Systems Audits
1. Security provisions protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction. 2. Program development and acquisition are performed in accordance with management's general and specific authorization. 3. Program modifications have management's authorization and approval. 4. Processing of transactions, files, reports, and other computer records is accurate and complete. 5. Source data that are inaccurate or improperly authorized are identified and handled according to prescribed managerial policies. 6. Computer data files are accurate, complete, and confidential.
The three major subsystems of the Accounting Information System.
1. The Management Information System 2. Transaction Processing System 3. General Ledger/Financial Reporting System
What are advantages of Batch processing?
1. able to correct errors before posting 2. Easier to trace transactions for the auditing process 3. segregation of duties
What are advantages of centralized processing?
1. better data security 2. consistent processing
What are the main things to assess when choosing new accounting software?
1. cost 2. budget 3. timeframe to implement
Knowledge Management Steps
1. create a supportive organizational culture 2. define business goals 3. perform a knowledge audit 4. create a visual map 5. develop a knowledge management strategy 6. purchase or build appropriate tools 7. periodically reassess the value of the KMS and adjust accordingly
What are advantages of a database management system?
1. data redundancy 2. potential for data sharing between programs 3. data independence 4. data standardization 5. improved data security 6. availability of information and effectiveness
What are tips for average computer users to be safer?
1. don't write down your password 2. have a good antivirus 3. never open email attachments unless you are certain of their source 4. never click links given in an email unless you are certain they are safe 5. avoid illegal software copying 6. maintain complete backup files in case you must start from scratch
match each description to its corresponding framework: 1. it contains only five components 2. it uses a three-dimensional model 3. it consolidates control standards from 36 control standards into a single framework
1. it contains only five components = COSO's internal control framework 2. it uses a three-dimensional model = COSO's enterprise risk management framework 3. it consolidates control standards from 36 control standards into a single framework = COBIT framework
What are the characteristics of a strong password?
1. length (longer is stronger) 2. complex (num, lowercase, uppercase, non num characters) 3. frequency of password change 4. password reuse (don't reuse a password)
What are disadvantages of shadow data?
1. poor error testing 2. poor data security 3. poor documentation
Data flow diagram
1. Data flow diagrams represent the flow of data through a system such as one or more business processes. 2. They are constructed with increasing detail to facilitate new system design. 3. They use limited symbols and are easy to read and understand. 4. They are created in pairs: physical (what positions do the work) and logical views (what work gets done).
25. Which of the following is an example of an input error correction technique? a. immediate correction b. rejection of batch c. creation of error file d. all are examples of input error correction techniques
D
b. may take the form of either a SYN flood or smurf attack.
A DDoS attack is more intensive than a. DoS attack because it emanates from a single source. b. may take the form of either a SYN flood or smurf attack. c. is so named because it affects many victims simultaneously, which are distributed across the Internet. d. turns the target victim's computers into zombies that are unable to access the Internet. e. none of the above is correct.
computer processing
A computer-performed processing function; usually results in a change in data or information
Audit Trail
A path that allows a transaction to be traced through a data processing system from point of origin to output or backwards from output to point of origin. It is used to check the accuracy and validation of ledger postings and to trace changes in general ledger accounts from their beginning balance to their ending balance
Master File
A permanent file of records that stores cumulative data about an organization. As transactions take place, individual records within a master file are updated to keep them current.
Pressure
A person's incentive or motivation for committing fraud; split into financial statement pressure triangle and employee pressure triangle
detective control
A physical inventory count is an example of a A. preventive control B. detective control C. corrective control D. Feed-forward control
Document
A record of a transaction or other company data. Examples include checks, invoices, receiving reports, and purchase requisitions.
Enterprise Resource Planning Systems (ERP)
A system that integrates all aspects of an organization's activities, such as accounting, finance, marketing, human resources, manufacturing, and inventory management, into one system. An ERP system is modularized; companies can purchase individual modules that meet their specific needs. An ERP facilitates information flow among the company's various business functions and manages communications with outside stakeholders.
ERP System
A system that integrates an organisation's information into one overall AIS
What is an accounting information system?
A system that records, processes, and reports both financial and non-financial information.
e. none of the above.
A user's application may consist of several modules stored in separate memory locations, each with its own data. One module must not be allowed to destroy or corrupt another module. This is an objective of a. EDI controls. b. network controls. c. computer center and security controls. d. application controls. e. none of the above.
Business Process Diagram
A visual way to describe the different steps or activities in a business process
Cross-Site Scripting (XSS)
A vulnerability in dynamic web pages that allows an attacker to bypass a browser's security mechanisms and instruct the victim's browser to execute code, thinking it came from the desired website
C: Change management.
According to COSO, the use of ongoing and separate evaluations to establish a new baseline after changes have been made can best be accomplished in which of the following stages of the monitoring-for-change continuum? A: Control baseline. B: Change identification. C: Change management. D: Control revalidation/update.
B: A comprehensive marketing plan is implemented, and management reviews actual performance to determine the extent to which benchmarks were achieved.
According to COSO, which of the following activities provides an example of a top-level review as a control activity? A: Computers owned by the entity are secured and periodically compared with amounts shown in the records. B: A comprehensive marketing plan is implemented, and management reviews actual performance to determine the extent to which benchmarks were achieved. C: Reconciliations are made of daily wire transfers with positions reported centrally. D: Verification of status on a medical claim determines whether the charge is appropriate for the policy holder.
C: Information and communication.
According to the 17 COSO control principles, information quality primarily relates to which fundamental component of internal control: A: Control activities. B: Control environment. C: Information and communication. D: Monitoring.
B: The responsibilities never transfer to the outsourced party.
According to the COSO internal control framework, if an organization outsources certain activities within the business to an outside party: A: Responsibility also transfers to the outside party. B: The responsibilities never transfer to the outsourced party. C: The responsibilities only transfer if the outside party explicitly agrees to accept responsibility. D: The organization is no longer accountable for the outsourced activities.
Human Resources/Payroll Cycle
Activities associated with hiring, training, compensating, evaluating, promoting, and terminating employees.
Expenditure cycle
Activities associated with purchasing inventory for resale or raw materials in exchange for cash or a future promise to pay cash
Revenue cycle
Activities associated with selling goods and services in exchange for cash or a future promise to receive cash
Sarbanes-Oxley Act (2002)
Addresses plummeting institutional and individual investor confidence triggered in part by business failures and accounting restatements. Written to deal with problems related to capital markets, corporate governance, and the auditing profession, and has fundamentally changed the way public companies do business and how the accounting profession performs its attest function.
D: Unusual and manually posted.
Adjusting journal entries are of additional concern when they are A: Automated accruals or deferrals. B: RFID driven. C: Unusual and automated. D: Unusual and manually posted.
C: The controller.
Adjusting journal entries are often the responsibility of A: Production managers. B: The corporate finance officer. C: The controller. D: The JE clerk.
Flowchart
An analytical technique that uses a standard set of symbols to describe pictorially some aspect of an IS in a clear, concise and logical manner
Foreign Key
An attribute in a table that is also a primary key in another table; used to link the two tables. If not null, foreign keys must have values that correspond to the value of a primary key in another table (referential integrity rule)
B: Increased responsiveness and flexibility while aiding in the decision-making process.
An enterprise resource planning (ERP) system has which of the following advantages over multiple independent functional systems? A: Modifications can be made to each module without affecting other modules. B: Increased responsiveness and flexibility while aiding in the decision-making process. C: Increased amount of data redundancy, since more than one module contains the same information. D: Reduction in costs of implementation and training.
Investigative Audit
An examination of incidents of possible fraud, misappropriation of assets, waste and abuse, or improper governmental activities
Prototyping
An experimental version of the system requested by users
C: Strategy and Objective-Setting
AppleNCheese Food Products recently completed a systematic analysis of the political, economic, social, technological, legal, and environmental conditions that it expects in the short and the long term. This analysis most likely occurs as a part of which component in the ERM framework? A: Governance and Culture B: Performance C: Strategy and Objective-Setting D: Information, Communication, and Reporting
What items are reported on a Balance Sheet?
Assets, liabilities, and owner's equity.
22. Risk exposures associated with creating an output file as an intermediate step in the printing process (spooling) include all of the following actions by a computer criminal except a. gaining access to the output file and changing critical data values b. using a remote printer and incurring operating inefficiencies c. making a copy of the output file and using the copy to produce illegal output reports d. printing an extra hardcopy of the output file
B
Which of the following controls would best prevent the lapping of AR A. segregate duties so that the clerk responsible for recording in the AR subsidiary ledger has no access to the general ledger B. request that customers review their monthly statements and report any unrecorded cash payments C. separate the tasks of depositing cash receipts and posting to the AR subledger D. request that customers make checks payable to the company
B
Which of the following is an example of an input control? a. making sure that output is distributed to the proper people b. monitoring the work of programmers c. collecting accurate statistics of historical transactions while gathering data d. recalculating an amount to ensure its accuracy e. having another person review the design of a business form
B
An employee in the receiving department keyed in a shipment from a remote terminal and inadvertently omitted the purchase order number. The best application control to detect this error would be a A. batch total B. missing data check C. completeness check D. reasonableness test E. compatibility test
B
A: An aged trial balance, to determine the age and collectability of accounts receivable.
Billy Bigswater reviews a listing of each customer and how long each amount owed by a customer has been outstanding. This is most likely A: An aged trial balance, to determine the age and collectability of accounts receivable. B: A customer order document, to determine if the correct items were shipped to a customer. C: A customer invoice, to determine if a customer's bill is correct. D: A bill of lading, to determine if the correct items were shipped to a customer.
Block code
Blocks of numbers that are reserved for specific categories of data, thereby helping to organize the data. An example is a chart of accounts.
UNIT 5 FORM A - How are vendors able to reduce the unit cost of general accounting systems to a fraction of in-house development costs?
"By mass producing a standard system." By mass producing a standard system, the vendor can reduce the unit cost of these systems to a fraction of in-house development costs.
In an automated payroll processing environment, a department manager substituted the time card for a terminated employee with a time card for a fictitious employee. The fictitious employee had the same pay rate and hours worked as the terminated employee. The best control to detect this action using employee identification numbers is a A. batch total B. record count C. hash total D. subsequent check E. financial total
C
cost of services
COS
Data Input
Capture transaction data and enter them into the system. The data capture process is usually triggered by a business activity. Data must be collected about three facets of each business activity: 1. Each activity of interest 2. The resource(s) affected by each activity 3. The people who participate in each activity
Source Data Automation
Captures data at the source when the transaction takes place
Transaction found under financing cycle
Cash position analysis, debt repayment schedule, debt covenant management, sending information to other business cycles.
Endpoints
Collective term for the workstations, servers, printers, and other devices that comprise an organization's network
COSO
Committee of Sponsoring Organizations (e.g. AICPA, AAA, FEI); guidance for evaluating the internal control system for management. Components: control environment, risk assessment, control activities, information and communication, monitoring
The Conversion Cycle
Comprised of the production system and the cost accounting system. Production System: involves the planning, scheduling, and control of the physical product through the manufacturing process. The Cost Accounting System: monitors the flow of cost information including labor, overhead and raw materials related to production.
Nonrepudiation
Creating legally binding agreements that cannot be unilaterally repudiated by either party
Chief Information Security Officer
Critical enabler to achieve effective controls and security. Should be independent of other information systems functions and should report to either the COO or CEO
IT Controls that are used to preserve confidentiality
Encryption; training; access controls; identify and classify information
Which of the following is NOT a test for identifying application errors? a. reconciling the source code b. reviewing test results c. retesting the program d. testing the authority table
D
Which of the following situations is NOT a segregation of duties violation? A. the treasurer has the authority to sign checks but gives the signature block to the assistant treasurer to run the check-signing machine B. the warehouse clerk, who has custodial responsibility over inventory in the warehouse, selects the vendor and authorizes purchases when inventories are low C. the sales manager has the responsibility to approve credit and the authority to write off accounts D. the department time clerk is given the undistributed payroll checks to mail to absent employees E. the accounting clerk who shares the record-keeping responsibility for the AR subsidiary ledger performs the monthly reconciliation of the subsidiary ledger and the control account
D
Takes place as transactions are entered into the system
Data validations of individual transactions in a direct access file processing system usually A. takes place in a separate computer run B. is performed at the beginning of each run C. takes place as transactions are entered into the system D. takes place during a backup procedure E. Is not performed because no batch exists in direct access file systems F. Is performed at the beginning of each run
Internal controls related to XBRL - risk of compromised data
Daily data backups, firewalls, mandatory password changes, "strong" password requirements, password-protected access, virus protection software
Steps in the data processing cycle
Data Input, Data Storage, Data Processing, Information Output
Data Processing Cycle
Data Input, Data Processing, Information Output, Data Store
The advantages of database systems
Data integration, data sharing, minimal data redundancy and data inconsistencies, data independence, cross-functional analysis
What is the difference between data and information?
Data are raw facts (i.e., numbers) that describe an event and have little meaning on their own. Information is data organized to be meaningful for the user. Data serves as an input.
Which access point is the most common for committing computer fraud?
"Data collection." The data collection stage is the most common access point for perpetrating computer fraud.
B: staffing increases or decreases due to restructuring; email about decision making and performance.
Data from ______________ is typically structured, while data from ________ is typically unstructured. A: board meeting minutes; a governmental water scarcity report that is used by a beverage company B: staffing increases or decreases due to restructuring; email about decision making and performance. C: emerging interest in a new product from a competitor; an entity's risk tolerance D: marketing reports from website tracking services; government-produced geopolitical reports and studies
Processing Controls
Data matching, File Labels, Batch Total Recalculation, Cross footing and zero balance tests and write protection
The COBIT 5 Framework
Describes best practices for the effective governance and management of IT: 1. Meeting stakeholder needs 2. Covering the enterprise end-to-end 3. Applying a single, integrated framework 4. Enabling a holistic approach 5. Separating governance from management. The five governance processes are referred to as EDM (evaluate, direct and monitor).
Belief system
Describes how a company creates value, helps employees understand management's vision, communicates company core values, and inspires employees to live by those values
Detective controls
Designed to discover control problems that were not prevented
Risk Based Audit Approach
Determine threats, Identify control procedures, evaluate control procedures and evaluate control weakness
Transaction Authorization
Ensuring that all material transactions processed by the information system are valid and in accordance with management's objectives is an example of A. transaction authorization B. Supervision C. Accounting Records D. Independent Verification
COSO-ERM
Enterprise Risk Management. Objectives: reasonable assurance that problems/surprises are minimized; achieve financial/performance targets; assess risk continuously and how to mitigate it; avoid adverse publicity. Components: internal environment, objective setting*, event identification*, risk assessment*, risk response*, control activities, information and communication, monitoring
Information Systems (Internal Control) Audit
Examination of the general application controls of an IS to assess its compliance with internal control policies and procedures and its effectiveness in safeguarding assets
Information overload
Exceeding the amount of information a human mind can absorb and process, resulting in a decline in decision-making quality and an increase in the cost of providing information
3. Identify the purpose and basic activities of the expenditure cycle.
Expenditure Cycle - A recurring set of business activities and related data processing operations associated with the purchase of and payment for goods and services. The primary objective in the expenditure cycle is to minimize the total cost of acquiring and maintaining inventories, supplies, and the various services the organization needs to function. a. *Ordering materials, supplies, and services* b. *Receiving materials, supplies, and services* c. *Approving supplier invoices* Threats: 1. errors on supplier invoices, such as discrepancies between quoted and actual prices charged or miscalculations of the total amount due. 2. incorrect postings to A/P d. *Cash disbursements*
What is a system flowchart?
Flowcharts used to show the relationship between the key elements - input sources, programs, and output products - of computer systems.
Normalization
Following relational database creation rules to design a relational database that is free from delete, insert, and update anomalies
Hijacking
Gaining control of someone else's computer to carry out illicit activities, such as sending spam without the computer user's knowledge
What is a digital dashboard
Graphs and charts of key performance indicators are displayed on a single screen.
Special Purpose Analysis Reports
Have no specified content or format and are not prepared on a regular schedule
C: An anonymous hotline set up by Jiffy Grill.
Henry Higgins of Jiffy Grill has learned that the controller is likely embezzling money to fund an expensive drug and gambling habit. Ideally, Henry should communicate this information to: A: The controller. B: His boss. C: An anonymous hotline set up by Jiffy Grill. D: His employees.
C: Picking ticket.
Hildegard works at Amazon in the warehouse. What is the screen called that she most likely uses to assemble the goods for customers' orders for shipping? A: Sales order. B: Invoice. C: Picking ticket. D: Bill of lading.
Limited Brands supply chain case
How did Limited Brands solve these problems? What management, organization, and technology issues were addressed by the solution? Ans. Revolutionized their supply chain software. Management: Limited Logistics Services launched several programs in an attempt to ease the supply chain problems. Organization: Limited Brands united their entire information operations under one entity called Limited Technologies Services. Technology: contracted Tibco to create a global SCM; enabled OSCAR.
D: Reducing system complexity
Hubert Humbert Fashion Designers is considering implementing an organization-wide ERP. Which of the following is least likely to be a motivation for implementing such a system? A: Reducing and eliminating data redundancy B: Improving organizational agility C: Improving data analytic capabilities D: Reducing system complexity
Corrective controls
Identify and correct problems as well as correct and recover from the resulting errors
4. Interpret a document flowchart and its components.
Illustrates the flow of documents and data among areas of responsibility within an organization. They trace a document from its cradle to its grave, showing where each document originates, its distribution, its purpose, its disposition, and everything that happens as it flows through the system.
Time-Based Model of Security
Implementing a combination of preventive (P), detective (D), and corrective (C) controls that protect information assets long enough to enable an organization to recognize that an attack is occurring and take the steps to thwart it before any information is lost or compromised
c. authorized trading partners have access only to approved data
In an electronic data interchange (EDI) environment, when the auditor compares the terms of the trading partner agreement against the access privileges stated in the database authority table, the auditor is testing which audit objective? a. all EDI transactions are authorized b. unauthorized trading partners cannot gain access to database records c. authorized trading partners have access only to approved data d. a complete audit trail is maintained
c. access the vendor's inventory file with read-only authority
In an electronic data interchange (EDI) environment, customers routinely a. access the vendor's accounts receivable file with read/write authority b. access the vendor's price list file with read/write authority c. access the vendor's inventory file with read-only authority d. access the vendor's open purchase order file with read-only authority
ERP System
Increased responsiveness and flexibility while aiding in the decision-making process. It is an enterprise-wide information system designed to coordinate all the resources, information, and activities needed to complete business processes such as order fulfillment or billing.
Disadvantages of Outsourcing
Inflexibility, loss of control, reduced competitive advantage, lock-in system, unfulfilled goals, poor service, increased risk
Data dictionary
Information about the structure of the database, including a description of each data element
What is mandatory information?
Information that is mandatory by law.
D: Recruiting and hiring employees.
James Victor's Snickers Joke House hires illegal workers. Which of the core activities of the HR department should have identified and prevented this violation of law? A: Complying with laws and regulations. B: Training and development. C: Salaries and benefits. D: Recruiting and hiring employees.
D: Monitor more important risks using direct information and less important risks using indirect information
Jeffrey Smiggles of Rajon Rondo Sportswear has developed a software application that helps monitor key production risks at company factories. In order to reduce costs, his approach to monitoring risks is likely to be: A: Monitor all risks using indirect information. B: Monitor all risks using direct information. C: Monitor more important risks using indirect information and less important risks using direct information. D: Monitor more important risks using direct information and less important risks using indirect information
B: Sharing.
Layton Company has implemented an enterprise risk management system and has responded to a particular risk by purchasing insurance. Such a response is characterized by COSO's Enterprise Risk Management Framework as: A: Avoidance. B: Sharing. C: Acceptance. D: Reduction.
prevents employee collusion to commit fraud
Management can expect various benefits to follow from implementing a system of strong internal control. Which of the following benefits is least likely to occur? A. reduced cost of an external audit. B. prevents employee collusion to commit fraud. C. availability of reliable data for decision-making purposes. D. some assurance of compliance with the Foreign Corrupt Practices Act of 1977.
A: Technology can identify conditions and circumstances that indicate that controls have failed or risks are present.
Management of Johnson Company is considering implementing technology to improve the monitoring of internal control. Which of the following best describes how technology may be effective at improving internal control monitoring? A: Technology can identify conditions and circumstances that indicate that controls have failed or risks are present. B: Technology can ensure that items are processed accurately. C: Technology can provide information more quickly. D: Technology can control access to terminals and data.
D: Sharing.
Management of Warren Company has decided to respond to a particular risk by hedging the risk with futures contracts. This is an example of risk A: Avoidance. B: Acceptance. C: Reduction. D: Sharing.
C: Production
Mars Dreamy Clothing is a retailer with 15 locations. Which cycle is likely of least importance to Mars? A: Financing B: General ledger C: Production D: Revenue
Diagnostic control system
Measures, monitors, and compares actual company progress to budgets and performance goals
Balance-forward method
Method of maintaining accounts receivable in which customers typically pay according to the amount shown on a monthly statement, rather than individual invoices
data encryption
Methods used to maintain an audit trail in a computerized environment include all of the following EXCEPT A. transaction logs B. unique transaction identifiers C. data encryption D. log of automatic transactions
Forms of fraud
Misappropriation of Assets and Fraudulent Financial Reporting
Investment Fraud
Misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little or no risk (ponzi schemes and securities fraud)
A: Guide managers, users, and auditors to adopt best practices related to the management of information technology.
One important purpose of COBIT is to A: Guide managers, users, and auditors to adopt best practices related to the management of information technology. B: Identify specific control plans that should be implemented to reduce the occurrences of fraud. C: Specify the components of an information system that should be installed in an e-commerce environment. D: Suggest the type of information that should be made available for management decision making.
What do we mean by the "matching principle?"
One of the basic underlying guidelines in accounting. Directs a company to report an expense on its income statement in the same period as the related revenues.
Foreign Corrupt Practices Act (FCPA) (1977)
Passed to prevent companies from bribing foreign officials to obtain business
Preventive Internal Controls
Passive techniques designed to reduce the frequency of occurrence of undesirable events.
C: Data-driven DSSs.
Peetie's Pet Care has a system that examines large data sets to determine patterns in clients' use of its facilities. This is most likely an example of: A: Operational systems. B: Management information systems (MISs). C: Data-driven DSSs. D: Model-driven DSS.
Preventive Controls
People: creation of a "security-aware" culture; training. Processes: user access controls (authentication and authorization). IT solutions: anti-malware; network access controls (firewalls, intrusion prevention systems, etc.); device and software hardening (configuration controls); encryption. Physical security: access controls (locks, guards, etc.). Change controls and change management
Master File
Permanent records, updated by transactions from the transaction file
Ciphertext
Plaintext that was transformed into unreadable gibberish using encryption
Control Activities
Policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out
4. Describe the process for determining if the new AIS meets post-implementation objectives.
Postimplementation Review - Review made after a new system has been operating for a brief period to ensure that the new system is meeting its planned objectives, identify the adequacy of system standards, and review system controls. Postimplementation Review Report - A report that analyzes a newly delivered system to determine if the system achieved its intended purpose and was completed within budget. Table of Contents I. Executive Summary of Postimplementation Review II. Overview of Development Project III. Evaluation of the Development A. Degree to Which System Objectives Were Met B. Analysis of Actual Vs. Expected Costs and Benefits C. User Reactions and Satisfaction IV. Evaluation of Project Development Team V. Recommendations A. Recommendations for Improving the New System B. Recommendations for Improving the System Development Process VI. Summary
Understandable information
Presented in a useful and intelligible format.
Conditions of Fraud
Pressures, Opportunities and Rationalisation
1. Explain how a well-designed AIS can help identify business problems and potential resolutions.
Prototyping - Advantages: a. Better definition of user needs b. Higher user involvement and satisfaction c. Fewer errors d. More opportunity for changes e. Less costly Disadvantages: f. Significant user time g. Less efficient use of system resources h. Inadequate testing and documentation i. Negative behavioral reactions j. Never-ending development
Penetration Test
Provides a more rigorous way to test the effectiveness of an organization's information security. It is an authorized attempt to break into the organization's information system.
Financial statements and internal controls.
Public company external audit firms must audit their clients': A: Financial statements. B: Internal controls. C: Financial statements and internal controls. D: Neither financial statements nor internal controls.
Turnaround Document
Records of company data sent to an external party and then returned to the system as input (sales orders, purchase orders, employee time cards)
What are retained earnings?
Refer to the percentage of net earnings not paid out as dividends, but retained by the company to be reinvested in its core business, or to pay debt.
A: Purchase orders.
Reggie is the purchasing agent for a wholesale paint store (Ye Ol' Paint Pots). Reggie's cousin, Earl-the-Earl, owns a small paint store. Reggie arranged for paint to be delivered to Earl-the-Earl's stores from paint manufacturers, thereby allowing Earl-the-Earl to get the paint at a wholesale (cheaper) price, which violates a policy of the Ye Ol' Paint Pots. Reggie was most likely able to violate this policy because of a failure in Ye Ol' Paint Pots' controls related to: A: Purchase orders. B: Cash disbursements. C: Bills of lading. D: Inventory control.
Characteristics of useful information
Relevant, reliable, complete, timely, verifiable, and accessible
What are the major transaction cycles?
Revenue Cycle, Expenditure Cycle, Production or Conversion Cycle, Human Resources/Payroll Cycle, Financing Cycle
C: Make changes to both the live and archive copies of programs.
Roberta is a programmer who writes applications for Parsnips Health Care. She also has access to the file library. This is a concern because she may: A: Grant system access inappropriately to others. B: Make changes in applications. C: Make changes to both the live and archive copies of programs. D: Fail to follow system change protocols.
Validity Check
Routines in a data entry program that test the input for correct and reasonable conditions, such as account numbers falling within a range, numeric data being all digits, dates having a valid month, day and year, etc. Example: When you enter your Social Security Number, the input test ensures that you have entered 9 digits.
to ensure that all data input is validated
Run-to-run control totals can be used for all of the following except a. to ensure that all data input is validated b. to ensure that only transactions of a similar type are being processed c. to ensure the records are in sequence and are not missing d. to ensure that no transaction is omitted
Information Rights Management (IRM)
Software that offers the capability not only to limit access to specific files or documents, but also to specify the actions (read, copy, print, download, etc) that individuals who are granted access to that resource can perform. Some IRM software even has the capability to limit access privileges to a specific period of time and to remotely erase protected files
Reports
System output, organized in a meaningful fashion, that is used by employees to control operational activities, by managers to make decisions and design strategies, and by investors and creditors to understand a company's business activities.
Boundary system
System that helps employees act ethically by setting boundaries on employee behavior
The Management Information System
System that processes nonfinancial transactions not normally processed by traditional accounting information systems.
Systems Development Lifecycle
Systems analysis, conceptual design, physical design, implementation and conversion, operations and maintenance
True or False - Documentation methods such as DFDs, BPDs, and flowcharts save both time & money, adding value to an organization
TRUE
true or false - resistance is often a reaction to the methods of instituting change rather than to change itself
TRUE
Cloud Computing
Takes advantage of the high bandwidth of the modern global telecommunication network to enable employees to use a browser to remotely access software (software as a service), data storage devices (storage as a service), hardware (infrastructure as a service), and entire application environments (platform as a service). This arrangement is referred to as a "private", "public", or "hybrid" cloud depending upon whether the remotely accessed resources are entirely owned by the organization, a third party, or a mix of the two.
What are substantive tests?
Tests that determine whether database contents fairly reflect the organization's transactions.
What are tests of controls?
Tests that establish whether internal controls are functioning properly.
MOD 14- Which of the following is true about the black box approach to auditing computer applications?
"The application does not need to be removed from service and tested directly." The black box approach (also called auditing around the computer) does not require the application to be removed from service and tested directly.
Cost-effective Controls
The benefits of an internal control procedure must exceed its costs. Cost-effective controls should be implemented to reduce risk. Risk can be accepted if it is within the company's risk tolerance range.
C: A purchase requisition.
The best control to avoid ordering unneeded goods is A: A receiving report. B: A vendor invoice. C: A purchase requisition. D: Automated payment.
Source Data Automation
The collection of transaction data in machine readable form at the time and place of origin
Source Data Automation
The collection of transaction data in machine-readable form at the time and place of origin. Examples are point-of-sale terminals and ATMs.
Internal Environment
The company culture that is the foundation for all other ERM components as it influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk
Database System
The data-base, the DBMS, and the application programs that access the database through the DBMS.
A: CustomerNumber is an example of a field.
The following customer data is stored in the sales processing system of a regional produce distributor: CustomerNumber, CustomerName, CustomerPhone, CustomerContact, CustomerCreditLimit. Which of the following is true? A: CustomerNumber is an example of a field. B: CustomerNumber is an example of a data value. C: CustomerNumber is an example of a record. D: All of the above are true.
Control Account
The general ledger account corresponding to a subsidiary ledger
A: Transactions, reports
The general ledger cycle receives _____________ and generates ________________. A: Transactions, reports B: Reports, transactions C: Reports, funds D: Controls, funds
independent verification
The office manager forgot to record in the accounting records the daily bank deposit. Which control procedure would most likely prevent or detect this error? A. segregation of duties B. independent verification C. accounting records D. supervision
Database administrator
The person responsible for coordinating, controlling, and managing the database
Key Escrow
The process of storing a copy of an encryption key in a secure location
Internal Controls
The processes and procedures implemented to provide reasonable assurance that control objectives are met
Which trait is associated with an antiviral program?
"The program is a safeguard for mainframes, networks, and personal computers." Antiviral programs are used to safeguard mainframes, networks, and personal computers.
Database management system (DBMS)
The program that manages and controls the data and the interfaces between the data and the application programs that use the data stored in the database
Attributes
The properties, identifying numbers, and characteristics of interest of an entity that are stored in a database (employee number, pay rate, name and address)
HRM/Payroll Cycle
The recurring set of business activities and data processing operations associated with effectively managing the employee workforce.
Revenue Cycle
The recurring set of business activities and data processing operations associated with providing goods and services to customers and collecting cash in payment for those sales. *Primary objective is to provide the right product in the right place at the right time for the right price*
Implementation of the control procedure should not have a significant adverse effect on efficiency or profitability
The underlying assumption of reasonable assurance regarding implementation of internal control means that A. auditors are reasonably assured that fraud has not occurred in the period B. auditors are reasonably assured that employee carelessness can weaken an internal control structure C. Implementation of the control procedure should not have a significant adverse effect on efficiency or profitability D. management assertions about control effectiveness should provide auditors with reasonable assurance E. a control applies reasonably well to all forms of computer technology
Controls for Processing Integrity - Processing
Threats/Risks: errors in output and stored data. Controls: data matching, file labels, batch totals, cross-footing and zero-balance tests, write-protection mechanisms, database processing integrity controls
Functions of Control
Three functions of internal controls are: preventive, detective, and corrective controls.
C: A higher return.
To be willing to accept higher risk, an organization should expect _________ A: A higher strategy. B: Vision questing. C: A higher return. D: A lower performance severity.
D: The planning and logistics team, which is responsible for opening new offices, is operating below capacity.
Umbrella Corporation sells office and factory equipment. Company management is concerned that the company has not assumed sufficient risks in opening new offices. Which of the following results would best indicate that the company has not assumed sufficient risk? A: The company opened more new offices than expected. B: A 4% decrease in calls to the whistleblower hotline. C: Firing the CRO. D: The planning and logistics team, which is responsible for opening new offices, is operating below capacity.
Understand the proper accounting for unearned revenue.
Unearned revenue should not be included as income yet; rather, it is recorded as a liability.
Spam
Unsolicited e-mail that contains either advertising or offensive content.
Internal control flowchart
Used to describe, analyze, and evaluate internal controls, including identifying system strengths, weaknesses, and inefficiencies
C: Character, field, record, file.
What is the correct ascending hierarchy of data in a system? A: Character, record, file, field. B: Field, character, file, record. C: Character, field, record, file. D: Field, record, file, character.
Goal conflict
When a subsystem's goals are inconsistent with the goals of another subsystem or the system as a whole
Describe the Financing Cycle.
Where companies sell shares in the company to investors and borrow money, and where investors are paid dividends and interest is paid on loans. Actions include: ~ Forecast cash needs ~ Sell stock/securities to investors ~ Borrow money from lenders ~ Pay dividends to investors and interest to lenders ~ Retire debt ~ Prepare management reports ~ Send appropriate information to the other cycles
D: Ledgers, journals, invoices
_____, ______, and ______ are all elements of a manual accounting system. A: Journals; ledgers; e-vouchers B: Ledgers, automated transactions, assets C: Journals, receivables ledgers, concentration of information D: Ledgers, journals, invoices
General Journal
a journal used to record infrequent or nonroutine transactions, such as loan payments and end-of-period adjusting and closing entries.
What is data encryption?
a method of scrambling a readable message/document into an unreadable message/document
What is a workstation?
a node operated by end users
10-9. if a manager wanted to sort out any differences between quantities or amounts on the purchase order, the receiving report, and the purchase invoice, which of the following AIS reports would be most useful?
a. a purchase analysis report b. an inventory control report c. a check register report d. a discrepancy report *
4-1. all of the following are reasons why IT is important to accountants except:
a. accountants often help clients make IT decisions b. auditors must evaluate computerized systems c. IT questions often appear on professional certification exams *d. the costs of IT are skyrocketing
6-5. In selecting a new AIS, the steering committee should consider:
a. all expected costs and benefits of the new systems, including maintenance and operating costs b. support that a vendor can provide, including training, maintenance, and backup *c. compatibility of new system with existing systems d. all of the above are considerations in selecting a new system e. only a & b are important considerations in selecting the new systems
15-3. auditing around the computer:
a. is the approach to auditing that is recommended in most cases to reduce IT audit costs b. focuses on computerized control procedures c. assumes that accurate output is sufficient evidence that processing operations are appropriate * d. follows the audit trail through internal computer operations
15-7. in auditing program change control, the IT auditor will:
a. make sure that only computer programmers have tested the changes they made to programs b. ensure an organization is following the process described in their documentation for program change control * c. not need to inspect program authorization forms for signatures d. make sure that only computer programmers move their own changes into a production environment
8-2. the difference between (1) a database management system (DBMS) and (2) a database is:
a. nothing - these terms are synonyms b. the first is hardware, the second is software c. the first is program software, the second is proprietary data and related files* d. the first refers to a complete accounting system, the second refers to a subset of that
15-6. which of the following is NOT an audit technique for auditing computerized AIS?
a. parallel simulation b. use of specialized control software c. continuous auditing d. all of the above are techniques used to audit computerized AIS *
Tracing is a technique that a. performs an electronic walk through of computed logic b. allows test data to be merged with production data and traces the effects in the database c. reviews interest calculations to identify a salami fraud d. none of these
a. performs an electronic walk through of computed logic
14-3. fault-tolerant systems are designed to tolerate computer errors and are built on the concept of ________
a. redundancy * b. COBIT c. COSO d. integrated security
Firm Infrastructure
accounting, finance, legal, and general administrative activities that allow an organization to function
Technology
activities improve a product or service
Human Resources
activities include recruiting, hiring, training, and compensating employees
Purchasing
activities procure raw materials, supplies, machinery, and the buildings used to carry out the primary activities
Service
activities provide post-sale support to customers
outbound logistics
activities that warehouse and distribute the finished goods to the customers
Operations
activities transform inputs into final products or services
which two activities occur during the A/R file updating process?
adding a transaction amount to a customer's account balance; comparing the customer's new balance to the customer's credit limit
Billing Schemes
also known as vendor fraud, and are perpetrated by employees who cause their employer to issue a payment to a false supplier (vendor) by submitting invoices for fictitious goods or services, inflated invoices, or invoices for personal purchases.
risk appetite
amount of risk a company is willing to accept in order to achieve its goals and objectives
improving products or services through information that increases quality and reduces costs, providing timely and reliable information to decision makers
an AIS provides value by:
fraud
any and all means a person uses to gain an unfair advantage over another person. Elements: a false statement, representation, or disclosure; a material fact; intent to deceive; justifiable reliance; injury or loss
What is a NODE?
any device connected to a network
"audit trail"
audit trail - A path that allows a transaction to be traced through a data processing system from point of origin to output or backwards from output to point of origin. It is used to check the accuracy and validity of ledger postings and to trace changes in general ledger accounts from their beginning balance to their ending balance.
accessible
available to users when they need it and in a format they can use
risk response
avoid, reduce, share, accept
Which transaction cycle includes interactions between an organization and its suppliers? a. Revenue cycle b. Expenditure cycle c. HR/payroll cycle d. GL and reporting system
b) Expenditure cycle
Which would contain the total value of all inventory owned by an organization? a. Source document b. General ledger c. Cash budget
b) General ledger
which is the planning technique that identifies implementation activities & their relationships, constructs a network of arrows & nodes, and then determines the critical path thru the network? a) Gantt chart b) PERT diagram c) physical model d) data flow diagram
b) PERT diagram
all are recommended guidelines for making flowcharts more readable, clear, concise, consistent, and understandable EXCEPT: a) divide a document flowchart into columns w/labels b) flowchart all data flows, especially exception procedures & error routines c) design flowchart so that flow proceeds from top to bottom and from left to right d) show the final disposition of all documents to prevent loose ends that leave the reader dangling
b) flowchart all data flows, especially exception procedures & error routines
which type of fraud is associated w/50% of all auditor lawsuits? a) kiting b) fraudulent financial reporting c) Ponzi schemes d) lapping
b) fraudulent financial reporting
how a user conceptually organizes & understands data is referred to as the a) physical view b) logical view c) data model view d) data organization view
b) logical view
the relational data model portrays data as being stored in a) hierarchies b) tables c) objects d) files
b) tables
how can an AIS for the value chain activity of operations?
by transforming inputs into final products or services
update anomaly
changing the customer data would require reviewing the entire table and selecting each occurrence for that one change
relevant, reliable, complete, timely, understandable, verifiable, accessible
characteristics of useful information
which control is applied to the payroll preparation step of the payroll cycle?
comparing hash totals of employee numbers
When an employee attempts to access a particular information systems resource, the system performs a ....
compatibility test
What is decentralized processing?
computer applications and processing are distributed over many locations
Carter's Taxonomy - incidental
computer is not required for the crime but is related to the criminal act
What are routing devices?
computers used for directing traffic on a network (i.e., bridges, routers, and gateways)
lapping
concealing theft of cash by means of a series of delays in posting collections to A/R: the perpetrator pockets a customer's payment until the posting date, then covers it with the next customer's payment (Ponzi scheme)
opportunity
condition/situation that allows a person/org to commit/conceal a dishonest act and convert it to personal gain. Three components: commit, conceal, convert
inbound logistics
consists of receiving, storing, and distributing the materials an organization uses to create the services and products it sells
What is C2C?
consumers sell to each other (i.e., Facebook Marketplace)
fields
contain data about one customer e.g. name, address
Instance Document
contain the actual dollar amounts or the details of each of the elements within the firm's XBRL database
data dictionary
contains information about the structure of the database; serves as a repository of facts about elements employed in applications
detective controls
controls designated to discover control problems that were not prevented
application controls
controls that prevent, detect, correct transaction errors and fraud in application programs -accuracy -completeness -validity -authorization
how can information sharing between customers and suppliers contribute to information system failures?
customers and suppliers having access to each other's systems and data can lead to breaches in confidentiality
which would managers most likely use to retrieve info about sales during the month of October? a) DML b) DSL c) DDL d) DQL
d) DQL
broad types of big data
descriptive, predictive, prescriptive
which is NOT a reason why companies make changes to their AIS? a) gain a competitive advantage b) increase productivity c) keep up w/business growth d) downsize company ops e) all of the above
e) all of the above
Which of the following is NOT a control concern in a distributed data processing environment? a. Redundancy b. Hiring qualified professionals c. Incompatibility d. Lack of standards e. All of the above are control concerns
e. All of the above are control concerns
Which of the following is not an operating system objective? a. The operating system must protect itself from users b. The operating system must protect users from themselves c. The operating system must be protected from its environment d. The operating system must protect users from each other e. All of the above are operating system objectives
e. All of the above are operating system objectives
When someone disguises the source of Internet messages to make appear that it is coming from a different source, this is called: a. Deep packet inspection b. Message packet switching c. Dual-homed signaling d. IP screening e. None of the above
e. None of the above
entity, file, record, field
entity - the item about which information is stored in a record. Examples include an employee, an inventory item, and a customer. file - A set of logically related records, such as the payroll records of all employees. record - A set of fields whose data values describe specific attributes of an entity, such as all payroll data relating to a single employee. An example is a row in a spreadsheet. field - the portion of a data record where the data value for a particular attribute is stored. For example, in a spreadsheet each row might represent a customer and each column is an attribute of the customer. Each cell in a spreadsheet is a field.
rationalization
excuse fraud perpetrators use to justify their illegal behavior. Forms: attitude, justification, lack of personal integrity
revenue cycle, expenditure cycle, production or conversion cycle, human resources/payroll cycle, financing cycle
five major business process or transaction cycles:
give 5 common activities of the human resource/ payroll cycle
give cash—get labor. Human Resources/Payroll: recruit, hire, and train new employees; evaluate employee performance and promote employees; discharge employees; update payroll records; collect and validate time, attendance, and commission data; prepare and disburse payroll; calculate and disburse taxes and benefit payments; prepare employee and management reports; send appropriate information to the other cycles
reliable information
information that is accurate, unbiased, and verifiable
Auditing
objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria
linking table
junction table: associates the primary keys of two or more tables to implement a many-to-many relationship
internal-level schema
low-level view of the database describing how the data is stored and accessed: record layouts, definitions, addresses, indexes
why is data in an internet-based system sometimes not protected as well as data in a centralized computer system?
many companies fail to completely understand the control implications of moving to an internet-based system.
takes time to create/maintain, missing some clarifications
negatives of flow charts
may not see separation of duties, documents are harder to trace
negatives of narratives:
nonkey attribute
neither PK or FK; describe a characteristic about the object identified by the primary key
Carter's Taxonomy - associated
new versions of traditional crime
1NF
no repeating columns; not storing two pieces of information in one field
Plaintext
normal text that has not been encrypted
Security Controls that Correct Intrusions
o Computer incident response teams (CIRT) o Chief information security officer (CISO) o Patch management
pressure
person's incentive/motivation for committing the crime. Employee pressures: financial, lifestyle, emotional. Financial statement pressures: financial, industry conditions, management characteristics
understandable
presented in a useful and intelligible format
fraud triangle
pressure, opportunity, rationalization
data mining
process of analyzing data repositories for new knowledge about company data and business processes
Authentication
process that establishes the origin of information or determines the identity of a user, process, or device
Backbone systems
"Provide a basic system structure on which to build." Backbone systems provide a basic system structure on which to build. Backbone systems come with all the primary processing modules programmed. The vendor designs and programs the user interface to suit the client's needs. Some systems such as enterprise resource planning (ERP) offer a vast array of modules for dealing with almost every conceivable business process, and all are interfaced seamlessly into a single system.
What is a cash receipts journal?
records of transactions in which cash is received
What is a payroll journal?
records payments to employees
What is a General Journal?
records transactions that are not recorded in other journals
benefits of information
reduced uncertainty, improved decisions, and improved ability to plan and schedule activities
relevant information
reduces uncertainty, improves decision making, or confirms or corrects prior expectations
Data loss prevention (DLP)
software which works like antivirus programs in reverse, blocking outgoing messages (e-mail, instant messages, etc.) that contain key words or phrases associated with intellectual property or other sensitive data the organization wants to protect.
What is a worm?
special virus that can run independently and copies itself over a network (not attaching to other programs)
Data Value
the actual value stored in a field. It describes a particular attribute of an entity. Ex: the customer field name would contain "ZYX company" if that was a customer.
value of information
the benefit provided by information less the cost of producing it
"value of information"
the benefit provided by information less the cost of producing it. The benefits include reduced uncertainty, improved decisions, and improved ability to plan and schedule activities. The costs include the time and resources spent to produce and distribute the information. Information costs and benefits can be difficult to quantify.
data mining
the use of statistical and other advanced software to discover non obvious patterns hidden in a database
primary and support
the value chain concept is composed of the following two types of activities:
physical view
the way data are physically arranged and stored in the computer system is:
misappropriation of assets
theft of company assets by an employee. Typical pattern: gains trust; uses trickery; conceals the fraud; has easy access to money; spends the gains; gets greedy/needy; grows careless
Primary activities of the value chain? (5)
to provide value to their customers: 1. inbound logistics - receive, store, distribute 2. operations - manufacturing, repackaging 3. outbound logistics - distribute, shipping 4. marketing and sales - advertising, sales 5. service - repair/maintenance
internal environment
tone or culture of a company and helps determine how risk conscious employees are
which activity is part of the Human resource Management (HRM)/Payroll cycle?
tracking the job assignments of each employee at a company
Social Engineering
using deception to obtain unauthorized access to information resources
Data mining
using sophisticated statistical analysis to "discover" un-hypothesized relationships in the data
Objectives of Internal Controls
● Safeguard assets—prevent or detect their unauthorized acquisition, use, or disposition. ● Maintain records in sufficient detail to report company assets accurately and fairly. ● Provide accurate and reliable information. ● Prepare financial reports in accordance with established criteria. ● Promote and improve operational efficiency. ● Encourage adherence to prescribed managerial policies. ● Comply with applicable laws and regulations.
when we are going to give something as a product or service
when do you receive a purchase order?
Revenue Cycle
where goods and services are sold for cash or a future promise to receive cash
Production/Conversion Cycle
where raw materials are transformed into finished goods
data privacy
which of the following is not an advantage of database systems: data sharing, data independence, data privacy, data integration
System Flowchart
which shows the relationship among the input, processing, and output in an information system
Program Flowchart
which shows the sequence of logical operations a computer performs as it executes a program.
Overall Security: Audit procedures - Test of Controls
~ Observe and test computer-site access procedures ~ Observe the preparation of and off-site storage of backup files ~ Test assignment and modification procedures for user IDs and passwords ~ Investigate how unauthorized access attempts are dealt with ~ Verify the extent and effectiveness of data encryption ~ Verify the effective use of data transmission controls ~ Verify the effective use of firewalls and virus protection procedures ~ Verify the use of preventive maintenance and an uninterruptible power supply ~ Verify amounts and limitations on insurance coverage ~ Examine the results of disaster recovery plan test simulations
Reasons why data isn't protected wisely
● Some companies view the loss of crucial information as a distant, unlikely threat. ● The control implications of moving from centralized computer systems to Internet-based systems are not fully understood. ● Many companies do not realize that information is a strategic resource and that protecting it must be a strategic requirement. For example, one company lost millions of dollars because it did not protect data transmissions. A competitor tapped into its phone lines and obtained faxes of new product designs. ● Productivity and cost pressures motivate management to forgo time-consuming control measures.
1.3) Compare the strengths and limitations of OUTSOURCING an AIS.
*Strengths* ▪ A business solution ▪ Asset utilization ▪ Access to greater expertise and better technology ▪ Lower costs ▪ Less development time ▪ Elimination of peaks-and-valleys usage ▪ Facilitation of downsizing *Limitations* ▪ Inflexibility ▪ Loss of control ▪ Reduced competitive advantage ▪ Locked-in system ▪ Unfulfilled goals ▪ Poor service ▪ Increased risk
2-6. which of the following is true?
*a. XBRL is a subset of XML b. XML is a subset of TCP c. PBX is a subset of HTML d. none of these is true
Source Documents
Documents used to capture transaction data at its source - when the transaction takes place
Objectives of AIS
Information security, program development and acquisition, program modification, computer processing, source files, data files
B: Zero out the revenue and expense accounts.
One purpose of closing entries is to A: Record accruals and deferrals. B: Zero out the revenue and expense accounts. C: Estimate unrecorded liabilities. D: Comply with laws and regulations.
Transaction processing
Process of capturing transaction data, processing it, storing it for later use, and producing information output, such as a managerial report or a financial statement
Production/Manufacturing
Process raw material into finished product, update inventory for raw material, create standard costs using production recipe and overhead allocation.
2-a. Define spoofing
Pretending to be someone else in order to gain unauthorized access
4 Basic Revenue Cycle Activities
Sales order entry, shipping, billing, cash collections
Online Real-Time Processing
The computer system processes data immediately after capture and provides updated information to users on a timely basis
Information technology
The computers and other electronic devices used to store, retrieve, transmit, and manipulate data
Opportunity
The condition or situation that allows a person or organization to commit and conceal a dishonest act and convert it to personal gain (three C's: commit, conceal, convert)
Which information from timecards provides an audit trail to support financial reporting?
The correct answer is "Hours worked." Payroll expenses should be supported with hours worked by employees on a specified date.
124356
The correct purchase order number, 123456, was incorrectly recorded as shown in the solutions. All of the following are transcription errors EXCEPT A. 1234567 B. 12345 C. 124356 D. 123457
D: Optical disc recorder.
Which of the following devices "burns" data onto a surface? A: Magnetic tape reader. B: Supercomputer. C: ROM. D: Optical disc recorder.
In the value chain concept, upgrading IT is considered what kind of activity? a. Primary activity b. Support activity c. Service activity d. Structured activity
b) Support activity
Which IS a function of AIS? a. Reducing the need to identify a strategy & strategic position b. Transforming data into useful information c. Allocating organizational resources d. Automating all decision making
b) Transforming data into useful info
A report telling how well all approved vendors have performed in the past 12 months is info that is MOST needed in which business process? a. Paying vendors b. Acquiring inventory c. Selling merchandise d. Paying employees
b) acquiring inventory
the constraint that all primary keys must have non-null data values is referred to as... ? a) referential integrity rule b) entity integrity rule c) normalization rule d) relational data model rule
b) entity integrity rule
A DFD is a representation of which of the following? a) the logical ops performed by a computer program b) flow of data in an organization c) decision rules in a computer program d) computer hardware configuration
b) flow of data in an organization
a database contains data that can be used by many authorized users. which benefit of a database does this example describe?
data sharing
which step in the data processing cycle relies on coding techniques, such as sequence codes and block codes, to organize data in ledgers?
data storage
Symmetric Encryption Systems
Encryption systems that use the same key both to encrypt and to decrypt
Database system
The database, the DBMS, and the application programs that access the database through DBMS
Which efficiencies do real-time general ledger/financial reporting systems have on an organization's ability to produce financial statements?
"A real-time general ledger/financial reporting system uses integrated transaction processing for concurrent posting in the system." An efficiency of a real-time general ledger/financial reporting system is integrated transaction processing, which allows concurrent posting in the system.
Which attributes are used to describe data that are reliable for use according to the Safe Harbor Agreement?
"Accurate, complete, and current." Organizations need to ensure that the data they maintain are accurate, complete, and current, and thus reliable for use.
An organization could have more than one system in place; there could be an in-house system along with a newer commercial system. How is the communication among many different systems made possible?
"By applying special software patches where needed." Special software patches need to be applied.
What is the main difference between centralized data processing (CDP) and distributed data processing (DDP)?
"CDP uses a common data center for all the processing needs of the organization; in DDP, every department has its own processing capabilities." The CDP uses common processing capabilities for the whole organization, while the DDP encourages localized processing.
UNIT 2 FORM B- What does efficiency mean in the data collection process?
"Collecting data only once." Efficiency in data collection means that data is collected only once.
An organization uses a flat-file data management system. The shipping department receives notice that shipping costs are increasing by 10% effective immediately. Customers placing new orders are still billed with the old shipping costs. Which problem is exemplified in this scenario?
"Currency of information." The shipping department must inform the billing department of any changes in shipping costs, or the bills will be issued based on outdated information.
A vendor-supported system provides the development and maintenance of database tables for an application. What is being provided when a vendor does this?
"Database support." Database support involves developing and maintaining database tables for an application.
What is a potential result of redundant tasks in a closed database environment?
"Delays in orders." Delays could be caused by redundant data entry.
How does implementation affect the success of a system?
"Improper implementation leads to system failure." Most system failures are due to poor designs and improper implementation.
What does the letter C in an inverted triangle mean in a system flowchart?
"It is a temporary file using a chronological filing system." The inverted triangle means that it is a temporary file and the C means that it uses a chronological filing system.
What describes an efficient information system?
"Makes data available for multiple requests." An efficient system makes the same data available for requests from different users.
UNIT 4 FORM B- What is the role of a database management system (DBMS)?
"Provides controlled access to a database." The DBMS provides controlled access to the database. It is programmed to know which data elements each user is authorized to access.
An enterprise resource planning (ERP) system is more than simply an elaborate transaction processing system. What else does an ERP system provide?
"Real-time decision-making information." It is a decision support tool that supplies management with real-time information and permits timely decisions that are needed to improve performance and achieve competitive advantage.
Which statement describes the condition of onward transfer?
"Sharing information with organizations that belong to or follow the Safe Harbor Agreement principles unless instructed otherwise." Unless they have the individual's permission to do otherwise, organizations may share information only with those third parties that belong to the Safe Harbor Agreement or that follow its principles.
Useful information has the following characteristics: relevance, timeliness, accuracy, completeness, and summarization. What happens if the information lacks summarization?
"The decision maker is overwhelmed by the amount of detail in the information." As information flows upward through an organization, decision makers need more summarized data.
Why are accountants involved in the information system development team?
"They are the domain experts, determining the nature of the information required, its source, its destination, and the rules that need to be applied." The accountants have a very specialized role due to understanding what data are needed, where data can be found within the system, and what rules need to be applied.
Which comparison serves as a tool for managers by using data from the budget master file and from the responsibility center file?
"A comparison of budgets to actual amounts and review of the variance." A comparison of budgeted amounts in accounts to actual revenue and expense amounts by responsibility center in accounts can signal accounts that require further inquiry.
Which department is responsible for receiving the supplier's invoice, the purchase order, and the receiving report in order to post the acquisition of fixed assets?
"Accounts Payable." Accounts Payable receives the supplier's invoice, purchase order, and receiving report to post the acquisition of fixed assets in the accounts payable subledger.
According to the Public Company Accounting Oversight Board (PCAOB) Standard No. 5, auditors need to understand transaction flows, including the controls pertaining to how transactions are initiated, authorized, recorded, and reported. Which accounts are affected by this requirement?
"All financial accounts with material implications for financial reporting." The auditors are interested in the financial accounts that can materially affect the accuracy of the financial statements.
What is the role of management regarding the effectiveness of internal controls over financial reporting, according to the Sarbanes-Oxley Act (SOX)?
"Assess their effectiveness." SOX mandates that management must assess the effectiveness of the organization's internal controls over financial reporting.
Who reconciles simulation output with production data?
"Auditor." The auditor reconciles simulation output with production data.
Which systems come with all primary processing modules programmed and are basic system structures on which to build?
"Backbone systems." Backbone systems provide a basic system structure on which to build, and they come with all the primary processing modules programmed.
What might a vendor-supported system offer?
"Backup and recovery of programs and data as part of an organization's disaster recovery plan." This is one of the available options for organizations purchasing vendor-supported systems.
What is a characteristic incorporated into a disaster recovery plan of a vendor-supported system?
"Backup of programs." Storing and retrieving data is part of an organization's disaster recovery plan.
flowchart
"Big picture" of what is happening using columns to designate segregation of duties and various symbols to depict inputs, processes, outputs, and storage
How do accountants provide technical support during the systems development phase?
"By choosing the correct depreciation method." The accountant must provide expertise to the systems design process.
Which control framework does the general ledger/financial reporting system (GL/FRS) follow?
"Committee of Sponsoring Organizations of the Treadway Commission (COSO)." The discussion of GL/FRS control activities follows the COSO framework.
An office manager receives the following marketing fax from a current supplier: "Our company is having a promotion this month for all our main products. Please call for more information." Which characteristic of useful information is missing from this scenario?
"Complete." The fax does not include all the information necessary to take appropriate action: phone number, products that fall under the promotion, promotion terms, etc.
Which of the following statements about continuous auditing is true?
"Continuous auditing enables the auditor to review transactions at frequent intervals or as they occur." Continuous auditing enables the auditor to review transactions at frequent intervals or as they occur. The growth of electronic commerce requires the auditors to rethink their traditional practices. Using intelligent electronic agents, transactions can be continuously monitored, and alarms can sound when an anomaly occurs.
What describes encryption?
"Conversion of data into a secret code." Encryption is the conversion of data into a secret code for storage in databases and transmission over networks.
Which operation represents the steps for the encryption of data?
"Convert cleartext message, encrypt into ciphertext, decode back to cleartext message." The sender uses an encryption algorithm to convert the original message (called cleartext) into a coded equivalent (called ciphertext). At the receiving end, the ciphertext is decoded (decrypted) back into cleartext.
All business processes are examined to identify waste and non-value-added activities and to take steps to eliminate them. Which non-value-added activity can a responsive, user-oriented information system eliminate?
"Counting inventory." The responsive, user-oriented information system can eliminate counting of items and inventory. Counting does not add value.
Which systems often have long development timelines for firms?
"Custom in-house systems." Months or even years of development may pass before a custom system can be fully implemented.
Which entry is made to record wages payable?
"Debit work-in-process; credit wages payable." To record wages payable, the general ledger accountant will debit work-in-process and credit wages payable.
Why is there a high degree of data redundancy in a closed database environment?
"Distinct, separate, and independent databases exist because the data remain in the application." Each department and functional area has its own database.
MOD 8 - Which of the following is one of the core ERP applications?
"Distribution." The core ERP applications are sales, distribution, business planning, shop floor control and logistics. Core applications are those applications that operationally support the day-to-day activities of the business. If these applications fail, so does the business. Typical core applications include, but are not limited to, sales and distribution, business planning, production planning, shop floor control, and logistics. Core applications are also called online transaction processing (OLTP) applications.
Which system represents multiple module software packages that evolved primarily from traditional manufacturing resource planning (MRP II) systems?
"Enterprise resource planning (ERP) system." ERPs evolved from in-house systems that were not able to successfully integrate with systems outside the organization.
Why does a simulated application reprocess transactions that a production application previously processed?
"For reconciliation purposes." The results obtained from the simulation are reconciled with the results of the original production run to determine if application processes and controls are functioning correctly.
Which of the following is NOT a reasonable control for fixed assets?
"Fully depreciated assets are disposed of immediately." Requiring that fully depreciated assets be disposed of immediately is not a reasonable control for fixed assets. Fully depreciated assets may have years of useful life remaining. For example, manufacturing machinery may be depreciated over three years but many factories use machines that are 10, 15, or 20 years old if they are well maintained.
Accountants will provide technical expertise in
"GAAP, GAAS, SEC requirements and IRS codes." Accountants will provide technical expertise in GAAP, GAAS, SEC Requirements and IRS Codes. The implementation of a new accounting or financial information system will need to be sure to include data and reporting that assists the accounting and finance departments in following GAAP, GAAS and meeting SEC and IRS requirements. Accountants are the experts. They guide the project team in meeting these needs.
What is one of the four areas that ethical issues in business can be divided into?
"Honesty." Ethical issues in business can be divided into the areas of equity, rights, honesty, and exercise of corporate power. These areas can be used to assess any ethical situation, whether it is a computer-based issue or not.
What contributes to the success of the electronic data interchange system?
"Implementation of agreements." Implementation of agreements contributes to the success by circumventing discrepancies.
An objective of internal control is to mitigate the risk from errors and fraud. What is the primary risk associated with revenue cycle transactions?
"Inaccurately recording sales and cash receipt transactions in journals and accounts." Recording sales and cash receipt transactions in journals and accounts must be accurate.
UNIT 6 FORM B- Which component of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework is being considered when an auditor is reviewing a walk-through and process narrative of an established process and decides to gain an understanding of the process by tracing a single transaction from the source documents through the accounting information system to the financial statements?
"Information and communication." By gaining an understanding of the process and following a transaction through the system, an auditor can assess how the system processes information (transaction processing) and communicates the results (reporting). Testing a single transaction would not qualify as testing of the control environment, ensuring monitoring, or showing how management assesses risk. It would help in gaining an understanding of what information is in the system and how it is reported.
Which of the following is true about commercial software?
"It can be installed faster than a custom system." Commercial software can be installed faster than a custom system. One of the major advantages of a commercial system, especially one chosen because of its ability to support the firm and meet the firm's requirements, is that it can be installed more quickly than a custom system. Programs have been written and tested. Modules have been documented. Controls to meet audit requirements are in place. In a custom development, all of these must be built from scratch.
Which characteristic applies to black box testing?
"It is used for inputs and outputs that are easily reconciled." Black box testing is feasible for applications that are relatively simple with inputs and outputs that are easily reconciled.
What function does prescriptive analytics serve?
"It tells the user what actions should be taken in response to specific questions." Prescriptive analytics tells the user what actions should be taken in response to specific questions. For example, some companies use predictive analytics to optimize trade promotions. Prescriptive analytics helps them determine which campaigns to run and for which products.
Why are journal vouchers reviewed and approved before entry into the general ledger (GL)?
"Journal vouchers are reviewed and approved as part of a system of internal control to ensure GL entries are authorized." Journal vouchers are entered into the GL and require a level of review and approval to ensure information is accurate, complete, authorized, and supported.
What is a limitation of the preventive-detective-corrective (PDC) control model?
"Lacks practical guidance." Conceptually, the PDC framework addresses all necessary areas regarding preventing, detecting, and correcting errors, but it fails to give specific examples of controls to implement.
What do stronger application controls translate into?
"Lower financial reporting risk." There is less room for risk.
According to the Sarbanes-Oxley Act (SOX), what is management's responsibility regarding controls designed to prevent and detect fraud that could lead to financial statements being materially misstated?
"Management is responsible for implementing controls." Management is responsible for implementing the controls designed to prevent and detect fraud that could lead to financial statements being materially misstated.
UNIT 2 FORM A - Li has implemented a new accounting information system (AIS) to help him manage his construction company. Li uses the information captured by the system to plan each project, forecasting the requirements for raw materials and the cash flow expected. Which AIS subsystem helps Li in planning?
"Management reporting system (MRS)." The MRS subsystem of the AIS provides management with special reports that aid in budgeting and forecasting.
It is a standard and a necessity to maintain the master file integrity of an organization so that if the current master files become corrupt, destroyed, or plagued with errors, the organization has a recourse. What should the organization have in place in case of such an event?
"Master file backup." IT professionals can retrieve the most current backed-up file from the archives and use it to reconstruct the current version of the master file.
Which digital computer file contains account data that are updated by transactions and includes the general ledger and subsidiary ledgers?
"Master file." The general ledger and subsidiary ledgers are examples of master files.
Which internal control is primarily supported by a manager's review of a checklist after a task has been completed?
"Measure compliance with an organization's prescribed policies and procedures." The primary purpose of reviewing a checklist after the fact would be to ensure that the proper procedures and policies had been followed. The review process itself may not be efficient, but the assumption is that making sure employees are following established policies and procedures should help with safeguarding assets, accuracy of information, and more efficient operations overall.
A system flowchart is a graphical representation of the physical relationships among key elements of a system. What do these elements include?
"Organizational departments." Organizational departments are included in system flowcharts.
How would shipping logs be depicted in a system flowchart?
"Parallelogram symbol." The parallelogram symbol is used to depict many types of hard-copy accounting records.
Which of the following situations represents an internal control weakness?
"Paychecks are distributed by the employees' immediate supervisor." The distribution of paychecks by the employees' immediate supervisor is an internal control weakness. Paychecks should go directly to employees either by mail or through direct deposit. Giving the responsibility for distribution to the supervisor creates the possibility of loss, theft, or withholding of pay from an employee that the supervisor simply does not like. An additional risk arises if the employee is absent on payday and the supervisor has no secure storage for the check until the employee is back.
What is a common form of contra-security behavior?
"Post-it syndrome." The post-it syndrome, in which passwords are written down and displayed for others to see, is a contra-security behavior.
What was designed to overcome a private key encryption security weakness?
"Public key." Public key encryption uses two different keys: one for encoding messages and the other for decoding. Receivers never need to share private keys with senders, which reduces the likelihood the keys will fall into the hands of an intruder.
What is a type of data source for the accounting information system (AIS)?
"Raw material is moved into work-in-process." Transferring raw material into work-in-process is an internal transaction that involves the movement of resources within the organization. This is a data source for the AIS.
Why is there no lag time with real-time systems?
"Real-time systems process transactions individually when the events occur." Because transactions happen at the same time, no time lags exist between occurrence and processing.
UNIT 6 FORM A- An organization's internal controls have been deemed effective by management and external audits for the last five years. A proposal is made to upgrade the enterprise resource planning (ERP) system at a significant cost. The proposal mentions slightly increased IT controls to better detect errors. Which modifying assumption would keep management from implementing the upgrade?
"Reasonable assurance." The reasonable assurance modifying assumption states that the four objectives of internal control are met in a cost-effective manner. The upgrade is expensive, and the benefits will be limited. Since the current system is effective, the management team may decide to reject the upgrade due to cost-effectiveness.
What is the purpose of the blind copy?
"Reconcile and verify contents." The blind copy is used to force the clerk to count contents to verify items match.
Which task is included when a supervisor reviews and approves employee time (timecards, time sheets, and job tickets)?
"Review and approval of the number of hours worked." Supervisors review and approve the number of hours worked to determine if information is accurate and complete.
Which component of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework is being considered when an auditor is comparing a company's organization chart to the prior year's chart to identify new personnel who are responsible for internal controls?
"Risk assessment." Risk assessment's purpose is to identify, analyze, and manage risks related to financial reporting. New personnel create risk because they may not fully understand or be aware of an organization's internal controls.
What is an advantage of sequential codes?
"Sequential coding supports the reconciliation of a batch of transactions at the end of processing." If the transaction processing system detects any gaps in the sequence of transaction numbers, it alerts management to the possibility of a missing or misplaced transaction.
What is used in a traditional system to provide proof that a transaction has occurred?
"Signed invoices." Physical documents, sales agreements, and signed invoices are used to provide proof that a transaction has occurred in traditional systems.
Which individuals have an interest in a system but are not formal end users?
"Stakeholders." Stakeholders are individuals who have an interest in a system but are not formal end users. These include the internal steering committee that oversees systems development, internal auditors including IT auditors, and external auditors acting as consultants or serving in the role of internal auditor.
Which systems development participants are outside consultants who work with a development team to ensure that the systems development process is properly implemented and controlled?
"Stakeholders." Stakeholders work with the development team to ensure that users' needs are met, that adequate internal controls are designed into the information systems under construction, and that the systems development process itself is properly implemented and controlled.
The applications that emerge from the systems development life cycle (SDLC) must possess controls that are in accordance with the provisions of which Statement on Auditing Standards?
"Statement on Auditing Standards No. 109." The applications that emerge from the SDLC must possess controls that are in accordance with the provisions of Statement on Auditing Standards No. 109.
What are two general forms of risk related to the technology of network communications?
"Subversive threats and equipment failures." The technology of network communications is subject to two general forms of risk: subversive threats and equipment failures.
What causes system failures?
"System design." A poorly designed system will fail.
What is the multistage process that guides an organization's management through the in-house development or purchase of information systems?
"Systems development life cycle (SDLC)." The systems development life cycle is the process of acquiring new information systems.
Which flat-file system problem is solved by using a database approach?
"Task-data independence." Task-data independence is a problem of flat files that a database approach can solve.
UNIT 3 FORM B- Which strategic agreement is made between buyer and seller for electronic data interchange?
"The agreement details the quantities to be sold, guaranteed delivery times, payment terms, and methods of handling disputes." The strategic agreement of the electronic data interchange technology has specific terms agreed on prior to utilization of the service.
Useful information has the following characteristics: relevance, timeliness, accuracy, completeness, and summarization. What happens if the information is incomplete?
"The decision maker does not have enough information in order to act." The decision maker is using an incomplete set of information, which leads either to needing to seek additional information or to taking the risk that the missing information materially affects the decision.
Useful information has the following characteristics: relevance, timeliness, accuracy, completeness, and summarization. What happens if the information is inaccurate?
"The decision maker receives materially wrong information." The decision maker needs information that has no material errors.
Useful information has the following characteristics: relevance, timeliness, accuracy, completeness, and summarization. What happens if the information is untimely?
"The decision maker wastes resources analyzing outdated information." The decision maker spends time and resources on the outdated information, which delays the optimal decision.
Why is the general ledger history file used for comparative financial reports?
"The file uses the same format as the general ledger master, and therefore, the account structures will be the same for information year to year." The same format and account structures allow for transactions to be grouped and categorized consistently from year to year.
Management is required to provide external auditors with documented evidence of functioning controls related to selected material accounts in a report on control effectiveness. How is this evidence obtained?
"The internal audit department documents this evidence." The internal audit department of the organization would perform and document the necessary tests.
Which control objective ensures that no module should be allowed to destroy or corrupt another module?
"The operating system must be protected from itself." The operating system is made up of modules. For the operating system to be protected from itself, no module should be allowed to destroy or corrupt another module.
Which important information does external feedback about the level of uncollected customer accounts indicate to the management information system?
"The organization needs to review its credit-granting policies." The uncollected customer accounts are an indication that some customers have received too much credit, and management should review those policies.
A characteristic of the management reporting system (MRS) is
"that it focuses on internal decision-making information." The management reporting system (MRS) focuses on internal decision-making information. The MRS is the source for reports that managers will use to analyze business performance such as variance analysis, production efficiency, sales, and purchases.
Which risk is associated with charge accounts within the revenue cycle?
"The sales clerk allows customers who are not creditworthy to buy items on the charge account." The clerk can be careless and allow purchases from individuals who do not pay their bills.
Which of the following is an advantage of the test data technique?
"The test data technique requires extensive computer expertise on the part of the auditor." To employ this approach, the auditor requires detailed and current systems documentation: (1) program flowcharts that describe the application's internal logic and allow the auditor to determine which logic branches to test, and (2) record layout diagrams that describe the structure of transaction and master files, which will allow the auditor to create test data.
What is the circular symbol labeled A in the system flowchart?
"This is an on-page connector used to replace flow lines that otherwise would cause excessive clutter on the page." The connector replaces the lines that signify the movement. Lines should be used whenever possible to promote clarity. Restricted use of connectors, however, can improve the readability of a flowchart.
Why is an accumulator routine used in a banking application?
"To address rounding errors." An accumulator routine is a special technique used to keep track of the rounding differences between calculated and reported balances.
Why should the systems development function be separated into two independent groups: new systems development and systems maintenance?
"To improve systems documentation." The segregation of duties between the new systems development team and the systems maintenance team leads to improved systems documentation. The maintenance group needs to have adequate documentation to perform their maintenance duties.
Sara has started a very successful online company selling custom-made jewelry. One of her competitive advantages is a state-of-the-art information system that promotes visibility within the supply chain. Which one of the information system's subsystems helps Sara manage the customer orders she receives?
"Transaction processing system (TPS)." The TPS records the orders as financial transactions in the accounting records.
Which information does the management reporting system (MRS) provide?
"Variance reports." The MRS provides the internal information needed to run a business (e.g., variance reports).
Which third-party trust organization issues three classes of certificates?
"Verisign, Inc." Verisign, Inc. issues three classes of certificates to individuals, businesses, and organizations.
A data mart is
"a data warehouse created for a single function or department." A data mart is a data warehouse created for a single function or department. Modern data warehouses may contain gigabytes of data for use by all business functions and departments. To maximize value for single functions or departments, a data mart may be created within the data warehouse that contains the data specific to the function's requirements. For example, a sales data mart will contain all of the data related to customers, salespeople, inventory, sales orders, etc., but not manufacturing or financial data.
MOD 1 - The primary input to the transaction processing system is
"a financial transaction." The financial transaction is the primary input to the transaction processing system. Financial transactions are economic events that affect assets and equities and are reflected on the financial statements.
MOD 9 - Verisign is
"a for-profit organization that provides assurance regarding the security of transmitted data." Verisign is a for-profit organization that provides assurance regarding the security of transmitted data. Its mission is to provide digital certificate solutions that enable trusted commerce and communications. Its products allow customers to transmit encrypted data and verify the source and destination of transmissions.
Which of the following is considered an unintentional threat to the integrity of the operating system?
"a hardware flaw that causes the system to crash." A hardware flaw that causes the system to crash is an unintentional threat to the integrity of the operating system. Modern computer hardware is very reliable, but problems do happen. Common flaws occur in moving parts such as spinning discs. Disc drive failure is called a head crash and results in the read/write heads touching the disc surface, destroying it. To protect the data, backups are done on a regular basis.
When a firm wants its coding system to convey meaning without reference to any other document, it would choose
"a mnemonic code." When a firm wants its coding system to convey meaning without reference to any other document, it would choose a mnemonic code. For example, colleges and universities use mnemonic codes, such as "Acct 101" for Intro to Accounting, to define courses by department and level. These mnemonic codes provide helpful information for decision making.
A VAN is
"a network that is used for EDI." In an EDI environment, a client's trading partner's computer automatically generates electronic transactions, which are relayed across a value-added network (VAN), and the client's computer processes the transactions without human intervention.
An accounting system that maintains an adequate audit trail is implementing which internal control procedure?
"accounting records." Adequate audit trails use accounting records as an internal control procedure. The accounting records of an organization consist of source documents, journals, and ledgers. These records capture the economic essence of transactions and provide an audit trail of economic events. The audit trail enables the auditor to trace any transaction through all phases of its processing from the initiation of the event to the financial statements.
Which department is least likely to be involved in the revenue cycle?
"accounts payable." The accounts payable department is least likely to be involved in the revenue cycle. Accounts payable is charged with managing the segment of the expenditure cycle that involves payments to vendors and creditors.
The departments involved in the purchasing process are purchasing, receiving, inventory control and
"accounts payable." The departments involved in the purchasing process are purchasing, receiving, inventory control and accounts payable. Accounts payable completes the purchasing process by authorizing and executing the cash disbursement based on a signal from receiving or inventory control.
The greatest risk of misappropriation of funds occurs in
"accounts payable." The greatest risk of misappropriation of funds occurs in accounts payable. This may take the form of payments for goods not ordered or received and to vendors that do not exist. The risk can be reduced through supervision, segregation of duties, independent verification, or automated processes.
Systems development is separated from data processing activities because failure to do so
"allows programmers access to make unauthorized changes to applications during execution." Systems development is separated from data processing activities because failure to do so allows programmers access to make unauthorized changes to applications during execution. Consolidating these functions invites fraud. With detailed knowledge of an application's logic and control parameters along with access to the computer operations, an individual could make unauthorized changes to application logic during program execution. Such changes may be temporary (in real-time) and will disappear with little or no trace when the application terminates.
A key offering for a vendor supported system is
"application installation, system configuration, data conversion, personnel training, and troubleshooting and maintenance." Vendor-supported systems are systems that the vendor develops and maintains for the client organization. The vendor will offer services in application installation, system configuration, data conversion, personnel training, and troubleshooting and maintenance.
Seals of assurance
"are evidence that a web-based business is trustworthy." In response to consumer demand for evidence that a web-based business is trustworthy, a number of trusted third-party organizations are offering seals of assurance that businesses can display on their website home pages. To legitimately bear the seal, the company must show that it complies with certain business practices, capabilities, and controls. The six best-known seal-granting organizations are the Better Business Bureau (BBB), TRUSTe, Verisign, Inc., International Computer Security Association (ICSA), AICPA/CICA WebTrust, and AICPA/CICA SysTrust.
Most organizations implement data warehousing
"as part of a strategic ERP initiative." Most organizations implement a data warehouse as part of a strategic IT initiative that involves an ERP system. Implementing a successful data warehouse involves installing a process for gathering data on an ongoing basis, organizing it into meaningful information, and delivering it for evaluation. The data warehousing process has the following essential stages: Modeling data for the data warehouse, extracting data from operational databases, cleansing extracted data, transforming data into the warehouse model, and finally, loading data into the data warehouse database.
MOD 6 - What type of data is found in the general ledger master file?
"balances for each account in the chart of accounts." Balances for each account in the chart of accounts are found in the general ledger master file. The text describes the general ledger file as the information hub for the accounting system. Each record in the general ledger master file corresponds with one of the accounts in the chart of accounts. Each record is either a GL master account (e.g., Sales) or a control account (e.g., Accounts Receivable control).
MOD 13 - Operating system control objectives may not be achieved
"because of flaws in the operating system that are exploited either accidentally or intentionally." Operating system control objectives may not be achieved because of flaws in the operating system that are exploited either accidentally or intentionally. Accidental threats include hardware failures that cause the operating system to crash. Intentional threats to the operating system are most commonly attempts to illegally access data or violate user privacy for financial gain.
The purpose of the sales invoice is to
"bill the customer." The purpose of the sales invoice is to bill the customer. The sales invoice will be sent to the customer for payment. At the same time, the invoice will also update inventory, post a journal entry to the general ledger, and be recorded in the sales journal.
The coding scheme most appropriate for a chart of accounts is
"block code." The most appropriate coding scheme for a chart of accounts is block code. As described in the text, the use of block codes allows accounts to be logically grouped in blocks. For example, 100 - 199 Current Assets, 200 - 299 Fixed Assets, and so on.
Documentation standards are set
"by the accountant on the project team." In the implementation phase, the accountant plays a role in specifying system documentation. Because financial systems must periodically be audited, they must be adequately documented. The accountant must actively encourage adherence to effective documentation standards.
MOD 2 - Which system is part of the expenditure cycle?
"cash disbursements." Cash disbursements is part of the expenditure cycle. Cash disbursement is the way a firm pays vendors, creditors, and employees.
The systems steering committee
"oversees systems development and assigns priorities." The systems steering committee oversees systems development and assigns priorities. Most organizations have a C-level Steering Committee chaired by the Chief Information Officer that sets overall systems development priorities and strategies. They will also have a project level steering committee that will oversee the project and set priorities.
In a technology-enabled payroll system, Personnel, Time Keeping, Payroll, and Accounts Payable connect to which department to pay employees?
"cash disbursements." In a technology-enabled payroll system, Personnel, Time Keeping, Payroll, and Accounts Payable connect to cash disbursements to pay employees. Personnel inputs the basic employee information and rate of pay; Time Keeping collects hours worked and verifies time cards; Payroll inputs the hours worked into the payroll system, which calculates gross and net pay, taxes, and other deductions; Accounts Payable approves the payment amount; and finally cash disbursements issues paychecks or direct deposits. The general ledger will be updated after the cash disbursement occurs.
Which report is an output of the financial reporting system (FRS)?
"comparative balance sheet." A comparative balance sheet is an output of the financial reporting system. The law requires that corporations generate a series of financial reports - Income Statement, Balance Sheet, Statement of Cash Flows, Tax Returns, and others. This requirement is met by the financial reporting system.
MOD 12 - Tests of controls include
"completing questionnaires." Tests of controls include completing questionnaires. The Sarbanes-Oxley Act requires that management certify that the financial statements are correct. In order to ensure that the financial statements are, in fact, correct, accounting processes and information systems will be built with checks, balances, and controls. Auditors will use questionnaires to guide their approach to testing the controls in the system. Questions include topics such as "Is fraud awareness training carried out?" and "Do particularly critical or sensitive activities require two levels of authority?"
What factor conceptually distinguishes external auditing and internal auditing?
"constituencies." External auditing and internal auditing are distinguished by constituencies. Internal auditors focus on company management. External auditors perform services to assure external investors, tax and regulatory authorities that the financial statements are complete and accurate.
Testing the three-way match involves
"creating two master files." This test involves creating two test master files: a purchase order file and a receiving report file. The transaction in this case is the supplier's invoice. The test data should be designed to contain discrepancies that fall both within and outside of acceptable limits, based on company policy. When the invoice is entered, the AP system should match the three documents (create a digital AP packet) and reconcile the quantities ordered with those received, and the invoice amount with the expected price. The auditor will reconcile both rejected and accepted invoices to determine that the control is functioning in accordance with company policy.
MOD 7 - Which of the following is a problem usually associated with the flat-file approach to data management?
"data redundancy." Data redundancy is a problem with the flat-file approach. Excel spreadsheets are an example of a flat file database. There is no simple way to determine if a particular data item is already in the spreadsheet, especially as the spreadsheet grows.
An important reconciliation in the payroll system is
"general ledger compares the labor distribution summary from cost accounting to the disbursement voucher from accounts payable." An important reconciliation in the payroll system is that the general ledger compares the labor distribution summary from cost accounting to the disbursement voucher from accounts payable. Cost accounting will be tracking the job tickets to properly account for work in process. Accounts payable will produce a disbursement voucher based on input from timecards. Job tickets and timecards should match when hours and hourly rates are extended.
A sequential file backup technique is called
"grandfather-father-son." A sequential file backup technique is called grandfather-father-son. One of the most common ways of controlling backups is to employ a three-copy system known as grandfather-father-son. When a new backup copy is made, it becomes the son, the son (now second most recent) becomes the father, the father (now the third most recent) becomes the grandfather and the grandfather (the oldest retained copy) will be returned to the data center for reuse.
An appraisal function housed within the organization that performs a wide range of services for management is
"internal auditing." An appraisal function housed within the organization that performs a wide range of services for management is internal auditing. Internal auditors verify the accuracy and security of the information systems and also work with various business segments to secure and optimize processes.
Parallel simulation
"is used to reprocess the same transactions that the production application previously processed." Parallel simulation involves creating a program that simulates key features or processes of the application under review. The simulated application is then used to reprocess the same transactions that the production application previously processed.
An example of a nonfinancial transaction is
"log of customer calls." The log of customer calls is a key source of information for customer service, marketing and the sales departments.
The deletion anomaly in unnormalized tables
"may result in the loss of important data." The deletion anomaly may result in the loss of important data. The deletion anomaly arises when data is inadvertently deleted from the table, resulting in the loss of important data.
The most important advantage of sequential coding is that
"missing or unrecorded documents can be identified." The most important advantage of sequential coding is that missing or unrecorded documents can be identified. For example, checks, invoices and orders are commonly coded in sequence to easily identify missing or unprocessed items.
The update anomaly in unnormalized tables
"occurs because of data redundancy." The update anomaly occurs because of data redundancy in unnormalized tables. Because data can appear multiple times in an unnormalized database, it is difficult to ensure that all occurrences get updated when a change occurs. This problem becomes much worse as the database grows in size.
Which symbol is used to represent a data source or destination of documents and reports in a system flowchart?
"oval." This symbol is used to represent a data source or destination of documents and reports.
Individuals who acquire some level of skill and knowledge in the field of computer ethics are involved in which level of computer ethics?
"para computer ethics." Individuals who acquire some level of skill in the field of computer ethics are involved in para computer ethics. A researcher has defined three levels of computer ethics: pop, para, and theoretical. Para computer ethics involves taking a real interest in computer ethics cases and acquiring some level of skill and knowledge in the field. All systems professionals need to reach this level of competency so they can do their jobs effectively.
Both the revenue and the expenditure cycle can be viewed as having two key parts. These key parts are
"physical and financial." The two key parts of the revenue and expenditure cycle are physical and financial. The physical portion refers to the documents that support the necessary transactions; the financial portion refers to the effect that the appropriate transactions have on assets and equity.
In contrast to a batch processing system, in a real-time system
"processing takes place when the economic event occurs." In a real-time system, processing takes place when the economic event occurs. For example, when an item is scanned at your local grocery store during checkout, the store inventory, daily sales, and cashier productivity systems are updated immediately.
MOD 11 - Which ethical principle states that the benefit from a decision must outweigh the risks, and that there is no alternative decision that provides the same or greater benefit with less risk?
"proportionality." The ethical principle that states the benefit from a decision must outweigh the risks is proportionality. Proportionality in the business context is similar to the view first posited by the Utilitarians that an ethical act is one that brings the greatest benefit to the most people.
MOD 5 - The fixed asset system records the
"purchase of a new plant." The fixed asset system records the purchase of a new plant. The fixed asset system records property, plant, and equipment used in the operation of the business. These represent the largest investments of the firm.
In a firm with proper segregation of duties, adequate supervision as a compensating control is still necessary in
"receiving." In a firm with proper segregation of duties, adequate supervision is most critical in receiving. Every day materials arrive on the receiving dock. Until those receipts are recorded in the system, they are invisible to anyone but the receivers and their supervisors. Supervision is a compensating control appropriate before more automated controls take effect. Scanning technology and automated three-way match are technological controls that reduce risk.
Authentication
"requires accountants to develop a new skill set in the electronic environment." Authentication requires accountants to develop a new skill set in the electronic environment. In traditional systems, the authenticity of a sales order from a trading partner or customer is determined by the business paper on which it was written.
Which accounting application is least suited to batch processing?
"sales order processing." Sales order processing is least suited to batch processing. The production process needs to know as soon as possible if customer orders are required. At the same time, it is important to know what the potential revenue is at any given time.
Which of the following is a part of the COSO framework?
"segregation of duties." Segregation of duties is a key part of the COSO framework. Segregation of duties can take many forms, depending on the specific duties to be controlled. Examples include: the authorization for a transaction is separate from the processing of the transaction; responsibility for the custody of assets should be separate from the record-keeping responsibility; and the organization should be structured so that a successful fraud requires collusion between two or more individuals with incompatible responsibilities.
Segregation of duties in the computer-based information system includes
"separating the programmer from the computer operator." Segregation of duties in the computer-based information system includes separating the programmer from the computer operator. The segregation of systems development (both new systems development and maintenance) and operations activities is of great importance. The responsibilities of these groups should not be commingled. Systems development and maintenance professionals acquire (by in-house development and purchase) and maintain systems for users. Operations staff should run these systems and have no involvement in their design and implementation. Consolidating these functions invites fraud.
Closed database architecture is
"similar in concept to the basic flat-file model." Closed database architecture is similar in concept to the basic flat-file model. Under this approach, a database management system is used to provide minimal technological advantage over flat-file systems. The database management system is little more than a private but powerful file system.
Which is the most critical segregation of duties in the centralized IT function?
"systems development from computer operations." The most critical segregation of duties in the centralized IT function is between systems development and computer operations. Access to the data center must be very carefully controlled to comply with SOX. This includes both physical and electronic access. Once the system is turned over to operations, developers lose their access to the live system. Should an error occur, the developers will diagnose the error in their development copy or in a test system. When the error is corrected, the update will be turned over to operations for installation.
Special-purpose systems
"target selected segments of the economy." Special-purpose systems target selected segments of the economy. Some software vendors create special-purpose systems that target selected segments of the economy. For example, the medical field, the banking industry, and government agencies have unique accounting procedures, rules, and conventions that general-purpose accounting systems do not always accommodate.
Which of the following is an external end user?
"tax authorities." Tax authorities are external users who expect an accurate accounting of tax due. In addition, the non-discretionary reports from the accounting information system provide what is needed for tax authorities to evaluate tax liability.
The prime advantage of in-house development is
"the ability to produce applications to exact specifications." The prime advantage of in-house development is the ability to produce applications to exact specifications. This advantage also describes a disadvantage of commercial software. Sometimes, the user's needs are unique and complex, and commercially available software is either too general or too inflexible.
Statement on Auditing Standards No. 109 requires
"the accountant's involvement at both the detailed design and implementation phases." Statement on Auditing Standards No. 109 requires the accountant's involvement at both the detailed design and implementation phases. Controls may be programmed or manual procedures. Some controls are part of the daily operation of the system, while others are special actions that precede, follow, or oversee routine processing.
The transaction processing system includes which of the following?
"the conversion cycle." The conversion cycle is included within the transaction processing system because it records cost accounting and production activities.
Encryption is
"the conversion of data into a secret code for storage in databases and transmission over networks." Encryption is the conversion of data into a secret code for storage in databases and transmission over networks. The sender uses an encryption algorithm to convert the original message (called cleartext) into a coded equivalent (called ciphertext). At the receiving end, the ciphertext is decoded (decrypted) back into cleartext.
MOD 3 - Which document triggers the revenue cycle?
"the customer purchase order." The customer purchase order triggers the revenue cycle. The receipt of the customer purchase order indicating the items and quantity required is the first step in the revenue cycle. Customer purchase orders can be received by phone, email, regular mail, or other means.
Which problem is characteristically associated with the flat-file approach to data management?
"the inability to determine what data is available." The inability to determine what data is available is a characteristic problem with flat-file data management. The only way to determine if data is available in the file is to sequentially read through the entire file from beginning to end, or until the desired data is encountered.
A description of the physical arrangement of records in the database is
"the internal view." The description of the physical arrangement of records is the internal view. The internal view shows the way that the data is organized in the database. This is also known as the hierarchical view.
When a cash disbursement in payment of an accounts payable is recorded
"the liability account is decreased." When a cash disbursement in payment of an accounts payable is recorded, the liability account is decreased. On the Balance Sheet, accounts payable is a current liability. When a cash disbursement is recorded, the liability will be reduced.
Control risk is
"the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts." Control risk is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts. Auditors assess the level of control risk by performing tests of internal controls. An auditor could create test transactions, including some with incorrect total values, which are processed by the application in a test run. The results of the test would reveal if price extension errors are not being detected and are being incorrectly posted to the AR file.
An example of a financial transaction is
"the purchase of a computer." The purchase of a computer adds an asset to the organization.
The systems development process constitutes a set of activities that are of interest to accountants and auditors because
"the quality of accounting information presented in an organization's financial statements is directly related to the quality of the accounting information systems that process and report it." A materially flawed financial application can corrupt financial data, which may then be incorrectly reported in the financial statements.
The most common method of password control is
"the reusable password." The most common method of password control is the reusable password. The user defines the password to the system once and then reuses it to gain future access. The quality of the security a reusable password provides depends on the quality of the password itself.
Commercial accounting systems have fully integrated modules. The word "integrated" means that
"the transfer of information among modules occurs automatically." The word "integrated" means that the transfer of information among modules occurs automatically. In a fully integrated system, the shipping advice will generate the request for invoice automatically. This eliminates the risk that the invoice request is not processed or is processed for a different amount.
The growth of commercial software development is driven in part by
"the trend toward downsizing organizational units and the move toward distributed data processing." Four factors have contributed to the growth of the commercial software market: (1) the relatively low cost of general commercial software as compared to customized software; (2) the emergence of industry-specific vendors who target their software to the needs of particular types of businesses; (3) a growing demand from businesses that are too small to afford in-house systems' development staff; and (4) the trend toward downsizing organizational units and the move toward distributed data processing has made the commercial software option appealing to larger organizations.
Which of the following may provide many distinct views of the database?
"the user view." The user view provides many distinct views of the database. The user view (subschema) shows the segment of the database that the user can access. This access will vary by user as their requirements vary by business function.
The system development process is important to accountants because
"they are as concerned about the integrity of this process as they are with any manufacturing process that has financial resource implications." The system development process is important to accountants because they are as concerned about the integrity of this process as they are with any manufacturing process that has financial resource implications. The quality of accounting information presented in an organization's financial statements is directly related to the quality of the accounting information systems that process and report it.
End users are
"those for whom the system is built." End users are those for whom the system is built. There are many users at all levels in an organization. These include managers and operations personnel from various functional areas, including accountants. During systems development, systems professionals work with the primary users to obtain an understanding of the users' problems and a clear statement of their needs. For example, accountants must specify the accounting techniques to be used for certain transactions and the internal control requirements.
An accountant's responsibility in the systems development life cycle (SDLC) is
"to ensure that the system applies proper accounting conventions and rules and possesses adequate control." A primary role for accountants during the systems development life cycle (SDLC) is to ensure that the system applies proper accounting conventions and rules and possesses adequate control. As with the design phase, accountants must ensure that both the system and the development process apply proper accounting conventions and controls. Not only must proper accounting rules and processes be built into the system, but the development process itself must be subject to proper testing and documentation controls, as required by SAS 109 and Sarbanes-Oxley.
The objective of an ERP is
"to integrate key processes of the organization, such as order entry, manufacturing, procurement and accounts payable, payroll, and human resources." The objective of an ERP is to integrate key processes of the organization, such as order entry, manufacturing, procurement and accounts payable, payroll, and human resources. By doing so, a single computer system can serve the unique needs of each functional area.
MOD 10- A primary role for accountants during the detailed design phase is
"to provide expertise." A primary role for accountants during the detailed design phase is to provide expertise in accounting functions, controls and processes.
An accountant's responsibility during the implementation of the system is
"to represent the interests of the accounting and finance department." A primary role for accountants during the implementation phase is to represent the interests of the accounting and finance department. The member of the project team representing accounting and finance will work with the other team members to ensure that the requirements agreed during the design and development phases are properly implemented. They will look at test results and documentation to ensure that results are correct and meet requirements.
A commercial software system that is finished, tested, and ready for implementation is called a
"turnkey system." A commercial system that is finished, tested and ready for implementation is called a turnkey system. Turnkey systems are generally sold with very limited capability for customization outside of some input, output and processing options chosen through menu selections. Examples of turnkey systems include general accounting systems, special purpose systems and office automation systems.
Big data analytics are characterized by
"volume, velocity, and variety of data." Big data analytics are characterized by volume, velocity, and variety of data. These are referred to as the three Vs: extreme volumes of data (megabytes, terabytes, petabytes, etc.), the rapid velocity at which the data must be processed (particularly in applications involving machine learning and artificial intelligence), and the wide variety of structured and unstructured data types that need to be integrated (audio, video, external web data, social media, the financial reporting system, the management reporting system).
8. Describe the steps of the human resources management (HRM)/payroll cycle.
*Step 1 - Update the payroll master database* to reflect internally initiated changes: new hires, terminations, changes in pay rates, or changes in discretionary withholdings ~ Segregation of duties (the person who maintains the master file must not also distribute paychecks) prevents someone from adding fictitious employees and collecting their wages. *Step 2 - Validate each employee's time and attendance data* ~ Segregation of duties requires that each employee's job assignment be tracked and verified independently of the person recording the time. *Step 3 - Prepare payroll* ~ Threats include errors, disclosure of confidential salary information, and untimely payments ~ Batch totals. Hash totals of employee numbers are particularly useful: if the hash total computed at input agrees with the hash total recomputed after processing, then all payroll records were processed and no record was dropped, duplicated, or replaced by a bogus time card. A hash total of employee numbers says nothing about the other fields (a mis-keyed hours figure leaves it unchanged) and compensating errors can cancel out, so it is used together with a record count and a financial batch total of hours or pay. *Step 4 - Disburse paychecks* to employees ~ To see why this segregation of duties is so important, assume that the person responsible for hiring and firing employees also distributes paychecks. This combination of duties could enable that person to conveniently forget to report an employee's termination and subsequently keep that employee's future paychecks. *Step 5 - Calculate and remit payroll taxes and employee benefits* to the appropriate government or other entity
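The batch controls described in Step 3, as an added example that is not part of the original flashcard text. It computes a record count, a financial batch total of hours and a hash total of employee numbers for a constructed payroll batch, then shows which control catches a dropped record, a substituted (bogus) time card, a mis-keyed hours figure, and the compensating-error case that no total catches. The employee numbers and hours are made up for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TimeCard:
    employee_no: int   # identifier field: summing it gives the hash total
    hours: float       # financial field: summing it gives a batch total


def batch_controls(cards):
    """Return (record count, hours batch total, employee-number hash total)."""
    return (
        len(cards),
        round(sum(c.hours for c in cards), 2),
        sum(c.employee_no for c in cards),
    )


def reconcile(expected, cards):
    """Recompute the three controls after processing and return the names of
    those that disagree with the totals taken at input (empty list == pass)."""
    names = ("record_count", "hours_total", "hash_total")
    actual = batch_controls(cards)
    return [n for n, e, a in zip(names, expected, actual) if e != a]


# Constructed sample batch (illustrative numbers, not real payroll data).
INPUT_BATCH = [
    TimeCard(1001, 40.0), TimeCard(1002, 38.5),
    TimeCard(1003, 42.0), TimeCard(1004, 40.0),
]
# Control totals taken when the batch is keyed: (4, 160.5, 4010).
EXPECTED = batch_controls(INPUT_BATCH)

# What came out of processing in four scenarios:
DROPPED = INPUT_BATCH[:-1]                                  # a record was lost
SUBSTITUTED = INPUT_BATCH[:-1] + [TimeCard(9999, 40.0)]     # bogus time card swapped in
MISKEYED = INPUT_BATCH[:-1] + [TimeCard(1004, 400.0)]       # hours keyed as 400, not 40
# Two employee numbers altered so that their sum is unchanged: every control
# still agrees. Compensating errors are the known blind spot of batch totals.
COMPENSATING = [
    TimeCard(1000, 40.0), TimeCard(1003, 38.5),
    TimeCard(1003, 42.0), TimeCard(1004, 40.0),
]

if __name__ == "__main__":
    for label, batch in [("dropped", DROPPED), ("substituted", SUBSTITUTED),
                         ("miskeyed", MISKEYED), ("compensating", COMPENSATING)]:
        print(f"{label:13s} -> failed controls: {reconcile(EXPECTED, batch)}")
```

The three totals are deliberately complementary: the substitution is invisible to the count and the hours total, the mis-keyed hours figure is invisible to the count and the hash total, and only the compensating case slips past all three.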
1.1) Compare the strengths and limitations of PURCHASING.
*Strengths* ▪ Companies can rent software from application service providers (ASPs), who deliver software over the Internet. ▪ This provides scalability as the business grows and global access to information. ▪ It automates software upgrades, allows companies to focus on core financial competencies rather than information technology (IT) issues, and can reduce software costs and administrative overhead. ▪ Software can be test-driven *Limitations* ▪ A major problem with canned software is that it may not meet all of a company's information needs. This is overcome by modifying the software.
1.2) Compare the strengths and limitations of DEVELOPING IN-HOUSE.
*Strengths* ▪ User creation, control, and implementation ▪ Systems that meet user needs ▪ Timeliness ▪ Freeing up of systems resources ▪ Versatility and ease of use *Limitations* ▪ Logic and development errors ▪ Inadequately tested applications ▪ Inefficient systems ▪ Poorly controlled and documented systems ▪ System incompatibilities ▪ Duplication of systems and data; wasted resources ▪ Increased costs
6-8. when converting to a new system, which of the following conversion alternatives would be the most risky for a financial services firm?
*a. direct conversion b. modular conversion c. parallel conversion d. turnkey conversion
5-10. a decision table shows:
*a. the possible conditions and processing alternatives for a given situation b. who sat where at a board meeting c. the rules for drawing PDFs. d. the local outsourcing vendors in the area for documentation tasks
which component in this diagram is a data flow?
*image* (represented by arrow) Payroll Report
what do the inverted triangles represent in this document flowchart?
*image* (represented by inverted triangle) files stored and retrieved manually
which type of component is 'customer' in this diagram?
*image* (represented by rectangle) a data destination
which process does this flowchart represent?
*image* an invoice is manually prepared and then sent electronically to a customer
a company has several machines that accumulate production data onto magnetic disks. the data from these magnetic disks are uploaded into a computer each day. the data are then processed, summarized, and printed in a daily production report. which documentation tool represents this process?
*image* don't be fooled by the magnetic disks. the data on the magnetic disks are uploaded onto a computer into *databases* each day, THEN, from the databases, they are collectively processed, summarized, and THEN, printed in a daily production report.
when individuals donate equipment to a youth soccer league, the donation is recorded in a database and a receipt is provided to the donor. which symbol should be used to represent a donor in a DFD of this process?
*images* (a donor is a data source/destination) represented by rectangle
Strengths of outsourcing an AIS
- An economic business solution that allows companies to focus on core competencies - Improved cash position from reducing expenses - Access to greater expertise and better technology - Less development time (and less systems development politics) - Elimination of peaks-and-valleys usage - Facilitation of downsizing
Detective Controls
- Log analysis - Intrusion detection systems - Penetration testing - Continuous monitoring
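Log analysis is the first detective control on the list; here is what it looks like in practice, as an added example rather than material from the flashcard deck. The script parses constructed sshd-style authentication lines (invented for this example, not from a real host), counts failed logins per source address inside a sliding time window, and flags a source that exceeds the threshold, noting whether a successful login followed the failures, which is the case that needs an incident response rather than just a block. The log format, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 4410
2024-03-01T09:00:03 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 4411
2024-03-01T09:00:04 sshd[812]: Failed password for root from 203.0.113.7 port 4412
2024-03-01T09:00:06 sshd[812]: Failed password for root from 203.0.113.7 port 4413
2024-03-01T09:00:07 sshd[812]: Failed password for root from 203.0.113.7 port 4414
2024-03-01T09:00:09 sshd[812]: Accepted password for root from 203.0.113.7 port 4415
2024-03-01T09:15:00 sshd[900]: Failed password for alice from 198.51.100.4 port 5000
2024-03-01T09:41:00 sshd[901]: Failed password for alice from 198.51.100.4 port 5001
2024-03-01T09:41:05 sshd[901]: Accepted password for alice from 198.51.100.4 port 5002
"""

LINE_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+$"
)


def parse(log_text):
    """Turn raw lines into (timestamp, outcome, user, source) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skipped here; in production, count unparsed lines too
        ts, outcome, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events


def brute_force_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Flag each source with >= threshold failures inside one sliding window.
    Each alert records whether a successful login followed the burst."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if e[1] == "Failed"]
        for i in range(len(fails)):
            j = i
            # extend the window forward from failure i as far as it reaches
            while j + 1 < len(fails) and fails[j + 1][0] - fails[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                last_fail = fails[j][0]
                success = next((e for e in evs
                                if e[1] == "Accepted" and e[0] >= last_fail), None)
                alerts.append({
                    "src": src,
                    "failures": j - i + 1,
                    "first_failure": fails[i][0],
                    "followed_by_success": success[2] if success else None,
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in brute_force_alerts(parse(SAMPLE_LOG)):
        print(alert)
```

With the defaults only 203.0.113.7 is flagged: five failures in eight seconds followed by a successful root login. The two failures from 198.51.100.4 are 26 minutes apart, so they never fall inside one ten-minute window; widening the window to an hour flags that source too, which is the tuning trade-off between catching slow attacks and drowning in false positives.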
Limitations of Developing In-House AIS
- Logic and development errors - Inadequately tested applications - Inefficient systems - Poorly controlled and documented systems - System incompatibilities - Duplication of systems and data; wasted resources - Increased costs
Collection of Audit Evidence
- Observations of activities; - review of documentation; - discussions with employees; - questionnaires; - physical examination of assets; - confirmation through third parties; - reperformance of procedures; - vouching of source documents; - analytical review; - audit sampling
Information needed to sell merchandise
- Pro forma income statement - Credit card costs - Customer credit status
Production Cycle Activities
- Product design - Planning and scheduling - Production operations - Cost Accounting
Revenue Cycle
- Receive and answer customer inquiries - Take customer orders and enter them into the AIS - Approve credit sales - Check inventory availability - Initiate back orders for goods out of stock - Pick and pack customer orders - Ship goods to customers or perform services - Bill customers for goods shipped or services performed - Update (increase) sales and accounts receivable - Receive customer payments and deposit them in the bank - Update (reduce) accounts receivable - Handle sales returns, discounts, allowances, and bad debts - Prepare management reports - Send appropriate information to the other cycles
Steps of Revenue Cycle
- Receive and answer customer inquiries - Take customer orders and enter them into the AIS - Approve credit sales - Check inventory availability - Initiate back orders for goods out of stock - Pick and pack customer orders - Ship goods to customers or perform services - Bill customers for goods shipped/services performed - Debit Accounts Receivable / Credit Sales - Receive customer payments and deposit them in the bank - Credit accounts receivable / Debit cash - Handle sales returns, discounts, allowances, and bad debts - Prepare management reports; send appropriate information to the other cycles
Human Resources/Payroll Cycle
- Recruit, hire, and train new employees - Evaluate employee performance and promote employees - Discharge employees - Update payroll records - Collect and validate time, attendance, and commission data - Prepare and disburse payroll - Calculate and disburse taxes and benefit payments - Prepare employee and management reports - Send appropriate information to the other cycles
Expenditure Cycle
- Request goods and services be purchased - Prepare, approve, and send purchase orders to vendors - Receive goods and services and complete a receiving report - Store goods - Receive vendor invoices - Update (increase) accounts payable - Approve vendor invoices for payment - Pay vendors for goods and services - Update (reduce) accounts payable - Handle purchase returns, discounts, and allowances - Prepare management reports - Send appropriate information to the other cycles
Major Transaction Cycles
- Revenue cycle - Expenditure cycle - Human resources/payroll cycle - Production cycle - Financing cycle
3 Additional Elements added by ERM
- Setting objectives - Identifying events that may affect the company - Developing a response to assessed risk
Documentation Tools
- narratives - flowcharts - diagrams - other written material (ex. questionnaires)
what are two objectives of cost accounting? choose 2 answers
- providing product data to be used for making pricing decisions - collecting information to calculate to COGS
What are two advantages of purchasing or renting an AIS? choose 2 answers
- software upgrades are automated - the company can test-drive the system
which two guidelines result in a better coding system for storing data in an AIS?
- the coding system should take into consideration expected company growth - the coding system should be consistent with the company's organizational structure
businesses must pay a variety of taxes. match each item of information to the type of tax that requires it. - total wage expense - total sales - point-of-purchase rate tables
- total wage expense = payroll tax - total sales = sales tax - point-of-purchase rate tables = sales tax
which two methods improve the accuracy and completeness of data that is entered in to an AIS?
- using point-of-sale scanners to capture machine-readable data - using pull-down menus on the data input screen
Support Activities of Value Chain
1 Firm Infrastructure 2 HR 3 Technology 4 Purchasing
AIS Threats
1 Natural and political disasters 2 Software and technology errors 3 Accidents or innocent errors and omissions (unintentional acts) 4 Computer crime, fraud, sabotage (intentional acts)
Internal controls perform three important functions:
1 Preventive controls deter problems before they arise 2 Detective controls discover problems that are not prevented 3 Corrective controls identify and correct problems as well as correct and recover from the resulting errors
Internal controls are the processes implemented to provide reasonable assurance about which control objectives are achieved?
1 Safeguard assets - prevent or detect their unauthorized acquisition, use, or disposition 2 Maintain records in sufficient detail to report company assets accurately and fairly 3 Provide accurate and reliable information 4 Prepare financial reports in accordance with established criteria 5 Promote and improve operational efficiency 6 Encourage adherence to prescribed managerial policies 7 Comply with applicable laws and regulations
Steps of the data input process
1) Capture the transaction data and enter them into the system. 2) Make sure captured data are accurate and complete. 3) Make sure company policies are followed, such as approving or verifying a transaction
Controls to Preserve Confidentiality
1) Identify and classify the information to be protected 2) Encrypt the information 3) Control access to the information 4) Train employees to properly handle the information
COBIT 5 Framework Key Principles
1) Meeting Stakeholder Needs 2) Covering the enterprise end-to-end 3) Applying a single integrated framework 4) Enabling a holistic approach. 5) Separating Governance from Management
HRM and Payroll Cycle Activities
1) Update master data 2) validate time and attendance 3) prepare payroll 4) distribute payroll 5) disburse taxes and miscellaneous deductions
What are internal controls?
1. Adequate documents and records 2. Solid personal policies and practices 3. Separation of duties 4. Physical protection of assets 5. Proper authorization for sales and payments 6. Reviews of controls (internal audit) 7. Timely performance reports
Importance of Documentation Tools
1. At a minimum, you must be able to read documentation to determine how a system works. 2. You may need to evaluate documentation to identify internal control strengths and weaknesses and recommend improvements as well as to determine if a proposed system meets the company's needs. 3. More skill is needed to prepare documentation that shows how an existing or proposed system operates.
What are the four basic functions of event processing in segregation of duties?
1. Authorizing Events 2. Executing Events 3. Recording Events 4. Safeguarding Resources Resulting from Consummating Events
Fraud Conditions
1. False representation 2. Material fact 3. Intent to deceive 4. Justifiable reliance 5. Injury or loss
What federal regulations impose specific requirements on organization's to protect the privacy of their customer's personal information?
1. Health Insurance Portability and Accountability Act (HIPAA) 2. Health Information Technology for Economic and Clinical Health Act (HITECH) 3. Financial Services Modernization Act (Gramm-Leach-Bliley Act)
What are ethical behaviors?
1. Honesty 2. protecting computer systems - don't hog the network 3. protecting confidential information 4. social responsibility - act responsibly 5. rights of privacy - organization's right to read private email? 6. Acceptable Use
What controls need to be implemented to protect privacy?
1. Identification of the information that needs to be protected 2. Encryption 3. Access Controls 4. Training
What four actions (four components of) must be taken in order to preserve the confidentiality of sensitive information?
1. Identify and classify the information to be protected 2. Encrypt the information 3. Control access to the information 4. Train employees to properly handle the information
Six components of AIS
1. People who use the system 2. Procedures and instructions used to collect, process, and store data 3. Data about the organization and its business activities 4. Software used to process the data 5. Information technology infrastructure 6. Internal controls and security measures that safeguard AIS data
What are the General Controls for IT environments?
1. Personnel controls - segregation of duties, accounts, and knowledge 2. File Security controls - 3. Fault-tolerant systems, backup, and contingency planning 4. Computer facility controls 5. Access to computer files
Control Activities (Categories)
1. Proper authorization of transactions and activities 2. Segregation of duties 3. Project development and acquisition controls 4. Change management controls 5. Design and use of documents and records 6. Safeguarding assets, records, and data 7. Independent checks on performance
7 Characteristics of useful information
1. Relevant - reduces uncertainty and improves decision making 2. Reliable - free from error or bias 3. Complete - does not omit important aspects of the events or activities it measures 4. Timely - provided in time for decision makers to use it 5. Understandable - presented in a meaningful and intelligible form 6. Verifiable - two independent, knowledgeable people reach the same conclusion 7. Accessible - available to users when they need it
5 basic transaction cycles
1.Revenue cycle: give goods / give service—get cash 2.Expenditure cycle: get goods / get service—give cash 3.Production cycle: give labor and give raw materials—get finished goods 4.Payroll cycle: give cash—get labor 5.Financing cycle: give cash—get cash
19. A computer operator was in a hurry and accidentally used the wrong master file to process a transaction file. As a result, the accounts receivable master file was erased. Which control would prevent this from happening? a. header label check b. expiration date check c. version check d. validity check
A
2. Which control is not associated with new systems development activities? a. reconciling program version numbers b. program testing c. user involvement d. internal audit participation
A
28. When the auditor reconciles the program version numbers, which audit objective is being tested? a. protect applications from unauthorized changes b. ensure applications are free from error c. protect production libraries from unauthorized access d. ensure incompatible functions have been identified and segregated
A
29. When auditors do not rely on a detailed knowledge of the application's internal logic, they are performing a. black box tests of program controls b. white box tests of program controls c. substantive testing d. intuitive testing
A
31. Which test is not an example of a white box test? a. determining the fair value of inventory b. ensuring that passwords are valid c. verifying that all pay rates are within a specified range d. reconciling control totals
A
32. When analyzing the results of the test data method, the auditor would spend the least amount of time reviewing a. the test transactions b. error reports c. updated master files d. output reports
A
34. All of the following are disadvantages of the test data technique except a. the test data technique requires extensive computer expertise on the part of the auditor b. the auditor cannot be sure that the application being tested is a copy of the current application used by computer services personnel c. the auditor cannot be sure that the application being tested is the same application used throughout the entire year d. preparation of the test data is time-consuming
A
35. All of the following statements are true about the integrated test facility (ITF) except a. production reports are affected by ITF transactions b. ITF databases contain "dummy" records integrated with legitimate records c. ITF permits ongoing application auditing d. ITF does not disrupt operations or require the intervention of computer services personnel
A
Relational data model
A 2D table representing data- each row represents a unique entity (record) and each column is a field where record attributes are stored
Internal Control—Integrated Framework (IC)
A COSO framework that defines internal controls and provides guidance for evaluating and enhancing internal control systems.
Enterprise Risk Management - Integrated Framework (ERM)
A COSO framework that improves the risk management process by expanding COSO's Internal Control—Integrated Framework (it adds three additional elements).
Transaction Processing System
Central to the overall function of the information system. It converts economic events into financial transactions in the accounting records (journals and ledgers) and distributes essential financial information to operations personnel to support their daily operations. It is composed of three major subsystems: the revenue cycle, the expenditure cycle, and the conversion cycle.
D: Establish off-site mirrored Web server.
A company has a significant e-commerce presence and self-hosts its website. To assure continuity in the event of a natural disaster, the firm should adopt which of the following strategies? A: Back up the server database daily. B: Store records off-site. C: Purchase and implement RAID technology. D: Establish off-site mirrored Web server.
B: Errors in employees' overtime computation.
A company's new time clock process requires hourly employees to select an identification number and then choose the clock-in or clock-out button. A video camera captures an image of the employee using the system. Which of the following exposures can the new system be expected to change the least? A: Fraudulent reporting of employees' own hours. B: Errors in employees' overtime computation. C: Inaccurate accounting of employees' hours. D: Recording of other employees' hours.
C: The financing cycle.
A company's trading activities may be of additional concern in relation to A: HR. B: Sales contracts. C: The financing cycle. D: The general ledger cycle.
Denial-of-Service (DoS) Attack
A computer attack in which the attacker floods a target (for example an internet service provider's e-mail server or a website) with so many e-mail messages or web page requests, often from spoofed or randomly generated source addresses, that the server is overloaded and shuts down or can no longer serve legitimate users.
header label check
A computer operator was in a hurry and accidentally used the wrong master file to process a transaction file. As a result, the accounts receivable master file was erased. What control would prevent this from happening? A. header label check B. expiration date check C. version check D. validity check
check digit
A control designed to validate a transaction at the point of data entry is A. a check digit B. recalculate record count C. recalculate batch total D. checkpoints E. recalculation of a hash total
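A worked version of the point-of-entry controls this card and the "Steps of the data input process" card describe, added here as an example rather than taken from the deck. The check-digit scheme is assumed to be mod-10 (Luhn), which the card does not specify; the customer numbers, amount limit and field layout are likewise invented for the example. It shows the check digit rejecting a transposition and a single-digit keying error, and how a check digit, a validity check, a field check and a limit check are layered on one input screen.

```python
def luhn_check_digit(body: str) -> str:
    """Compute the mod-10 (Luhn) check digit for a string of digits."""
    if not body.isdigit():
        raise ValueError("check digit body must be numeric")
    total = 0
    # Walk right to left; doubling starts at the rightmost body digit because
    # the check digit itself will occupy the final position.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def is_valid(number: str) -> bool:
    """True when the last digit is the correct Luhn check digit for the rest."""
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == number[-1])


def validate_sale_entry(customer_no: str, amount: str, valid_customers) -> list:
    """Input edit checks applied before a credit sale is accepted.
    Returns the names of the checks that failed (empty list == accept)."""
    problems = []
    if not is_valid(customer_no):
        problems.append("check digit")   # keying error, caught without a lookup
    elif customer_no not in valid_customers:
        problems.append("validity")      # well-formed number, but no such customer
    try:
        amt = float(amount)
        if not 0 < amt <= 10_000:        # assumed per-transaction limit
            problems.append("limit")
    except ValueError:
        problems.append("field")         # amount must be numeric
    return problems


# Constructed master file of valid customer numbers (each carries a check digit).
VALID_CUSTOMERS = {"79927398713", "12345674"}

if __name__ == "__main__":
    print(luhn_check_digit("7992739871"))                        # 3
    print(validate_sale_entry("79927398713", "250.00", VALID_CUSTOMERS))   # []
    print(validate_sale_entry("79927397813", "250.00", VALID_CUSTOMERS))   # transposed 87 -> 78
```

The check digit is computed offline from the number itself, so it catches errors before any database round trip; the validity check then needs the master file, which is why the two are ordered that way. The Luhn scheme detects every single-digit error and every adjacent transposition except 09/90, which is the limitation to know about before choosing it.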
B: OLAP
A data analyst at Hubert Humbert Fashion Designers is using a component of its organization-wide ERP system to analyze customer sales to determine the optimal opening and closing times for its retail stores. The analyst is most likely using the _________ component of the system. A: CRM B: OLAP C: OLTP D: Supply chain management
3. Interpret a data flow diagram and its components.
A data flow diagram (DFD) graphically describes the flow of data within an organization. It uses the first four symbols to represent four basic elements: ▪ data sources and destinations (send and receive data the system uses or produces) ▪ data flows (movement of data among processes, stores, sources, and destinations) ▪ transformation processes (action that transforms data into information for use) ▪ data stores (repository or medium where system data is stored)
What is a relational database?
A database, the most common kind in use today, that stores data in two-dimensional tables (relations) of rows and columns, with tables linked through shared key values, so that every business stream can access the data it needs through a common query interface. Example: Sheridan Student Services booking system.
Data Flow Diagram (DFD)
A graphical description of the flow of data within an organization, including data sources/destinations, data flows, transformation processes, and data storage. Logical and balanced DFDs.
What is a subsidiary ledger?
A group of similar accounts whose combined balances equal the balance in a specific general ledger account .
Digital Signature
A hash of the document encrypted with the signer's private key. Anyone holding the matching public key can decrypt it and compare the result with a freshly computed hash of the document, verifying both who signed and that the document has not been altered since. (This is the textbook RSA picture; signature schemes such as ECDSA or RSA-PSS do not literally "encrypt" the hash, but the verification idea is the same.)
A: likelihood rating; impact ratings
A heat map used as a part of assessing risks plots the___________________ on the vertical axis against the___________________ on the horizontal axis. A: likelihood rating; impact ratings B: inherent risk; risk appetite C: target residual risk, actual residual risk D: internal control; inherent risk
Specialized Journal
A journal used to record a large number of repetitive transactions such as credit sales, cash receipts, purchases, and cash disbursements
General Journal
A journal used to record infrequent or non-routine transactions, such as loan payments and end-of-period adjusting and closing entries
Subsidiary Ledger
A ledger used to record detailed data for a general ledger account with many individual sub accounts, such as accounts receivable, inventory, and accounts payable.
Internal-level schema
A low-level view of the entire database describing how the data are actually stored and accessed
d. logic bomb.
A malicious program that attaches to another legitimate program but does NOT replicate itself is called a a. virus. b. worm. c. Trojan horse. d. logic bomb.
Packet Filtering
A process that uses fields in a packet's IP and TCP (or UDP) headers, such as source and destination addresses, protocol, ports, and TCP flags, to decide whether to forward or drop the packet
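An added example of packet filtering as just defined, not code from the flashcard deck: a small first-match rule evaluator over constructed packets and a constructed rule set (the addresses, ports and rule order are assumptions for illustration). It shows why rule order matters (the block list is evaluated before the public-service allows), why the default action is deny, and the classic weakness of a stateless filter: it can only approximate "established" traffic by looking at the SYN/ACK flags, so a packet that merely claims to belong to an existing session is let through.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    syn_only: bool = False  # TCP SYN without ACK == new inbound connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    src: str                   # CIDR or "any"
    dst: str                   # CIDR or "any"
    proto: str                 # "tcp", "udp" or "any"
    dport: Optional[range]     # None == any port
    new_connections: Optional[bool] = None  # None == don't care about TCP flags


def _net_match(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and (rule.dport is None or pkt.dport in rule.dport)
            and (rule.new_connections is None or rule.new_connections == pkt.syn_only))


def filter_packet(rules, pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed rule set for a public web server at 192.0.2.10 and an internal 10/8 net.
RULES = [
    Rule("deny", "203.0.113.0/24", "any", "any", None),              # block list first
    Rule("allow", "any", "192.0.2.10/32", "tcp", range(443, 444)),    # public HTTPS
    Rule("allow", "any", "192.0.2.10/32", "tcp", range(80, 81)),      # public HTTP
    Rule("allow", "10.0.0.0/8", "any", "tcp", range(22, 23)),         # SSH from inside only
    Rule("deny", "any", "10.0.0.0/8", "tcp", None, new_connections=True),   # no new sessions inbound
    Rule("allow", "any", "10.0.0.0/8", "tcp", None, new_connections=False), # "established" reply traffic
]

if __name__ == "__main__":
    for pkt in [Packet("198.51.100.9", "192.0.2.10", "tcp", 443, True),
                Packet("203.0.113.5", "192.0.2.10", "tcp", 443, True),
                Packet("198.51.100.9", "10.1.2.3", "tcp", 3389, True),
                Packet("198.51.100.9", "10.1.2.3", "tcp", 51000, False)]:
        print(pkt, "->", filter_packet(RULES, pkt))
```

The last sample packet is the one to notice: an outside host sending an ACK-flagged segment to an internal port is allowed by the "established" rule even though no session exists, because a stateless filter has no connection table. That gap is what stateful inspection firewalls close.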
zero-balance test
A processing control that verifies that the balance of a control account equals zero after all entries to it have been made.
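The subsidiary ledger definition above and this zero-balance test are both reconciliations between a control account and the detail posted beneath it. The following added example (written for this page, not from the flashcard source) implements both over an in-memory SQLite ledger: a credit sale is posted to the customer's subsidiary account and to the AR control account together, a reconciliation reports any difference between the two, and a payroll clearing account is debited when wages are paid and credited as the cost is allocated, so that it should net to zero. Account names, the customers and the amounts are invented for the example; the sign convention (debits positive, credits negative) is an assumption.

```python
import sqlite3


def open_ledger():
    """In-memory ledger: a GL posting table plus an AR subsidiary ledger.
    Sign convention: debits are positive, credits are negative."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE ar_subsidiary (
            id INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customer(id),
            amount REAL NOT NULL);
        CREATE TABLE gl_posting (
            id INTEGER PRIMARY KEY,
            account TEXT NOT NULL,
            amount REAL NOT NULL);
        INSERT INTO customer VALUES (1, 'Acme Ltd'), (2, 'Bolt & Co');
    """)
    return con


def post_credit_sale(con, customer_id, amount):
    """A credit sale hits the customer's subsidiary account and the AR control
    account in one transaction; Sales takes the matching credit."""
    with con:
        con.execute("INSERT INTO ar_subsidiary (customer_id, amount) VALUES (?, ?)",
                    (customer_id, amount))
        con.execute("INSERT INTO gl_posting (account, amount) VALUES ('AR control', ?)",
                    (amount,))
        con.execute("INSERT INTO gl_posting (account, amount) VALUES ('Sales', ?)",
                    (-amount,))


def post_payroll(con, gross_pay, allocations):
    """Payroll clearing is debited when wages are paid and credited as the cost
    is allocated to labor/overhead accounts. Complete allocations leave it at zero."""
    with con:
        con.execute("INSERT INTO gl_posting (account, amount) VALUES ('Payroll clearing', ?)",
                    (gross_pay,))
        con.execute("INSERT INTO gl_posting (account, amount) VALUES ('Cash', ?)",
                    (-gross_pay,))
        for account, amt in allocations.items():
            con.execute("INSERT INTO gl_posting (account, amount) VALUES (?, ?)",
                        (account, amt))
            con.execute("INSERT INTO gl_posting (account, amount) VALUES ('Payroll clearing', ?)",
                        (-amt,))


def account_balance(con, account):
    row = con.execute("SELECT COALESCE(SUM(amount), 0) FROM gl_posting WHERE account = ?",
                      (account,)).fetchone()
    return round(row[0], 2)


def subsidiary_vs_control(con):
    """Reconciliation: total of the AR subsidiary accounts minus the AR control
    balance. Anything other than 0 means a posting reached only one side."""
    sub = con.execute("SELECT COALESCE(SUM(amount), 0) FROM ar_subsidiary").fetchone()[0]
    return round(sub - account_balance(con, "AR control"), 2)


def zero_balance_test(con, account):
    """Processing control: a clearing/control account must net to zero."""
    return account_balance(con, account) == 0


if __name__ == "__main__":
    con = open_ledger()
    post_credit_sale(con, 1, 500.0)
    post_credit_sale(con, 2, 250.5)
    print("AR difference:", subsidiary_vs_control(con))
    post_payroll(con, 10000.0, {"Direct labor": 6000.0, "Manufacturing overhead": 4000.0})
    print("Payroll clearing zero:", zero_balance_test(con, "Payroll clearing"))
```

Both checks are cheap to run after every posting batch, and that is the point: a difference in the AR reconciliation or a non-zero clearing balance pinpoints a missing or one-sided posting before it reaches the financial statements.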
D: Experience on a public company's compensation committee.
A public company audit committee's "financial expert" must have all of the following except: A: An understanding of GAAP and financial statements. B: Experience in preparing or auditing financial statements of comparable companies and application of such principles in connection with accounting for estimates, accruals, and reserves. C: Experience with internal auditing controls. D: Experience on a public company's compensation committee.
Expenditure Cycle
A recurring set of business activities and related data processing operations associated with the purchase of and payment for goods and services. In the expenditure cycle, the primary external exchange of information is with suppliers (vendors).
Accounts receivable aging report
A report listing customer accounts balances by length of time outstanding
Postimplementation Review Report
A report that analyzes a newly delivered system to determine if the system achieved its intended purpose and was completed within budget.
Query
A request for the database to provide the information needed to deal with a problem or answer a question. The information is retrieved, displayed or printed, and/or analyzed as requested.
4. Explain the fundamental concepts of Schemas.
A schema is a description of the data elements in a database, the relationships among them, and the logical model used to organize and describe the data. There are three levels of schemas: a. The conceptual-level schema, a high-level, organization-wide view of the entire database, lists all data elements and the relationships among them. b. The external-level schema is an individual user's view of portions of a database, each of which is referred to as a subschema. c. The internal-level schema, a low-level view of the database, describes how the data are stored and accessed, including record layouts, definitions, addresses, and indexes.
Control Objective for Information and Related Technology (COBIT)
A security and control framework that allows (1) management to benchmark the security and control practices of IT environments, (2) users of IT services to be assured that adequate security and control exist, and (3) auditors to substantiate their internal control opinions and advise on IT security and control matters.
Demilitarized Zone (DMZ)
A separate network segment, placed between the Internet and the organization's internal network and isolated from both by firewalls, that permits controlled access from the Internet to public-facing servers (web, mail) without exposing the internal information system
Record
A set of fields whose data values describe specific attributes of an entity, such as all payroll data relating to a single employee. An example is a row in a spreadsheet.
Database
A set of interrelated, centrally controlled data files that are stored with as little data redundancy as possible. A database consolidates records previously stored in separate files into a common pool and serves a variety of users and data processing applications
Databases
A set of interrelated, centrally coordinated data files that are stored with as little data redundancy as possible
File
A set of logically related records, such as the payroll records of all employees
b. worm
A software program that replicates itself in areas of idle memory until the system fails is called a a. Trojan horse b. worm c. logic bomb d. none of the above
Firewall
A special-purpose hardware device, or software running on a general-purpose computer, that controls both inbound and outbound communication between the system behind the firewall and other networks
Remote Authentication Dial-In User Service (RADIUS)
A standard protocol for centrally verifying the identity of users attempting to connect to a network; originally designed for dial-in access, it is now used the same way for VPN, Wi-Fi (802.1X) and switch-port logins
AIS
A system that collects, processes and stores accounting and other data to report information to assist users in decision-making.
Accounting Information System (AIS)
A system that collects, records, stores, and processes data to produce information for decision makers. It includes people, procedures and instructions, data, software, information technology infrastructure, and internal controls and security measures.
Corrective Internal Controls
Actions taken to reverse the effects of errors detected.
Production or conversion cycle
Activities associated with using labor, raw materials, and equipment to produce finished goods
the test data technique requires extensive computer expertise on the part of the auditor
All of the following are disadvantages of the test data technique except a. the test data technique requires extensive computer expertise on the part of the auditor b. the auditor cannot be sure that the application being tested is a copy of the current application used by computer services personnel c. the auditor cannot be sure that the application being tested is the same application used throughout the entire year d. preparation of the test data is time-consuming
d. the recipient's application software can validate the password after the transaction has been processed
All of the following techniques are used to validate electronic data interchange transactions except a. value added networks can compare passwords to a valid customer file before message transmission b.prior to converting the message, the translation software of the receiving company can compare the password against a validation file in the firm's database c. the recipient's application software can validate the password prior to processing d. the recipient's application software can validate the password after the transaction has been processed
d. install public-domain software from reputable bulletin boards
All of the following will reduce the exposure to computer viruses except a. install antivirus software b. install factory-sealed application software c. assign and control user passwords d. install public-domain software from reputable bulletin boards
ways to address information overload
Allow more time to complete important tasks. Compress, aggregate, categorize, and structure information. Formalize the language used to describe information. Handle information as it comes to you; don't put it off! Use graphs and other visual aids.
A: Sequential
An accountant at Henry Higgins Language Lessons must sort the master file before processing recent transactions to update the master file. Henry Higgins uses ______ file storage. A: Sequential B: RAID C: Optical disk D: Data mart
C: OLTP
An accountant at Hubert Humbert Fashion Designers is using a component of its organization-wide ERP system to prepare a payroll tax return. The accountant is most likely using the _________ component of the system. A: CRM B: OLAP C: OLTP D: Supply chain management
Flowchart
An analytical technique that uses a standard set of symbols to describe pictorially some aspect of an IS in a clear, concise, and logical manner.
Flowcharting
An analytical technique that uses a standard set of symbols to describe pictorially some aspect of an information system in a clear, concise, and logical manner
B: Increased responsiveness and flexibility while aiding in the decision-making process.
An enterprise resource planning (ERP) system has which of the following advantages over multiple independent functional systems? A: Modifications can be made to each module without affecting other modules. B: Increased responsiveness and flexibility while aiding in the decision-making process. C: Increased amount of data redundancy, since more than one module contains the same information. D: Reduction in costs for implementation and training.
A: What is the relationship between our strategy and objectives?
An entity reviews its ERM practices. Which question is the organization least likely to investigate as a part of this review? A: What is the relationship between our strategy and objectives? B: How did the entity perform? C: Are we taking sufficient risks to attain desired performance? D: Were risk estimates accurate?
sum of the social security numbers
An example of a hash total is A. total payroll checks B. total number of employees C. sum of the social security numbers D. none of the above
Supply chain
An extended system that includes an organization's value chain as well as its suppliers, distributors, and customers.
What is an attest function?
An independent review of an audit conducted by an accountant. Examines all the data used in the audit as well as the finished audit report. Conducted by a CPA, it is intended to express an opinion on the accuracy of a company's financial statements.
External-level schema
An individual user's view of portions of database
Range Check
An input control that catches input errors that are higher or lower than acceptable values.
a. operating system.
An integrated group of programs that supports the applications and facilitates their access to specified resources is called a(n) a. operating system. b. database management system. c. utility system. d. facility system. e. object system.
limit check
An inventory record indicates that 12 items of a specific product are on hand. A customer purchased two of the items, but when recording the order, the data entry clerk mistakenly entered 20 items sold. Which check could detect this error? a. numeric/alphabetic data checks b. limit check c. range check d. reasonableness check
D: Review its ERM practices.
An organization launches a new product and finds the product is performing better than expected and that the volatility of sales is less than expected. Which of the following is the organization most likely to do? A: Review its internal control procedures. B: Investigate new technologies to improve product performance. C: Revise its tolerance and decrease its risk appetite D: Review its ERM practices.
Fraud
Any and all means a person uses to gain an unfair advantage over another person
Computer Fraud
Any type of fraud that requires computer technology to perpetrate
Which of the following is often called a compensating control? A. transaction authorization B. supervision C. accounting records D. segregation of duties
B
How does a direct access file processing system edit individual transactions? a. takes place in a separate computer run b. takes place in online mode as transactions are entered c. takes place during a backup procedure d. is not performed due to time constraints e. is not necessary
C
In a computer system, how are accounting records posted? a. master file is updated to a transaction file b. master file is updated to an index file c. transaction file is updated to a master file d. master file is updated to a year-to-date file e. current balance file is updated to an index file
C
The underlying assumption of reasonable assurance regarding implementation of internal control means that A. auditors are reasonably assured that fraud has not occurred in the period B. auditors are reasonably assured that employee carelessness can weaken an internal control structure C. implementation of the control procedure should not have a significant adverse effect on efficiency or profitability D. management assertions about control effectiveness should provide auditors with reasonable assurance E. a control applies reasonably well to all forms of computer technology
C
Which of the following benefits is least likely to result from a system of internal controls? A. reduction of cost of an external audit B. prevention of employee collusion to commit fraud C. availability of reliable data for decision-making purposes D. some assurance of compliance with the Foreign Corrupt Practices Act of 1977 E. some assurance that important documents and records are protected
C
The fraud scheme that is similar to the concept of "borrowing from Peter to pay Paul" is A. expense account fraud B. bribery C. lapping D. transaction fraud
C
Data manipulation language (DML)
DBMS language that changes database content, including data element creation, updates, insertions, and deletions
Information
Data that have been organized and processed to provide meaning and improve the decision-making process
C: Determine responses to the risks.
Devon Company is using an enterprise risk management system. Management of the company has set the company's objectives, identified events, and assessed risks. What is the next step in the enterprise risk management process? A: Establish control activities to manage the risks. B: Monitor the risks. C: Determine responses to the risks. D: Identify opportunities.
1. Explain the purpose of documentation.
Documentation explains how a system works, including the who, what, when, where, why, and how of data entry, data processing, data storage, information output, and system controls. This helps with training IT employees to use the system. a. At a minimum, you must be able to read documentation to determine how a system works. b. You may need to evaluate documentation to identify internal control strengths and weaknesses and recommend improvements, as well as to determine if a proposed system meets the company's needs. c. More skill is needed to prepare documentation that shows how an existing or proposed system operates.
Complete information
Does not omit important aspects of the events or activities it measures.
Complete
Doesn't omit important aspects of the event/activities
12. Which statement is not true? A batch control record a. contains a transaction code b. records the record count c. contains a hash total d. control figures in the record may be adjusted during processing e. All the above are true
E
5 common activities of the expenditure cycle
Expenditure cycle: get goods / get services—give cash. Activities: request goods and services be purchased; prepare, approve, and send purchase orders to vendors; receive goods and services and complete a receiving report; store goods; receive vendor invoices; update (increase) accounts payable; approve vendor invoices for payment; pay vendors for goods and services; update (reduce) accounts payable; handle purchase returns, discounts, and allowances; send appropriate information to the other cycles.
A: It is vague and imprecise.
Farmers and Ranchers Credit Union has set the following statement of risk appetite: "Net credit losses will be really low." Which of the following claims regarding this statement are most accurate? A: It is vague and imprecise. B: It is excellent and appropriate. C: "Net credit losses" are not an appropriate metric for a statement of risk appetite. D: Statements of risk appetite must be stated in the active voice.
Information Output
Final step in data processing cycle. Displayed on monitor is called "soft copy," and displayed on paper is called "hard copy." Usually presented in a document, report, or query response.
5 production activities of the human financing cycle
Financing cycle: give cash—get cash. Activities: forecast cash needs; sell stock/securities to investors; borrow money from lenders; pay dividends to investors and interest to lenders; retire debt; prepare management reports; send appropriate information to the other cycles.
Vulnerabilities
Flaws in programs that can be exploited to either crash the system or take control of it
c. all nodes are of equal status; responsibility for managing communication is distributed among the nodes
In a ring topology a. the network consists of a central computer which manages all communications between nodes b. has a host computer connected to several levels of subordinate computers c. all nodes are of equal status; responsibility for managing communication is distributed among the nodes d. information processing units rarely communicate with each other
D: The organizational culture is closely linked to the organization's strategy, objectives, and business context.
In a risk-aware organization, A: The organizational culture is independent of management. B: The organizational culture will be risk averse. C: Investments in unproven technologies will be minimized. D: The organizational culture is closely linked to the organization's strategy, objectives, and business context.
b. individual workstations can function locally but cannot communicate with other workstations
In a star topology, when the central site fails a. individual workstations can communicate with each other b. individual workstations can function locally but cannot communicate with other workstations c. individual workstations cannot function locally and cannot communicate with other workstations d. the functions of the central site are taken over by a designated workstation
hash total
In an automated cash disbursement system, a supervisor substituted a legitimate vendor invoice with a fictitious invoice, which was payable to himself under a false company name. The fictitious invoice was for the same dollar amount as the substituted invoice. The best control technique to detect this action would be a A. control total B. record count C. hash total D. sequence check E. Financial total
Online Real-Time Processing
Involves a continual input, processing, and output of data, e.g., an online reservation system.
2. Describe the objectives of an information system audit.
Information Systems (internal control) Audit - Examination of the general and application controls of an IS to assess its compliance with internal control policies and procedures and its effectiveness in safeguarding assets. a. Objective 1: *Overall Security* - Security provisions protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction. b. Objective 2: *Program Development and Acquisition* - Program development and acquisition are performed in accordance with management's general and specific authorization. c. Objective 3: *Program Modification* - Program modifications have management's authorization and approval. d. Objective 4: *Computer Processing* - Processing of transactions, files, reports, and other computer records is accurate and complete. e. Objective 5: *Source Data* - Source data that are inaccurate or improperly authorized are identified and handled according to prescribed managerial policies. f. Objective 6: *Data Files* - Computer data files are accurate, complete, and confidential.
5. Identify the types of information output produced by an AIS.
Information is usually presented in three forms: a. Document - records of transactions or other company data. Examples include checks, invoices, receiving reports, and purchase requisitions. b. Report - Meaningful system output used by employees to control operational activities, by managers to make decisions and design strategies, and by investors and creditors to understand a company's business activities. c. Query - A request for the database to provide the information needed to deal with a problem or answer a question quickly. The information is retrieved, displayed or printed, and/or analyzed as requested.
What is discretionary information?
Information that is not required by law. Think: secret
General ledger and reporting system
Information-processing operations involved in updating the general ledger and preparing reports for both management and external parties.
B: The automated system requires controls related to people, software, and hardware.
Jones and Willy recently implemented an automated accounting system to replace their manual accounting system. While setting up the system, they find that: A: They need to permanently run the manual and automated accounting systems as a control over processing. B: The automated system requires controls related to people, software, and hardware. C: Access controls are of less importance in the new system. D: The company's external auditors are best qualified to set up the new system.
General Ledger
Ledger that contains summary-level data for every asset, liability, equity, revenue, and expense account of the organization
Subsidiary Ledger
Ledger used to record detailed data for a general ledger account with many individual sub-accounts such as accounts receivable, inventory and accounts payable
Sarbanes-Oxley Act (SOX)
Legislation intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen internal controls at public companies, and punish executives who perpetrate fraud
Foreign Corrupt Practices Act (FCPA)
Legislation passed to prevent companies from bribing foreign officials to obtain business; also requires all publicly owned corporations to maintain a system of internal accounting controls
Mnemonic code
Letters and numbers that are interspersed to identify an item. The mnemonic code is derived from the description of the item and is usually easy to memorize. For example, Dry300W05 could represent a low end (300), white (W) dryer (Dry) made by Sears (05).
A: That functions that had previously been spread across multiple employees have been combined.
Morgan Property Management, Inc. recently switched from a manual accounting system to a computerized accounting system. The system supports online real-time processing in a networked environment, and six employees have been granted access to various parts of the system in order to perform their jobs. Relative to the manual system, Morgan can expect to see A: That functions that had previously been spread across multiple employees have been combined. B: An increase in the incidence of clerical errors. C: A decrease in the incidence of systemic errors. D: A decrease in the need for access controls to the accounting records.
AIS threats
Natural & political disasters; software errors & equipment malfunction; unintentional acts; intentional acts (computer crimes)
What do the three variables of the Time-Based Model of Security mean?
P = The time it takes an attacker to break through the organization's preventative controls D = The time it takes to detect that an attack is in progress C = The time it takes to respond to the attack and take corrective action
3 Internal Control Functions
Preventive controls, detective controls, corrective controls
Technical controls
Primarily implemented and executed through mechanisms contained in computing related equipment.
Business Continuity Planning
Process that identifies events that may threaten an organization and provides a framework to ensure that the organization will continue to operate when the threatened event occurs or will resume operations with a minimum of disruption
Processor Fraud
Processor fraud includes unauthorized system use, including theft of computer time and services
Purchasing
Procure raw materials, supplies, machinery, and buildings used to carry out primary activities
4 Basic activities of the production Cycle
Product design; planning & scheduling; production operations; cost accounting
5. Identify the purpose and basic activities of the production cycle.
Production Cycle - The recurring set of business activities and related data processing operations associated with the manufacture of products. The objective is to create a product that meets customer requirements in terms of quality, durability, and functionality while simultaneously minimizing production costs. a. Product Design b. Planning and Scheduling c. Production Operations d. Cost Accounting
Edits
Programmed procedures that test transaction data to ensure they are free from errors before they are processed are called A. operating procedures B. integrated test facilities C. Compiler programs D. edits E. valuation tests
Operational control
Protecting a firm's premises and facilities, preventing and detecting physical security breaches, and providing security training to employees, contractors, or third-party users.
Shell Company Fraud
Requires that the perpetrator establish a false supplier on the books of the victim company. The fraudster then manufactures false purchase orders, receiving reports, and invoices in the name of the vendor and submits them to the accounting system, which creates the illusion of a legitimate transaction. The system will then set up an accounts payable entry and ultimately issue a check to the false supplier.
1. Identify the purpose and basic activities of the revenue cycle.
Revenue Cycle - The recurring set of business activities and data processing operations associated with providing goods and services to customers and collecting cash in payment for those sales. The revenue cycle's primary objective is to provide the right product in the right place at the right time for the right price. a. Sales Order Entry b. Shipping c. Billing d. Cash Collections
What are the typical business cycles of an AIS?
Revenue cycle, Expenditure cycle, Hr/Payroll cycle, Production/Manufacture cycle, Financing cycle.
B: Drill down.
Robert the Grievous is reading an online summary production cost report and wants to know why the cost of sprockets, used in constructing orbital sanders, is so high. Robert most likely needs to: A: Data mine. B: Drill down. C: Slice and dice. D: Use the OLAP system.
Virtualization
Running multiple systems simultaneously on one physical computer. This takes advantage of the power and speed of modern computers to run multiple systems and cuts hardware costs.
Control Objectives
Safeguard assets; maintain records in sufficient detail to report company assets accurately and fairly; provide accurate and reliable information; prepare financial reports in accordance with established criteria; promote and improve operational efficiency; encourage adherence to prescribed managerial policies; comply with applicable laws and regulations.
What is used in a test of credit approvals?
"Sales amount." Sales amount is used in a test of credit approvals.
b. used by network administrators to analyze network traffic.
Sniffer software is a. used by malicious Web sites to sniff data from cookies stored on the user's hard drive. b. used by network administrators to analyze network traffic. c. used by bus topology intranets to sniff for carriers before transmitting a message to avoid data collisions. d. an illegal program downloaded from the Web to sniff passwords from the encrypted data of Internet customers. e. illegal software for decoding encrypted messages transmitted over a shared intranet channel.
B: Selecting, developing, and deploying fraud controls
The Greensburg Agriculture Products employee survey related to fraud includes this statement: "We are discouraged from sharing our computer passwords with others." This statement best relates to which of the following fraud management principles and processes? A: Establishing a fraud risk management program B: Selecting, developing, and deploying fraud controls C: Selecting, developing, and deploying evaluation and monitoring processes D: Establishing a communication program to obtain information about potential frauds
Enterprise Risk Management Framework (ERM) vs. Internal Control Framework (IC)
The IC framework has been widely adopted as the way to evaluate internal controls, as required by SOX. The more comprehensive ERM framework takes a risk-based rather than a controls-based approach. ERM adds three additional elements to COSO's IC framework: setting objectives, identifying events that may affect the company, and developing a response to assessed risk. As a result, controls are flexible and relevant because they are linked to current organizational objectives. The ERM model also recognizes that risk, in addition to being controlled, can be accepted, avoided, diversified, shared, or transferred.
C: All personnel.
The IT department at Piggy Parts BBQ has recently learned of phishing attempts that rely on social engineering to break into its financial systems. Information about these attempts should be communicated to: A: Internal auditors. B: Other personnel. C: All personnel. D: Support functions.
B: Performance
The Resource Development Company mines for rare earth minerals in developing countries. The company is currently assessing aspects of risk to determine which risks are most and least important. This analysis most likely occurs as a part of which component in the ERM framework? A: Governance and Culture B: Performance C: Strategy and Objective-Setting D: Information, Communication, and Reporting
System flowcharts do which one of the following?
The correct answer is "represent relationships between key elements of manual and computer systems." System flowcharts represent relationships between key elements of manual and computer systems. The system flowchart is a graphic representation of the process that is used by the programmer/analyst and systems auditors to understand the flow of data through the program or system and the files/functions that are involved from input to storage to output.
A: Effectiveness and efficiency of operations.
The definition of internal control developed by the Committee of Sponsoring Organizations (COSO) in the professional standards includes the reliability of financial reporting, compliance with applicable laws and A: Effectiveness and efficiency of operations. B: Effectiveness of prevention of fraudulent occurrences. C: Incorporation of ethical business practice standards. D: Safeguarding of entity assets.
D: Both control baseline and change management
The materials manager of a warehouse is given a new product line to manage with new inventory control procedures. Which of the following sequences of the COSO internal control monitoring-for-change continuum is affected by the new product line? A: Control baseline but not change management B: Change management but not control baseline C: Neither control baseline nor change management D: Both control baseline and change management
Public Key Infrastructure (PKI)
The system for issuing pairs of public and private keys and corresponding digital certificates
Coding
The systematic assignment of numbers or letters to items to classify and organize them
C: Code approved changes to a payroll program.
To maintain effective segregation of duties within the information technology function, an application programmer should have which of the following responsibilities? A: Modify and adapt operating system software. B: Correct detected data entry errors for the cash disbursement system. C: Code approved changes to a payroll program. D: Maintain custody of the billing program code and its documentation.
Query
To retrieve stored data, users query databases. A significant advantage of database systems is the ability to create ad hoc queries to provide the information needed for decision making. No longer is financial information available only in predefined formats and at specified times. Instead, powerful and easy-to-use relational database query languages can find and prepare the information management needs whenever they want it.
Hashing
Transforming plaintext of any length into a short code called a hash.
c. denial of service attack.
Transmitting numerous SYN packets to a targeted receiver, but NOT responding to an ACK, is a a. request-response control. b. smurf attack. c. denial of service attack. d. call-back response control. e. none of the above.
True or False? Attendance question - choose True that you're here in class.
True
End User Computing
User creation, control and implementation
Advantages of Developing In-House
User creation, control, and implementation; a system that meets user needs; timeliness; freeing up of system resources; versatility and ease of use
Online analytical processing (OLAP)
Using queries to investigate hypothesized relationships among data
SMS Spoofing
Using short message service (SMS) to change the name or number a text message appears to come from
Data mining
Using sophisticated statistical analysis to "discover" un-hypothesized relationships in data
2.2 With respect to the data processing cycle, explain the phrase "garbage in, garbage out." How can you prevent this from happening
When garbage, defined as errors, is allowed into a system, that error is processed and the resulting erroneous (garbage) data are stored. The stored data will at some point become output; thus the phrase "garbage in, garbage out." Data errors are even more problematic in ERP systems because an error can affect many more applications than an error in a non-integrated database. Companies go to great lengths to make sure that errors are not entered into a system. To prevent data input errors: • Data captured on source documents and keyed into the system are edited by the computer to detect and correct errors, and critical data are sometimes double-keyed. • Companies use turnaround documents to avoid the keying process. • Companies use source data automation devices to capture data electronically, avoiding manual data entry and its attendant errors. • Well-designed documents and screens improve accuracy and completeness by providing instructions or prompts about what data to collect, grouping logically related pieces of info
Describe the Expenditure Cycle.
Where companies purchase inventory for resale or raw materials to use in producing products in exchange for cash or a future promise to pay cash. Actions include: ~ Request goods and services be purchased ~ Prepare, approve, and send purchase orders to vendors ~ Receive goods and services and complete a receiving report ~ Store goods ~ Receive vendor invoices ~ Update (increase) accounts payable ~ Approve vendor invoices for payment ~ Pay vendors for goods and services ~ Update (reduce) accounts payable ~ Handle purchase returns, discounts, and allowances ~ Prepare management reports ~ Send appropriate information to the other cycles
Describe the HRM/Payroll Cycle.
Where employees are hired, trained, compensated, evaluated, promoted, and terminated. Actions include: ~ Recruit, hire, and train new employees ~ Evaluate employee performance and promote employees ~ Discharge employees ~ Update payroll records ~ Collect and validate time, attendance, and commission data ~ Prepare and disburse payroll ~ Calculate and disburse taxes and benefit payments ~ Prepare employee and management reports ~ Send appropriate information to the other cycles
Describe the Production/Conversion Cycle.
Where raw materials are transformed into finished goods. Actions include: ~ Design products ~ Forecast, plan, and schedule production ~ Request raw materials for production ~ Manufacture products ~ Store finished products ~ Accumulate costs for products manufactured ~ Prepare management reports ~ Send appropriate information to the other cycles
A: Inventory report
Which document lists the items in inventory? A: Inventory report B: Bill of materials C: Move ticket D: Operations list
D: Operations list
Which document lists the steps in making a product? A: Inventory report B: Bill of materials C: Move ticket D: Operations list
validity check
Which input validation check would detect a payroll check made to a nonexistent employee? A. missing data check B. numeric/alphabetic check C. range check D. Validity Check
Work performed by internal auditors who organizationally report to the controller
Which is NOT a source of evidence for an external auditor? A. Work performed by internal auditors who organizationally report to the controller B. Test of Controls C. Substantive Tests D. Work performed by internal auditors who report to the audit committee of the BOD
c. public key encryption
Which method will render useless data captured by unauthorized receivers? a. echo check b. parity bit c. public key encryption d. message sequencing
A: Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing.
Which of the following characteristics distinguishes computer processing from manual processing? A: Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing. B: Errors or fraud in computer processing will be detected soon after their occurrences. C: The potential for systematic error is ordinarily greater in manual processing than in computerized processing. D: Most computer systems are designed so that transaction trails useful for audit purposes do not exist.
D: Machine operators are supervised by the programmer.
Which of the following constitutes a weakness in the internal control of a computer system? A: One generation of backup files is stored in an off-premises location. B: Machine operators distribute error messages to the control group. C: Machine operators do not have access to the complete systems manual. D: Machine operators are supervised by the programmer.
C: Periodically requiring purchasing agents to disclose their relationships to all vendors
Which of the following controls is most likely to prevent a kickback to a purchasing agent? A: Prenumbering of purchase orders B: Matching packing lists to vendor invoices C: Periodically requiring purchasing agents to disclose their relationships to all vendors D: Requiring authorization to receive goods from vendors
C: Systems analyst.
Which of the following employees normally would be assigned the operating responsibility for designing a computer installation, including flowcharts of data processing routines? A: Computer programmer. B: Data processing manager. C: Systems analyst. D: Internal auditor
B: Types of decisions to be made
Which of the following factors has the greatest impact on the design of an effective management reporting system? A: Number of transactions to be processed B: Types of decisions to be made C: Number of authorized users D: Number of regulatory agencies to be satisfied
D: Information and communication.
Which of the following factors is not included in the control environment component of internal control? A: Commitment to competence. B: Organizational structure. C: Integrity and ethical values. D: Information and communication.
C: Data entry and application programming.
Which of the following information technology (IT) departmental responsibilities should be delegated to separate individuals? A: Network maintenance and wireless access. B: Data entry and antivirus management. C: Data entry and application programming. D: Data entry and quality assurance.
inference tests
Which of the following is NOT a common type of white-box test of controls? A. inference tests B. redundancy tests C. completeness tests D. Access tests
c. Maintaining the critical application list
Which of the following is NOT a data network control objective? a. Preventing illegal access b. Correcting message loss due to equipment failure c. Maintaining the critical application list d. Rendering useless any data that a perpetrator successfully captures e. All the above are network control objectives
Determining the degree of reliance on controls
Which of the following is NOT a task performed in the audit planning phase? A. Reviewing an organization's policies and practices B. Planning Substantive Testing Procedures C. Reviewing General Controls D. Determining the degree of reliance on controls
e. All of the above are operating system objectives.
Which of the following is NOT an operating system objective? a. The operating system must protect itself from users. b. The operating system must protect users from themselves. c. The operating system must be protected from its environment. d. The operating system must protect users from each other. e. All of the above are operating system objectives.
A: Pattern recognition.
Which of the following is a critical success factor in data mining a large data store? A: Pattern recognition. B: Effective search engines. C: Image processing systems. D: Accurate universal resource locator (URL).
transforming data into useful information
Which of the following is a function of an AIS? reducing the need to identify a strategy and strategic position, transforming data into useful information, allocating organizational resources, automating all decision making
credit check before approving sale on account
Which of the following is a preventive control? A. credit check before approving a sale on account B. bank reconciliation C. physical inventory count D. comparing the accounts receivable subsidiary ledger to the control account
numeric/alphabetic check
Which of the following is an example of a field interrogation? A. reasonableness check B. hash total check C. sequence check D. numeric/alphabetic check
all are examples of input error correction techniques
Which of the following is an example of an input error correction technique? a. immediate correction b. rejection of batch c. creation of error file d. all are examples of input error correction techniques
A: Enterprise resource planning.
Which of the following is an example of applications software that a large client is most likely to use? A: Enterprise resource planning. B: Operating system. C: Central processing unit. D: Value-added network.
Sequence check
Which of the following is an example of record interrogation? A. Range check B. Zero value check C. Limit Check D. sequence check
check digits are designed to detect transcription errors
Which of the following is correct? A. Check digits should be used for all data codes B. Check digits are always placed at the end of data codes C. Check digits do not affect processing efficiency D. Check digits are designed to detect transcription errors E. all of the above are incorrect
A: A distinct, easily followed audit trail
Which of the following is least likely to be an advantage of an automated accounting system? A: A distinct, easily followed audit trail B: Processing speed C: Fewer idiosyncratic errors D: Less likelihood of intrusion
C: Move ticket
Which of the following is most likely to be linked to a bar-coding or RFID system that scans parts? A: Parallel simulation B: Cost driver C: Move ticket D: Operations list
B: Minimizing the time required to move goods from raw materials to in-process inventory
Which of the following is not a goal of the HR/payroll cycle? A: Accurately computing taxes B: Minimizing the time required to move goods from raw materials to in-process inventory C: Securing information about an employee's drug addiction D: Complying with employment laws and regulations
B: External forces may attack the system.
Which of the following is not a limitation of internal control? A: Human judgment in decision making may be faulty. B: External forces may attack the system. C: Management may override internal control. D: Controls may be circumvented by collusion.
D: Assigning labor costs to jobs
Which of the following is not part of the HR and payroll cycle? A: Assessing employee performance B: Computing payroll taxes C: Maintaining controls over employee data D: Assigning labor costs to jobs
D: Purchase order
Which of the following is often a contract with a vendor for the purchase of goods? A: Remittance advice B: Vendor invoice C: Packing lists D: Purchase order
to prevent the record keeper from authorizing transactions
Which of the following is the best reason to separate duties in a manual system? A. to avoid collusion between the programmer and the computer operator B. to ensure that supervision is not required C. to prevent the record keeper from authorizing transactions D. to enable the firm to function more efficiently
C: The risk that executive management disregards project communications and meetings, which reduces project quality and the likelihood of successful integration with other systems
Which of the following is the best risk statement in relation to executive management's role in a major IT project undertaken by a large telecommunications company? A: The risk that executive management disregards project communications and meetings B: The risk that executive management disregards project communications and meetings, resulting in inadequate oversight, because of management's inattention and lack of focus C: The risk that executive management disregards project communications and meetings, which reduces project quality and the likelihood of successful integration with other systems D: The risk that executive management disregards project communications and meetings, despite frequent efforts by the project management team to inform executive management of the importance of their involvement and engagement
D: I, II, III, IV.
Which of the following procedures would enhance the control of a computer operations department? I. Periodic rotation of operators. II. Mandatory vacations. III. Controlled access to the facility. IV. Segregation of personnel who are responsible for controlling input and output. A: I, II. B: I, II, III. C: III, IV. D: I, II, III, IV.
C: Global visibility.
Which of the following risks increases the least with cloud-based computing compared with local server storage for an organization that implements cloud-based computing? A: Data loss. B: Vendor security failure. C: Global visibility. D: System hacks.
A: Risk appetite applies to the development of strategy, tolerance applies in the implementation of strategy, and key risk indicators apply at any level of the business.
Which of the following statements about risk appetite, tolerance, and risk indicators are true? A: Risk appetite applies to the development of strategy, tolerance applies in the implementation of strategy, and key risk indicators apply at any level of the business. B: Key risk indicators apply to the development of strategy, risk appetite applies in the implementation of strategy, and tolerance applies at any level of the business. C: Tolerance applies to the development of strategy, risk appetite applies in the implementation of strategy, and key risk indicators apply at any level of the business. D: Tolerance applies to the development of strategy, key risk indicators apply in the implementation of strategy, and risk appetite applies at any level of the business.
C: II only.
Which of the following statements is (are) true? I. A greater level of control is necessary in automated than manual systems. II. The uniformity of transaction processing is higher in automated than manual systems. A: Both I and II. B: I only. C: II only. D: Neither I nor II.
A: A primary goal of IT governance is to balance risk versus return over IT and its processes.
Which of the following statements is correct regarding information technology (IT) governance? A: A primary goal of IT governance is to balance risk versus return over IT and its processes. B: IT governance is an appropriate issue for organizations at the level of the board of directors only. C: IT goals should be independent of strategic goals. D: IT governance requires that the Control Objectives for Information and related Technology (COBIT) framework be adopted and implemented.
D: Neither I nor II.
Which of the following statements is correct? I. An important advantage of flat file systems is that they are program independent. II. Flat file systems contain little data redundancy. A: Both I and II. B: I only. C: II only. D: Neither I nor II.
A: Emerging data analytic methods are unhelpful to risk assessment.
Which of the following statements is false (untrue) regarding data analytics, data mining, and risk assessment? A: Emerging data analytic methods are unhelpful to risk assessment. B: Emerging data mining methods can help detect previously hidden relationships. C: Data analytic methods can help evaluate assumptions found in an organization's strategy D: Key risk indicators can be used to identify risk changes.
B: A secure system may have inherent risks due to management's analysis of trade-offs identified by cost-benefit studies.
Which of the following statements is true regarding internal control objectives of information systems? A: Primary responsibility of viable internal control rests with the internal audit division. B: A secure system may have inherent risks due to management's analysis of trade-offs identified by cost-benefit studies. C: Control objectives primarily emphasize output distribution issues. D: An entity's corporate culture is irrelevant to the objectives.
Any framework can be used that encompasses all of COSO's general themes
Which of the following statements is true? A. Both the SEC and the PCAOB require use of the COSO framework B. Any framework can be used that encompasses all of COSO's general themes C. The SEC recommends COBIT, and the PCAOB recommends COSO. D. Both the SEC and the PCAOB require the COBIT framework E. None of the above are true
D: Restricting access to the computer center by use of biometric devices.
Which of the following statements presents an example of a general control for a computerized system? A: Limiting entry of sales transactions to only valid credit customers. B: Creating hash totals from Social Security numbers for the weekly payroll. C: Restricting entry of accounts payable transactions to only authorized users. D: Restricting access to the computer center by use of biometric devices.
C: A transaction processing system (TPS).
Which of the following types of systems would you use to record the number of hours worked during the current pay period for each of your employees? A: An office automation system (OAS). B: A decision support system (DSS). C: A transaction processing system (TPS). D: A partitioned system (PS).
header labels are barcode numbers affixed to the outside of the tape or disk
Which statement is NOT correct? A. the purpose of file interrogation is to ensure that the correct file is being processed by the system B. header labels are barcode numbers affixed to the outside of the tape or disk. C. File interrogation checks are particularly important for master files D. an expiration date check prevents a file from being deleted before it expires
transactions are processed more than once
Which statement is NOT correct? The goal of batch controls is to ensure that during processing A. transactions are not omitted B. transactions are not added C. transactions are processed more than once D. an audit trail is created
a transaction log is a temporary file
Which statement is not correct? A. only successful transactions are recorded on a transaction log B. Unsuccessful transactions are recorded in an error file C. a transaction log is a temporary file D. a hard copy transaction listing is provided to users
IT auditing is independent of the general financial audit
Which statement is not true? A. Auditors must maintain independence. B. IT auditors attest to the integrity of the computer system. C. IT auditing is independent of the general financial audit. D. IT auditing can be performed by both external and internal auditors
control figures in the record should be the same during processing
Which statement is not true? A batch control record a. contains a transaction code b. records the record count c. contains a hash total d. control figures in the record should be the same during processing
C: portfolio, profile
While both views highlight risk severity, the _______ view of risk is from the entity-wide level while the _______ view of risk is from the perspective of units or levels within the entity. A: incident, root cause B: root cause, incident C: portfolio, profile D: profile, portfolio
A: Review W-2s.
Winifred, an internal auditor, wants to determine if payroll taxes have been properly withheld and paid. Her best strategy for accomplishing this goal is to A: Review W-2s. B: Review Form 941. C: Review W-4s. D: Review the cumulative earnings register.
The documentation skills that accountants require vary with their job function. However, all accountants should at least be able to do which of the following? a) read documentation to determine how the systems work b) critique and correct documentation that others prepare c) prepare documentation for a newly developed information system d) teach others how to prepare documentation
a) read documentation to determine how the systems work
The constraint that all foreign keys must have either null values or the value of a primary key in another table is referred to as? a) referential integrity rule b) entity integrity rule c) foreign key value rule d) null value rule
a) referential integrity rule
What type of software conceals processes, files, network connections, memory addresses, system utility programs, and system data from the operating system and other programs? a) rootkit b) spyware c) malware d) adware
a) rootkit
A firm, its suppliers, and its customers collectively form which of the following? a. Supply chain b. Value chain c. ERP system d. AIS
a) supply chain
What is often the most significant problem a company encounters in designing, developing, and implementing a system? a) human element b) technology c) legal challenges d) planning for the new system
a) the human element
Records of company data sent to an external party and then returned to the system as input are called a. Turnaround documents b. Source data automation documents c. Source documents d. External input documents
a) turnaround documents
2. Identify what information a business needs in order to acquire capital, sell merchandise, and pay taxes.
a. Acquire Capital ▪ Cash flow projections to determine how much. ▪ Pro forma financial statements to find investors or borrow funds. ▪ Loan amortization schedule to obtain the best terms for borrowing. b. Sell Merchandise ▪ Pro forma income statement to determine markup percentage. ▪ Credit card costs to offer in-house credit. ▪ Customer credit status to determine which credit cards to accept. c. Pay Taxes ▪ Government regulations to determine relevant payroll tax requirements. ▪ Total wage expense to determine sales tax requirements. ▪ Total sales.
Which of the following statements about test data techniques for testing application controls are NOT correct? a. Applications may be tested directly without being removed from service b. the test provides only a static picture of application integrity c. implementing the test is costly and labor-intensive d. the test provides explicit evidence of application functions e. all of the above are correct statements
a. Applications may be tested directly without being removed from service
4-9. which of these devices is capable of storing the most data?
a. CD-ROM disk b. DVD disk c. USB (flash memory) drive *d. magnetic (hard) disk
1. Describe the benefits of a database.
a. *Data integration*. Master files are combined into large "pools" of data that many application programs access. An example is an employee database that consolidates payroll, personnel, and job skills master files. b. *Data sharing.* Integrated data are more easily shared with authorized users. Databases are easily browsed to research a problem or obtain detailed information underlying a report. c. *Minimal data redundancy and data inconsistencies.* Because data items are usually stored only once, data redundancy and data inconsistencies are minimized. d. *Data independence.* Because data and the programs that use them are independent of each other, each can be changed without changing the other. This facilitates programming and simplifies data management. e. *Cross-functional analysis.* In a database system, relationships, such as the association between selling costs and promotional campaigns, can be explicitly defined and used in the preparation of management reports.
2. Describe the steps of the revenue cycle.
a. *Sales Order Entry* ▪ Step 1 - Taking the customer's order ▪ Step 2 - Checking and approving customer credit ▪ Step 3 - Checking inventory availability b. *Shipping* ▪ Step 4 - Picking and Packing the order ▪ Step 5 - Shipping the order c. Billing ▪ Step 6 - Invoicing accounts receivable ▪ Step 7 - Updating accounts receivable d. *Cash Collections* ▪ Step 8 - Collecting and processing payments from customers
2. Distinguish between primary keys and foreign keys in a database.
a. A primary key is the database attribute, or combination of attributes, that uniquely identifies a specific row in a table. Usually, the primary key is a single attribute. In some tables, two or more attributes are needed to identify uniquely a specific row in a table. b. A foreign key is an attribute in a table that is also a primary key in another table and is used to link the two tables.
Describe the functions of an AIS.
a. Collect and store data about organizational activities, resources, and personnel. Organizations have a number of business processes, such as making a sale or purchasing raw materials, which are repeated frequently. b. Transform data into information so management can plan, execute, control, and evaluate activities, resources, and personnel. Decision making is discussed in detail later in this chapter. c. Provide adequate controls to safeguard the organization's assets and data, for example by providing tools to alert managers when an unauthorized user attempts to use assets, and by requiring a correct password to be entered to access the company network.
5. Identify security controls that CORRECT intrusions.
a. Computer incident response team (CIRT): Recognition, Containment, Recovery, Follow-up b. Chief information security officer (CISO): In charge of designing and implementing the prevention of a penetrating attack c. Patch management: Process of regularly applying patches and updates to all software.
2. Explain the steps an attacker may take to penetrate an information system.
a. Conduct reconnaissance. The objective of this initial reconnaissance is to learn as much as possible about the target and to identify potential vulnerabilities. b. Attempt social engineering - Using deception to obtain unauthorized access to information resources. The attacker calls a newly hired administrative assistant and asks that person to help obtain the critical files. Another common ruse is for the attacker to pose as a clueless temporary worker who cannot log onto the system and calls the help desk for assistance. c. Scan and map the target. The attacker uses a variety of automated tools to identify computers that can be remotely accessed and the types of software they are running. d. Research. The next step is to conduct research to find known vulnerabilities for those programs and learn how to take advantage of those vulnerabilities. e. Execute the attack. The criminal takes advantage of a vulnerability to obtain unauthorized access to the target's information system. f. Cover tracks. After penetrating the victim's information system, most attackers attempt to cover their tracks and create "back doors" that they can use to obtain access if their initial attack is discovered and controls are implemented to block that method of entry.
4. Compare the major frameworks designed to standardize and improve control processes.
a. Control Objectives for Information and Related Technology (COBIT) - A security and control framework that allows (1) management to benchmark the security and control practices of IT environments, (2) users of IT services to be assured that reliable and adequate security and control exist, and (3) auditors to substantiate their internal control opinions and advise on IT security and control matters. b. Committee of Sponsoring Organizations (COSO) - A private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.
Which of the following is NOT a requirement of Section 302 of SOX? a. Corporate management (including the CEO) must certify monthly and annually their organization's internal controls over financial reporting b. Auditors must interview management regarding significant changes in the design or operation of internal control that occurred since the last audit c. Auditors must determine whether changes in internal control have materially affected, or are likely to materially affect, internal control over financial reporting. d. Management must disclose any material changes in the company's internal controls that have occurred during the most recent fiscal quarter. e. All of the above are requirements
a. Corporate management (including the CEO) must certify monthly and annually their organization's internal controls over financial reporting
4. Describe AIS data processing activities.
a. Creating new data records, such as adding a newly hired employee to the payroll database. b. Reading, retrieving, or viewing existing data. c. Updating previously stored data. Online, real-time processing updates each transaction as it occurs to stay current, thereby increasing its decision-making usefulness. Errors can be corrected in real time or refused. File update process: o Verify data accuracy o Match primary key (account number) o Add transaction amount to current balance o Compare new balance to credit limit o Repeat for all transactions o Print summary reports d. Deleting data, such as purging the vendor master file of all vendors the company no longer does business with.
2. Identify the tools used to complete documentation.
a. Data flow diagram (DFD), a graphical description of data sources, data flows, transformation processes, data storage, and data destinations b. Flowchart, which is a graphical description of a system. There are several types of flowcharts, including: ▪ Document flowchart, which shows the flow of documents and information between departments or areas of responsibility ▪ System flowchart, which shows the relationship among the input, processing, and output in an information system ▪ Program flowchart, which shows the sequence of logical operations a computer performs as it executes a program. c. Business process diagrams, which are graphical descriptions of the business processes used by a company
1. Identify the steps in the data processing cycle.
a. Data Input: To capture transaction data and enter them into the system. Data collected includes each activity of interest, resources affected by each activity, and people participating in each activity. Turnaround Documents - records of company data sent to an external party and then returned to the system as input. b. Data Storage: To understand how data are organized and stored in an AIS and how they can be accessed. In essence, how to manage data for maximum corporate use, via coding and audit trails. c. Data Processing: To maintain a current database by creating, reading, updating, and deleting data. d. Information Output: To present output data in the form of a document, a report, or a query response.
7. Identify the appropriate documentation tool for a given scenario.
a. Documentation explains how a system works, including the who, what, when, where, why, and how of data entry, data processing, data storage, information output, and system controls. We explain three common systems documentation tools: 1. data flow diagrams, 2. flowcharts, and 3. business process diagrams.
2-8. which of these identifies a private, point-to-point network?
a. EDI b. DES c. IP *d. VAN
9-3. a form control that does not change from record to record is probably:
a. a design-time control b. a bound control c. an unbound control *d. a mistake
Which of the following statements about the GAS techniques for substantive testing is NOT correct? a. GAS captures data during processing without removing the application from service b. GAS languages are easy to use and require little IT background c. GAS techniques are limited to use with flat files and relational database tables d. Complex file structures need to be flattened before they can be read by GAS e. All of the above are correct statements
a. GAS captures data during processing without removing the application from service
6. Identify the IT controls that are used to preserve confidentiality.
a. Identify and classify the information to be protected b. Encrypt the information c. Control access to the information Information Rights Management (IRM) - Software that offers the capability not only to limit access to specific files or documents, but also to specify the actions (read, copy, print, download, etc.) that individuals who are granted access to that resource can perform. d. Train employees to properly handle the information.
5. Explain how an accounting information system (AIS) can add value to an organization.
a. Improving the quality and reducing the costs of products or services. This helps maintain product quality, reduces waste, and lowers costs. b. Improving efficiency. For example, timely information makes a just-in-time manufacturing approach possible, as it requires constant, accurate, up-to-date information about raw materials inventories and their locations. c. Sharing knowledge. Sharing knowledge and expertise can improve operations and provide a competitive advantage. Employees can search the corporate database to identify experts to provide assistance for a particular client; thus, a CPA firm's international expertise can be made available to any local client. d. Improving the efficiency and effectiveness of its supply chain. For example, allowing customers to directly access inventory and sales order entry systems can reduce sales and marketing costs, thereby increasing customer retention rates. e. Improving the internal control structure. An AIS with the proper internal control structure can help protect systems from fraud, errors, system failures, and disasters. f. Improving decision making. Improved decision making is vitally important.
1. Describe common reasons for information system failure.
a. Information is available to an unprecedented number of workers. b. Information on distributed computer networks is hard to control. c. Customers and suppliers have access to each other's systems and data. Imagine the confidentiality problems as these vendors form alliances with competitors.
Which of the following is associated with the unique characteristics of an industry? a. Inherent risk b. Detection risk c. Control risk d. None of the above
a. Inherent risk
9. Identify the IT Controls used to safeguard processing integrity.
a. Input Stage ▪ Forms design • Sequentially prenumbering source documents • Turnaround documents ▪ Cancellation and storage of documents ▪ Authorization and segregation of duties controls ▪ Visual scanning ▪ Data entry controls b. Processing Stage ▪ Data matching ▪ File labels ▪ Batch totals ▪ Cross-footing and zero-balance tests ▪ Write-protection mechanisms ▪ Database processing integrity controls c. Output Stage ▪ Reviews and reconciliations ▪ Encryption and access controls ▪ Parity checks ▪ Message acknowledgement techniques
4. Identify security controls that DETECT intrusions.
a. Log Analysis b. Intrusion Detection System c. Penetration Testing (AKA Security Testing to find system vulnerabilities) d. Continuous Monitoring
5. Describe the components of an internal environment.
a. Management's philosophy, operating style, and risk appetite b. Commitment to integrity, ethical values, and competence c. Internal control oversight by the board of directors d. Organizational structure e. Methods of assigning authority and responsibility f. Human resource standards that attract, develop, and retain competent individuals g. External influences
3. Identify security controls that help PREVENT threats from occurring.
a. People ▪ Creation of a "security-aware" culture ▪ Training b. Processes: User access controls (authentication and authorization) c. IT solutions ▪ Anti-malware ▪ Network access controls (firewalls, intrusion prevention systems, etc.) ▪ Device and software hardening (configuration controls) ▪ Encryption d. Physical security: access controls (locks, guards, etc., to prevent installation of a hardware-based keystroke logging device on a computer) e. Change controls and change management
3. Describe key functions of internal controls.
a. Preventive controls deter problems before they arise. b. Detective controls discover problems that are not prevented. c. Corrective controls identify and correct problems as well as correct and recover from the resulting errors.
6. Explain how an AIS may be used for a given primary or support activity in the value chain.
a. Primary Activities ▪ Inbound logistics consists of receiving, storing, and distributing the materials an organization uses to create the services and products it sells. For example, an automobile manufacturer receives, handles, and stores steel, glass, and rubber. ▪ Operations activities transform inputs into final products or services. For example, assembly line activities convert raw materials into a finished car. ▪ Outbound logistics activities distribute finished products or services to customers. An example is shipping automobiles to car dealers. ▪ Marketing and sales activities help customers buy the organization's products or services. Advertising is an example of a marketing and sales activity. ▪ Service activities provide post-sale support to customers. Examples include repair and maintenance services. b. Support Activities ▪ Firm infrastructure is the accounting, finance, legal, and general administration activities that allow an organization to function. The AIS is part of the firm infrastructure. ▪ Human resources activities include recruiting, hiring, training, and compensating employees. ▪ Technology activities improve a product or service. Examples include research and development, investments in IT, and product design. ▪ Purchasing activities procure raw materials, supplies, machinery, and the buildings used to carry out the primary activities.
1. Describe the different categories of control activities.
a. Proper authorization of transactions and activities b. Segregation of duties c. Project development and acquisition controls Steering Committee Strategic master Plan Project Development Plan Data processing Schedule System Performance Measurements Postimplementation Review d. Change management controls e. Design and use of documents and records f. Safeguarding assets, records, and data g. Independent checks on performance
6. Describe approaches to assessing and managing risk within an organization.
a. Reduce. Reduce the likelihood and impact of risk by implementing an effective system of internal controls. b. Accept. Accept the likelihood and impact of the risk. c. Share. Share risk or transfer it to someone else by buying insurance, outsourcing an activity, or entering into hedging transactions. d. Avoid. Avoid risk by not engaging in the activity that produces the risk. This may require the company to sell a division, exit a product line, or not expand as anticipated.
Identify the traits of useful information.
a. Relevant ▪ Reduces uncertainty, improves decision-making, or confirms/corrects prior expectations b. Reliable ▪ Free from error or bias; accurately represents organizational events or activities c. Complete ▪ Does not omit important aspects of the events or activities it measures d. Timely ▪ Provided in time for decision makers to make decisions e. Understandable ▪ Presented in a useful and intelligible format f. Verifiable ▪ Two independent, knowledgeable people produce the same information g. Accessible ▪ Available to users when they need it and in a format they can use
7-3. Which of these would NOT be a good primary key for a file of employee records?
a. SSN b. last name* c. company employee number d. all of these would make equally good primary keys
2. Describe common reasons why data is not protected wisely.
a. Some companies view the loss of crucial information as a distant, unlikely threat. b. The control implications of moving from centralized computer systems to Internet-based systems are not fully understood. c. Many companies do not realize that information is a strategic resource and that protecting it must be a strategic requirement. d. Productivity and cost pressures motivate management to forgo time-consuming control measures.
6. Describe the steps of the production cycle.
a. Step 1 - *Product design* to create a product that meets customer requirements in terms of quality, durability, and functionality while simultaneously minimizing production costs ▪ Loss or destruction of data b. Step 2 - *Planning and Scheduling* to develop a production plan efficient enough to meet existing orders and anticipated short-term demand while minimizing inventories of both raw materials and finished goods ▪ Over- and under-production c. Step 3 - *Production Operations* to actually manufacture the product ▪ Theft of inventory ▪ Theft of fixed assets ▪ Poor performance ▪ Suboptimal investment in fixed assets ▪ Loss of inventory or fixed assets due to fire or other disasters ▪ Disruption of operations d. Step 4 - *Cost Accounting* (1) to provide information for planning, controlling, and evaluating the performance of production operations; (2) to provide accurate cost data about products for use in pricing and product mix decisions; (3) to collect and process the information used to calculate the inventory and cost of goods sold values that appear in the company's financial statements ▪ Inaccurate cost data ▪ Inappropriate allocation of overhead costs ▪ Misleading reports
2. Describe each step in the data input process.
a. Step 1 - Capture transaction data and enter them into the system. b. Step 2 - Make sure captured data are accurate and complete. Source Data Automation - The collection of transaction data in machine-readable form at the time and place of origin (point-of-sale terminals and ATMs). Well-designed documents and screens improve accuracy and completeness by providing instructions or prompts about what data to collect, grouping logically related pieces of information, using checkoff boxes or pull-down menus to present the available options, and using shading and borders to clearly separate data items. Data input screens usually list all the data the user needs to enter. Sometimes these screens resemble source documents, and users fill out the screen much as they would a paper source document. Users can improve control either by using prenumbered source documents or by having the system automatically assign a sequential number to each new transaction. This simplifies verification of documents, resulting in system accuracy. c. Step 3 - Make sure company policies are followed, such as approving and verifying a transaction.
4. Describe the steps of the expenditure cycle.
a. Step 1 - The need to purchase is identified (identify what, when, and how much) b. Step 2 - Select a supplier c. Step 3 - Receipt of ordered items d. Step 4 - Storage of ordered items e. Step 5 - Supplier invoice is received and verified against the receipt of the order f. Step 6 - Invoice is approved g. Step 7 - Paying suppliers
3. Describe the steps to implement an AIS.
a. Systems Analysis *Step 1: Determine User Needs* b. Conceptual Design *Step 2: Create and Document a Development Plan* A well-designed computer input screen will ... - Organize the screen so data can be entered quickly, accurately, and completely. - Enter data in the same order as displayed on the paper forms that capture the data. - Group logically related data together. - Let users jump from one data entry location to another, or use a single key to go directly to screen locations. - Make it easy to correct mistakes, thereby reducing data entry errors and omissions. - Restrict the data or the number of menu options on a screen to avoid clutter. c. Physical Design *Step 3: Write Program Instructions (computer code)* *Step 4: Test the Program (debugging)* *Step 5: Document the Program* *Step 6: Train Program Users* - Employees must be trained on the hardware, software, and any new policies and procedures. Training options may include experimenting with the system under the guidance of experienced users. d. Systems Implementation and Conversion *Step 7: Install the System* - Implementation planning - Prepare site; install and test hardware AND/OR select and train personnel - Complete documentation AND/OR test system o Complete documentation includes: development documentation, operations documentation, and user documentation - Conversion o Common forms of testing include: walk-throughs, processing test data, and acceptance tests o Conversion approaches include: direct conversion, parallel conversion, phase-in conversion, and pilot conversion e. Operation and Maintenance *Step 8: Use and Modify the System* - User acceptance and postimplementation review report
Which of the following is NOT a test for identifying application control errors? a. User acceptance tests b. Field tests c. All of these d. Range tests e. Access tests
a. User acceptance tests
13-9. Separation of duties is an important control activity. If possible, managers should assign which of the following three functions to different employees?
a. analysis, authorizing, transactions b. custody, monitoring, detecting c. recording, authorizing, custody * d. analysis, recording, transactions
8-6. to identify all those employees receiving payroll checks but who have no matching record in a payroll master file, you should use a(n):
a. auditor b. find unmatched records query * c. cross-tabs query d. update query
12-4. mid-level accounting software:
a. can only be deployed through a server networked with desktop computers b. may be purchased in modules that match various business processes * c. will not be appropriate for a multinational company because these programs cannot handle foreign currencies d. will not be appropriate for a multinational company operating in a specialized industry, such as retail or not-for-profit.
11-9. automated POS tech offers many advantages to retailers as well as customers. Which of the following is the most commonly used POS tech?
a. cell phones b. bar code scanners * c. RFID d. none of these
11-10. the concept of lean production manufacturing includes all of the following, except:
a. commitment to eliminate "waste" throughout the manufacturing process b. eliminate or reduce non-value-added waste c. improve overall customer value and the profitability of products or services d. there are 12 categories of waste that companies hope to reduce or eliminate
8. Define encryption, hashing, and virtual private networks (VPNs).
a. encryption - The process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext. b. Hashing -Transforming plaintext of any length into a short code called a hash. c. Virtual Private Network (VPN) - Using encryption and authentication to securely transfer information over the Internet, thereby creating a "virtual" private network.
3-5. which of these is not helpful in attempting to thwart computer crime and abuse?
a. enlist the support of top management *b. keep employees in the dark so that they cannot perpetrate them c. use strong passwords d. design and test disaster recovery programs
3-1. Which of the following is NOT an example of computer fraud?
a. entering invoices in an AIS for services that were not provided and depositing the check in a private bank account. *b. sending an email to everyone in your address book asking for a $1 donation. c. programming a change to decrease the dividend payment to stockholders of a firm and issuing a check to your friend for the total change d. using a university computer to set up a realistic-looking virtual "store front" to sell toys, although you don't have any ...
11-3. which of the following outputs (reports) is common to all of the processes described in this chapter?
a. financial statement information * b. deduction reports c. supplier invoices d. budget reports
4-8. Video output can also be called:
a. hard copy output *b. soft copy output c. image output d. pixelated output
15-8. continuous auditing:
a. has been talked about for years and will never catch on b. will become more necessary as investors demand more real-time information * c. does not include techniques such as embedded audit modules d. will never allow IT auditors to provide some types of assurance on a real-time basis
3-7. most computer criminals
a. have nontechnical backgrounds b. have noncriminal backgrounds c. have little college education d. are young and bright e. have probably not been caught, so we don't really know much about them*
14-4. A __________ site is a disaster recovery site that includes a computer system like the one the company regularly uses, software, and up-to-date data so the company can resume full data processing operations within seconds or minutes.
a. hot b. cold c. flying start * d. backup
Which of the following is NOT a common type of through-the-computer tests of controls? a. inference tests b. redundancy tests c. completeness tests d. validity tests e. all of the above are through-the-computer tests
a. inference tests
2-2. Which of the following enables users to view data with a web browser?
a. intranet b. extranet c. internet *d. all of the above
6-9. which one of the four stages in the systems development life cycle is likely to be the most costly for a new system?
a. planning and investigation b. analysis c. design d. implementation, follow-up and maintenance *
12-1. low-end accounting software is increasingly complex and sophisticated. However, software costing only a few hundred dollars is not likely to:
a. provide information to multiple stores where a company operates more than one b. include a chart of accounts that users may customize to suit their industry c. provide all the information needed to optimize customer and supplier relationships * d. provide information for budgeting decisions
13-12. when management of the sales department has the opportunity to override the system of internal controls of the accounting department, a weakness exists in:
a. risk management b. information and communication c. monitoring d. the control environment *
1-2. Which of the following is likely to be information rather than data?
a. sales price b. customer number *c. net profit d. employee name
10-1. Which of the following provides the organizational structure for the general ledger?
a. special journals b. a source document c. general journals d. the chart of accounts *
computer fraud
any fraud that requires computer technology to perpetrate it - unauthorized use, access, modification, copying, or destruction of software, hardware, or data - theft of assets - obtaining info / IP
threat/event
any potential adverse occurrence/unwanted event that could injure the AIS or the organization
which is the long-range planning document that specifies what the system will consist of, how it will be developed, who will develop it, how needed resources will be acquired, and its overall vision? a) steering committee agenda b) master plan c) systems development life cycle d) project development plan
b) master plan
Recording & processing information about a transaction at the time it takes place is referred to as: a. Batch processing b. Online, real-time processing c. Captured transaction processing d. Chart of accounts processing
b) online, real-time processing
Determining whether the organization has access to people who can design, implement, and operate the proposed system is referred to as...? a) technical feasibility b) operational feasibility c) legal feasibility d) scheduling feasibility e) economic feasibility
b) operational feasibility
A perpetrator attacks phone systems to obtain free phone line access or uses telephone lines to transmit viruses and to access, steal, and destroy data. What is this computer fraud technique called? a) phishing b) phreaking c) pharming d) vishing
b) phreaking
All of the information (name, GPA, major, etc.) about a particular student is stored in the same X a. File (*designed to include info about many students) b. Record c. Attribute d. Field
b) record (*about a particular entity—specific student) *Note: file --designed to include info about many students
Which is FALSE? a) the psychological profiles of white-collar criminals differ from those of violent criminals b) the psychological profiles of white-collar criminals are significantly different from those of the general public c) there is little difference between computer fraud perpetrators and other types of white-collar criminals d) some computer fraud perpetrators do not view themselves as criminals
b) the psychological profiles of white-collar criminals are significantly different from those of the general public
which type of computer attack takes place between the time a software vulnerability is discovered & the time software developers release a software patch that fixes the problem? a) posing b) zero-day attack c) evil twin d) software piracy
b) zero-day attack
Which of the following statements is true? a. Both the SEC and the PCAOB require the use of the COSO framework b. Any framework can be used that encompasses all of COCO's general themes. c. The SEC recommends COBIT and the PCAOB recommends COSO d. Both the SEC and the PCAOB require the COBIT framework e. None of the above are true
b. Any framework can be used that encompasses all of COCO's general themes.
Which of the following is NOT a common type of through-the-computer test of controls? a. Validity tests b. Inference tests c. All of these d. Redundancy tests e. Completeness tests
b. Inference tests
Transmitting numerous SYN packets to a targeted receiver, but NOT responding to an ACK, is a. a DES message b. a denial of service attack c. the request-response technique d. a call-back device e. none of the above
b. a denial of service attack
batch vs. online real-time processing
batch processing - Accumulating transaction records into groups or batches for processing at a regular interval such as daily or weekly. The records are usually sorted into some sequence (such as numerically or alphabetically) before processing. online, real-time processing - The computer system processes data immediately after capture and provides updated information to users on a timely basis.
Planning Phase of SDLC
begins with a business need for a new or better information system. This phase involves summarizing the business needs with a high-level view of the intended project. A feasibility study is often used to evaluate economic, operational, and technical practicability.
Which of the following IS a primary activity in the value chain? a. Purchasing b. Accounting c. Post-sales service d. HR management
c) Post-sales service
Fraud perpetrators threaten to harm a company if it does not pay a specified amount of money. What is this computer fraud technique called? a) cyber-terrorism b) blackmailing c) cyber-extortion d) scareware
c) cyber-extortion
which is NOT an example of computer fraud? a) theft of money by altering computer records b) obtaining info illegally using a computer c) failure to perform preventive maintenance on a computer d) unauthorized modification of a software program
c) failure to perform preventive maintenance on a computer
All of the following are guidelines that should be followed in naming DFD data elements EXCEPT a) process names should include action verbs such as update, edit, prepare, and record b) make sure the names describe all the data or the entire process c) name only the most important DFD elements d) choose active and descriptive names
c) name only the most important DFD elements (all data elements should be named, with the exception of data flows into data stores, when the inflows and outflows make naming the data store redundant)
Which is LEAST likely to be a specialized journal? a. Sales journal b. Cash receipts journal c. Prepaid insurance journal d. Cash disbursements journal
c) ppd insurance journal
Which is most likely to be used in the expenditure cycle? a. Sales order b. Credit memo c. Receiving report d. Job time ticket
c) receiving report
Which computer fraud technique involves a set of instructions hidden inside a calendar utility that copies itself each time the utility is enabled until memory is filled and the system crashes? a) logic bomb b) trap door c) virus d) Trojan horse
c) virus
Which of the following is NOT a requirement in management's report on the effectiveness of internal controls over financial reporting? a. Describe the flow of transactions in sufficient detail to identify the points at which misstatement could arise b. An evaluation of entity-wide controls that correspond to the COSO framework c. A statement that the organization's internal auditors have issued an attestation report on management's assessment of the company's internal controls d. An explicit written conclusion as to the effectiveness of internal control over financial reporting e. All of the above are requirements
c. A statement that the organization's internal auditors have issued an attestation report on management's assessment of the company's internal controls
Which of the following is NOT a potential threat to computer hardware and peripherals? a. Low humidity b. High humidity c. Carbon dioxide fire extinguishers d. Water sprinkler fire extinguishers
c. Carbon dioxide fire extinguishers
Which of the following statements is NOT correct? a. EAMs have the potential to corrupt corporate databases b. EAMs support continuous monitoring of controls c. EAMs capture transactions during processing without removing the application service d. EAMs decrease operational performance e. All of the above are correct statements
c. EAMs capture transactions during processing without removing the application service
Which is NOT a characteristic that makes info useful? a. It is reliable b. It is timely c. It is inexpensive d. It is relevant
c. It is inexpensive
Which of the following is NOT a network control objective? a. Preventing illegal access b. Correcting message loss due to equipment failure c. Maintaining the critical application list d. Rendering useless any data that a perpetrator successfully captures e. All the above are network control objectives
c. Maintaining the critical application list
Which of the following is not true about the SSAE 16 report? a. It is a third-party attestation report b. It replaced Statement on Auditing Standards No. (SAS 70) c. The service provider prepares a separate SSAE 16 report tailored to the needs of each of its client firms, which the client auditors rely upon d. When using the carve-out method, service provider management would exclude the sub-service organization's relevant controls e. All of the above are true
c. The service provider prepares a separate SSAE 16 report tailored to the needs of each of its client firms, which the client auditors rely upon
A program that attaches to another legitimate program but does NOT replicate itself is called a a. virus b. worm c. Trojan horse d. logic bomb e. none of the above
c. Trojan horse
Tracing is a technique that: a. reviews interest calculations to identify a salami fraud b. allows test data to be merged with production data and traces the effects in the database c. performs an electronic walk-through of computed logic d. none of the above
c. performs an electronic walk through of computed logic
Which action is an example of a social engineering technique?
Calling a newly hired assistant and pretending to be an employee who needs help obtaining files.
A set of instructions to increase a programmer's pay rate by 10% is hidden inside an authorized program. It changes and updates the payroll file. What is this computer fraud technique called? a) virus b) worm c) trap door d) Trojan horse
d) Trojan horse
Which is FALSE? a) a flowchart is an analytical technique used to describe some aspect of an info system in a clear, concise, and logical manner b) flowcharts use a standard set of symbols to describe pictorially the flow of documents and data through a system c) flowcharts are easy to prepare and revise when the designer utilizes a flowcharting software package d) a system flowchart is a narrative representation of an info system
d) a system flowchart is a narrative representation of an info system
Which is NOT one of the responsibilities of auditors in detecting fraud according to SAS No. 99? a) evaluating the results of their audit tests b) incorporating a technology focus c) discussing the risks of material fraudulent misstatements d) catching perpetrators in the act of committing the fraud
d) catching perpetrators in the act of committing the fraud
Which of the following flowcharts illustrates the flow of data among areas of responsibility in an organization? a) program flowchart b) computer configuration chart c) system flowchart d) document flowchart
d) document flowchart
Which is the correct order of the steps in systems analysis? a) initial investigation, determination of info needs and system requirements, feasibility study, system survey b) determination of info needs and system requirements, system survey, feasibility study, initial investigation c) system survey, initial investigation, determination of info needs and system requirements, feasibility study d) initial investigation, system survey, feasibility study, determination of info needs and system requirements
d) initial investigation, system survey, feasibility study, determination of info needs & system requirements
How does the chart of accounts list GL accounts? a. Alphabetical order b. Chronological order c. Size order d. Order in which they appear on the FS
d) order in which they appear on the FS
Which of the following control procedures is most likely to deter lapping? a) encryption b) continual update of the access control matrix c) background check on employees d) periodic rotation of duties
d) periodic rotation of duties
The purchasing department is designing a new AIS. Who is best able to determine departmental info requirements? a) steering committee b) controller c) top management d) purchasing department
d) purchasing department
What is each row in a relational database table called? a) relation b) attribute c) anomaly d) tuple
d) tuple
Which of the following is NOT a task performed in the audit planning phase? a. Reviewing an organization's policies and practices b. Planning substantive testing procedures c. Reviewing general controls d. Determining the degree of reliance on controls
d. Determining the degree of reliance on controls
Which of the following is the best example of an application control objective? a. Ensure that the computer operating system functions efficiently b. Provide backup facilities in the event of a disaster c. Prevent unauthorized access to corporate databases d. Ensure the validity, completeness, and accuracy of sales transactions
d. Ensure the validity, completeness, and accuracy of sales transactions
Which of the following is NOT an SDLC controllable activity? a. User test and acceptance procedures b. Systems authorization c. All are SDLC controls d. External audit participation e. User specification
d. External audit participation
Reviewing database authority tables is an example of a(n) a. Operating resource control b. Organizational structure control c. Data resource control d. None of the above
d. None of the above
The database attributes that individual users have permission to access are defined in the a. Operating system b. User manual c. Database schema d. User view e. Application listing
d. User view
Which of the following statements is NOT correct? a. executing a production application requires that the source code be compiled and linked to a load module b. as a practical matter, programs in their compiled state are secure and free from the threat of unauthorized modification c. application logic changes may be made directly to the load module d. once the application is compiled, the source code is not needed to run the application e. all of the above are correct statements
d. once the application is compiled, the source code is not needed to run the application ?
data differ from information in what way?
information is data organized to provide meaning
advantages of databases
data integration; data sharing; minimal data redundancy/inconsistencies; data independence; cross-functional analysis
Business Continuity
refers to the activities required to keep a firm running during a period of interruption of normal operations. A DRP is a key component. Corrective control.