D217 AIS SET1

What is a reason for sales returns?

" Buyer refusing due to late arrival." Late deliveries can affect sales returns.

Which journals record the results of transaction cycles?

" Special journals and subsidiary accounts of the general ledger." Transaction cycles are part of the accounting information system and record individual events in the special journals and subsidiary accounts of the general ledger.

What is an example of a password standard?

"Expiration interval." Password expiration interval is an example of a password standard.

After completing the annual audit for a publicly traded company, an external auditor issues a qualified opinion about the effectiveness of internal controls. What is the implication of this finding?

"The auditor identified at least one material weakness in internal controls." The standard for the audit opinion on internal controls is high: if even one material weakness in internal control is detected, the auditor cannot issue an unqualified opinion (under PCAOB standards the required opinion in that case is adverse, not merely qualified).

Which procedure should be followed when receiving goods?

"The clerk must count and inspect all deliveries to ensure receipt of the right product." All incoming and outgoing items should be physically counted to ensure accuracy.

In which two ways does an AIS safeguard assets?

1. By providing tools that alert managers when an unauthorized user attempts to use assets. 2. By requiring a correct password to be entered to access the company network.

Match each function of an AIS with the type of improvement it provides: (a) a function that checks payroll entries for mistakes that would cause overpayment or underpayment of employees; (b) a function that provides up-to-the-minute information about inventory items that are low in stock; (c) a function that informs a supervisor when manufacturing production performance falls below standards.

(a) improves the internal control structure; (b) improves the effectiveness of the supply chain; (c) improves the quality and reduces the costs of products or services.

What organizations help companies comply with myriad requirements of government regulations?

1. American Institute of Certified Public Accountants (AICPA) 2. Canadian Institute of Chartered Accountants (CICA) 3. Generally Accepted Privacy Principles (GAPP), the privacy framework issued jointly by those two bodies (GAPP is a set of principles rather than an organization)

What are examples of detective controls?

1. Log analysis 2. Intrusion detection systems 3. Penetration testing 4. Continuous monitoring

Computer Incident Response Team (CIRT)

A team responsible for dealing with major security incidents. The CIRT should include not only technical specialists but also senior operations management.

Border Router

A device that connects an organization's information system to the internet

Monthly statement

A document listing all transactions that occurred during the past month and informing customers about their current account balance

Remittance list

A document listing the names and amounts of all customer payments received in the mail

Packing slip

A document listing the quantity and description of each item included in a shipment

Transaction File

A file that contains the individual business transactions that occur during a specific fiscal period. A transaction file is conceptually similar to a journal in a manual AIS.

Accounting information system

A system that collects, records, stores, and processes data to produce information for decision makers

Financing Cycle

Activities associated with raising money by selling shares in the company to investors and borrowing money as well as paying dividends and interest.

Revenue Cycle

Activities associated with selling goods and services in exchange for cash or a future promise to receive cash

What is processing?

Activities at the transaction level - CRUD (Create new records, Read existing records, Update existing records, Delete records or data).

Outbound logistics

Activities that distribute finished products or services to customers

Which of the following is NOT an element of the fraud triangle? A. ethics B. justifiable reliance C. situational pressure D. opportunity E. All of the above are elements

B

Disadvantages of Purchasing

1. Costly 2. Lack of flexibility 3. Might not cover all needs

Data V. Information

Data: facts collected, recorded, and stored in the system. Information: data organized within a context (for example, a sales invoice) in which it is meaningful.

13. Which of the following is not an example of a processing control? a. hash total. b. record count. c. batch total. d. check digit

D

14. Which of the following is an example of input control test? a. sequence check b. zero value check c. spooling check d. range check

D

15. Which input control check would detect a payment made to a nonexistent vendor? a. missing data check b. numeric/alphabetic check c. range check d. validity check

D

3. Routine maintenance activities require all of the following controls except a. documentation updates b. testing c. formal authorization d. internal audit approval

D

30. All of the following concepts are associated with the black box approach to auditing computer applications except a. the application need not be removed from service and tested directly b. auditors do not rely on a detailed knowledge of the application's internal logic c. the auditor reconciles previously produced output results with production input transactions d. this approach is used for complex transactions that receive input from many sources

D

36. Which statement is not true? Embedded audit modules a. can be turned on and off by the auditor. b. reduce operating efficiency. c. may lose their viability in an environment where programs are modified frequently. d. identify transactions to be analyzed using white box tests.

D

Which of the following is not an example of preventative control? A. separation of responsibilities for the recording custodial, and authorization functions B. sound personnel practices C. documentation of policies and procedures D. password authentication software and hardware E. source documents for capturing sales data

D

Financial Statement Pressure Triangle

Financial, management characteristics and industry conditions

COSO's Internal Control Model consists of...

Five components and 17 Principles

CATTs

CAATs (computer-assisted audit techniques): essential tools that allow the auditor to conduct an audit in accordance with heightened auditing standards.

C: Delivery and Support.

Internal auditors at Henry Flower's Flower shop are undertaking a comprehensive review of outsourcing contracts and policies as part of improving service quality. In the COBIT model, this is best classified as an example of A: Planning and Organization. B: Acquisition and Implementation. C: Delivery and Support. D: Monitoring

Sequence codes

Items are numbered consecutively so that gaps in the sequence code indicate missing items that should be investigated. Examples include prenumbered checks, invoices, and purchase orders.

D: Support functions

Jiffy Grill has an ERP system. It has assigned responsibility for determining who has what access rights within the ERP system. Based on this, to whom is it most likely that Jiffy Grill has assigned this responsibility? A: Internal auditors. B: Other personnel. C: Management D: Support functions

Caller ID Spoofing

Displaying an incorrect number on the recipients caller ID display to hide the caller's identity

What is e-commerce? (compared to EDI)

E-commerce is the more generic term for all buying and selling transactions completed electronically

Support Activities in the Value Chain

Enable primary activities to be performed efficiently and effectively: 1. Firm infrastructure 2. Human resources 3. Technology 4. Purchasing

Which process are planning, authorizing, scheduling, accounting for, and controlling necessary parts of?

" Systems development process." Like a manufacturing process, systems development produces a complex product through a series of stages, each of which must be planned, authorized, scheduled, accounted for, and controlled.

What represents an equipment failure risk in a communication system?

"A loss of databases stored on network servers." Equipment failures can result in the loss of databases and programs stored on network servers.

Why is a management reporting system a control?

"A management reporting system contains data that can be used to monitor the company." Management reporting systems are implemented at the discretion of organization management based on internal user needs to manage and control business activities.

In a system flowchart, how would a clerk's tasks of entering sales orders be depicted?

"Bucket-shaped symbol." The bucket-shaped symbol represents a manual process.

Which items reflect fixed assets?

"Buildings." Buildings are long-lived assets used in operations rather than held for sale; they can nonetheless be sold and converted to cash.

Which system should be selected if a firm needs to implement software immediately?

"Commercial system." Commercial systems can be implemented immediately.

Which three types of data management problems are a result of data redundancy?

"Data storage, data updating, and currency of information." Data storage, data updating, and currency of information problems are caused by data redundancy.

An organization uses a flat-file data management system. Which problem is caused when customers change their address?

"Data updating." When customers change their address, the address needs to be updated in every file where it appears. The address may be stored across different departments, and it would need to be updated with each one of them.

A disgruntled employee places a logic bomb to erase an organization's supplier list. Which type of fraud does this scenario reflect?

"Database management fraud." Database management fraud involves altering, deleting, corrupting, destroying, or stealing an organization's data.

Why would an organization decide to develop its own custom information system?

"It has unique information needs." An organization would develop its own custom information system when there is no readily available solution for its information needs.

What is a drawback of a backbone system such as an enterprise resource planning (ERP) system?

"Large cost." Customizing a commercial system can be expensive and time consuming.

While in-house, custom-designed systems dealt efficiently with their designated tasks, they did not provide strategic decision support at the enterprise level. What is the reason that they lacked support?

"They lacked the integration needed for information transfer across organizational boundaries." Customization made each system very specific to the function it served. This specificity made combining data with systems in other parts of the organization extremely difficult.

What is the importance of supervisory control?

"To review and examine content reported." This is the compensating control function that allows a manager to review all content of sales for accuracy.

Which standard does the Safe Harbor Agreement establish for information?

"Transmittal." The two-way agreement between the United States and the European Union established standards for the transmittal of personal information between the two jurisdictions. (The Safe Harbor framework was invalidated by the Court of Justice of the European Union in October 2015 and has since been superseded by later arrangements.)

What is a risk associated with one clerk receiving inventory?

"Unauthorized purchases." Unauthorized purchases can cause excessive inventory and tie up funds.

Which function reflects the expenditure cycle?

"Updating inventory." Inventory is a part of the expenditure cycle because the quantities and condition are updated.

Which information technology (IT) test category verifies that credit checks and accounts payable (AP) three-way matches are performed by an application?

"Validity test." A validity test verifies that credit checks and AP three-way matches are properly performed by the application.

General accounting systems

"are designed to serve a wide variety of user needs." General accounting systems are designed to serve a wide variety of user needs. By mass-producing a standard system, the vendor is able to reduce the unit cost of these systems to a fraction of in-house development costs.

A digital signature is

"derived from the digest of a document that has been encrypted with the sender's private key." A digital signature is the digest (hash) of a document, encrypted with the sender's private key; anyone holding the sender's public key can decrypt it and compare it with a freshly computed digest of the received document. It is an electronic authentication technique that provides evidence that the transmitted message originated with the holder of the private key and was not altered after the signature was applied.

Which type of control is considered a compensating control for customer payments?

"supervision." Supervision is a compensating control for customer payments. Compensating controls are put in place when more effective controls are deemed too difficult or costly to implement. Supervision is the simplest and most common form of compensating control.

database

-A set of interrelated, centrally coordinated data files that are stored with as little data redundancy as possible. -A database consolidates records previously stored in separate files into a common pool and serves a variety of users and data processing applications.

What are the phases of customer behavior online?

1. Discover 2. Research 3. Compare 4. Purchase

In managing endpoint security, what three areas deserve special attention:

1. Endpoint configuration 2. User account management 3. Software Design

What is the 80/20 rule?

Spend 80% of the time designing the form so that only 20% of the time is spent maintaining it (correcting the data)

MAC Address

A Media Access Control address is a hardware address that uniquely identifies each node on a network

Foreign key

An attribute in a table that is also a primary key in another table; used to link the two tables

What is a ledger?

A book or other collection of financial accounts of a particular type.

Cash flow budget

A budget that shows projected cash inflows and outflows for a specified period

Data warehouse

A collection of information gathered from an assortment of external and operational databases to facilitate reporting for decision making and business analysis

Relational database

A database built using relational data model

Zombie

A hijacked computer, typically part of a botnet, that is used to launch a variety of internet attacks

Universal payment identification code (UPIC)

A number that enables customers to remit payments via an ACH credit without requiring the seller to divulge detailed information about its bank account

Entity

A person, place or thing, something an organisation wishes to store data about

Committee of Sponsoring Organizations (COSO)

A private- sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.

Cookie

A text file created by a Web site and stored on a visitor's hard drive. Cookies store information about who the user is and what the user has done on the site.

what are two traits of useful information? choose 2 answers

Accessible; Reliable

C: Risk assessment.

According to the 17 COSO control principles, organizational objectives primarily relate to which fundamental component of internal control: A: Control activities. B: Control environment. C: Risk assessment. D: Monitoring.

What are adjusting entries?

Accounting journal entries that convert a company's accounting records to be the accrual basis of accounting.

What is an audit trail?

Accounting records that trace transactions from their source documents to the financial statements

Firm infrastructure

Accounting, finance, legal, and general administration activities

Spoofing

Altering some part of an electronic communication in order to gain the trust of the recipient

Data model

An abstract representation of database contents

Primary Key

An attribute or combination of attributes that can be used uniquely to identify a specific row in a table

Digital Certificate

An electronic document that certifies the identity of the owner of a particular public key and contains that party's public key

Sabotage

An intentional act where the intent is to destroy a system or some of its components

Business Intelligence

Analyzing large amounts of data for strategic decision making

Routers

Are special-purpose devices that are designed to read the source and destination address fields in IP packet headers to decide where to send (route) the next packet

Understand the normal balance of an account.

Asset: debit; Liability: credit; Equity: credit; Expense: debit; Revenue: credit

Identity Theft

Assuming someone's identity, usually for economic gain (unauthorized use of someone's personal information for the perpetrator's benefit)

Internal Auditing

Assurance and consulting activity designed to add value, improve organizational effectiveness and efficiency, and accomplish organization objectives

Generalized audit software (GAS)

Audit software that uses auditor-supplied specifications to generate a program that performs audit functions

Which scenario accurately represents the general approach used to test application controls for a batch processing application?

"Auditor-created data are submitted in a transaction file." The auditor prepares test transactions and processes them through the application to see whether its controls handle them correctly.

Functions of Separation of Duties

Authorisation, Recording and Custody

Vulnerability Scanners

Automated tools that examine a system for known weaknesses, such as missing patches, insecure configurations, and unused or unnecessary programs and services that represent potential security threats

Accessible

Available to users when they need it and in a format they can use

Timely

Provided in time for decision makers to make decisions

Subschema

Subset of the schema- the way that a user defines the data and the data relationship

Information Overload

The point at which the value of additional information incorporated into a decision begins to decline because the information supplied exceeds human processing capacity

Attributes

The properties, identifying numbers, and characteristics of interest of an entity that is stored in a database. Examples are employee number, pay rate, name, and address.

Residual Risk

The risk that remains after management implements internal controls or some other response to risk.

What is the difference between batch and real time?

Batch systems assemble transactions into groups for processing. Real-time systems process transactions individually at the moment the economic event occurs.

Four levers of control that help management reconcile the conflict between creativity and control

Belief system, boundary system, diagnostic control system, and interactive control system

D: Lower fraud risk

Billy Bob's BarBQ has a small accounting staff and outsources payroll to a payroll service bureau. Which of the following is the most important advantage of outsourcing payroll? A: Improved batch control totals B: More accurate time recording by employees C: Hiring more qualified employees D: Lower fraud risk

Block Code

Blocks of numbers that are reserved for specific categories of data, thereby helping to organize the data (chart of accounts)

Public Company Accounting Oversight Board (PCAOB)

Board created by SOX that regulates the auditing profession

An employee in the receiving department keyed in a shipment from a remote terminal and inadvertently omitted the purchase order number. The best systems control to detect this error would be a a. batch total. b. completeness test. c. sequence check. d. reasonableness test. e. compatibility test.

B. A completeness test detects a required field (here the purchase order number) that was left blank; a sequence check only detects missing or out-of-order records in a numbered series.

New speciality for CPA's - CITP

The CITP (Certified Information Technology Professional) designation reflects the AICPA's recognition of the importance of IT and its interrelationship with accounting. A CITP possesses a broad range of business, managerial, and technological knowledge, making it possible for the CITP to understand how organizations use IT to achieve their business objectives. Topics include information system management, business intelligence, fraud, risk assessment, internal control concepts, and how to test and evaluate an information system.

control frameworks

COBIT, COSO, COSO-ERM

Missing Data Check

Checks for incomplete or blank input fields.

Digital Watermark

Code embedded in documents that enables an organization to identify confidential information that has been disclosed

Patch

Code released by software developers that fixes a particular software vulnerability

What are block codes?

Coding scheme that assigns ranges of values to specific attributes such as account classifications.

coding systems

Common coding systems include sequential, block, hierarchical (group), and mnemonic codes.

Computer Instructions Fraud

Computer instructions fraud includes tampering with company software, copying software illegally, using software in an unauthorized manner, and developing software to carry out an unauthorized activity

Auditing

Conducting an official examination of an organization's financial records

on-page connector

Connects the processing flow on the same page; its usage avoids lines crisscrossing a page

Inbound logistics

Consists of receiving, storing, and distributing the materials

Transaction File

Contains records of business transactions for a specific period of time

COBIT

Control Objectives for Information and related Technology, issued by the Information Systems Audit and Control Foundation (ISACF, now ISACA). A framework of generally applicable IT security and control practices intended for boards of directors and management. It lets: 1. management benchmark the security and control practices of its IT environment; 2. users of IT services be assured that adequate security and control exist; 3. auditors substantiate their opinions on internal control and advise on IT security and control.

general controls, application controls, physical controls

Control activities under SAS 109/COSO include A. IT Controls, preventative controls, and Corrective controls B. physical controls, preventative controls, and corrective controls. C. general controls, application controls, and physical controls. D. transaction authorizations, segregation of duties, and risk assessment

Application controls

Controls that prevent, detect, and correct transaction errors and fraud in application programs

Public Company Accounting Oversight Board (PCAOB)

Created by SOX to control the auditing profession by setting and enforcing auditing, quality control, ethics, independence, and other auditing standards. It consists of 5 people who are appointed by the SEC.

What are the 4 different types of data processing activities?

Creating Reading Updating Deleting

IP Address Spoofing

Creating Internet Protocol packets with a forged IP address to hide the sender's identity or to impersonate another computer system

37. Generalized audit software packages perform all of the following tasks except a. recalculate data fields b. compare files and identify differences c. stratify statistical samples d. analyze results and form opinions

D

9. Which of the following is correct? a. check digits should be used for all data codes b. check digits are always placed at the end of a data code c. check digits do not affect processing efficiency d. check digits are designed to detect transcription and transposition errors

D

Providing timely information about transactions in sufficient detail to permit proper classification and financial reporting is an example of a. the control environment b. risk assessment c. information and communication d. monitoring

C. Providing timely transaction information in sufficient detail for proper classification and financial reporting belongs to the information and communication component; monitoring refers to assessing the quality of the control system over time.

SOX legislation calls for sound internal control practices over financial reporting and requires SEC-registered corporations to maintain systems of internal control that meet SOX standards. An integral part of internal control is the appropriate use of preventive controls. Which of the following is not an essential element of preventive control? a. separation of responsibilities for the recording, custodial, and authorization functions b. sound personnel practices c. documentation of policies and procedures d. implementation of state-of-the-art software and hardware e. physical protection of assets

D

database system

DBMS and application programs that access the data

Data definition language (DDL)

DBMS language that builds the data dictionary, creates the database, describes logical views, and specifies record or field security constraints

What is the first step in the data processing cycle?

Data input

Information

Data that have been organized and processed to provide meaning and improve decision-making.

System Flowchart

Depicts the relationships among system input, processing, storage, and output. System flowcharts are used to describe data flows and procedures within an AIS.

What two types of functions do internal controls provide?

Detective, corrective

Preventive controls

Deter problems before they arise

Authorization

Determines what a person can access

Trust Services Framework

Developed jointly by the AICPA and CICA to provide guidance for assessing the reliability of information systems

Detective Internal Controls

Devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls.

e. none of the above.

Disguising message packets to look as if they came from an authorized user of the host's network is a technique called a. smurfing b. IP spooling. c. denial of service attack. d. screening. e. none of the above.

Corruption

Dishonest conduct by those in power which often involves actions that are illegitimate, immoral, or incompatible with ethical standards (bribery and bid rigging)

What are the 3 types of information output produced by an AIS?

Documents, reports, and queries

which tool is useful when analyzing internal control procedures?

Document flowchart

Picking ticket

Document that lists the items and quantities ordered and authorizes the inventory control function to release that merchandise to the shipping department

What is a source document?

Documents that capture and formalize transaction data needed for processing by their respective transaction cycles.

What is EDI? (compared to e-commerce)

EDI is a transaction between two specific computers

What is Online or real-time processing? (OLRT)

Each journal entry is posted directly to the general ledger. Usually used with Point of Sale (POS) systems

Feasibility Study

Assesses economic, technical, legal, scheduling, and operational feasibility

The key criteria of business requirements for information:

Effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability.

asymmetric key encryption

Encryption system that uses a mathematically related key pair: a public key, which can be shared openly, and a private key, which must be kept secret. Data encrypted with one key of the pair can be decrypted only with the other. For confidentiality the sender encrypts with the recipient's public key, so that only the recipient's private key can decrypt; for digital signatures the sender applies the private key to a document digest and recipients verify it with the sender's public key.
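
The digital signature card above (digest encrypted with the sender's private key) and the asymmetric key card here, as one added Python example that is not part of the original flashcard set. It builds a toy RSA key pair from two known Mersenne primes so it runs offline with only the standard library; the primes, exponent choice, and message are constructed for the example and the key is far too small for real use.

```python
import hashlib

# Toy RSA parameters, constructed for this example. Both are Mersenne primes
# (2^107 - 1 and 2^127 - 1); a real key would use two random ~1024-bit primes.
P = (1 << 107) - 1
Q = (1 << 127) - 1
N = P * Q                          # public modulus, about 234 bits
E = 65537                          # public exponent (coprime with (P-1)(Q-1))
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent; pow(x, -1, m) needs Python 3.8+


def digest(message: bytes) -> int:
    """Hash the document. SHA-224 gives a 224-bit value, which is below N,
    so the digest can be used directly as the RSA input without reduction."""
    return int.from_bytes(hashlib.sha224(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Digital signature: the digest 'encrypted' with the sender's PRIVATE key.
    Only the holder of d can produce a value that verifies under (E, N)."""
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Recipient side: 'decrypt' the signature with the sender's PUBLIC key and
    compare it with a freshly computed digest of the received document. Any
    change to the document, or a signature made with another key, fails."""
    return pow(signature, e, n) == digest(message)


def demo() -> tuple[bool, bool]:
    """Constructed document: signed as sent, then altered in transit."""
    invoice = b"Invoice 4471: pay 1,250.00 to account 9021"
    sig = sign(invoice)
    tampered = b"Invoice 4471: pay 9,250.00 to account 9021"
    return verify(invoice, sig), verify(tampered, sig)


if __name__ == "__main__":
    print(demo())
```

The same private key that signs here is never used to encrypt the document itself; confidentiality would require a separate encryption with the recipient's public key. Note also that textbook RSA without padding, as shown, is only suitable for illustrating the digest-then-sign idea; production code uses a padded scheme such as RSA-PSS from a vetted library.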

Design Phase (SDLC)

Establishes descriptions of the desired features and operations of the system including screen layouts, business rules, process diagrams, pseudo code, and other documentation

Compliance Audit

Examination of organizational compliance with applicable laws, regulations, policies, and procedures

Documentation

Explains how a system works. (Including the who, what, when, where, why, and how of data entry, data processing, data storage, information output, and system controls.)

Supply chain

Extended system that includes the value chain as well as suppliers, distributors, and customers

XML

Extensible Markup Language, a standard language to communicate among businesses and users across the internet

Data

Facts that are collected, recorded, stored, and processed by an information system

B: Revenue cycle.

Fictitious customers are an important risk of the A: General ledger cycle. B: Revenue cycle. C: Financing cycle. D: Expenditure cycle.

Data Entry Controls

Field Check, Sign Check, Limit Check, Range Check, Size Check
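
The input edit checks on this page (the missing-data or completeness check, the check digit that detects transcription and transposition errors, the validity check against a vendor master file, and the field, sign and range checks listed under data entry controls) together with the sequence code idea (gaps in prenumbered documents), as one added Python example that is not part of the original flashcard set. The vendor master, the limit value, the record layout and the sample records are constructed for the example, and the check-digit scheme (Luhn, mod 10) is an assumption, since the page names no particular algorithm.

```python
# Constructed reference data for the example (not from the page).
VENDOR_MASTER = {"V1001", "V1002", "V1003"}   # vendor master file for the validity check
MAX_QUANTITY = 10_000                          # upper bound for the range check
REQUIRED = ("po_number", "vendor_id", "quantity", "unit_cost")


def luhn_check_digit(body: str) -> str:
    """Mod-10 (Luhn) check digit for an all-numeric code body. Detects every
    single-digit transcription error and every adjacent transposition except 09<->90."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def check_digit_ok(code: str) -> bool:
    """True if the last character of code is the correct Luhn check digit."""
    return code.isdigit() and len(code) >= 2 and luhn_check_digit(code[:-1]) == code[-1]


def validate_receiving_record(rec: dict) -> list[str]:
    """Run the input edit checks on one keyed receiving record and return the
    names of the checks that failed (empty list means the record is accepted)."""
    errors = []
    # completeness check: every required field must be present and non-blank
    for field in REQUIRED:
        if not str(rec.get(field, "")).strip():
            errors.append(f"completeness:{field}")
    # check digit: a mis-keyed or transposed PO number is rejected before lookup
    if "completeness:po_number" not in errors and not check_digit_ok(rec["po_number"]):
        errors.append("check_digit:po_number")
    # validity check: the vendor must exist in the master file
    if "completeness:vendor_id" not in errors and rec["vendor_id"] not in VENDOR_MASTER:
        errors.append("validity:vendor_id")
    qty = str(rec.get("quantity", "")).strip()
    if qty:
        if not qty.isdigit():                       # field check: numeric only
            errors.append("field:quantity")
        elif not 1 <= int(qty) <= MAX_QUANTITY:     # range check
            errors.append("range:quantity")
    cost = str(rec.get("unit_cost", "")).strip()
    if cost:
        try:
            if float(cost) < 0:                     # sign check
                errors.append("sign:unit_cost")
        except ValueError:                          # field check: must be a number
            errors.append("field:unit_cost")
    return errors


def sequence_gaps(numbers: list[int]) -> list[int]:
    """Sequence check over prenumbered documents: numbers missing between the
    lowest and highest seen, each of which should be investigated."""
    if not numbers:
        return []
    present = set(numbers)
    return [n for n in range(min(numbers), max(numbers) + 1) if n not in present]


if __name__ == "__main__":
    # Constructed sample: "45013" is "4501" plus its Luhn check digit 3.
    good = {"po_number": "45013", "vendor_id": "V1002", "quantity": "40", "unit_cost": "12.50"}
    print(validate_receiving_record(good))                              # []
    print(validate_receiving_record({**good, "po_number": ""}))         # completeness
    print(validate_receiving_record({**good, "po_number": "54013"}))    # transposed digits
    print(sequence_gaps([1001, 1002, 1004, 1006]))                      # [1003, 1005]
```

The checks run in the order a batch edit program would apply them: completeness first, so that later checks never touch a blank field, then the check digit on the code itself, then the validity lookup that would otherwise be wasted on a mistyped number.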

Information Output

Final stage in data processing cycle (soft copy or hard copy)

steps for better thinking

Foundation: knowing. 1. Identifying 2. Exploring 3. Prioritizing 4. Envisioning

GAAS

Generally accepted auditing standards

Goal conflict V. Goal congruence

Goal conflict: when a subsystem's goals are inconsistent with the goals of another subsystem or the system as a whole. Goal congruence: when a subsystem achieves its goals while contributing to the organization's overall goal.

Phase-In Conversion

Gradually replaces elements of old AIS with new one

What is a GUI? (what does it stand for)

Graphical User Interface

DFD

Graphical representation of a process using four symbols for the process, external entity (outside the boundary of an information system), data store, and data flow

B: Determine reporting procedures for vendor anomalies.

Griswold Corp. is planning a data analytics program to manage the risk of vendor fraud in purchasing. Which of the following activities would occur last in this process? A: Determine the risk of management override of controls over purchases. B: Determine reporting procedures for vendor anomalies. C: Screen data to remove html tags from harvested vendor data. D: Validate scraped data to match to existing vendor files.

Records

Group of related attributes about an entity

File

Group of related records

A: Bill of materials.

Hamish works in a factory that builds tractors in Des Moines, Iowa. He can't remember whether the B352 or the C917 sprocket is needed in building a X793 tractor. The document, form, or screen that would help him decide is: A: Bill of materials. B: Materials requisition. C: Move ticket. D: Picking ticket.

B: Materials requisition.

Hamish works in a factory that builds tractors in Des Moines, Iowa. He wants to get a B352 sprocket that is needed in building a X793 tractor. The document, form, or screen that would authorize this action is: A: Bill of materials. B: Materials requisition. C: Move ticket. D: Picking ticket.

Scheduled Reports

Have pre-specified content and format and are prepared on a regular basis

Interactive control system

Helps managers focus subordinates' attention on key strategic issues and be more involved in their decisions

What are two different types of databases?

Hierarchical and relational.

Context Diagram

Highest level DFD; a summary-level view of a system, showing the data processing system, its inputs and outputs, and their sources and destinations

What is data visualization?

How you present your data (graphs, spreadsheets, etc.)

event ID

Event identification: identifying events that affect strategy implementation and the achievement of objectives

How does AIS add value? (5)

IMPROVES: 1. quality and reducing the costs of products or services; 2. efficiency; 3. sharing knowledge; 4. efficiency and effectiveness of its supply chain; 5. internal control structure; 6. decision making

Corrective Controls

Identify and correct problems as well as correct and recover from the resulting errors

Data Fraud

Illegally using, copying, browsing, searching or harming company data constitutes data fraud. The biggest cause of data breach is employee negligence.

Document Flowcharts

Illustrates the flow of documents and data among areas of responsibility within an organization

Document Flow Chart

Illustrates the flow of documents through an organisation

Insert anomaly

Improper database organization that results in the inability to add records to a database

Update anomaly

Improper database organization where a non-primary key item is stored multiple times

C: Master file.

In a computer-based system, the equivalent of a subsidiary ledger is a A: Transaction file. B: Archive file. C: Master file. D: Reference file.

C: Transfer balances in temporary accounts to retained earnings.

In the accounting cycle, closing journal entries: A: Identify and record all liabilities, revenues, and expenses at the end of the fiscal year. B: Ensure the matching of revenue and expenses by period. C: Transfer balances in temporary accounts to retained earnings. D: Lessen the likelihood of deceptive manual journal entries.

revenue cycle

In which cycle does a company ship goods to customers?

technical controls

Include data encryption, access control software and passwords, transaction logging reports, range and reasonableness checks on transaction amounts, control totals

ISASs

Information systems auditing standards provide guidelines for conducting an IS/IT audit (issued by ISACA)

Systems Analysis

Initial investigation, systems survey, feasibility survey, information needs and requirements, systems analysis report

What aspects does a simple information system have?

Input, processing, storage, and output.

Enterprise Systems

Integrate business processes

What did COSO issue in 1992?

Internal Control-Integrated Framework (IC) which is widely accepted as the authority on internal controls and is incorporated into policies, rules, and regulations used to control business activities

D: Monitoring.

Internal auditors at Henry Flower's Flower Shop are undertaking a comprehensive review to determine if the company has complied with privacy regulations regarding customer data. In the COBIT model, this is best classified as an example of A: Planning and Organization. B: Acquisition and Implementation. C: Delivery and Support. D: Monitoring.

implementation phase of SDLC

Involves placing the system into production so users can begin to perform actual business operations with it

The Revenue Cycle

Involves processing cash sales, credit sales, and the receipt of cash following a credit sale. Have a physical and a financial component, which are processed separately. Sales Order Processing and Cash Receipts.

Security controls in wireless networks

These include, but are not limited to: assigning roles and responsibilities, creating policies and procedures, and conducting risk assessments on a regular basis.

Corporate Governance

It is a set of processes and policies for managing an organization with sound ethics to safeguard the interests of its stakeholders. It promotes accountability, fairness, and transparency in the organization's relationship with its stakeholders.

C: Predictive and usually quantitative.

Key risk indicators are A: Indicators of internal control quality. B: Substantively equivalent to KPIs. C: Predictive and usually quantitative. D: Used primarily by risk-aware, risk-averse entities.

Value chain

Linking together of all of the primary and support activities in a business

Value Chain

Linking together of all the primary and support activities in a business. Value is added as a product passes through the chain.

Advantages of Outsourcing

Lower costs; less development time; elimination of peaks-and-valleys usage; facilitation of downsizing; asset utilization; a business solution

c. parity checks

Many techniques exist to reduce the likelihood and effects of data communication hardware failure. One of these is a. hardware access procedures b. antivirus software c. parity checks d. data encryption

What is a centralized data processing model?

Model under which all data processing is performed by one or more large computers, housed at a central site, that serve users throughout the organization.

Documentation

Narratives, flowcharts, diagrams, and other written materials that explain how a system works

Plaintext

Normal text that has not been encrypted

original equipment manufacturers

OEM

procure to payment

P2P

Lockbox

Postal address to which customers send their remittances

Cycle billing

Producing monthly statements for subsets of customers at different times

quote to cash

Q2C

B: Receivables billing.

RFID tagging is most helpful to A: Cash collections. B: Receivables billing. C: Shipping. D: Bank reconciliations.

What is the supply chain?

Refers to the flow of materials, information, payments, and services from suppliers through to the customer.

Traits of Useful Information

Relevant, reliable, complete, timely, understandable, verifiable, accessible

War Dialing

Searching for an idle modem (rogue) by programming a computer to dial thousands of phone lines

Symmetric Key Encryption

Sender and receiver use single, shared key

Segregation of Duties

Separation of employee duties to minimize incompatible functions. Example: separating transaction authorization and processing, separating asset custody and record keeping.

Database

Set of interrelated files

Gantt Chart

Shows an entire schedule for a complex project

DFD Diagram

Shows inputs and outputs into a system

PERT Chart

Shows project activities that require expenditure of time

Spamming

Simultaneously sending the same unsolicited message to many people, often in an attempt to sell them something

What is the fraud triangle?

Situational pressure, opportunity, and ethics.

DNS Spoofing

Sniffing the ID of Domain Name System request and replying before the real DNS server

Intrusion Prevention Systems (IPS)

Software or hardware that monitors patterns in the traffic flow to identify and automatically block attacks

Canned Software

Software readily available from a store

Customer relationship management (CRM) systems

Software that organizes information about customers in a manner that facilitates efficient and personalized service

Splog

Spam blogs created to increase a website's Google PageRank, which is how often a webpage is referenced by other webpages

Four categories of objective settings for internal controls are:

Strategic, operations, reporting, compliance

Report

System output, organized in a meaningful fashion, that is used by employees to control operational activities, by managers to make decisions and design strategies, and by investors and creditors to understand a company's business activities

How does carter classify computer crimes?

Taxonomy: a crime fits at least one of four categories (may fit more): target, instrumentality, incidental, associated

Direct Conversion

Terminates old AIS when new one is introduced

What is the most significant contributing factor in most misappropriations?

The absence of internal controls and/or the failure to enforce existing controls

Rationalization

The excuse that fraud perpetrators use to justify their illegal behavior

D: Funds, raw materials

The financing cycle contributes ___________ to the expenditure cycle, which contributes _____________ to the production cycle. A: Revenue, expenditures B: Raw materials, finished products C: Labor, raw materials D: Funds, raw materials

Change Controls and Change Management

The formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability

management are required to certify their internal control system

The importance to the accounting profession of the Sarbanes-Oxley Act is that A. bribery will be eliminated B. management will not override the company's internal controls C. management are required to certify their internal control system D. firms will not be exposed to lawsuits

Black box

The information contained on the outside (input, output)

Business process or transaction cycles

The major give-get exchanges that occur frequently in most companies

Credit limit

The maximum allowable credit account balance for each customer, based on past credit history and ability to pay

B: Sales invoice.

The most important document in the billing process is the A: Picking ticket. B: Sales invoice. C: Packing slip. D: Bill of lading.

Data Flow

The movement of data among processes, stores, sources, and destinations

Conceptual-level schema

The organization-wide view of the entire database that lists all data elements and the relationship between them

C: Data control clerk.

The position responsible for managing the flow of documents and reports in and out of the computer operations department is the A: Data entry clerk. B: Computer operator. C: Data control clerk. D: File librarian.

What is a value chain?

The primary activities (Inbound > Operations > Outbound > Marketing > Service)

A: Internal auditors; external auditors

The primary target audience of COBIT includes ___________ while the primary target audience of COSO includes __________________. A: Internal auditors; external auditors B: Board of directors; management C: Board of directors; external auditors D: Management; internal auditors

Log Analysis

The process of examining logs to identify evidence of possible attacks

Internal controls

The processes implemented to provide reasonable assurance for control objectives

Residual Risk

The risk that remains after management implements internal controls or some other response to risk

Input Fraud

The simplest and most common way to commit a computer fraud is to alter or falsify computer input

Inherent Risk

The susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control

Inherent Risk

The susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control; a risk that exists before internal controls are instated

Fraud Triangle

The three conditions that exist for the occurrence of a fraud--1) incentive, or the reason to commit fraud; 2) opportunity for the fraud to be perpetrated; 3) rationalization, or the attitude that enables the individuals committing the fraud to rationalize it

Electronic funds transfer (EFT)

The transfer of funds through use of online banking software

A: Unauthorized payment of invoices.

The use of a voucher system helps control A: Unauthorized payment of invoices. B: Unauthorized orders of goods. C: The use of unauthorized vendors. D: Underpayments to suppliers.

Predictive analysis

The use of data warehouses and complex algorithms to forecast future events, based on historical trends and calculated probabilities

Components of internal controls

The 8 components of internal control are: internal environment, event identification, risk assessment, risk response, control activities, information and communication, monitoring.

Segregation of accounting duties

This process effectively segregates the authorization function from custody and recording.

Controls for Processing Integrity - Output

Threats/Risks: use of inaccurate or incomplete reports; unauthorized disclosure of sensitive information; loss, alteration, or disclosure of information in transit. Controls: reviews and reconciliations, encryption and access controls, parity checks, message acknowledgement techniques

Controls for Processing Integrity - Input

Threats/Risks: data that is invalid, unauthorized, incomplete, or inaccurate. Controls: forms design, cancellation and storage of documents, authorization and segregation of duties controls, visual scanning, data entry controls

What is a characteristic of the flat-file approach to data management?

"Users own the data files." Exclusive data ownership is a characteristic of the flat-file system.

Virtual Private Network (VPN)

Using encryption and authentication to securely transfer information over the Internet, thereby creating a "virtual" private network.

Primary activities

Value chain activities that produce, market, and deliver products and services to customers and provide post-delivery service and support

Authentication

Verifying the identity of the person or device attempting to access the system

Data warehouse

Very large database containing detailed and summarized data for a number of years that is used for analysis rather than transaction processing

Three V's of Big Data

Volume, Variety, Velocity

specific types of big data

Web and social media, machine-to-machine, big transaction, biometric, human-generated

Goal congruence

When a subsystem achieves its goals while contributing to the organization's overall goals

the test transactions

When analyzing the results of the test data method, the auditor would spend the least amount of time reviewing a. the test transactions b. error reports c. updated master files d. output reports

Buffer Overflow Attack

When the amount of data entered into a program is greater than the amount of the input buffer. The input overflow overwrites the next computer instruction, causing the system to crash. Hackers exploit this by crafting the input so that the overflow contains code that tells the computer what to do next. This code could open a back door into the system.

B: Hypocrisy (i.e., when management says one thing and does another)

Which of the following is an important threat to accountability in an organization's ERM practices? A: Excessive communication B: Hypocrisy (i.e., when management says one thing and does another) C: Escalation D: Deviations

What is a WAN?

Wide area network - covers a large geographic region, such as Eastern Seaboard

Narrative Description

Written, step-by-step explanation of system components and how they interact

field

a customer name would be a: database, file, field, record

decision

a decision-making step

which type of AIS output is a gross margin analysis by product line?

a report

what is inherent risk?

a risk that exists before internal controls are instated

Database

a set of interrelated, centrally coordinated data files that are stored with as little data redundancy as possible.

sign check

a specific inventory record indicates that there are twelve items on hand and a customer purchased two of them. When recording the order, the data entry clerk mistakenly entered twenty items sold. Which check would detect this error? A. numeric/alphabetic data check B. sign check C. sequence check D. range check

which two tools are project development and acquisition controls?

a strategic master plan; system performance measurements

Implementation Plan

a written plan showing how the new system will be implemented; specifies when the project should be complete and the IS operational, including a completion timetable, cost estimates, task milestones, and who is responsible for each activity

7-11. a database is in third normal form (3NF) if it is second normal form and

a. all the data attributes in a record are well defined b. all the data attributes in a record depend upon a record key c. the data contain no transitive dependencies* d. the data can be stored in two or more separate tables

12-8. In selecting a new AIS, a company's management should:

a. always hire a consultant b. always consult with your accountant during the decision process * c. never rely on your accountant for help in this decision d. always use an Internet software service to make the decision

4-2. Data transcription is best described as:

a. an efficient process b. always necessary in AISs *c. labor intensive and time consuming d. an important way to limit fraud and embezzlement

8-3. An example of a validation rule is:

a. an input value must be an integer b. an input value must also have a default value c. an input value must be between 0 and 40 * d. you cannot delete parent records that have child records associated with them

14-8. A __________ is a security appliance that runs behind a firewall and allows remote users to access entity resources by using wireless, handheld devices.

a. data encryption b. WAN c. checkpoint d. VPN *

The purpose of a checkpoint procedure is to facilitate restarting after a. data processing errors b. data input errors c. the failure to have all input data ready on time d. computer operator intervention e. none of the above

a. data processing errors

What is clean data?

accurate, uniform data in a software system

database management system (DBMS)

achieves data independence by interposing between the database and the users of the data; acts as the interface between the database and various application programs; "data warehouses"

Outbound Logistics

activities distribute finished products or services to customers

marketing and sales

activities help customers buy the organization's products or services

human resources

activities include recruiting, hiring, training, and compensating employees

efficient, data integrity (errors can be avoided), integrated, independent

advantages to using databases

What is text mining?

algorithms used to search non-numeric data

macro

are data flow diagrams more on the macro or micro level?

data flows

arrows e.g. deposit slips; remittance advice; checks

segregation of duties

authorization, recording, custody

Block Code

blocks of numbers are reserved for specific categories of data.

What is B2B?

business sells to business

What is B2C?

business sells to customer

databases are formed

by a set of interrelated files

how does an audit trail work in an AIS?

by capturing a transaction's path through the data processing system

a patio furniture store uses its AIS to allow salespeople to check the inventory level of an item at the main warehouse. how does this functionality add value to the patio furniture store?

by improving knowledge sharing

which is the most important, basic, and effective control to deter fraud? a) enforced vacations b) logical access control c) segregation of duties d) virus protection controls

c) segregation of duties

techniques used to obtain confidential info, often by tricking people, are referred to as what? a) pretexting b) posing c) social engineering d) identity theft

c) social engineering

what type of software secretly collects personal info about users & sends it to someone else w/o the user's permission? a) rootkit b) torpedo software c) spyware d) malware

c) spyware

What is a file or table?

collection of records that relate to each other

Carter's Taxonomy - instrumentality

computer furthers a criminal end

Information

data that has been organized and processed to provide meaning and improve decision making process

Primary Key

database attribute, or combination of attributes, that uniquely identifies each row in a table (in attached table - combination of sales invoice # and Item #)

What is a DBMS?

database management system

Taxonomy

defines and describes each key data element (total assets, accounts payable, net income); a way to organize knowledge; a set of tags

DBMS languages

definition, manipulation, query

delete anomaly

deleting one transaction may remove information about a customer

system flowchart

depicts the relationships among system input, processing, storage, and output

Internal controls related to XBRL - risk of hardware and software failure

disaster recovery plan; physical security; uninterruptible/back-up power supplies

which threat applies to the HRM/Payroll cycle?

disclosing confidential salary information

Detective Controls

discover problems that haven't been prevented

data stores

double lines e.g. files

which is NOT one of the tangible or intangible benefits a company might obtain from a new system? a) cost savings b) improved customer service & productivity c) improved decision making d) improved data processing e) all are benefits of a new system

e) all are benefits of a new system

300

equity

Data

facts that are collected, recorded, stored, and processed by an information system

What is the Extranet?

gives access to company's network to suppliers, customers, etc. (target example)

data flow diagram

graphical description of data sources, data flows, transformation processes, data storage, and data destinations in a system; differs from a flowchart in timing

the percentage of gross profit

gross margin

What are mnemonic codes?

helps the user remember what they represent (like S, M, L, and XL on clothing)

physical view

how and where the data is physically arranged and stored in the computer system

risk assessment

how to manage? effect on achieving objectives?

logical view

how user/programmer conceptually organizes/understands the data

information & communication

identified, captured, and communicated so employees can fulfill their responsibilities

what does an attacker do when scanning and mapping a target IS?

identifies computers that can be accessed remotely

What is data analysis?

identify relationships between data pieces

Extensible

if a particular concept does not already exist in a public taxonomy there is the ability to add to or change the elements to meet the company's needs; called extending the taxonomy. allows users to create new tags as the need arises; never finished

sabotage

intent to destroy a system or some of its components

fraudulent financial statement reporting

intentional/reckless conduct, whether by act/omission results in materially misstated financial statements

Internal controls related to XBRL - risk of inappropriate/missing authorizations

internal audit review of selected transactions; periodic user training; up-to-date procedures manuals

Analysis Phase of SDLC

involves a complete, detailed analysis of the systems needs of the end user. The analysis phase further refines the goals of the project into carefully specified functions and operations of the intended system

firm infrastructure

is the accounting, finance, legal, and general administration activities that allow an organization to function

200

liabilities

what is the value chain?

links together the different activities within an organization that provide value to the customer.

Physical Internal Controls

locks, security guards, badges, alarms

which two security controls detect intrusions?

log analysis; security testing

schema

logical structure of the database: conceptual, external, internal

Digital Signature

message digest of a document that is encrypted using the document creator's private key; ensures data integrity

objective setting

management process to formulate strategic, operations, reporting, and compliance objectives to support the mission & tolerance for risk

types of fraud

misappropriation of assets; fraudulent financial reporting

conceptual-level schema

organization-wide view of entire database

FC storage symbols

parallelogram = general ledger; cylinder = customer inventory; filed by: date, number, logic (upside-down triangle)

a company has a procedure that installs updates to all of its security programs and operating systems on a monthly basis. which type of corrective control does this scenario describe?

patch management

Internal controls related to XBRL - risk of inappropriate taxonomies

periodic review and approval; centralized approval process; authorizations for tagging and taxonomy selection

easy to visualize and understand, reveal control weaknesses

positives of flowcharts:

quick to complete, give details and clarification

positives of narratives:

exposure/impact

potential dollar loss should a particular event become a reality

internal controls

processes/procedures implemented to provide reasonable assurance that control objectives are met; prevent, detect, correct

Internal controls provide ____ assurance.

reasonable; because complete assurance is expensive and difficult to achieve

QuickBooks internal controls

reconciliation; data validation; validity check; reports (e.g. audit trail); user accounts; predetermined numbers (e.g. checks); matching (PO to bill)

What is a purchases journal?

records of credit purchase transactions

What is a sales journal?

records of credit sale transactions

What is a cash disbursements journal?

records of transactions in which cash is paid

disadvantages of one uniform table

redundancy; insert, update, and delete anomalies

What is a record?

relates fields of information

data independence

separation of data from the program applications that access and process data

What are block codes?

sequential codes in which blocks of numbers are reserved for a certain purpose

What are Sequence codes?

sequential set of numbers used to identify customer accounts, payroll checks, sales invoices, etc.

output

stolen, copied, misused

What is data storage?

stores pieces of data collected in an organized fashion

contextual diagram

summary-level view of the system

web crawler

systematically browsing the world wide web to collect information

which task do IS auditors perform when they audit transaction processing?

testing the accuracy of data edit routines

cookies

text file created by web site and stored on visitor's hard drive to store information about who the user is and what the user has done

What is data extraction and transfer?

the ability to find the data needed and prepare it for analysis

Entity

the item about which information is stored in a record. Examples: employee, inventory item, a customer

Systems Implementation

the process of installing hardware and software and getting the IS up and running

Human Resources Management (HRM)/ Payroll Cycle

the recurring set of business activities and data processing operations associated with effectively managing the employee workforce.

Specification

the relationship between XBRL and XML. XBRL is one specific item in a family of languages called XML

why is system documentation created?

to help during transitions of IT employees

What is the purpose of a coding system?

to identify individual accounts and transactions as well as to classify account types

what is one purpose of the COBIT framework?

to provide assurance that data produced by an IS is reliable

Outsourcing

transferring portions of work to outside suppliers

relational data model

two-dimensional table representation of data; each row represents a unique entity (record) & columns are field attributes; cardinality!

verifiable

two independent, knowledgeable people produce the same information

data flow diagrams, business process diagrams, flowcharts

types of diagramming:

processor

unauthorized systems: 1) using, copying, browsing, searching, harming; 2) changing, damaging, destroying, defacing

what is identity theft?

unauthorized use of someone's personal information for the perpetrator's benefit

7. Define spam.

unsolicited e-mail that contains either advertising or offensive content

FC processing symbols

upside-down trapezoid = manual process; square = computer; label with capital letters & list at bottom

DQL

used to interrogate; retrieves, sorts, orders, presents subsets in response to user queries

which threat to the payroll process applies to the disbursement of payroll?

wages being issued to a fictitious employee

expenditure cycle (procedure cycle)

what cycle is P2P in?

revenue cycle

what cycle is Q2C in?

Group Codes

which are two or more subgroups of digits used to code items, are often used in conjunction with block codes.

Flowchart

which is a graphical description of a system. There are several types of flow charts

purchasing

which of the following is a support activity in the value chain: purchasing, manufacturing, post-sales service, receiving materials

What is a UPS?

Uninterruptible Power Supply

System output controls

User Reviews, Reconciliation, Data transmission controls, check sums, parity checking

Semantic data modeling

Using knowledge of business processes and information needs to create a diagram that shows what to include in a fully normalized database

Supervision

Which of the following is often called a compensating control? A. Transaction B. Supervision C. Accounting Records D. Segregation of Duties

10-6. which of the following source documents is common to both the sales and the purchasing processes?

a. cash receipts forecast and cash requirements forecasts b. financial statement information * c. discrepancy reports and bad debt reports d. none of the above

all inventory records

which of the following would be identified as a file: a customer's name, data about one customer, all inventory records, data about one inventory item

Authorization controls are often implemented by creating an...

access control matrix

purchasing

activities procure raw materials, supplies, machinery, and the buildings used to carry out the primary activities

which would most likely be a PRIMARY key? a) supplier name b) suppliers number c) supplier zip code d) supplier acct balance

b) supplier number

kiting

creating cash using the lag between the time a check is deposited and the time it clears the bank; alteration or issuance of a check with insufficient funds (money is used to approve loans)

What is an access point?

device that connects wireless communication devices together to form a network

Defense-in-Depth

employing multiple layers of controls to avoid a single point-of-failure

Technical Internal Controls

firewalls, intrusion detection, access controls, cryptography, anti-virus software

reliable

free from error or bias; accurately represents organization events or activities

AIS

set of interrelated activities, documents, and technologies designed to collect data (input), process it, and report information (output). Also, systems include storage and internal controls

file

set of logically related records

Specialized journal v general journal

specialized journals - A journal used to record a large number of repetitive transactions such as credit sales, cash receipts, purchases, and cash disbursements. general journal - A journal used to record infrequent or nonroutine transactions, such as loan payments and end-of-period adjusting and closing entries.

What is an algorithm?

step-by-step process for solving a problem

Accounting Information Systems (AIS)

system collects, records, stores, and processes data to produce info for decision makers (transforms data into information to provide adequate controls). Consists of: people (who use the system), processes, technology, controls to safeguard information.

which events are part of the revenue cycle?

taking orders from customers, shipping FG, and depositing payments in the bank

white-collar criminals

Usually business people who resort to trickery or cunning to violate trust or confidence.

when you want to buy something

when do you send out a purchase order?

Expenditure Cycle

where companies purchase inventory for resale or raw materials to use in producing products in exchange for cash or a future promise to pay cash

What is the outcome of a formal and well-controlled systems development process?

"Accounting information systems applications that are free from internal control weaknesses." A materially flawed financial application can corrupt financial data, which may then be incorrectly reported in financial statements.

The major difference between the financial reporting system (FRS) and the management reporting system (MRS) is the

"FRS provides information to external users; the MRS provides information to internal users." The FRS produces the financial statements as required by law. The MRS provides information to management for decision making such as budgets, forecasts, customer orders.

Five Components of Internal Control Model

- Control environment - Risk assessment - Control activities - Information and communication - Monitoring

Legally, for an act to be fraudulent, there must be:

1 A false statement, representation or disclosure 2 A material fact 3 An intent to deceive 4 A justifiable reliance 5 An injury or loss

What are the five components of the COSO Internal Control Model?

1 Control Environment 2 Risk Assessment 3 Control Activities 4 Information and Communication 5 Monitoring

Four operations of Data Processing Cycle

1 Data Input 2 Data Storage 3 Data Processing 4 Information Output *Users are also involved in entire process

The Treadway Commission recommended what four actions to reduce fraudulent financial reporting:

1 Establish an organizational environment that contributes to the integrity of the financial reporting process 2 Identify and understand the factors that lead to fraudulent financial reporting 3 Assess the risk of fraudulent financial reporting within the company 4 Design and implement internal controls to provide reasonable assurance of preventing fraudulent financial reporting

Characteristics of Useful Information

1 Relevant 2 Reliable 3 Complete 4 Timely 5 Understandable 6 Verifiable 7 Accessible

What are the five major transaction cycles?

1. Revenue Cycle 2. Expenditure Cycle 3. Production/Conversion Cycle 4. HRM/Payroll Cycle 5. Financing Cycle

Internal Controls

1. Segregation of Duties 2. Transaction Authorization 3. Accounting Records 4. Access Controls 5. Independent Verification 6. Supervision

Support activities of the value chain? (4)

1. Firm infrastructure (accounting, finance, legal, and general administration activities) 2. Human resources 3. Technology 4. Purchasing

Expenditure Cycle

A recurring set of business activities and related data processing operations associated with the purchase of and payment for goods and services.

Query

A request for the data base to provide the information needed to deal with a problem or answer to a question. The information is retrieved, displayed or printed, and/or analyzed as requested

Batch Processing

Accumulating transaction records into groups or batches for processing at a regular interval such as daily or weekly. The records are usually sorted into some sequence (such as numerically or alphabetically) before processing.

Financing cycle

Activities associated with raising money by selling shares in the company to investors and borrowing money as well as paying dividends and interest

Operations

Activities transform inputs into final products/services

Certificate Authority

An organization that issues digital certificates, each recording a public key and the identity of its owner under the CA's signature. In most deployments the owner generates the key pair and keeps the private key; the CA certifies only the public key.

Operating systems

Software that controls the computer's hardware resources (disk drives, mouse, printer, keyboard, monitor) and lets applications share and access them.

4. Which statement is correct? a. compiled programs are very susceptible to unauthorized modification b. the source program library stores application programs in source code form c. modifications are made to programs in machine code language d. the source program library management system increases operating efficiency

B

who inspects fraud?

Certified Fraud Examiners (certified by the ACFE, the Association of Certified Fraud Examiners)

C: Public Company Accounting Oversight Board (PCAOB)

Copyright © 2017 by the American Institute of Certified Public Accountants, Inc., is reprinted and/or adapted with permission. Which of the following organizations was established by the Sarbanes-Oxley Act of 2002 to control the auditing profession? A: Information Systems Audit and Control Foundation (ISACF) B: IT Governance Institute (ITGI) C: Public Company Accounting Oversight Board (PCAOB) D: Committee of Sponsoring Organizations (COSO)

A: Governance and Culture

BigWig Costume Rentals recently implemented an initiative to attract and retain web programmers and systems analysts as a part of its expanded web development to support online sales. This initiative most likely occurs as a part of which component in the ERM framework? A: Governance and Culture B: Performance C: Strategy and Objective-Setting D: Information, Communication, and Reporting

10. Which statement is not correct? The goal of batch controls is to ensure that during processing a. transactions are not omitted b. transactions are not added c. transactions are free from clerical errors d. an audit trail is created

C

18. Which check is not an input control? a. reasonableness check b. validity check. c. spooling check d. missing data check

C
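The two questions above on batch controls and input controls, as an added Python example that is not part of the original cards. The vendor master, the reasonableness limit, the control slip and the invoice records are all constructed for the illustration:

```python
"""Batch controls and input (edit) checks over a batch of supplier invoices.

Batch controls (record count, financial total, hash total) compare totals
computed from the batch against a control slip prepared independently by the
originating department, catching omitted, added or duplicated transactions.
Input controls catch clerical errors field by field. Added example; all data
below is constructed.
"""
from decimal import Decimal, InvalidOperation

VALID_VENDORS = {"V100", "V200", "V300"}   # constructed vendor master file
REASONABLE_MAX = Decimal("50000.00")       # constructed per-invoice limit

# Constructed batch of four keyed invoice records.
BATCH = [
    {"vendor": "V100", "invoice_no": "1001", "amount": "1250.00"},
    {"vendor": "V200", "invoice_no": "1002", "amount": "75000.00"},  # exceeds limit
    {"vendor": "V999", "invoice_no": "1003", "amount": "300.00"},    # vendor not in master
    {"vendor": "V300", "invoice_no": "",     "amount": "45.50"},     # invoice number missing
]

# Control slip prepared by the originating department before data entry.
CONTROL_SLIP = {"record_count": 4, "financial_total": "76595.50", "hash_total": 3006}


def _decimal_or_zero(value):
    try:
        return Decimal(str(value))
    except InvalidOperation:
        return Decimal("0")


def edit_checks(rec):
    """Field-level input controls on one record; returns the list of failures."""
    errors = []
    # missing data check: required fields must be present and non-blank
    for field in ("vendor", "invoice_no", "amount"):
        if not str(rec.get(field, "")).strip():
            errors.append(f"missing data: {field}")
    # validity check: vendor code must exist in the master file
    vendor = rec.get("vendor")
    if vendor and vendor not in VALID_VENDORS:
        errors.append(f"validity: unknown vendor {vendor}")
    # field check (numeric) and reasonableness check (within limits) on the amount
    raw = str(rec.get("amount", "")).strip()
    if raw:
        try:
            amount = Decimal(raw)
        except InvalidOperation:
            errors.append("field: amount is not numeric")
        else:
            if not (Decimal("0") < amount <= REASONABLE_MAX):
                errors.append(f"reasonableness: amount {amount} out of range")
    return errors


def batch_totals(records):
    """Record count, financial total and hash total (sum of a non-financial field)."""
    return {
        "record_count": len(records),
        "financial_total": sum((_decimal_or_zero(r.get("amount")) for r in records),
                               Decimal("0")),
        "hash_total": sum(int(r["invoice_no"]) for r in records
                          if str(r.get("invoice_no", "")).isdigit()),
    }


def reconcile_batch(records, control_slip):
    """Compare computed totals with the control slip; any mismatch rejects the batch."""
    totals = batch_totals(records)
    return [f"{key}: slip {control_slip[key]} vs computed {totals[key]}"
            for key in ("record_count", "financial_total", "hash_total")
            if Decimal(str(control_slip[key])) != Decimal(str(totals[key]))]


if __name__ == "__main__":
    print("batch discrepancies:", reconcile_batch(BATCH, CONTROL_SLIP))
    for rec in BATCH:
        print(rec["invoice_no"] or "<blank>", edit_checks(rec))
```

Note what each layer catches: the batch totals agree with the slip, so nothing was lost or added in transit, yet three of the four records still fail edit checks. Batch controls and input controls are complementary, not substitutes.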

What are order entry, manufacturing, procurement, accounts payable, payroll, and human resources examples of?

"Key processes of an organization." Key processes of the organization include order entry, manufacturing, procurement, accounts payable, payroll, and human resources.

Which type of system would an organization purchase if it is looking for a commercial system that is developed and maintained by a provider?

"Vendor-supported system." A vendor-supported system is a system that a vendor develops and maintains for a client organization.

Schema

A description of the data elements in a database, the relationships among them, and the logical model used to organize and describe the data

b. derived from the digest of a document that has been encrypted with the sender's private key

A digital signature is a. the encrypted mathematical value of the message sender's name b. derived from the digest of a document that has been encrypted with the sender's private key c. the computed digest of the sender's digital certificate d. allows digital messages to be sent over analog telephone lines
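The hash-then-sign idea in answer b, as an added Python example that is not from the original cards. It uses a toy RSA key pair built from two constructed, very small primes, so it illustrates "the digest encrypted with the sender's private key" but is not secure; production code uses 2048-bit or larger keys, signature padding such as PSS, and a vetted library:

```python
"""Toy hash-then-sign digital signature (added example; insecure key size)."""
import hashlib

P, Q = 1000003, 1000033            # constructed small primes, far too small for real use
N = P * Q                          # modulus shared by both keys
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (modular inverse; Python 3.8+)
PUBLIC_KEY = (N, E)                # widely distributed, normally carried in a certificate
PRIVATE_KEY = (N, D)               # kept secret by the signer


def digest(document: bytes, n: int) -> int:
    """SHA-256 of the document as an integer, reduced mod n to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n


def sign(document: bytes, private_key) -> int:
    """'Encrypt' the document's digest with the private key."""
    n, d = private_key
    return pow(digest(document, n), d, n)


def verify(document: bytes, signature: int, public_key) -> bool:
    """Recover the digest with the public key and compare it with a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest(document, n)


if __name__ == "__main__":
    doc = b"Pay ACME Ltd 1250.00 USD against invoice 1001"   # constructed message
    sig = sign(doc, PRIVATE_KEY)
    print("original verifies:", verify(doc, sig, PUBLIC_KEY))
    print("tampered verifies:", verify(doc.replace(b"1250.00", b"9250.00"), sig, PUBLIC_KEY))
```

Changing a single character of the document changes the digest, so the signature no longer verifies; only the holder of D could have produced a value that decrypts to the right digest. What the signature does not prove is who owns the public key, which is the gap a certificate authority's digital certificate fills.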

Back order

A document authorizing the purchase or production of items that is created when there is insufficient inventory to meet customer orders

Sales invoice

A document notifying customers of the amount of a sale and where to send payment

Credit memo

A document, approved by the credit manager, authorizing the billing department to credit a customer's account

What is a flat-file structure?

A file structure that does not support the integration of data. Describes an environment in which individual data files are not related to other files.

General Ledger

A ledger that contains summary-level data for every asset, liability, equity, revenue, and expense account of the organization.

Chart of Accounts

A listing of all the numbers assigned to balance sheet and income statement accounts. The account numbers allow transaction data to be coded, classified, and entered into the proper accounts. They also facilitate financial statement and report preparation.

A: Preventive.

An organization relied heavily on e-commerce for its transactions. Evidence of the organization's security awareness manual would be an example of which of the following types of controls? A: Preventive. B: Detective. C: Corrective. D: Compliance.

A: Data definition language.

An overall description of a database, including the names of data elements, their characteristics, and their relationship to one another, would be defined by using a A: Data definition language. B: Data control language. C: Data manipulation language. D: Data command interpreter language.

System

A set of two or more interrelated components that interact to achieve a goal

Encryption

The process of transforming readable plaintext into unreadable ciphertext using a key. A preventive control that provides confidentiality and privacy for data in transmission and in storage.

Intrusion Detection Systems (IDS)

A system that creates logs of all network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions

Control Activities (Def)

Policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out.

Cardinalities

Describe the nature of relationships between entities

General ledger and reporting system

Information-processing operations involved in updating the general ledger and preparing reports for both management and external parties

IIA

Institute of Internal Auditors. Provides guidance on the use of audit tools and other data analysis techniques when conducting internal audits.

4 Basic Expenditure Cycle Activities

Ordering materials, supplies, and services Receiving materials, supplies, and services Approving supplier invoices Cash Disbursements

Performing a comprehensive fraud risk assessment

Overland Stage and Transport uses a fraud risk assessment heat map that charts the significance (on the vertical axis) and the likelihood (on the horizontal axis) of frauds as a part of its fraud risk management program. The company's use of a fraud risk heat map best relates to which of the following activities? A: Establishing a fraud risk management program B: Selecting, developing, and deploying fraud controls C: Selecting, developing, and deploying evaluation and monitoring processes D: Performing a comprehensive fraud risk assessment

Inherent Risk

The susceptibility of a set of accounts or transactions to significant control problems in the absence of internal controls. It is a risk that exists before internal controls are instated.

Encryption is a preventive control that can be used to protect both _____ & _____

confidentiality, privacy

What is Intranet?

An internal network that connects separate LANs within a company, often using Internet technology

What is a field?

one piece of information

D: Cost effective.

Today organizations are using microcomputers for data presentation because microcomputer use, compared to mainframe use, is more A: Controllable. B: Conducive to data integrity. C: Reliable. D: Cost effective.

True or False? The task of creating meaningful test data is time-consuming.

True

Internal Control Flowchart

Used to describe, analyze, evaluate internal controls, including identifying system strengths, weaknesses, and inefficiencies.

What is shadow data?

Data tracked outside the official accounting system (IE vacation days)

Primary Activities in the Value Chain

Value chain activities that produce, market, and deliver products and services to customers and provide post-delivery service and support 1. Inbound logistics 2. Operations 3. Outbound logistics 4. Marketing and sales 5. Service

electronic data entry

Electronic data entry device such as a computer, terminal, tablet, or phone

B: Self.

Jim is responsible for setting system access parameters in Kentucky Fried Opossums' ERP system. Each month, he reviews any issues related to setting access parameters and writes a report about them. This type of monitoring is: A: Continuous. B: Self. C: Oversight. D: Supervisory.

What are the components of accounting information system.

People, procedures and instructions, data, software, information technology infrastructure and internal controls.

General controls

Make sure an organization's information system and control environment is stable and well managed

E-Mail Spoofing

Making a sender address and other parts of an e-mail header appear as though the e-mail originated from a different source

Compatibility Test

Matching the user's authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource
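The access control matrix and compatibility test described in the cards above, as an added Python example that is not part of the original cards. Every role, user, resource and action name here is constructed; a real system keeps the matrix in the application's authorization tables or a directory:

```python
"""Access control matrix, compatibility test, and a segregation-of-duties check.

Added example. The matrix answers "may this role do this action on this
resource?"; the compatibility test applies it to an authenticated user and
records denied attempts so management can be alerted.
"""
from datetime import datetime, timezone

# Constructed access control matrix: role -> resource -> permitted actions.
ACCESS_CONTROL_MATRIX = {
    "ap_clerk":      {"vendor_master": {"read"},           "payments": {"read", "create"}},
    "ap_supervisor": {"vendor_master": {"read", "update"}, "payments": {"read", "approve"}},
    "auditor":       {"vendor_master": {"read"},           "payments": {"read"}},
}

# Constructed directory of authenticated user ids and their assigned role.
USER_ROLES = {"jsmith": "ap_clerk", "mlee": "ap_supervisor", "rkhan": "auditor"}

# Denied attempts are logged for follow-up (the "alert managers" safeguard).
DENIED_LOG = []


def compatibility_test(user, resource, action):
    """Authorization step for an already-authenticated user. Default is deny."""
    role = USER_ROLES.get(user)                       # unknown user -> role None
    permitted = ACCESS_CONTROL_MATRIX.get(role, {}).get(resource, set())
    allowed = action in permitted
    if not allowed:
        DENIED_LOG.append((datetime.now(timezone.utc).isoformat(), user, resource, action))
    return allowed


def segregation_conflicts(matrix, conflicting=frozenset({"create", "approve"})):
    """Preventive check on the matrix itself: no single role may both create
    and approve the same resource (incompatible duties)."""
    return sorted((role, resource)
                  for role, perms in matrix.items()
                  for resource, actions in perms.items()
                  if conflicting <= actions)


if __name__ == "__main__":
    print(compatibility_test("jsmith", "payments", "create"))    # clerk may create
    print(compatibility_test("jsmith", "payments", "approve"))   # clerk may not approve
    print(compatibility_test("nobody", "payments", "read"))      # unknown user denied
    print("conflicts:", segregation_conflicts(ACCESS_CONTROL_MATRIX))
    print("denied attempts:", DENIED_LOG)
```

The default-deny shape matters: a user or resource missing from the matrix gets an empty permission set rather than an exception or an implicit allow.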

Which list shows the details of vendor shipments and expected receipts of products and components needed for an order?

"Materials requirements list." The materials requirements list shows the details of vendor shipments and expected receipts of products and components needed for the order.

Security Controls that prevent threats from occuring

People: creating a "security-aware" culture; training. Processes: user access controls (authentication and authorization). IT solutions: anti-malware; network access controls (firewalls, intrusion prevention systems, etc.); device and software hardening (configuration controls); encryption. Physical security: access controls (locks, guards, etc.). Change controls and change management.

Understandable

Presented in a useful and intelligible format

The Fraud Triangle

Pressure, Opportunity and Rationalization (POR)

inbound logistics, operations, outbound logistics, marketing and sales, service

Primary activities of the value chain

Information

Processed data used in decision making

Which test is used to determine that an application creates an adequate audit trail?

"Recording all transactions." Audit trail tests include obtaining evidence that the application records all transactions.

Turnaround document

Records of company data sent to an external party and then returned to the system as input. Turnaround documents are in machine-readable form to facilitate their subsequent processing as input records. An example is a utility bill.

Relevant

Reduces uncertainty, improves decision making, or confirms or corrects prior expectations

True or False? Rounding errors are an opportunity for fraud.

True

Verifiable Information

Two independent, knowledgeable people produce the same information.

Group Code

Two or more subgroups of digits that are used to code an item. A group code is often used in conjunction with a block code.

Spam

Unsolicited e-mail that contains either advertising or offensive content

Transaction found under the Revenue cycle

Update credit rating, sales, ship inventory, invoice customer.

Transaction found under Hr/Payroll

Update employee master data, employee time tracking, create tax slips, government reporting, calculate employee payroll.

What is lapping?

Use of customer checks, received in payment of their accounts, to conceal cash previously stolen by an employee.

Dictionary Attack

Using special software to guess company e-mail addresses and send them blank e-mail messages. Messages that are not returned usually indicate valid e-mail addresses that can be added to spammer e-mail lists. (In general security usage the same term means guessing passwords by trying each entry of a prepared word list; this card gives the e-mail harvesting sense.)

C: Skills inventory report.

What document is useful in determining which employee should be assigned a new job duty? A: U.S. form 941. B: Workforce inventory. C: Skills inventory report. D: Cumulative earnings register.

TRUE or FALSE - A DFD consists of the following 4 basic elements: data sources & destination, data flows, transformation processes, & data stores. Each is represented on a DFD by a different symbol

TRUE

Log Analysis

The process of examining logs to identify the evidence of possible attacks
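Log analysis as detection logic rather than a definition, as an added Python example that is not part of the original cards. The log lines are constructed in a syslog-like format; the thresholds are arbitrary choices for the illustration:

```python
"""Detect brute-force logins and a success following the burst in auth logs.

Added example. Parses constructed syslog-style lines, then applies a sliding
window per source IP: N or more failures within the window is an alert, and an
accepted login from that IP shortly after the burst is a stronger one.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z host1 sshd[2211]: Failed password for admin from 203.0.113.7 port 51122
2024-03-01T09:00:09Z host1 sshd[2211]: Failed password for admin from 203.0.113.7 port 51123
2024-03-01T09:00:17Z host1 sshd[2211]: Failed password for root from 203.0.113.7 port 51124
2024-03-01T09:00:25Z host1 sshd[2211]: Failed password for admin from 203.0.113.7 port 51125
2024-03-01T09:00:40Z host1 sshd[2211]: Failed password for admin from 203.0.113.7 port 51126
2024-03-01T09:01:05Z host1 sshd[2212]: Accepted password for admin from 203.0.113.7 port 51127
2024-03-01T09:02:00Z host1 cron[900]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-01T09:05:00Z host1 sshd[2240]: Failed password for jdoe from 198.51.100.4 port 40010
2024-03-01T09:10:30Z host1 sshd[2251]: Accepted password for jdoe from 192.0.2.9 port 40500
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse(log_text):
    """Return (timestamp, result, user, ip) tuples; non-auth lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window failure count per IP, plus success-after-failures."""
    findings = []
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[3]].append(ev)
    for ip, evs in by_ip.items():
        failures = [ts for ts, result, _, _ in evs if result == "Failed"]
        start, alerted = 0, False
        for end in range(len(failures)):
            while failures[end] - failures[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold and not alerted:
                findings.append({"type": "brute_force", "ip": ip,
                                 "count": end - start + 1, "last": failures[end]})
                alerted = True
        if alerted:
            last_fail = failures[-1]
            for ts, result, user, _ in evs:
                if result == "Accepted" and timedelta(0) <= ts - last_fail <= window:
                    findings.append({"type": "success_after_failures", "ip": ip,
                                     "user": user, "at": ts})
    return findings


if __name__ == "__main__":
    for finding in detect_brute_force(parse(SAMPLE_LOG)):
        print(finding)
```

The single failure from 198.51.100.4 never reaches the threshold and produces nothing; the burst from 203.0.113.7 produces one alert and, because an accepted login for `admin` follows it within the window, a second, higher-priority one.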

Patch Management

The process of regularly applying patches and updates to software

Address Resolution Protocol (ARP) Spoofing

Sending fake ARP messages to an Ethernet LAN. ARP is a computer networking protocol for determining a network host's hardware address when only its IP or network address is known

Information Rights Management (IRM)

Software that offers the capability not only to limit access to specific files or documents, but also to specify the actions (read, copy, print, download, etc.) that individuals who are granted access to that resource can perform. Some IRM software even has the capability to limit access privileges to a specific period of time and to remotely erase protected files.

Data Loss Prevention (DLP)

Software which works like antivirus programs in reverse, blocking outgoing messages (e-mail, instant messages, etc.) that contain key words or phrases associated with intellectual property or other sensitive data the organization wants to protect

Control Account

Title given to a general ledger account that summarizes the total amounts recorded in a subsidiary ledger

expenditure cycle

Which transaction cycle includes interactions between an organization and its suppliers: Revenue cycle, expenditure cycle, human resources/payroll cycle, General ledger and report system?

C: Revenue, financing

Which two cycles receive (get) cash? A: Expenditure, production B: Production, HR C: Revenue, financing D: Revenue, expenditure

how are data sources & destinations represented in a data flow diagram? a) square b) curved arrow c) circle d) 2 parallel lines e) none of the above

a) square

What is an example of a payroll system information technology (IT) control?

"Direct deposit." Direct deposit is an example of an IT control.

How an AIS can add value to an organization

1) improving the quality and reducing the costs of products or services 2) improving efficiency 3) sharing knowledge 4) improving the efficiency and effectiveness of its supply chain 5) improving the internal control structure 6) improving decision making

Six Components of an AIS

1) the people who use the system 2) the procedures and instructions used to collect, process, and store data 3) the data about the organization and its business activities 4) the software used to process the data 5) the information technology infrastructure, including the computers, peripheral devices, and network communications devices used in the AIS 6) the internal controls and security measures that safeguard AIS data

Enterprise Risk Management - Integrated Framework (ERM)

A COSO framework that improves the risk management process by expanding COSO's Internal Control—Integrated Framework (it adds three additional elements).

What are check digits?

A control digit (or digits) that is added to the data code when it is originally assigned. This allows the integrity of the code to be established during subsequent processing.
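A check digit worked through in Python, as an added example that is not part of the original cards. The card names no particular scheme, so the Luhn (mod 10) algorithm is used here as one common choice; it also shows the one keying error the scheme is known not to catch:

```python
"""Luhn (mod 10) check digit: assignment, validation, and its known blind spot.

Added example. Luhn detects every single-digit error and every transposition
of adjacent digits except swapping 0 and 9.
"""


def luhn_check_digit(payload: str) -> str:
    """Digit that makes payload + digit valid under Luhn."""
    if not payload.isdigit():
        raise ValueError("payload must be all digits")
    total = 0
    # Walk from the right; the digit next to the future check digit is doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def assign_code(payload: str) -> str:
    """Code as originally issued: payload plus its check digit."""
    return payload + luhn_check_digit(payload)


def luhn_valid(code: str) -> bool:
    """Validation during later processing: recompute and compare."""
    if not code.isdigit() or len(code) < 2:
        return False
    return luhn_check_digit(code[:-1]) == code[-1]


def missed_transpositions(code: str):
    """Left indices of adjacent swaps (of differing digits) that still validate."""
    missed = []
    for i in range(len(code) - 1):
        if code[i] == code[i + 1]:
            continue
        swapped = code[:i] + code[i + 1] + code[i] + code[i + 2:]
        if luhn_valid(swapped):
            missed.append(i)
    return missed


if __name__ == "__main__":
    code = assign_code("7992739871")          # constructed supplier-number payload
    print(code, luhn_valid(code))             # 79927398713 True
    print(luhn_valid("79927398731"))          # transposed last two digits: False
    print(luhn_valid("79927398113"))          # one digit mis-keyed: False
    print(missed_transpositions("12096"))     # the 0/9 swap slips through: [2]
```

The check digit protects against keying errors, not fraud: anyone who knows the scheme can compute a valid digit for a fabricated code, so it is an accuracy control rather than an authorization control.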

Remittance advice

A copy of sales invoice returned with a customers payment that indicates the invoices, statements, or other items being paid

post-sales service

Which of the following is a primary activity in the value chain: Purchasing, Accounting, Post-sales service, human resource management?

Deep Packet Inspection

A process that examines the data in the body of a TCP packet to control traffic, rather than looking only at the information in the IP and TCP headers

What is a balance sheet and what is the proper dating?

A statement of the assets, liabilities, and capital of a business or other organization at a particular point in time. The proper dating contains a specific date, rather than for a reporting range.

Prevention of employee collusion to commit fraud

Which of the following benefits is least likely to result form a system of internal controls? A. Reduction of cost of an external unit B. Prevention of employee collusion to commit fraud C. Availability of reliable data for decision making purposes D. Some assurance of compliance with the foreign corrupt practices act of 1977 E. some assurance that important documents and records are protected

9-9. which of these is not a typical part of a printed report using access

a. report header b. report footer c. navigation bar * d. detail line

which is an individual user's view of the database? a) conceptual-level schema b) external-level schema c) internal-level schema d) logical-level schema

b) external-level schema

6-2. The feasibility evaluation:

a. is completed prior to detailed systems design b. includes economic, schedule, technical, legal and operational feasibility *c. both a & b are true d. neither a nor b is true

13-13. segregation of duties is a fundamental concept in an effective system of internal control. But, the internal auditor must be aware that this safeguard can be compromised through:

a. lack of training of employees b. collusion among employees * c. irregular employee reviews d. absence of internal auditing

12-5. which of the following is a distinguishing characteristic of an enterprise-wide (ERP) system?

a. must be a hosted solution b. multiple databases c. integration of business functions * d. low cost

8-9. the difference between (1) using an update query and (2) updating a single record is:

a. nothing - same thing b. the first updates all selected records, the second only affects one record * c. the first updates more than one table, the second updates only one record d. none of these is correct

9-7. which of these best identifies the underlying data source for an Access report?

a. only tables b. only queries c. both tables and queries * d. tables, queries, and forms

An integrated group of programs that supports the applications and facilitates their access to specified resources is called a(n) a. operating system b. database management system c. utility system d. facility system e. none of the above

a. operating system

10-3. AIS reports should be consistent in at least three ways. Which of the following is NOT one of those ways?

a. over time b. across firms * c. across departmental or divisional levels d. with general accounting practice

Which of the following disaster recovery techniques may be least optimal in the case of a wide spread natural disaster? a. Empty shell b. Internally provided backup c. ROC d. They are all equally beneficial

c. ROC

5-4. document flowcharts would not be able to represent:

a. the flow of information when ordering office supplies b. the flow of information when hiring new employees c. the flow of info when creating orders for new magazine subs. *d. the logic in performing payroll processing

monitoring

ongoing basis for modification

the internal-level schema provides a high-level view of the database

which of the following statements is false: the data dictionary contains information about the structure of the database, the internal-level schema provides a high-level view of the database, the DDL is used to build the data dictionary, the conceptual-level schema is the organization-wide view of the entire database

Document Flowchart

which shows the flow of documents and information between departments or areas of responsibility

narrative description

written, step-by-step explanation of system components and how they interact

interest calculations are truncated at 2 decimal places, and the excess decimals are put into an account that the perpetrator controls. what is this fraud called? a) typosquatting b) URL hijacking c) chipping d) round-down fraud

d) round-down fraud
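Round-down fraud and the control that catches it, as an added Python example that is not part of the original cards (it also illustrates the later card that rounding errors are an opportunity for fraud). Balances, the interest rate and the account numbers are constructed:

```python
"""Round-down (salami) fraud on interest postings, and independent verification.

Added example. The honest run rounds each account's interest to the cent; the
fraudulent run truncates instead and sweeps the shaved fractions into an
account the perpetrator controls. A total-only batch control passes in both
cases; recomputing each posting catches the fraud.
"""
from decimal import Decimal, ROUND_HALF_EVEN, ROUND_DOWN

CENT = Decimal("0.01")
RATE = Decimal("0.005")          # constructed interest rate per period
SLUSH = "X9"                     # constructed account controlled by the perpetrator
BALANCES = {                     # constructed interest-bearing balances
    "A1": Decimal("1234.56"),
    "A2": Decimal("9876.54"),
    "A3": Decimal("555.55"),
}


def honest_postings(balances, rate):
    """Interest rounded to the nearest cent for every account."""
    return {acct: (bal * rate).quantize(CENT, rounding=ROUND_HALF_EVEN)
            for acct, bal in balances.items()}


def round_down_fraud(balances, rate, slush=SLUSH):
    """Truncate each posting and move the shaved fractions to the slush account."""
    postings, skimmed = {}, Decimal("0")
    for acct, bal in balances.items():
        exact = bal * rate
        posted = exact.quantize(CENT, rounding=ROUND_DOWN)
        postings[acct] = posted
        skimmed += exact - posted
    postings[slush] = skimmed
    return postings


def total_control(balances, rate, postings):
    """A total-only control: does interest posted equal interest accrued?"""
    return sum(postings.values()) == sum(bal * rate for bal in balances.values())


def independent_verification(balances, rate, postings):
    """Recompute every posting and flag mismatches or postings to unknown accounts."""
    expected = honest_postings(balances, rate)
    flagged = {}
    for acct, amount in postings.items():
        if acct not in balances:
            flagged[acct] = "posting to an account with no interest-bearing balance"
        elif amount != expected[acct]:
            flagged[acct] = f"posted {amount}, recomputed {expected[acct]}"
    return flagged


if __name__ == "__main__":
    fraud = round_down_fraud(BALANCES, RATE)
    print("fraudulent postings:", fraud)
    print("total control passes:", total_control(BALANCES, RATE, fraud))
    print("independent verification flags:", independent_verification(BALANCES, RATE, fraud))
```

The total control is satisfied because the fractions were moved, not destroyed; only recomputation at the account level shows that A3 was shorted a cent and that X9 received interest on no balance. In practice the skim per account is tiny and the perpetrator relies on nobody reconciling below the total.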

Which is NOT an advantage of an ERP system? a. Better access control b. Standardization of procedures & reports c. Improved monitoring capabilities d. Simplicity & reduced costs

d) simplicity & reduced costs

referential integrity rule

Ensures consistency between related tables: every foreign key value must either be null or match an existing primary key value in the table it references, so a row cannot point at a parent that does not exist and a referenced parent cannot be deleted while children point at it.
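Referential integrity enforced and then checked, as an added Python/SQLite example that is not part of the original cards. The customers and sales tables are constructed. One caveat worth knowing: SQLite does not enforce foreign keys unless the connection turns them on, so the example shows both settings:

```python
"""Referential integrity in SQLite: enforcement on, enforcement off, and a
detective query for orphan rows. Added example with a constructed schema."""
import sqlite3

SCHEMA = """
CREATE TABLE customers (
    customer_id INTEGER PRIMARY KEY,
    name        TEXT NOT NULL
);
CREATE TABLE sales (
    sale_id     INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(customer_id),
    amount      NUMERIC NOT NULL
);
"""


def open_db(enforce_fk: bool) -> sqlite3.Connection:
    """In-memory database; the PRAGMA must run before any transaction starts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"PRAGMA foreign_keys = {'ON' if enforce_fk else 'OFF'}")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customers VALUES (1, 'Acme Ltd')")   # constructed parent row
    return conn


def try_insert_orphan_sale(conn) -> bool:
    """Sale for a customer that does not exist. True means the DB accepted it."""
    try:
        conn.execute("INSERT INTO sales (customer_id, amount) VALUES (99, 250.00)")
        return True
    except sqlite3.IntegrityError:
        return False


def try_delete_referenced_customer(conn) -> bool:
    """Delete a customer who still has sales. True means the DB allowed it."""
    conn.execute("INSERT INTO sales (customer_id, amount) VALUES (1, 100.00)")
    try:
        conn.execute("DELETE FROM customers WHERE customer_id = 1")
        return True
    except sqlite3.IntegrityError:
        return False


def orphan_sales(conn):
    """Detective control: sales whose customer_id matches no customer."""
    return conn.execute(
        "SELECT s.sale_id FROM sales s "
        "LEFT JOIN customers c ON c.customer_id = s.customer_id "
        "WHERE c.customer_id IS NULL"
    ).fetchall()


if __name__ == "__main__":
    print("orphan accepted with FK on :", try_insert_orphan_sale(open_db(True)))
    print("orphan accepted with FK off:", try_insert_orphan_sale(open_db(False)))
    print("parent delete allowed, FK on:", try_delete_referenced_customer(open_db(True)))
    loose = open_db(False)
    try_insert_orphan_sale(loose)
    print("orphans found by query:", orphan_sales(loose))
```

The query at the end is what an auditor runs when the preventive control might not have been active (migrated data, bulk loads, a connection that forgot the PRAGMA).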

Biometric Identifier

A physical or behavioral characteristic that is used as an authentication credential

Zero-Day Attack

An attack that exploits a software vulnerability in the window between the time the vulnerability is discovered and released "into the wild" and the time the software developer releases a patch to fix it

section 404 report

Management AND independent auditors review and comment on the internal control system using an established framework

C: review its strategy and business objectives.

McDowell's fast food (motto: our hamburger buns got no sticky, icky sesame seeds!) determines that its financial performance for the recently ended year evidences a different risk profile than that which was expected. In response to this finding, the company should: A: expand its risk tolerance. B: revise its mission, vision, and core values. C: review its strategy and business objectives. D: reassess the costs and benefits of risk analysis.

SDLC

Methodology for designing, implementing, and maintaining an information system. Steps include: 1 Initiation/planning; 2. Requirements analysis; 3. Design; 4. Build; 5. Test; 6. Implementation; 7. Operations and maintenance

A: Desktop client, application, and database.

Most client/server applications operate on a three-tiered architecture consisting of which of the following layers? A: Desktop client, application, and database. B: Desktop client, software, and hardware. C: Desktop server, application, and database. D: Desktop server, software, and hardware.

coso internal control integrated framework

The framework most commonly used by management and independent auditors to evaluate internal control and risk management. Includes five components: control environment, risk assessment, control activities, information and communication, monitoring.

Private Key

One of the keys used in asymmetric encryption systems. It is kept secret and known only to the owner of that pair of public and private keys

Public Key

One of the keys used in asymmetric encryption systems. It is widely distributed and available to everyone.

Hash

A fixed-length value computed from plaintext by a one-way function (such as SHA-256). Changing even one bit of the input produces a different hash, and the input cannot be recovered from the hash.

Human resources

Recruiting, hiring, training, and compensating

Expected Loss

The mathematical product of the potential dollar loss that would occur should a threat become a reality (impact or exposure) and the risk or probability that the threat will occur (likelihood). Expected loss = Impact × Likelihood

Data Store

The place or medium the data is stored

B: Bill of materials

Which document lists the components needed in making a product? A: Inventory report B: Bill of materials C: Move ticket D: Operations list

B: Both

Which of the following statements of risk appetite related to factory floor accidents is acceptable? · "Low" · " < 3 per year" A: Neither B: Both C: "Low" but not " < 3 per year." D: " < 3 per year" but not "Low."

D: Review the cumulative earnings register.

Winifred, an internal auditor, wants to determine if employee pay rates are accurate. Her best strategy for accomplishing this goal is to A: Review W-2s. B: Review Form 941. C: Review W-3s. D: Review the cumulative earnings register.

which is a type of fraud in which later payments on acct are used to pay off earlier payments that were stolen? a) lapping b) kiting c) Ponzi scheme d) salami technique

a) lapping

Data differ from info in which way? a. Data are output and info is input b. Info is output and data are input c. Data are meaningful bits of info d. No difference

b. Info is output and data are input

balancing creativity and control

Belief system, boundary system, diagnostic control system, interactive control system

someone redirects a website's traffic to a bogus website, usually to gain access to personal & confidential info. what is this computer fraud technique called? a) vishing b) phising c) pharming d) phreaking

c) pharming

transformation process

circle

Which of the following is NOT an SDLC control issue during an audit? a. user and computer services management properly authorized the project b. a preliminary feasibility study showed that the project had merit c. a cost-benefit analysis was conducted using reasonably accurate values d. the detail deign was an appropriate and accurate solution to the user's problem e. all of the above are specific points for review

e. all of the above are specific points for review

What is XBRL?

eXtensible Business Reporting Language (XBRL) - Built on XML - computer readable format for financial statements

3NF

Third normal form: every non-key field depends on the whole primary key and nothing but the key (no partial or transitive dependencies); relationships between tables are carried by foreign keys where needed.

What are digital certificates?

electronic documents digitally signed by a trusted party certifying identity of owners

400

expenses

which task is part of the selecting and training personnel step of implementing an AIS?

experimenting with the new system in a controlled environment

Documentation

explains how a system works, including the who, what, when, where, why, and how of data entry, data processing, data storage, information output, and system controls. Popular means of documenting a system include diagrams, flowcharts, tables, and other graphical representations of data and information.

What is an access log?

file with information about each access to a file or website

insert anomaly

no way to store information about prospective customers until they actually make a purchase

What is WiFi?

wireless form of ethernet

Who oversees systems development?

"An internal steering committee." The internal steering committee oversees systems development.

A firewall is

"a system used to insulate an organization's intranet from the Internet." A firewall is a system used to insulate an organization's intranet from the Internet. It can be used to authenticate an outside user of the network, verify his or her level of access authority, and then direct the user to the program, data, or service requested. In addition to insulating the organization's network from external networks, firewalls can also be used to protect LANs from unauthorized internal access

The operating system is

"the computer's control program." The operating system is the computer's control program. It allows users and their applications to share and access common computer resources, such as processors, main memory, databases, and printers.

The goal of data processing is

"the production of useful information." Data is not information. Data is data. Data needs to be consolidated, processed, summarized and converted into information for management decision-making.

MOD 4- A copy of the purchase order (PO) is sent to the

"vendor." A copy of the purchase order (PO) is sent to the vendor. The purchase order is the formal document that tells the vendor what material is needed, at what price, in what quantity and on what date.

a check is prepared using data saved on a magnetic tape. which documentation tool represents this process?

*image* (represented by the magnetic tape symbol, a rectangular process symbol, and a document symbol)

this is an example of a simple program flowchart. which step is the decision point in the program?

*image* (represented by rhombus) 2

which MANUAL function does the MANAGEMENT dept (Susan) perform according to this flowchart?

*image* (represented by trapezoid) approve and sign checks

which query will list the city and zipcode, sorted in ASCENDING order by CITY, for all customers in MINNESOTA who purchased BLUE PENS?

*image* Criteria: "MN" for State (Minnesota) and "blue pen" for Item Description. Sort: Ascending on City. Show: checkboxes marked for Customer Name, City, and Zipcode.
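The same query written in SQL and run against a small constructed database, as an added Python/SQLite example that is not part of the original cards. Table and column names are assumptions chosen to mirror the card; the customer, item and sales rows are constructed:

```python
"""Customers in Minnesota who bought blue pens, sorted by city (added example)."""
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed three-table schema: customers, items, and the sales linking them."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE customers (
        customer_id INTEGER PRIMARY KEY, name TEXT, city TEXT, state TEXT, zipcode TEXT);
    CREATE TABLE items (item_id INTEGER PRIMARY KEY, description TEXT);
    CREATE TABLE sales (
        sale_id INTEGER PRIMARY KEY,
        customer_id INTEGER REFERENCES customers(customer_id),
        item_id INTEGER REFERENCES items(item_id),
        quantity INTEGER);
    """)
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?)", [
        (1, "Lakeside Office Supply", "Duluth",      "MN", "55802"),
        (2, "Northfield Books",       "Northfield",  "MN", "55057"),
        (3, "Twin Cities Print",      "Minneapolis", "MN", "55401"),
        (4, "Prairie Paper Co",       "Fargo",       "ND", "58102"),
    ])
    conn.executemany("INSERT INTO items VALUES (?,?)",
                     [(10, "blue pen"), (11, "red pen"), (12, "stapler")])
    conn.executemany("INSERT INTO sales VALUES (?,?,?,?)", [
        (100, 1, 10, 50),   # Duluth bought blue pens
        (101, 2, 11, 20),   # Northfield bought red pens only: excluded by item
        (102, 3, 10, 10),   # Minneapolis bought blue pens ...
        (103, 3, 10, 5),    # ... twice; DISTINCT keeps one row
        (104, 4, 10, 30),   # Fargo bought blue pens but is in ND: excluded by state
    ])
    return conn


# Criteria, sort and shown fields from the card, with parameters instead of literals.
QUERY = """
SELECT DISTINCT c.name, c.city, c.zipcode
FROM customers AS c
JOIN sales AS s ON s.customer_id = c.customer_id
JOIN items AS i ON i.item_id = s.item_id
WHERE c.state = ? AND i.description = ?
ORDER BY c.city ASC
"""


def customers_who_bought(conn, state="MN", item="blue pen"):
    """Name, city and zipcode of customers in `state` who bought `item`, by city."""
    return conn.execute(QUERY, (state, item)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for row in customers_who_bought(db):
        print(row)
```

The `?` placeholders are the point worth copying: the state and item values travel as bound parameters, so a value such as `MN' OR '1'='1` is compared as text rather than spliced into the SQL.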

Process for determining if the new AIS meets post-implementation objectives

- Does system meets goals and objectives? - Are users satisfied? - How have users benefited? - Is cost in line with expectation? - Is system reliable? - Does system produce accurate/complete data? - Is information timely? - Is system compatible with existing systems? - Does system have proper controls and security? - Are there proper error-handling procedures? - Has there been proper training? - Communications? - Are organizational changes beneficial or harmful? - Is system documentation complete and accurate?

Audit Planning

- Establish scope & objectives - Organize the audit team - Develop knowledge of business operations - Review prior audit results - identify risk factors - prepare an audit program.

Communication of Audit Results

- Formulate audit conclusions - Develop recommendations for management - Prepare audit report - Present audit results to management

Auditing Process

- Planning - Collecting evidence - Evaluating evidence - Communicating audit results

Strengths of Developing In-House AIS

- User creation, control, and implementation - Systems that meet user needs - Timeliness - Freeing up of systems resources - Versatility and ease of use

which two steps are part of the HRM/Payroll cycle? choose 2 answers

- adding new employees to the master database - recording rate changes for employees who have received raises

Evaluation of Audit Evidence

- assess quality of internal controls; - assess reliability of information; - consider need for additional evidence; - consider risk factors; - consider materiality factors; - document audit findings.

which two tasks are part of the process of auditing computer-based IS? choose 2 answers

- evaluating evidence in a systematic manner - providing recommendations for improvement

which two recommendations are included in a post-implementation review report? choose 2 answers

- improvements to the new system - improvements to the development process

which three actions are part of the revenue cycle? choose 3 answers

- initiating back orders for FG that are out of stock - approving credit sales of FG - receiving and answering customer inquiries

which two issues do IS auditors look for when they audit security provisions? choose 2 answers

- proper procedures for assigning user IDs - effective use of data encryption

Two steps in Data Input

1 Capture transaction data (each activity, resource affected, and people participating) 2 Verify captured data are accurate and complete

ERM is the process the board of directors and management use to set strategy, identify events that may affect the entity, assess and manage risks, and provide reasonable assurance that the company achieves its objectives and goals. What are the basic principles behind ERM?

1 Companies are formed to create value for their owners 2 Management must decide how much uncertainty it will accept as it creates value 3 Uncertainty results in risk 4 Uncertainty results in opportunity 5 The ERM framework can manage uncertainty as well as create and preserve value

Data Processing Model

1 Input Fraud 2 Processor Fraud 3 Computer Instructions Fraud 4 Data Fraud 5 Output Fraud

The Trust Services Framework organizes IT-related controls into five principles that jointly contribute to systems reliability:

1 Security 2 Confidentiality 3 Privacy 4 Processing Integrity 5 Availability

What are two fundamental information security concepts?

1 Security is a management issue, not just a technology issue 2 Defense-in-depth and the time-based model of information security

Statement on Auditing Standards (SAS) No. 99 (effective December 2002), requires auditors to:

1 Understand fraud 2 Discuss the risks of material fraudulent misstatements 3 Obtain information 4 Identify, assess, and respond to risks 5 Evaluate the results of their audit tests 6 Document and communicate findings 7 Incorporate a technology focus

What are the 10 internationally recognized best practices for protecting the privacy of customers' personal information set forth by GAPP?

1. Management 2. Notice 3. Choice and consent 4. Collection 5. Use and retention 6. Access 7. Disclosure to third parties 8. Security 9. Quality 10. Monitoring and enforcement

Control environment (factors)

1. Management's philosophy, operating style, and risk appetite 2. The board of directors 3. Commitment to integrity, ethical values, and competence 4. Organizational structure 5. Methods of assigning authority and responsibility 6. Human resource standards 7. External influences

What are advantages of shadow data?

1. convenience 2. ease of use 3. analytical tools available

What are disadvantages of a database management system?

1. cost 2. training 3. chance of breakdowns 4. audit trail may be obscured 5. specialized backup and recovery procedures

What are the costs involved when choosing new software?

1. cost of software 2. cost of hardware 3. cost of consultants (training staff) 4. maintenance/support 5. data translation

Steps in Expenditure Cycle

- Request goods and services be purchased - Prepare, approve, and send purchase orders to vendors - Receive goods/services and complete a receiving report - Store goods - Receive vendor invoices - Credit accounts payable / debit expense or inventory - Approve vendor invoices for payment - Pay vendors for goods and services - Debit accounts payable / credit cash - Handle purchase returns, discounts, and allowances - Prepare management reports - Send appropriate information to the other cycles

1. Which statement is not correct? The audit trail in a computerized environment a. consists of records that are stored sequentially in an audit file b. traces transactions from their source to their final disposition c. is a function of the quality and integrity of the application programs d. may take the form of pointers, indexes, and embedded keys

A

20. Run-to-run control totals can be used for all of the following except a. to ensure that all data input is validated b. to ensure that only transactions of a similar type are being processed c. to ensure the records are in sequence and are not missing d. to ensure that no transaction is omitted

A

27. Which statement is not true? a. An audit objective for systems maintenance is to detect unauthorized access to application databases. b. An audit objective for systems maintenance is to ensure that applications are free from errors. c. An audit objective for systems maintenance is to verify that user requests for maintenance reconcile to program version numbers. d. An audit objective for systems maintenance is to ensure that the production libraries are protected from unauthorized access.

A

Application controls are classified as A. input, processing, output B. input, processing, output, storage C. input, processing, output, control D. input, processing, output, storage, control E. collecting, sorting, summarizing, reporting

A

Audit Trail

A path that allows a transaction to be traced through a data processing system from point of origin to output or backwards from output to point of origin. It is used to check the accuracy and validity of ledger postings and to trace changes in general ledger accounts from their beginning balance to their ending balance.

a. a smurf attack.

A ping signal is used to initiate a. a smurf attack. b. Internet protocol spoofing. c. digital signature forging d. URL masquerading e. a SYN-ACK packet.

File

A set of logically related records, such as the payroll records of all employees.

Corporate governance

A set of processes and policy in managing an organization with ethics to safeguard the interest of its stakeholders.

Business process

A set of related, coordinated, and structured activities and tasks, performed by a person, computer, or machine, that help accomplish a specific organizational goal

A: Competence and objectivity.

According to the COSO framework, evaluators who monitor controls within an organization should have which of the following sets of characteristics? A: Competence and objectivity. B: Respect and judgment. C: Judgment and objectivity. D: Authority and responsibility.

Human resource/payroll cycle

Activities associated with hiring, training, compensating, evaluating, promoting, and terminating employees

Marketing and Sales

Activities help customers buy the organization's products or services

Technology

Activities improve a product/service

Service

Activities provide post-sale support to customers

A: Governance and Culture

Adventureland, a start-up Pittsburgh theme park, has a series of meetings with its investors, management, and employees to help identify its risk culture. This initiative most likely occurs as a part of which component in the ERM framework? A: Governance and Culture B: Performance C: Strategy and Objective-Setting D: Information, Communication, and Reporting

the test data is easily compiled

All of the following are advantages of the test data technique except a. auditors need minimal computer expertise to use this method b. this method causes minimal disruption to the firm's operations c. the test data is easily compiled d. the auditor obtains explicit evidence concerning application functions

What is phishing?

An attempt to trick someone into revealing his/her user name and password or confidential information

B: 1. risk range, 2. risk ceiling, 3. risk floor

An international manufacturing company has the following three statements in its enterprise risk management documents. Please identify the concepts in the COSO ERM framework that these statements best represent. 1. The annual acceptable number of factory accidents will be between zero and four. 2. We will not invest in cybercurrencies, e.g., bitcoin. 3. We commit to investing at least 15% of the capital budget in emerging artificial intelligence projects. A: 1. risk floor, 2. risk ceiling, 3. risk range B: 1. risk range, 2. risk ceiling, 3. risk floor C: 1. target risk, 2. risk ceiling, 3. risk range D: 1. risk floor, 2. risk ceiling, 3. target risk

SAS No. 99

Auditor responsibility (mnemonic: RISK) - understand the fraud - discuss risks of material misstatement - obtain information - identify, assess, and respond to risks - evaluate results of audit tests - document and communicate findings - incorporate a technology focus

7. Program testing a. involves individual modules only, not the full system b. requires creation of meaningful test data c. need not be repeated once the system is implemented d. is primarily concerned with usability

B

Computer applications use routines for checking the validity and accuracy of transaction data called a. operating systems. b. edit programs. c. compiler programs. d. integrated test facilities. e. compatibility tests.

B

How are transactions in real time processing systems edited? A. in a separate computer run B. in online mode as transactions are entered C. during a backup procedure D. not edited due to time constraints E. editing transactions in real time is not necessary

B

11. An example of a hash total is a. total payroll checks-$12,315 b. total number of employees-10 c. sum of the social security numbers-12,555,437,251 d. none of the above

C
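
Batch control totals in working form, as an added example that is not part of the original cards. It computes the three totals named in the question (a financial total over the pay amounts, a record count, and a hash total over SSNs, a field whose sum means nothing except as a control) and then performs a run-to-run comparison between totals carried forward from one processing step and totals recomputed after the next. The batch records are constructed for the example; amounts are in integer cents so that no float drift can masquerade as a control difference.

```python
# Constructed batch of payroll-check records (not from the original page):
# employee number, SSN held as an integer so it can be summed, pay in cents.
BATCH = [
    {"emp": 1001, "ssn": 123456789, "cents": 152000},
    {"emp": 1002, "ssn": 234567890, "cents": 98750},
    {"emp": 1003, "ssn": 345678901, "cents": 210025},
]


def batch_totals(records: list) -> dict:
    """The three classic batch totals.

    record_count    - number of records ("total number of employees")
    financial_total - sum of a money field ("total payroll checks")
    hash_total      - sum of a field with no business meaning (SSNs); it exists only
                      so that a changed or substituted record shows up as a difference.
    """
    return {
        "record_count": len(records),
        "financial_total": sum(r["cents"] for r in records),
        "hash_total": sum(r["ssn"] for r in records),
    }


def run_to_run_diff(carried_forward: dict, recomputed: dict) -> list:
    """Run-to-run control: totals passed from the previous run must equal totals
    recomputed after this run. Returns the names of the totals that disagree."""
    return sorted(k for k in carried_forward if carried_forward[k] != recomputed[k])


def process(records: list) -> list:
    """Stand-in for a processing run that must leave the batch intact."""
    return [dict(r) for r in records]


def lost_record(records: list) -> list:
    """Simulated failure: the first record is dropped between runs."""
    return [dict(r) for r in records[1:]]


def ssn_typo(records: list) -> list:
    """Simulated failure: one SSN is transposed; count and money are unchanged,
    so only the hash total can reveal it."""
    out = [dict(r) for r in records]
    out[0]["ssn"] = 123456798
    return out


if __name__ == "__main__":
    before = batch_totals(BATCH)
    print("clean run   :", run_to_run_diff(before, batch_totals(process(BATCH))))
    print("lost record :", run_to_run_diff(before, batch_totals(lost_record(BATCH))))
    print("ssn typo    :", run_to_run_diff(before, batch_totals(ssn_typo(BATCH))))
```

Note what the totals cannot see: two pay amounts swapped between employees leaves every total unchanged, which is why run-to-run totals are paired with sequence checks and per-record edit checks rather than relied on alone.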

16. The employee entered "40" in the "hours worked per day" field. Which check would detect this unintentional error? a. numeric/alphabetic data check b. sign check c. limit check d. missing data check

C

21. Methods used to maintain an audit trail in a computerized environment include all of the following except a. transaction logs b. Transaction Listings. c. data encryption d. log of automatic transactions

C

23. Which statement is not correct? a. only successful transactions are recorded on a transaction log b. unsuccessful transactions are recorded in an error file c. a transaction log is a temporary file d. a hardcopy transaction listing is provided to users

C

24. Input controls include all of the following except a. check digits b. Limit check. c. spooling check d. missing data check

C

26. Which test of controls will provide evidence that the system as originally implemented was free from material errors and free from fraud? Review of the documentation indicates that a. a cost-benefit analysis was conducted b. the detailed design was an appropriate solution to the user's problem c. tests were conducted at the individual module and total system levels prior to implementation d. problems detected during the conversion period were corrected in the maintenance phase

C

33. All of the following are advantages of the test data technique except a. auditors need minimal computer expertise to use this method b. this method causes minimal disruption to the firm's operations c. the test data is easily compiled d. the auditor obtains explicit evidence concerning application functions

C

5. Which control is not a part of the source program library management system? a. using passwords to limit access to application programs b. assigning a test name to all programs undergoing maintenance c. combining access to the development and maintenance test libraries d. assigning version numbers to programs to record program modifications

C

6. Which control ensures that production files cannot be accessed without specific permission? a. Database Management System b. Recovery Operations Function c. Source Program Library Management System d. Computer Services Function

C

8. The correct purchase order number, 123456, was incorrectly recorded as shown in the solutions. All of the following are transcription errors except a. 1234567 b. 12345 c. 124356 d. 123454

C

A control designed to validate a transaction at the point of data entry is a. recalculation of a batch total. b. a record count. c. a check digit. d. checkpoints. e. recalculation of hash total

C
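
A check digit applied to the purchase order number from question 8, as an added example that is not from the original cards. It appends a mod-10 (Luhn) digit to the body 123456 and then shows the point-of-entry validation rejecting each of the erroneous entries in that question: a wrong digit (123454), a transposition (124356), and the dropped or added digit that also fails the length test. The seven-digit PO length is an assumption for the example.

```python
def luhn_check_digit(body: str) -> str:
    """Mod-10 (Luhn) check digit for a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit, starting from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return str((10 - total % 10) % 10)


def make_po_number(body: str) -> str:
    """Issue a PO number: body plus its check digit."""
    return body + luhn_check_digit(body)


def validate_po_number(entered: str, length: int = 7) -> bool:
    """Point-of-entry control: right length, digits only, check digit recomputes.
    The length test catches dropped/added digits; the check digit catches any
    single wrong digit and adjacent transpositions (except 09 <-> 90)."""
    if len(entered) != length or not entered.isdigit():
        return False
    return luhn_check_digit(entered[:-1]) == entered[-1]


if __name__ == "__main__":
    good = make_po_number("123456")          # -> "1234566"
    for attempt in (good, "1234546", "1243566", "123456", "12345676"):
        print(attempt, validate_po_number(attempt))
```

The check digit is a validity test on the identifier alone; it says nothing about whether PO 123456 exists, which is the job of a separate validity check against the open-PO file.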

An electronic walk-through of the application's internal logic is called a. a salami logic test. b. an integrated test. c. tracing. d. a logic bomb test.

C

Ensuring that all material transactions processed by the information system are valid and in accordance with management's objectives is an example of A. transaction authorization B. supervision C. accounting records D. independent verification

C

What is the process for posting to accounting records in a computer system? A. master file is updated to a transaction file B. master file is updated to an index file C. transaction file is updated to a master file D. master file is updated to a year-to-date file E. current balance file is updated to an index file

C

Which of the following is NOT a common type of white box test of controls? a. completeness tests b. redundancy tests c. inference tests d. authenticity tests

C

D: Engage the owner in direct participation in the activities, including financial record-keeping, of the business.

Checkpoint auto leasing is a small company with six employees. The best action that it can take to increase its internal control effectiveness is A: Hire temporary employees to aid in the segregation of duties. B: Hire a bookkeeper to perform monthly "write up" work. C: Clearly delegate responsibilities to each employee for the functions that they are assigned. D: Engage the owner in direct participation in the activities, including financial record-keeping, of the business.

3. Describe software that may be used for auditing.

Computer-Assisted Audit Techniques (CAATs) refer to audit software, often called Generalized Audit Software (GAS), that uses auditor-supplied specifications to generate a program that performs audit functions, thereby automating or simplifying the audit process. Two of the most popular software packages are: a. Audit Command Language (ACL) and b. Interactive Data Extraction and Analysis (IDEA). CAATs are ideally suited for examining large data files to identify records needing further audit scrutiny.

D: processes and controls; data management architecture

Consider the following two descriptions: 1. They help an entity create and maintain reliable data. 2. They include models, policies, rules, or standards that determine which data is collected and how it is stored, arranged, integrated, and used in systems and in the organization. In relation to COSO's ERM framework related to leveraging information systems, statement 1 relates to ______________ while statement 2 relates to ____________________. A: data and information governance; processes and controls B: data and information governance; data management architecture C: processes and controls; data and information governance D: processes and controls; data management architecture

Report writer

DBMS language that simplifies report creation

What are secondary storage devices?

DVD, flash drives, etc

Asymmetric Encryption Systems

Encryption systems that use two keys (one public, the other private); either key can encrypt, but only the other matching key can decrypt

Mnemonic Code

Letters and numbers that are interspersed to identify an item. The mnemonic code is derived from the description of the item and is usually easy to memorize

What are examples of preventative controls?

- People: creating a "security aware" culture and training - Processes: user access controls - IT solutions: anti-malware, network access controls (firewalls, intrusion prevention systems, etc.), device and software hardening (configuration controls), encryption - Physical security: access controls (locks, guards, etc.) - Change controls and change management

Information overload causes

- Personal factors - Information characteristics - Task and process parameters - Organizational design - Information technology

What is a database?

Physical repository for financial data

B: Reducing the likelihood of the theft of payroll payments.

Requiring direct deposits instead of paying employees by checks improves accounting controls by: A: Separating duties in cash receipts. B: Reducing the likelihood of the theft of payroll payments. C: Facilitating advanced analytics of payroll data. D: Reducing the risk of violations of employment law.

Financial electronic data interchange (FEDI)

The combination of EFT and EDI that enables both remittance data and funds transfer instructions to be included in one electronic package

Data Store

The place or medium where system data is stored

Field

The portion of a data record where the data value for a particular attribute is stored

Verifiable

Two independent, knowledgeable people produce the same information

sequence check

Which check is NOT a file interrogation? A. header label B. expiration date check C. sequence check D. version check

Data Flow Diagram (DFD)

a graphical description of the flow of data within an organization, including data sources/destinations, data flows, transformation processes, and data storage

11-7. which of the following automated systems help minimize inventory costs?

a. JIT systems * b. ABC systems c. job order costing systems d. process costing systems

9-1. in access, you can use a form to perform all the following tasks except:

a. create a new record in a specific table b. change the information in an existing record of a table c. view the information from many different records sequentially d. all of these are tasks that can be performed with an access form*

7-1. which of these does not characterize a typical database?

a. large number of records b. irreplaceable data c. high need for accuracy d. simple systems *

14-9. Organizations use ______ controls to prevent, detect, and correct errors and irregularities in transactions that are processed.

a. specific b. general c. application * d. input

Computer fraud can be categorized using the...

data processing model

Internal controls related to XBRL - Risk of tagging errors

electronic review independent review after tagging periodic user training

2.5 question (F-G) Which of the following actions update a master file and which would be stored as a record in a transaction file?

f. Record production variances and g. Record sales commissions are both stored as records in a transaction file (they record events that occurred; they do not change standing data). The full list of items in the question: a. Update customer address change b. Update unit pricing information c. Record daily sales d. Record payroll checks e. Change employee pay rates f. Record production variances g. Record sales commissions h. Change employee office location i. Update accounts payable balance j. Change customer credit limit k. Change vendor payment discount terms l. Record purchases

Access Control Matrix

is a table used to implement authorization controls
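
An access control matrix implemented as code, as an added example that is not part of the original card. Rows are subjects, columns are objects, and each cell holds the actions that subject may perform on that object; anything not listed is denied. Because the matrix is data, it can also be audited mechanically: the second function scans it for a pair of duties that should never sit with one subject. The subjects, objects, and the incompatible-duty pair are constructed for the example.

```python
# Constructed matrix (not from the original page): subject -> object -> allowed actions.
ACM = {
    "ap_clerk":   {"vendor_master": {"read"}, "invoice_file": {"read", "write"}},
    "treasurer":  {"invoice_file": {"read"}, "check_run": {"execute"}},
    "purchasing": {"vendor_master": {"read", "write"}},
}

# Assumed segregation-of-duties rule for the example: whoever can add or change
# vendors must not also be able to release payments.
INCOMPATIBLE = [(("vendor_master", "write"), ("check_run", "execute"))]


def authorized(acm: dict, subject: str, obj: str, action: str) -> bool:
    """Default deny: an unknown subject, object, or action yields False."""
    return action in acm.get(subject, {}).get(obj, set())


def sod_violations(acm: dict) -> list:
    """Subjects holding both halves of an incompatible-duty pair."""
    found = []
    for subject, perms in acm.items():
        for (obj1, act1), (obj2, act2) in INCOMPATIBLE:
            if act1 in perms.get(obj1, set()) and act2 in perms.get(obj2, set()):
                found.append((subject, f"{obj1}:{act1}", f"{obj2}:{act2}"))
    return found


def grant(acm: dict, subject: str, obj: str, action: str) -> dict:
    """Return a copy of the matrix with one more right added (the original is untouched)."""
    new = {s: {o: set(a) for o, a in objs.items()} for s, objs in acm.items()}
    new.setdefault(subject, {}).setdefault(obj, set()).add(action)
    return new


if __name__ == "__main__":
    print(authorized(ACM, "ap_clerk", "invoice_file", "write"))   # True
    print(authorized(ACM, "ap_clerk", "check_run", "execute"))    # False
    print(sod_violations(grant(ACM, "treasurer", "vendor_master", "write")))
```

Every authorization decision goes through `authorized`, and every change to rights goes through `grant`, so a review of the matrix plus its change history is a review of who could do what and when.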

What is bluetooth?

networking standard for small personal area networks

database

set of interrelated, centrally coordinated data files that are stored with as little data redundancy as possible

Carter's Taxonomy- Target

targets the system or its data

Digital Envelope

A method that blends symmetric and asymmetric encryption: the message is encrypted with a one-time symmetric key, and that key is encrypted with the recipient's public key and sent along with the ciphertext

which action improves data accuracy during the data input process?

using prenumbered source data

What is the purpose of authorized vendors?

" To reduce fraud." The purpose of authorized vendors is to reduce vendor fraud schemes.

What are sources for researching software?

1. internet 2. recommendations form similar businesses 3. trade journals 4. trade shows 5. auditors/CPA firm

Big Data

a collection of data from traditional and digital sources inside and outside your company that represents a source for ongoing discovery and analysis

which tool shows the flow of bills of lading and packing slips between the shipping department and the A/R department?

a document flowchart

Foreign key

an attribute in a table that is also a primary key in another table; used to link the two tables (Customer # in attached table is the primary key in the customer table and a foreign key in the sales table)

document

an electronic or paper document or report

Preventive Controls

deter problems before they arise

Which condition of the Safe Harbor Agreement addresses the privacy concern related to the purposes for which an organization collects and uses information?

" Notice." An organization must provide individuals with clear notice of "the purposes for which it collects and uses information about them and the types of third parties to which it discloses the information."

If a firm purchases an accounts payable module, which type of system is it purchasing?

" General accounting system." Accounts payable is an example of a general accounting system module.

Chart of Accounts

A listing of all the numbers assigned to the balance sheet and income statement accounts

System Flowchart

A logical representation of system inputs, processes and outputs

Tuple

A row in a table that contains data about a specific item in a database table

17. An inventory record indicates that 12 items of a specific product are on hand. A customer purchased two of the items, but when recording the order, the data entry clerk mistakenly entered 20 items sold. Which check could detect this error? a. numeric/alphabetic data checks b. limit check c. range check d. reasonableness check

B
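
The edit checks from questions 16 and 17 (and the others listed in question 24) as a small rules table run over a transaction record, added here as an example that is not part of the original cards. Each rule is a predicate on the record; the validator returns the names of the rules that fail, so the 40-hour day trips the limit check and the 20 items sold against 12 on hand trips the reasonableness check. The record layout and the pay-rate bounds are assumptions for the example.

```python
REQUIRED = ("employee_id", "hours_per_day", "pay_rate", "amount", "qty_sold", "on_hand")
HOURS_PER_DAY_LIMIT = 24            # limit check: a fixed upper bound
PAY_RATE_RANGE = (7.25, 95.00)      # range check: assumed policy bounds for the example

# Each rule returns True when the record passes. Order matters only for readability.
RULES = [
    ("missing data check",
     lambda r: all(r.get(f) not in (None, "") for f in REQUIRED)),
    ("numeric/alphabetic data check",      # employee IDs are all digits
     lambda r: str(r.get("employee_id", "")).isdigit()),
    ("sign check",                         # pay amounts are never negative
     lambda r: r.get("amount", 0) >= 0),
    ("limit check",                        # hours cannot exceed a day
     lambda r: r.get("hours_per_day", 0) <= HOURS_PER_DAY_LIMIT),
    ("range check",                        # rate must fall inside policy bounds
     lambda r: PAY_RATE_RANGE[0] <= r.get("pay_rate", 0) <= PAY_RATE_RANGE[1]),
    ("reasonableness check",               # cannot sell more than is on hand
     lambda r: r.get("qty_sold", 0) <= r.get("on_hand", 0)),
]


def edit_checks(record: dict) -> list:
    """Names of the edit checks this record fails; an empty list means it passes."""
    return [name for name, passes in RULES if not passes(record)]


# Constructed, valid record (not from the original page) that the tests vary.
GOOD = {"employee_id": "1001", "hours_per_day": 8, "pay_rate": 20.0,
        "amount": 160.0, "qty_sold": 2, "on_hand": 12}


if __name__ == "__main__":
    print(edit_checks({**GOOD, "hours_per_day": 40}))   # ['limit check']
    print(edit_checks({**GOOD, "qty_sold": 20}))        # ['reasonableness check']
```

A limit check compares against a fixed ceiling; a reasonableness check compares two fields of the same record (or the record against the master file), which is why 20 sold out of 12 on hand is caught only by the latter.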

entity integrity rule

Every row in every relation must represent data about some specific object in the real world; the primary key cannot be null, and each table must have a primary key.
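
Entity integrity and the foreign-key link between a customer table and a sales table, enforced by the database rather than by application code. This is an added example, not part of the original cards; the table layout is constructed. It shows the null-key and duplicate-key inserts being refused, an invoice that points at a non-existent customer being refused, and a customer that still has invoices being protected from deletion. One SQLite-specific caveat is handled in the schema: an `INTEGER PRIMARY KEY` column silently assigns a row id when given NULL, so a text key is used to make the null rejection visible, and foreign keys are only checked once the pragma is switched on.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")   # SQLite ignores FK constraints until asked
    con.executescript("""
        CREATE TABLE customer(
            customer_no TEXT PRIMARY KEY NOT NULL,   -- entity integrity: unique, never NULL
            name        TEXT NOT NULL
        );
        CREATE TABLE sales(
            invoice_no  TEXT PRIMARY KEY NOT NULL,
            customer_no TEXT NOT NULL REFERENCES customer(customer_no)   -- foreign key
        );
    """)
    return con


def _try(con: sqlite3.Connection, sql: str, params: tuple) -> bool:
    """Run one statement inside a transaction; False if the database refuses it."""
    try:
        with con:
            con.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False


def insert_customer(con, customer_no, name) -> bool:
    return _try(con, "INSERT INTO customer VALUES (?, ?)", (customer_no, name))


def insert_sale(con, invoice_no, customer_no) -> bool:
    return _try(con, "INSERT INTO sales VALUES (?, ?)", (invoice_no, customer_no))


def delete_customer(con, customer_no) -> bool:
    return _try(con, "DELETE FROM customer WHERE customer_no = ?", (customer_no,))


def demo() -> list:
    """The sequence of outcomes a reader should expect, in order."""
    con = make_db()
    return [
        insert_customer(con, "C100", "Ann Lee"),     # True : valid row
        insert_customer(con, None, "No key"),        # False: primary key may not be NULL
        insert_customer(con, "C100", "Duplicate"),   # False: primary key must be unique
        insert_sale(con, "INV1", "C100"),            # True : foreign key resolves
        insert_sale(con, "INV2", "C999"),            # False: no such customer
        delete_customer(con, "C100"),                # False: INV1 still references it
    ]


if __name__ == "__main__":
    print(demo())
```

The `with con:` block matters: a refused statement rolls back cleanly instead of leaving a half-applied transaction open on the connection.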

Financial Audit

examination of the reliability and integrity of financial transactions, accounting records, and financial statements

Control Activities

policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out.

recording

preparing source documents; entering data into online systems; maintaining journals, ledgers, files, or databases; preparing reconciliations; and preparing performance reports

preventing/detecting fraud

- make fraud less likely to occur (culture) - increase the difficulty of committing fraud (controls) - improve detection methods (auditors) - reduce fraud losses (insurance)

Limitations of purchasing/renting an AIS

- Canned software may not meet all of a company's information needs

Information needed to acquire capital

- Cash flow projections - Pro Forma financial statements - Loan amortization schedule

Strengths of purchasing/renting an AIS

- Companies can rent software from application service providers (ASPs), who deliver software over the Internet. - This provides scalability as the business grows and global access to information - Automates software upgrades; reducing software costs and administrative overhead - Software can be test driven - Some physical design, implementation, and conversion steps can be omitted.

Corrective Controls

- Computer incident response teams (CIRT) - Chief information security officer (CISO) - Patch management

Auditing Software

- Computer-Assisted audit techniques (CAATs) or generalized audit software (GAS)

Production Cycle Steps

- Design products - Forecast, plan, and schedule production - Request raw materials for production - Manufacture products - Store finished products - Accumulate costs for products manufactured - Prepare management reports - Send appropriate information to the other cycles

Financing Cycle

- Forecast cash needs - Sell stock/securities to investors - Borrow money from lenders - Pay dividends to investors and interest to lenders - Retire debt - Prepare management reports - Send appropriate information to the other cycles

Steps to Implement an AIS

- Implementation Planning - Select and Train Personnel - Prepare Site; Install and Test Hardware - Complete Documentation - Test System - Conversion

Challenges of outsourcing an AIS

- Inflexibility on contract terms - Loss of control - Reduced competitive advantage - Locked-in system - Unfulfilled goals - Poor service - Increased risk

What is the SDLC (System development life cycle)?

A DITTO - System Analysis - Design - Implementation and Conversion - Training - Testing - Operations and maintenance

Transaction File

A file that contains the individual business transactions that occur during a specific fiscal period

Cross-footing balance test

A processing control which verifies accuracy by comparing two alternative ways of calculating the same total.
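
A cross-footing balance test over a constructed payroll register, added as an example that is not part of the original card. Every row must foot (gross minus deductions equals net) and the column totals must agree with each other the same way; the grand total of net pay is therefore reached by two independent routes, down the net column and across the gross and deduction columns, and the test passes only when both routes land on the same figure.

```python
# Constructed payroll register in cents (not from the original page).
REGISTER = [
    {"emp": 1001, "gross": 152000, "deductions": 38000, "net": 114000},
    {"emp": 1002, "gross": 98750,  "deductions": 21250, "net": 77500},
    {"emp": 1003, "gross": 210025, "deductions": 60025, "net": 150000},
]
COLUMNS = ("gross", "deductions", "net")


def column_totals(rows: list) -> dict:
    """Foot each column."""
    return {c: sum(r[c] for r in rows) for c in COLUMNS}


def cross_foot(rows: list) -> bool:
    """True when every row foots and the column totals foot to the same net."""
    rows_ok = all(r["gross"] - r["deductions"] == r["net"] for r in rows)
    cols = column_totals(rows)
    return rows_ok and cols["gross"] - cols["deductions"] == cols["net"]


def altered(rows: list, emp: int, **changes) -> list:
    """Copy of the register with one employee's fields changed (for the tests)."""
    return [dict(r, **changes) if r["emp"] == emp else dict(r) for r in rows]


if __name__ == "__main__":
    print(cross_foot(REGISTER))                                        # True
    print(cross_foot(altered(REGISTER, 1002, net=77600)))              # False: row does not foot
    print(cross_foot(altered(REGISTER, 1002, gross=98850, net=77600))) # True: consistent change
```

The third call is the caveat: a change made consistently across gross and net still cross-foots, so this control catches processing and transcription errors, not a deliberate, internally consistent alteration of a record.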

manual operation

A processing operation performed manually

Exploit

A program designed to take advantage of a known vulnerability

Data Masking

A program that protects privacy by replacing personal information with fake values
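
Data masking for a test or analytics copy of a payroll file, as an added example that is not part of the original card. Names and SSNs are replaced with fake values that keep the original format (so downstream code still parses them) and are derived with a keyed HMAC, so the same real SSN always maps to the same fake one and joins across tables survive masking, while the mapping cannot be reversed without the key. Pay fields are left intact so the masked copy remains useful for analysis. The key and the sample record are constructed for the example.

```python
import hashlib
import hmac
import re

# Assumed per-environment secret for the example; it must never be stored with
# the masked copy, otherwise the pseudonyms become reversible by brute force.
MASK_KEY = b"constructed-example-key-rotate-me"
SSN_FORMAT = re.compile(r"\d{3}-\d{2}-\d{4}")


def _mac(value: str, key: bytes) -> bytes:
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()


def mask_ssn(ssn: str, key: bytes = MASK_KEY) -> str:
    """Format-preserving pseudonym: nine HMAC-derived digits in NNN-NN-NNNN layout."""
    digits = "".join(str(b % 10) for b in _mac(ssn, key)[:9])
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def mask_name(name: str, key: bytes = MASK_KEY) -> str:
    """Opaque but stable label in place of a real name."""
    return "EMP-" + _mac(name, key).hex()[:8]


def mask_record(rec: dict, key: bytes = MASK_KEY) -> dict:
    """Return a masked copy; only the identifying fields change."""
    out = dict(rec)
    out["name"] = mask_name(rec["name"], key)
    out["ssn"] = mask_ssn(rec["ssn"], key)
    return out


def looks_like_ssn(value: str) -> bool:
    return SSN_FORMAT.fullmatch(value) is not None


# Constructed sample record (not from the original page).
SAMPLE = {"emp": 1001, "name": "Ann Lee", "ssn": "123-45-6789", "cents": 152000}


if __name__ == "__main__":
    print(mask_record(SAMPLE))
```

A plain hash without a key would not do here: SSNs have only a billion possible values, so anyone with the masked file could recover the originals by hashing every candidate. The key moves that attack from the file to the key holder.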

UNIT 5 FORM B - A type of backbone, enterprise resource planning (ERP), offers a vast array of modules for dealing with almost every conceivable business process. What is a major drawback of a system with such extensive customization?

" A drawback of extensive customization is expense." Customizing a commercial system can be expensive.

How do inventory control functions adjust inventory at the time of a return?

"A credit memo issues automatically." An approved credit memo triggers the system to adjust the inventory when items are returned.

Primary Key

Database attribute, or combination of attributes, that uniquely identifies each row in a table. Usually the primary key is a single attribute; in some tables two or more attributes are needed to uniquely identify a specific row. It can't be null.

Data Coding Schemes

Involves creating simple numeric or alphabetic codes to represent complex economic phenomena that facilitate efficient data processing.

Which is NOT a means by which info improves decision making? a. Increases info overload b. Reduces uncertainty c. Provides feedback about the effectiveness of prior decisions d. Identifies situations requiring management action

a) Increases info overload

increased error rates, disruptions, and sabotage are examples of which of the following? a) aggression b) avoidance c) projection d) payback

a) aggression

which causes the majority of computer security problems? a) human errors b) software errors c) natural disasters d) power outages

a) human errors

once fraud has occurred, which of the following will reduce fraud losses? SELECT ALL THAT APPLY a) insurance b) regular backup of data & programs c) contingency plan d) segregation of duties

a) insurance, b) regular backup, c) contingency plan

which of the following conditions is/are usually necessary for a fraud to occur? SELECT ALL THAT APPLY a) pressure b) opportunity c) explanation d) rationalization

a) pressure, b) opportunity, d) rationalization

5-5. which of the following is NOT true about system-flowcharts?

a. they can depict the flow of information in computerized AISs b. they use standardized symbols *c. they cannot show how documents flow in an AIS d. they often document an audit trail

3-3. what is it called when someone intentionally changes data before, during, or after they are entered into a computer (with the intent to illegally obtain information or assets)?

a. trojan horse b. logic bomb *c. data diddling d. a cookie

13-7. COSO recommends that firms _____________ to determine whether they should implement a specific control.

a. use cost-benefit analysis * b. conduct a risk assessment c. consult with the internal auditors d. identify objectives

5-7. the sandwich rule states that:

a. you should only create logic diagrams that have some "meat" in them b. every diagram should have a cover page and a summary page *c. a processing symbol should be between an input and an output symbol d. avoid showing error routines or similar exception tasks

Which of the following is NOT a test for identifying application control errors? a. access tests b. user acceptance tests c. field tests d. range tests e. all of the above

b. user acceptance tests

Administrative Internal Controls

badges, security policy, training, reviews, supervision, procedures manuals, password strength, rotation policies

What is a denial-of-service attack?

one computer (or group) bombards another computer with a flood of network traffic, causing it to eventually be overwhelmed and crash

General Ledger/Financial Reporting System

System that produces traditional financial statements, such as income statements, balance sheets, statements of cash flows, tax returns, and other reports required by law. This type of reporting is called nondiscretionary reporting because the organization has few or no choices in the information it provides.

Production Cycle

The recurring set of business activities and related data processing operations associated with the manufacture of products.

B: Analyze transactions.

Which of the following steps in the accounting cycle comes before posting entries to accounts? A: Journalize closing entries. B: Analyze transactions. C: Prepare reports. D: Prepare post-closing trial balance.

C: File.

Which of the following structures refers to the collection of data for all vendors in a relational data base? A: Record. B: Field. C: File. D: Byte.

C: Online.

Which of the following transaction processing modes provides the most accurate and complete information for decision making? A: Batch. B: Distributed. C: Online. D: Application.

Batch Processing

Processing transactions in a group without user interaction, e.g. Payroll Check

What is a CPU?

Central Processing Unit

Basic Activities of Revenue Cycle

1. sales order entry 2. shipping 3. billing 4. cash collections

Understandable

Presented in a useful and intelligible format

Decryption

Transforming ciphertext back into plaintext

100

assets

input

directions of computer instructions transferring data that should not be there

What is transmission media?

physical path between nodes on a network

What are output devices?

printer, speaker, computer screen/monitor

gross profit

net sales (sales less returns, allowances, and discounts) minus cost of goods sold

What does the letter N in an inverted triangle mean in a system flowchart?

"It is a temporary file using a numeric filing system." The inverted triangle means that it is a temporary file and the N means that it uses a numeric filing system.

UNIT 3 FORM A - Which item reflects vital information such as quantities and unit prices?

"Sales order." The sales order contains vital information such as unit prices and quantities.

What exemplifies the use of continuous auditing?

"Searching electronic transactions for anomalies." An intelligent control agent searches electronic transactions for anomalies.

The systems development process constitutes

"a set of activities by which organizations obtain IT-based information systems." The systems development process constitutes a set of activities by which organizations obtain IT-based information systems. Systems development is like any manufacturing process that produces a complex product through a series of stages.

In contrast to a real-time system, in a batch processing system

"there is a lag between the time when the economic event occurs and the time when the financial records are updated." Batch systems group transactions and process them when it is most efficient, often on an hourly, daily, or weekly basis. Batch systems process transactions in bulk when required or when convenient. These systems are appropriate when there is no urgency to the information.

Control Objectives for Information and Related Technology (COBIT)

(COBIT) - A security and control framework that allows (1) management to benchmark the security and control practices of IT environments, (2) users of IT services to be assured that reliable and adequate security and control exist, and (3) auditors to substantiate their internal control opinions and advise on IT security and control matters.
▪ Meeting stakeholder needs. COBIT helps users customize business processes and procedures to create an information system that adds value to its stakeholders. It also allows the company to create the proper balance between risk and reward.
▪ Covering the enterprise end-to-end. COBIT does not just focus on the IT operation; it integrates all IT functions and processes into companywide functions and processes.
▪ Applying a single, integrated framework. COBIT can be aligned at a high level with other standards and frameworks so that an overarching framework for IT governance and management is created.
▪ Enabling a holistic approach. COBIT provides a holistic approach that results in effective governance and management of all IT functions in the company.
▪ Separating governance from management. COBIT distinguishes between governance and management.

6. Discuss how organizations use enterprise resource planning (ERP) systems to process transactions and provide information.

(ERP) - A system that integrates all aspects of an organization's activities along with a traditional AIS into one system.

Committee of Sponsoring Organizations (COSO)

(COSO) - A private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute. The COSO Internal Control framework contains only five components:
▪ Control environment. This is the foundation for all other components of internal control. The core of any business is its people, their individual attributes, including integrity, discipline, ethical values, and competence, and the environment in which they operate. They are the engine that drives the organization and the foundation on which everything rests.
1) Commitment to integrity and ethics
2) Internal control oversight by the board of directors, independent of management
3) Structures, reporting lines, and appropriate responsibilities in the pursuit of objectives established by management and overseen by the board
4) A commitment to attract, develop, and retain competent individuals in alignment with objectives
5) Holding individuals accountable for their internal control responsibilities in pursuit of objectives
▪ Risk assessment. The organization must identify, analyze, and manage its risks. Managing risk is a dynamic process. Management must consider changes in the external environment and within the business that may be obstacles to its objectives.
6) Specifying objectives clearly enough for risks to be identified and assessed
7) Identifying and analyzing risks to determine how they should be managed
8) Considering the potential of fraud
9) Identifying and assessing changes that could significantly impact the system of internal control
▪ Control activities. Control policies and procedures help ensure that the actions identified by management to address risks and achieve the organization's objectives are effectively carried out. Control activities are performed at all levels and at various stages within the business process and over technology.
10) Selecting and developing controls that might help mitigate risks to an acceptable level
11) Selecting and developing general control activities over technology
12) Deploying control activities as specified in policies and relevant procedures
▪ Information and communication. Information and communication systems capture and exchange the information needed to conduct, manage, and control the organization's operations. Communication must occur internally and externally to provide information needed to carry out day-to-day internal control activities. All personnel must understand their responsibilities.
13) Obtaining or generating relevant, high-quality information to support internal control
14) Internally communicating information, including objectives and responsibilities, necessary to support the other components of internal control
15) Communicating relevant internal control matters to external parties
▪ Monitoring. The entire process must be monitored, and modifications made as necessary so the system can change as conditions warrant. Evaluations ascertain whether each component of internal control is present and functioning. Deficiencies are communicated in a timely manner, with serious matters reported to senior management and the board.
16) Selecting, developing, and performing ongoing or separate evaluations of the components of internal control
17) Evaluating and communicating deficiencies to those responsible for corrective action, including senior management and the board of directors, where appropriate

Production Cycle

- Design products - Forecast, plan, and schedule production - Request raw materials for production - Manufacture products - Store finished products - Accumulate costs for products manufactured - Prepare management reports - Send appropriate information to the other cycles

Information needed to pay taxes

- Government regulations - Total wage expense - Total sales

relationships

1-1 [art gallery] 1-many (FK) [prof-courses] many-many [students-courses]

What are the two primary techniques used to identify undesirable traffic patterns?

1. The simplest approach is to compare traffic patterns to a database of signatures of known attacks 2. A more complicated approach involves developing a profile of "normal" traffic and using statistical analysis to identify packets that do not fit that profile

COSO Internal Control Framework

1. The Control Environment 2. Risk Assessment 3. Information and Communication 4. Monitoring 5. Control Activities

What are advantages of online (or real-time) processing?

1. up-to-the-minute information 2. simple (fewer steps)

What are advantages of decentralized processing?

1. usually cheaper 2. easier to add processing power 3. faster processing time when under heavy use 4. problems at one location don't shut down the entire system

6 components of AIS

1. people 2. procedures and instructions 3. data (about the organization) 4. software 5. information technology infrastructure 6. internal controls and security measures

The controls in a computerized system are classified as a. input, processing, and output. b. input, processing, output, and storage. c. input, processing, output, and control. d. input, processing, output, storage, and control. e. collecting, sorting, summarizing, and reporting.

A

Which of the following is an example of an input control? A. making sure that reports are distributed to the proper people B. monitoring the work of data entry clerks C. collecting accurate statistics of historical transactions while gathering data D. performing a check-digit test on a customer account number E. having another person review the design of the business form

A

Internal Control - Integrated Framework (IC)

A COSO framework that defines internal controls and provides guidance for evaluating and enhancing internal control systems.

ERP systems

A modular, relational database designed to include all business process and provide comprehensive information for decisions. Modules include customer relationship management, financial management, human resource management, and supply chain management

Botnet

A network of powerful and dangerous hijacked computers that are used to attack systems or spread malware

Entity integrity rule

A non-null primary key ensures that every row in a table represents something that can be identified

Turnaround Documents

A paper-based document sent from an organisation to a customer and then returned.

Master File

A permanent file of records that stores cumulative data about an organization. As transactions take place, individual records within a master file are updated to keep them current

Control Objectives for Information and Related Technology (COBIT)

A security and control framework that allows (1) management to benchmark the security and control practices of IT environments, (2) users of IT services to be assured that adequate security and control exist, and (3) auditors to substantiate their internal control opinions and advise on IT security and control matters.

Access Control List (ACL)

A set of IF-THEN rules used to determine what to do with arriving packets

B: Ledger accounts.

After journal entries are recorded, they are posted to: A: General journals. B: Ledger accounts. C: Income statement. D: Expense reports.

Transaction

Agreement between two entities to exchange goods or services

Define Transaction

Agreement between two entities to exchange goods, services, or any other event that can be measured in economic terms by an organization

What is centralized processing?

All data kept and processed at a central location (even if PC is connected to a LAN to allow data entry remotely)

legal risk

All of the following are components of audit risk except A. control risk B. legal risk C. detection risk D. inherent risk

missing data check

An employee in the sales department keyed in a customer sales order from a terminal and inadvertently omitted the sales order number. What edit would best detect this error? A. access test B. completeness test C. validity test D. missing data check E. Redundancy check

Off-page connector

An entry from, or an exit to, another page

1. Explain the auditing process.

Auditing - Objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria.
a. *Stage 1 - Planning*: Establish scope and objectives; Organize audit team; Develop knowledge of business operations; Review prior audit results; Identify risk factors; Prepare audit program
b. *Stage 2 - Collecting Evidence*: Observation of operating activities; Review of documentation; Discussions with employees; Questionnaires; Physical examination of assets; Confirmation through third parties; Reperformance of procedures; Vouching of source documents; Analytical review; Audit sampling
c. *Stage 3 - Evaluating Evidence*: Assess quality of internal controls; Assess reliability of information; Assess operating performance; Consider need for additional evidence; Consider materiality factors; Document audit findings
d. *Stage 4 - Communicating Audit Results*: Formulate audit conclusions; Develop recommendations for management; Prepare audit report; Present audit results to management

In an automated payroll processing environment, a department manager substituted the time card for a terminated employee with a time card for a fictitious employee. The fictitious employee had the same pay rate and hours worked as the terminated employee. The best control technique to detect this action using employee identification numbers would be a a. batch total. b. record count. c. hash total. d. subsequent check. e. financial total.

C

A: Greater integration

Compared to a more risk-averse entity, the ERM of a more risk-aggressive entity demands __________. A: Greater integration B: A discrete, autonomous ERM unit C: Lower-velocity data D: Lower performance expectations

C: Timeliness of information.

Compared to batch processing, real-time processing has which of the following advantages? A: Ease of auditing. B: Ease of implementation. C: Timeliness of information. D: Efficiency of processing.

C: Increased, increased, decreased

Compared to manual systems, automated systems have ____ risks related to remote access, ____ risks related to the concentration of information, and, ______ opportunities for directly observing processes: A: Increased, increased, increased B: Decreased, decreased, decreased C: Increased, increased, decreased D: Increased, decreased, increased

Logical view

How people conceptually organize, view, and understand the relationships among data items

Open-invoice method

Method for maintaining accounts receivable in which customers typically pay according to each invoice

System Flowchart

Depicts the relationships among system input, processing, storage, and output.

Source documents

Documents used to capture transaction data at its source - when the transaction takes place. Examples include sales orders, purchase orders, and employee time cards.

What are source documents?

Documents used to obtain the information put into the system. (IE sales invoice, time sheets, check)

Complete

Does not omit important aspects of the events or activities it measures

Computer based storage concepts

Entity Attributes Field Record Data Value File Master file Transaction File Database

Operational Audit

Examination of the economical and efficient use of resources and the accomplishment of established goals and objectives

True or False? SDLC controls do not apply to the maintenance phase.

False

Employee Pressure Triangle

Financial, emotional and lifestyle

Referential integrity rule

Foreign keys, which link rows in one table to rows in another table, must have values that correspond to the value of a primary key in the other table

Reliable

Free from error or bias; accurately represents organization events or activities

Reliable

Free from error or bias; accurately represents organizations, events or activities

Types of control

General and application controls

B: Lack of strategic focus

Gus McCrae, an accountant at Lonesome Dove Cattle Ranch, builds a spreadsheet to track cow movements between locations. However, there are so few movements of cattle between locations that the spreadsheet is unhelpful. This problem illustrates which of the following issues? A: Inadequate scope and scalability B: Lack of strategic focus C: Lack of strategic engagement D: Digitization

Turnkey System

Hardware and software sold as a package

Triggered Exception Reports

Have a pre-specified content and format but are only prepared in response to abnormal conditions (Inventory Shortages)

7. Identify the purpose and basic activities of the human resources management (HRM)/payroll cycle.

Human Resources Management (HRM)/Payroll Cycle - The recurring set of business activities and data processing operations associated with effectively managing the employee workforce. a. Recruiting and hiring new employees b. Training c. Job assignment d. Compensation (payroll) e. Performance evaluation f. Discharge of employees due to voluntary or involuntary termination

Program Flowchart

Illustrates the sequence of logical operations performed by a computer in executing a program A program flowchart describes the specific logic used to perform a process shown in a system flowchart.

Program Flowchart

Illustrates the sequence of logical operations performed by a computer in executing a program.

Pilot Conversion

Implements a system in one part of an organisation e.g. a branch

Delete anomaly

Improper organization of a database that results in the loss of all information about an entity when a row is deleted

Fraudulent Financial Reporting

Intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements

Cross-functional analysis

In a database system, relationships, such as the association between selling costs and promotional campaigns, can be explicitly defined and used in the preparation of management reports.

A: Managing remote access.

In a large multinational organization, which of the following job responsibilities should be assigned to the network administrator? A: Managing remote access. B: Developing application programs. C: Reviewing security policy. D: Installing operating system upgrades.

B: Internal audit staff who report to the board of directors.

In a large public corporation, evaluating internal control procedures should be the responsibility of A: Accounting management staff who report to the CFO. B: Internal audit staff who report to the board of directors. C: Operations management staff who report to the chief operations officer. D: Security management staff who report to the chief facilities officer.

C: CFO and CEO

In a public company, which of the following officers must certify the accuracy of their firm's financial statements as filed with the SEC? A: CEO and CAO B: CAO and CFO C: CFO and CEO D: CEO and COO

physical controls

Includes controlled access, computer room entry log record, data backup storage, preprinted limits on documents, inconspicuous location.

administrative controls

Includes security checks on personnel, segregation of duties, program testing after modification, rotation of computer duties, transaction limit amounts

Revenue Principle

Income is recorded when it is earned, irrespective of when the associated cash is actually received by the business. A cornerstone of accrual accounting together with the matching principle.

electronic output

Information displayed by an electronic output device such as a terminal, monitor, or screen

Which general ledger accounts would have subsidiary ledgers?

Inventory, accounts payable, payroll, and accounts receivable.

Pay-and-Return Scheme

Involves a clerk with check-writing authority who intentionally pays a vendor twice for the same invoice for the purchase of inventory or supplies. The vendor, recognizing that its customer made a double payment, issues a reimbursement check to the victim company, which the clerk intercepts and cashes.

Why is the separation of duties important for internal control?

It is intended to prevent fraud and error by having more than one person required to complete a task.

Sequence Code

Items are numbered consecutively so that gaps in the sequence code indicate missing items that should be investigated.

What is a LAN?

Local Area Network

Security Controls that detect Intrusions

Log analysis Intrusion Detection Systems Penetration Testing Continuous Monitoring

Disadvantages of developing in-house

Logic and Development Errors Inadequately tested applications Inefficient systems Poorly controlled and documented systems System incompatibilities Duplication of systems data; wasted resources Increased Costs

D: 1 mission, 2 vision, 3 core values

Match the statements below with the associated categories in ERM: 1. We will improve the quality of life of ... 2. We will be known for outstanding ... 3. We will treat our customers and employees with respect ... A: 1 core values, 2 risk appetite, 3 mission B: 1 strategy, 2 values, 3 vision C: 1 tolerance, 2 mission, 3 appetite D: 1 mission, 2 vision, 3 core values

Data Processing

Once data has been entered into the system, they must be processed to keep the databases current. Data processing activities are broken down into 4 activities (Also known as CRUD): 1. Creating new data records, such as adding a newly hired employee to the payroll database. 2. Reading, retrieving, or viewing existing data. 3. Updating previously stored data. Figure 2-4 depicts the steps required to update an accounts receivable record with a sales transaction. The two records are matched using the account number. The sale amount ($360) is added to the account balance ($1,500) to get a new current balance ($1,860). 4. Deleting data, such as purging the vendor master file of all vendors the company no longer does business with.

Parallel Conversion

Operates new and old AIS simultaneously for a period

Five fundamental control objective

The system must protect itself from users, protect users from each other, protect users from themselves, be protected from itself, and be protected from its environment.

Document

Records of transaction or other company data (checks, invoices, receiving reports, and purchase requisitions)

Most Important Tasks of the HRM/Payroll Cycle

Recruiting and training new employees Training Job assignment Compensation (payroll) Performance Evaluation Discharge of employees due to voluntary or involuntary termination

Characteristics of Useful Information

Relevant, reliable, complete, timely, understandable, verifiable, accessible

Advantages of Purchasing

Saves Time Simplifies the decision-making process Reduces Errors Avoids potential for disagreement

Web-Page Spoofing

See phishing

Pass Through Fraud

Similar to the shell company fraud with the exception that a transaction actually takes place. The false vendor then purchases the needed inventory from a legitimate vendor. The false vendor charges the victim company a much higher than market price for the items, but pays only the market price to the legitimate vendor. Perpetrator pockets the difference.

B: The method of communicating the risks to internal stakeholders.

The Buy N Large Company is a diversified, multinational consumer and wholesale products company. Which of the following is least likely to be a consideration in defining the company's risk appetite related to sustainability and climate change risk? A: The resources (e.g., financial and human) available to manage the risks. B: The method of communicating the risks to internal stakeholders. C: The risk profile. D: The risk capability.

D: Discuss the CEO's behavior and challenge the CEO to overcome these issues.

The CEO of Duke & Duke has been known to yell at employees. When the board first hears about such behavior, the role of the board in relation to the CEO's behavior is most likely to be to: A: Determine if the board is independent of the CEO. B: Define the organizational culture as risk averse. C: Fire the CEO. D: Discuss the CEO's behavior and challenge the CEO to overcome these issues.

COBIT 5 Framework

The COBIT 5 framework describes best practices for the effective governance and management of IT. COBIT 5 is based on the following five key principles of IT governance and management. These principles help organizations build an effective governance and management framework that protects stakeholders' investments and produces the best possible information system.

who designs and implements procedures that prevent attackers from penetrating a company's AIS?

The Chief Information Security Officer (CISO)

D: Information, Communication, and Reporting.

The ERM component that includes email, board meeting minutes, and reports as important elements is A: Governance and Culture. B: Performance. C: Review and Revision. D: Information, Communication, and Reporting.

D: Establishing a communication program to obtain information about potential frauds

The Wasabi Electronics employee survey related to fraud risk includes this question: "Employees who report suspected improprieties are protected from reprisal." This question best relates to which of the following fraud management principles and processes? A: Establishing a fraud risk management program B: Selecting, developing, and deploying fraud controls C: Selecting, developing, and deploying evaluation and monitoring processes D: Establishing a communication program to obtain information about potential frauds

A: Database administrators.

The ability to add or update documentation items in data dictionaries should be restricted to A: Database administrators. B: System programmers. C: System librarians. D: Application programmers.

A: Business transactions.

The accounting cycle begins by recording _____________ in the form of journal entries. A: Business transactions. B: Financial information. C: Corporate minutes. D: Business contracts.

The Expenditure Cycle

The acquisition of materials, property, and labor in exchange for cash.

Process

The action that transforms data into other data or information

Data Value

The actual value stored in a field that describes a particular attribute of an entity

Data Value

The actual value stored in a field. It describes a particular attribute of an entity. For example, the customer name field would contain "ZYX Company" if that company was a customer.

Value of information

The benefit provided by information less the cost of producing it

Sales order

The document created during sales order entry listing the item numbers, quantities, prices, and terms of sales

limit check

The employee entered "40" into the "hours worked per day" field. Which check would detect this unintentional error? A. numeric/alphabetic data check B. validity check C. limit check D. reasonableness check

Data Source

The entity that produces or sends the data that is entered into a system

Data Destination

The entity that receives data produced by a system

White box

The information contained within the black box on the inside ( processing )

Entity

The item about which information is stored in a record (employee, inventory item, customer)

Entity

The item about which information is stored in a record. Examples include an employee, an inventory item, and a customer.

Electronic data interchange (EDI)

The use of computerized communications and a standardized coding scheme to submit business documents electronically in a format that can be automatically processed by the recipients

Multimodal Authentication

The use of multiple authentication credentials of the same type to achieve a greater level of security

1-b. Define AIS

a system of collecting, storing and processing financial and accounting data that is used by decision makers

Expected Loss

The mathematical product of the potential dollar loss that would occur should a threat become a reality (called impact or exposure) and the risk or probability that the threat will occur (called likelihood). = Impact X Likelihood

B: An employee.

The perpetrator of a fictitious vendor fraud is usually A: A stakeholder. B: An employee. C: A mountebank. D: A customer.

Database administrator (DBA)

The person responsible for coordinating, controlling, and managing the database

database administrator

The person responsible for coordinating, controlling, and managing the database.

Bot Herder

The person who creates a botnet by installing software on PCs that responds to the bot herder's electronic instructions

Field

The portion of a data record where the data value for a particular attribute is stored. For ex: in a spreadsheet each row might represent a customer and each column is an attribute of the customer. Each cell in a spreadsheet is a field.

Which is most likely to be a GL control account? a. Accounts receivable b. Petty cash c. Prepaid rent d. Retained earnings

a) AR

Patch Management

The process for regularly applying updates to all software used by an organisation

Hardening

The process of modifying the default configuration of endpoints to eliminate unnecessary settings and services

Authorization

The process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform

Encryption

The process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext

Encryption

The process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext.

Data Storage

The process of updating one or more databases with new transactions. Databases are broken down into general and subsidiary ledgers.

Knowledge Management Systems

The process through which organizations generate value from their intellectual and knowledge-based assets

Database Management System (DBMS)

The program that manages and controls the data and the interfaces between the data and the application programs that use the data stored in the database.

Attributes

The properties, identifying numbers, and characteristics of interest of an entity that are stored in a database. Examples: employee number, pay rate, name, and address

Revenue Cycle

The recurring set of business activities and data processing operations associated with providing goods and services to customers and collecting cash in payment for those sales

Revenue Cycle

The recurring set of business activities and data processing operations associated with providing goods and services to customers and collecting cash in payment for those sales. The revenue cycle's primary objective is to provide the right product in the right place at the right time for the right price.

Production Cycle

The recurring set of business activities and related data processing operations associated with the manufacture of products

Multifactor Authentication

The use of two or more types of authentication credentials in conjunction to achieve a greater level of security

Physical view

The way data are physically arranged and stored in the computer system

corruption

dishonest conduct by those in power involving actions that are illegitimate, immoral, incompatible w/ethical standards

System

Two or more interrelated components that interact to achieve a goal, often composed of subsystems that support the larger system. (eg. College of Accounting a subsystem of the College of Business which is a part of a University System)

3. Explain how data storage is accomplished within an AIS.

Data must be organized for ease of access, so an organization needs to know how to manage its data for maximum corporate use. This is done via coding and audit trails.
a. Data in ledgers is organized logically using coding techniques. Coding is the systematic assignment of numbers or letters to items to classify and organize them.
b. The following guidelines result in a better coding system. The code should:
o Be consistent with its intended use (the code designer determines desired system outputs prior to selecting the code)
o Allow for growth
o Be as simple as possible to minimize costs, facilitate memorization and interpretation, and ensure employee acceptance
o Be consistent with the company's organizational structure and across divisions
c. An audit trail is a traceable path of a transaction through a data processing system from point of origin to final output, or backward from final output to point of origin.

What is the Toyota case?

Toyota Production System (TPS) philosophies, principles, and business processes supported by IT.

Transaction found under Expenditure/Procurement cycle

Track vendor performance, record inventory receipts using the goods receipt transaction, process vendor invoices, pay invoices.

Transaction v. transaction processing

Transaction - Agreement between two entities to exchange goods and services vs. Transaction processing - Transaction data is used to create financial statements

Give-get exchange

Transactions that happen a great many times, such as giving up cash to get inventory from a supplier and giving employees a paycheck in exchange for their labor

Give-get exchange

Transactions that happen a lot- such as giving up cash to get inventory and giving employees a paycheck

Hashing

Transforming plaintext of any length into a short, fixed-length code called a hash (or digest). Unlike encryption, hashing uses no key and cannot be reversed to recover the original text.
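
An added example (not part of the original flashcards) that shows what the definition implies in practice: a SHA-256 digest is always 64 hex characters whatever the input length, changing one character flips roughly half the output bits, and a keyed hash (HMAC) lets the holder of the key detect tampering with a record. The journal-entry fields and the demo key are constructed for the example.

```python
import hashlib
import hmac


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Hash input of any length to a fixed-size code (SHA-256: 32 bytes = 64 hex chars)."""
    return hashlib.new(algorithm, data).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count the bits that differ between two equal-length hex digests (avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def canonical(record: dict) -> bytes:
    """Serialise a record the same way every time so that its hash is reproducible."""
    return "|".join(f"{k}={record[k]}" for k in sorted(record)).encode()


def record_fingerprint(record: dict) -> str:
    """Unkeyed hash: detects accidental change, but anyone can recompute it after editing."""
    return digest_hex(canonical(record))


def keyed_fingerprint(record: dict, key: bytes) -> str:
    """HMAC: only a holder of the key can produce a matching tag, so edits become detectable."""
    return hmac.new(key, canonical(record), "sha256").hexdigest()


def tag_matches(record: dict, key: bytes, tag: str) -> bool:
    """Constant-time comparison so the check does not leak how many bytes matched."""
    return hmac.compare_digest(keyed_fingerprint(record, key), tag)


# Constructed cash-disbursement journal entry used as sample input (assumed field names).
ENTRY = {"journal": "cash_disbursements", "check": 4471, "vendor": "Acme", "amount": 1250.00}

if __name__ == "__main__":
    print(digest_hex(b""), digest_hex(b"x" * 1_000_000))   # both 64 hex chars
    print(differing_bits(digest_hex(b"abc"), digest_hex(b"abd")), "of 256 bits differ")
    key = b"constructed-demo-key"
    tag = keyed_fingerprint(ENTRY, key)
    print("original ok:", tag_matches(ENTRY, key, tag))
    print("tampered ok:", tag_matches(dict(ENTRY, amount=12500.00), key, tag))
```

The unkeyed fingerprint is enough to spot corruption; the keyed one is what you need against a deliberate edit, because the attacker cannot recompute a tag without the key.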

White-Collar Criminals

Typically, businesspeople who commit fraud. White-collar criminals usually resort to trickery or cunning, and their crimes usually involve a violation of trust or confidence.

Which of the following is NOT a step in the data processing cycle? a. Data collection b. Data input c. Data storage d. Data processing

a) Data collection

Hacking

Unauthorized access, modification, or use of an electronic device or some element of a computer system

Output Fraud

Unless properly safeguarded, displayed or printed output can be stolen

C: User accounts are not removed upon termination of employees.

When a client's accounts payable computer system was relocated, the administrator provided support through a dial-up connection to a server. Subsequently, the administrator left the company. No changes were made to the accounts payable system at that time. Which of the following situations represents the greatest security risk? A: User passwords are not required to be in alphanumeric format. B: Management procedures for user accounts are not documented. C: User accounts are not removed upon termination of employees. D: Security logs are not periodically reviewed for violations.

black box tests of program controls

When auditors do not rely on a detailed knowledge of the application's internal logic, they are performing a. black box tests of program controls b. white box tests of program controls c. substantive testing d. intuitive testing

Confirming AR

When planning the audit, information is gathered by all of the following methods except A. completing questionnaires B. interviewing management C. observing activities D. confirming accounts receivable

Describe the Revenue Cycle.

Where goods or services are sold for cash or a future promise to receive cash. Activities include:
~ Receive and answer customer inquiries
~ Take customer orders and enter them into the AIS
~ Approve credit sales
~ Check inventory availability
~ Initiate back orders for goods out of stock
~ Pick and pack customer orders
~ Ship goods to customers or perform services
~ Bill customers for goods shipped or services performed
~ Update (increase) sales and accounts receivable
~ Receive customer payments and deposit them in the bank
~ Update (reduce) accounts receivable
~ Handle sales returns, discounts, allowances, and bad debts
~ Prepare management reports
~ Send appropriate information to the other cycles

D: Monitoring.

Within the COSO Internal Control—Integrated Framework, which of the following components is designed to ensure that internal controls continue to operate effectively? A: Control environment. B: Risk assessment. C: Information and communication. D: Monitoring.

1-4. A dashboard is:

a summary screen typically used by managers

terminal

a beginning, end, or point of interruption in a process; also used to indicate an external party

what is the difference between a conceptual-level schema and an internal-level schema?

A conceptual-level schema is a high-level view of the entire database, while an internal-level schema is a low-level, more detailed view of how the database is actually stored.

Data Flow Diagram (DFD)

a graphical description of data sources, data flows, transformation processes, data storage, and data destinations

which preventative control is designed to stop an attacker from installing a hardware-based keystroke logging device on a computer?

a physical access control

what is the difference between a primary key and a foreign key in a database?

A primary key uniquely identifies a specific row in a table, whereas a foreign key is an attribute that is the primary key of another table and is used to link the two tables.

record

all the fields for one customer

during which step in the expenditure cycle could an incorrect posting to A/P occur?

approving supplier invoices

which activity in the expenditure cycle has the threat of discrepencies between the quoted price and the actual price charged?

approving supplier invoices

authorization

approving transactions and decisions

Turnkey systems

Completely finished and tested systems that are ready for implementation. These are often general-purpose systems or systems customized to a specific industry.

7. Define identity theft.

assuming someone's identity, usually for economic gain

primary key

attribute (or combo) that uniquely IDs a specific row in a table

foreign key

attribute in a table that is a PK in another table; used to link

Computer-assisted audit techniques (CAATS)

audit software that uses auditor-supplied specifications to generate a program that performs audit functions

What is a server computer?

A large computer that "serves" data or services to other computers, such as email, a database, or web pages.

Which statement is FALSE? a) Flowcharts make use of many symbols b) A document flowchart emphasizes the flow of documents or records containing data c) DFDs help convey the timing of events d) Both a & b

c) DFDs help convey the timing of events

In which cycle does a company ship goods to customers? a. Production cycle b. Financing cycle c. Revenue cycle d. Expenditure cycle

c) Revenue cycle

which of the following attributes in the cash receipts table (representing payments received from customers) would most likely be a foreign key? a) cash receipt number b) customer check number c) customer number d) cash receipt date

c) customer number

Inbound Logistics

consists of receiving, storing, and distributing the materials an organization uses to create the services and products it sells

external-level schema

consists of a set of individual user views of portions of the database (aka subschema)

preventative controls

controls that deter problems before they arise

what are cost-effective controls?

controls whose risk-reduction benefit exceeds the cost of implementing them

FC input/output symbols

Devices or media that supply input to or receive output from processing operations. Examples: a rectangle with a cut-off (wavy) bottom = document; terminal = external party such as a bank, vendor, or customer.

Record layout

document that shows the items stored in a file, including the order and length of the data fields and the type of data stored

complete

does not omit important aspects of the events or activities it measures

audit committee

Required by SOX; composed of outside, independent directors. Oversees the internal control structure, the financial reporting process, and legal compliance.

human resources cycle

during which cycle would the W-4 be given out?

Which if the following is NOT an SDLC controllable activity? a. user specification b. systems authorization c. user test and acceptance procedures d. external audit participation e. all are SDLC controls

e. all are SDLC controls

Which of the following statements about the ITF technique for testing is NOT correct? a. applications may be tested directly without being removed from service b. ITF supports continuous monitoring of controls c. ITF has the potential to corrupt corporate databases d. during normal operations, test transactions are merged into the input stream of regular (production) transactions e. all of the above are correct statements

e. all of the above are correct statements

A user's application may consist of several modules stored in separate memory locations, each with its own data. One module must not be allowed to destroy or corrupt another module. This is an objective of a. EDI controls b. network controls c. Detection Risk controls d. application controls e. none of the above

e. none of the above

paper document file

file of paper documents; letters indicate file-ordering sequence: N = numerically, A = alphabetically, D = by date

which step does an attacker perform when conducting research for the purpose of penetrating an IS?

finds out the vulnerabilities of the software that the company is using

What are potential computer crime related risks and threats?

fraud, error, service interruptions and delays, disclosure of confidential information, intrusions, information theft, information manipulation, malicious software, denial of service attacks, website defacements, extortion

proper authorization

general & specific

types of controls

general controls application controls

subsidiary ledger V general ledger

general ledger - A ledger that contains summary-level data for every asset, liability, equity, revenue, and expense account of the organization. subsidiary ledger - A ledger used to record detailed data for a general ledger account with many individual subaccounts, such as accounts receivable, inventory, and accounts payable.

2NF

Second normal form: the table is in 1NF (fields that belong together are grouped into one table with a primary key and no repeating groups) and every nonkey field depends on the whole primary key, not on only part of a composite key.

understand the system, identify business documents, organize the flowchart, clearly label all symbols, use page connectors

guidelines for flow charts:

custodial

handling cash, tools, inventory, or fixed assets; receiving incoming customer checks; writing checks on the organization's bank account

Disaster Recovery

A plan that identifies significant events that could threaten a firm's operations and outlines the procedures for resuming operations smoothly if such an event occurs.

document flowchart

illustrates the flow of documents and data among areas of responsibility within an organization

program flowchart

illustrates the sequence of logical operations performed by a computer in executing a program

sales invoice number

in a sales table, the most likely primary key would be: sales invoice number, inventory item number, customer name, customer number

color and price

in an inventory table, the most likely nonkey would be: item number, color, price

FC flow & misc symbols

indicate flow of data/goods; also represent where operations begin/end, decisions are made and add explanatory notes

types of computer fraud

input, processor, output

Maintenance Phase (SDLC)

involves performing changes, corrections, additions, and upgrades to ensure the system continues to meet the business goals

system development life cycle

is the process of creating or modifying information systems to meet the needs of their users

how is cross-functional analysis a database benefit?

it allows data relationships to be defined so that management reports can be easily prepared

which action does a company take during the customer order process in the revenue cycle?

it checks and approves customer credit

what is the purpose of information rights management (IRM) software?

it controls access to sensitive data

what is a benefit of a well-designed computer input screen?

it reduces data entry errors and omissions

Sequence Codes

items are numbered consecutively to account for all items. Any missing items cause a gap in the numerical sequence. Examples include prenumbered checks, invoices, and purchase orders.

What is Batch Processing?

Transactions (e.g., journal entries) are accumulated in batches (groups) and then processed and posted together at once.

when employees start working at a company, they are given a formal job description and a policy and procedures manual. the manual includes the company's vision statement and code of conduct and explains the expected business practices and procedures used at the company. the job description and manual communicate components of this company's internal environment. which two components do they communicate?

methods of assigning authority and responsibility; commitment to integrity, ethical values, and competence

investment fraud

misrepresenting/leaving out facts to promote an investment that promises fantastic profits w/little to no risk

What are input devices?

mouse, keyboard, touch screen, bar code scanner

systems documentation

narratives, flowcharts, diagrams, and other written materials that explain how a system works; used to identify weak internal controls

which tool is an example of a preventative IS control?

network access passwords

production or conversion cycle

where raw materials are transformed into finished goods

Discussion questions and problems 2.3. What kinds of documents are most likely to be turnaround documents? Do an Internet search to find the answer and to find example turnaround documents. An audit trail enables a person to trace a source document to its ultimate effect on the financial statements or work back from financial statement amounts to source documents. Describe in detail the audit trail for the following: a. Purchases of inventory b. Sales of inventory c. Employee payroll

Turnaround documents are output from a computer that has some extra information added to it and is then returned to become an input document; for example, meter cards produced for collecting readings from gas meters, photocopiers, water meters, etc. The audit trail for inventory purchases links purchase requisitions, purchase orders, and receiving reports to vendor invoices for payment. All of these documents are linked to the check or EFT transaction used to pay the invoice, which is recorded in the cash disbursements journal, and to the journal entry made to record the purchase. A general ledger account number appears at the bottom of each column in the journal, and the journal reference appears in the general ledger, inventory ledger, and accounts payable ledger.

Ciphertext

plaintext that was transformed into unreadable gibberish using encryption

Steps of SDLC

planning, analysis, design, implementation, maintenance

likelihood

probability that a threat will come to pass

normalization

process of removing redundant data to improve storage efficiency, data integrity, and scalability

Give 5 common activities of the production cycle

Production cycle: give labor and raw materials, get finished goods.
- Design products
- Forecast, plan, and schedule production
- Request raw materials for production
- Manufacture products
- Store finished products
- Accumulate costs for products manufactured
- Prepare management reports

a company changes to a lean manufacturing process to minimize inventories in the manufacturing plant. which activity of the production cycle will this impact the most?

production operations

What is a trojan horse?

program that appears useful but contains hidden function that presents a security risk

What is a virus?

program that copies itself and then causes other programs to malfunction

examples of control

proper authorization of transactions and activities; segregation of duties

a company has a policy that all purchase orders of $100,000 or greater be approved by the controller prior to being entered into the AIS. which category does this control procedure relate to?

proper authorization of transactions and activities

timely

provided in time for decision makers to make decisions

2.1. Table 2-1 lists some of the documents used in the revenue, expenditure, and human resources cycle. What kinds of input or output documents or forms would you find in the production (also referred to as the conversion) cycle?

• Requests for items to be produced
• Documents to plan production
• Schedule of items to be produced
• List of items produced, including quantity and quality
• Form to allocate costs to products
• Form to collect time spent on production jobs
• Form requesting raw materials for the production process
• Documents showing how much raw material is on hand
• Documents showing how much raw material went into production
• List of production processes
• List of items needed to produce each product
• Documents to control movement of goods from one location to another

SOX

requires companies to document processes and internal controls

control activities

Control policies and procedures, established and implemented throughout the various levels and functions of the organization, that help ensure management's risk responses are carried out.

5 common activities of the revenue cycle

Revenue cycle: encompasses all transactions involving sales to customers and the collection of cash receipts for those sales. Give goods or services, get cash.
- Receive and answer customer inquiries
- Take customer orders and enter them into the AIS
- Approve credit sales
- Check inventory availability
- Initiate back orders for goods out of stock
- Pick and pack customer orders
- Ship goods to customers or perform services
- Bill customers for goods shipped or services performed
- Update (increase) sales and accounts receivable
- Receive customer payments and deposit them in the bank
- Update (reduce) accounts receivable
- Handle sales returns, discounts, allowances, and bad debts
- Prepare management reports

Postimplementation Review

review made after a new system has been operating for a brief period to ensure that the new system is meeting its planned objectives, identify the adequacy of system standards, and review system controls

residual risk

risk that remains after management implements internal controls, or some other response

inherent risk

risks that exist before management takes any steps to control the likelihood or impact

firm infrastructure, human resource management, technology, purchasing

secondary activities of the value chain

Control Objectives for Information and Related Technology (COBIT)

security and control framework that allows management to benchmark the security and control practices of its IT environments, users of IT services to be assured that adequate security and control exist, and auditors substantiate their internal control opinions and advise on IT security and control matters (developed by the Information Systems Audit and Control Association [ISACA])

which tool is used to identify system vulnerabilities?

security testing

Segregation of Accounting Duties

separating the accounting functions of authorization, custody, and recording to minimize an employee's ability to commit fraud

How does XBRL benefit organizations?

Serves as a means to electronically communicate business information, facilitating the reporting of financial and nonfinancial data to users, and greatly enhances the speed and accuracy of business reporting. Benefits include:
- more efficient data collection and reporting
- easier data consumption and analysis
- cost savings from preparing data in one form and automatically generating many outputs
- better analysis, forecasting, and decision making
- improved relationships and communication with investors
- freedom from proprietary systems and software

which activity in the revenue cycle involves picking and packing a customer order?

shipping

What is the general ledger?

shows all transactions in each account type

What are two major privacy-related concerns?

spam and identity theft

data sources/destination

Squares (e.g., customers, banks)

1-a. XBRL (extensible business reporting language) is

the computer language of choice for reporting business activities

logical view

The way a user or programmer conceptually organizes and understands the data, independent of how it is physically stored.

Database system

the database, the DBMS, and the application programs that access the database through the DBMS

Data Flow

the movement of data among processes, stores, sources, and destinations.

If P > D + C then,

the organization's security procedures are effective; otherwise, security is ineffective. In this time-based model of security, P is the time it takes an attacker to break through the organization's preventive controls, D is the time it takes to detect that an attack is in progress, and C is the time it takes to respond to the attack and correct the problem.

What is project management

the planning, organizing, supervising and directing of an IT project

flowchart

which are accountants more likely to use: flowcharts or BPD

Inherent Risk

the susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control

costs of information

the time and resources spent to produce and distribute the information

Misappropriation of Assets

theft of a company's assets by employees

DML

Data manipulation language: used for data maintenance, including updating, inserting, and deleting portions of the database.

DDL

Data definition language, used to: 1) build the data dictionary; 2) initialize or create the database; 3) describe logical views; 4) specify limitations or constraints on security imposed on records or fields.

What is web mining?

uses internet search engine to identify patterns on the web or on specific websites

What is symmetric cryptography?

uses the same secret key to both encrypt and decrypt data, so the key must be shared securely between sender and receiver

What is data mining?

using algorithms to discover relationships or patterns in data

Auditors must understand the automated and manual processes a client uses; this understanding is documented using narratives, flowcharts, and business process diagrams.

what does SAS 94 say?

vendor performance

what information needs are generally associated with the acquire inventory business process

a purchase order issued by the buyer triggers a sales order at the vendor

what is the difference between a purchase order and a sales order?

all of these

what tables were needed in the query that answered the question "how many televisions were sold in October": sales table, inventory table, sales-inventory table

financing cycle

where companies sell shares in the company to investors and borrow money and where investors are paid dividends and interest is paid on loans

Human Resources/Payroll Cycle

where employees are hired, trained, compensated, evaluated, promoted and terminated

all of these are requirements

which of the following is not a basic requirement of a relational database: every column in a row must be single valued, primary keys cannot be null, foreign keys, if not null, must have values that correspond to the value of a primary key in another table, all nonkey attributes in a table should describe a characteristic about the object identified by the primary key

it is inexpensive

which of the following is not a characteristic that makes information useful: it is reliable, it is timely, it is inexpensive, it is relevant

Chart of accounts

a listing of all numbers assigned to balance sheet and income statement accounts. The account numbers allow transaction data to be coded, classified, and entered into proper accounts. They also facilitate financial statement report preparation.

Steps in Data Processing Cycle

1. Data Input 2. Data storage 3. Data processing 4. Information output

The advantages of database systems

1. Data integration 2. Data sharing 3. Minimal data redundancy and data inconsistencies 4. Data independence 5. Cross-functional analysis

What is a hierarchical database?

An outdated, tree-structured model in which data at a lower level can be reached only through the related record at the next higher level.

flowchart

Describes pictorially the transaction processing procedures a company uses and the flow of data through a system; change of control; consistent timing

general controls

Designed to ensure an organization's control environment is stable and well managed:
1. Information systems management controls
2. Security management controls
3. Information technology infrastructure controls
4. Software acquisition, development, and maintenance controls

D: An automated receiving system that includes multiple points of scanning of received goods

Happy's Nutty Clownery ordered 82 bags of balloons from a supplier but received only 28. Which of the following controls is most likely to have caught this error? A: Separation of duties in cash receipts B: Formalizing the process for authorizing the purchase of goods C: Requiring purchasing agents to disclose relationships with vendors and purchasers D: An automated receiving system that includes multiple points of scanning of received goods

B: The credit manager.

Harold is a sales person at a jeweler. His friend Robert wants to buy a ring for his fiancée. Who should establish the credit limit for Robert's purchase? A: Harold. B: The credit manager. C: The sales manager. D: Any of the above.

Demand Reports

Have a pre-specified content and format that are prepared only on request

Safeguard assets

Prevent/detect unauthorized acquisition/use

Functions of Internal Control

Preventative, Detective and Corrective

What are the three controls used to protect information systems?

Preventative, detective and corrective

Functions of internal control.

Prevention, detection and correction.

which component in this system flowchart represents a manual transaction?

*image* compare & reconcile

what do the rectangles in this system flowchart represent?

*image* computer processes

Management can respond to risk in four ways:

1 Reduce 2 Accept 3 Share 4 Avoid

Foreign Key

An attribute in one table that is a primary key in another table

Data Flow Diagram

Shows the flow of data within a system

Common reasons for Information System failures

● Information is available to an unprecedented number of workers. Chevron, for example, has over 35,000 PCs. ● Information on distributed computer networks is hard to control. At Chevron, information is distributed among many systems and thousands of employees worldwide. Each system and each employee represent a potential control vulnerability point. ● Customers and suppliers have access to each other's systems and data. For example, Walmart allows vendors to access their databases. Imagine the confidentiality problems as these vendors form alliances with Walmart competitors.

Functions of Internal Controls

● Preventive controls: deter problems before they arise.
● Detective controls: discover control problems that were not prevented.
● Corrective controls: identify and correct problems, and correct and recover from the resulting errors.

Management Response to Risk

● Reduce : Reduce the likelihood and impact of risk by implementing an effective system of internal controls. ● Accept : Accept the likelihood and impact of the risk. ● Share : Share risk or transfer it to someone else by buying insurance, outsourcing an activity, or entering into hedging transactions. ● Avoid : Avoid risk by not engaging in the activity that produces the risk. This may require the company to sell a division, exit a product line, or not expand as anticipated.

Bill of lading

A legal contract that defines responsibility for goods while they are in transit

File

A set of logically related records, such as payroll records of all employees

Timely information

Provided in time for decision makers to make decisions.

What is a limit check?

Used to identify field values that exceed an authorized limit.
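
An added example (not from the original flashcards) that runs three of the input controls on this page over a constructed batch of purchase orders: the sequence-code check (gaps and duplicates in prenumbered documents), a limit check on a field value, and the $100,000 controller-approval rule from the purchase-order card. The PurchaseOrder fields, the 10,000-unit quantity limit, and the sample batch are assumptions made for the example.

```python
from dataclasses import dataclass

CONTROLLER_APPROVAL_THRESHOLD = 100_000.00  # from the flashcard policy
MAX_LINE_QUANTITY = 10_000                  # assumed authorized limit for the limit check


@dataclass
class PurchaseOrder:
    po_number: int          # sequence code: prenumbered, consecutive
    vendor: str
    quantity: int
    amount: float
    approved_by: str = ""   # "controller" when the controller signed off


def sequence_gaps_and_duplicates(numbers):
    """Sequence-code check: numbers missing from the range and numbers used more than once."""
    seen, dups = set(), set()
    for n in numbers:
        (dups if n in seen else seen).add(n)
    missing = sorted(set(range(min(seen), max(seen) + 1)) - seen) if seen else []
    return missing, sorted(dups)


def limit_check(po: PurchaseOrder) -> bool:
    """Limit check: reject field values that exceed the authorized limit."""
    return po.quantity <= MAX_LINE_QUANTITY


def authorization_check(po: PurchaseOrder) -> bool:
    """Orders at or above the threshold need the controller's approval before entry."""
    return po.amount < CONTROLLER_APPROVAL_THRESHOLD or po.approved_by == "controller"


def review_batch(batch):
    """Run the input controls over a batch; returns the exceptions for follow-up."""
    missing, dups = sequence_gaps_and_duplicates(po.po_number for po in batch)
    return {
        "missing_po_numbers": missing,
        "duplicate_po_numbers": dups,
        "limit_check_failed": [po.po_number for po in batch if not limit_check(po)],
        "authorization_failed": [po.po_number for po in batch if not authorization_check(po)],
    }


# Constructed sample batch.
SAMPLE_BATCH = [
    PurchaseOrder(1001, "Acme", 50, 12_500.00),
    PurchaseOrder(1002, "Acme", 20_000, 4_000.00),                  # quantity over limit
    PurchaseOrder(1004, "Beta", 10, 250_000.00, approved_by="controller"),
    PurchaseOrder(1005, "Beta", 10, 100_000.00),                    # at threshold, not approved
    PurchaseOrder(1005, "Gamma", 5, 900.00),                        # duplicate number
]

if __name__ == "__main__":
    for name, items in review_batch(SAMPLE_BATCH).items():
        print(f"{name}: {items}")
```

A gap in the sequence (1003 here) does not prove fraud, but it is exactly the exception a detective control should surface so that someone accounts for the missing document.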

Authentication

Verifies that a person (or device) is who they claim to be

7-2. the part of the data hierarchy that represents one instance of an entity is a:

a. field b. record c. file d. database (answer: b. record)

which is a software program that runs a database system? a) DQL b) DBMS c) DML d) DDL

b) DBMS

database

an organized collection of interrelated data files, stored electronically and managed centrally

what is the formula to calculate expected loss?

expected loss = impact × likelihood

What is asymmetric cryptography?

Uses a key pair: the sender encrypts with the receiver's public key, and only the receiver's matching private key can decrypt the message. The public key can be shared openly; the private key must be kept secret.

What is the function of a CORRECTIVE control?

to remedy problems after they occur in an AIS

What can be used to assess the adequacy of a client's access controls?

" Penetration testing." Many firms are now performing penetration tests designed to assess access control by imitating known techniques that hackers use.

Which of the following is considered an intentional threat to the integrity of the operating system?

"individuals who browse the operating system to identify and exploit security flaws." These include systems programmers who access individual user files and operating systems developers who include a back door to avoid normal login procedures.

Access tests

"verify that individuals or programs are valid." Access tests verify that individuals or programs are valid. Access tests verify that individuals, programmed procedures, or messages (e.g., electronic data interchange [EDI] transmissions) attempting to access a system are authentic and valid. Access tests include verifications of user IDs, passwords, valid vendor codes, and authority tables.

The author distinguishes between the accounting information system and the management information system based on

"whether the transactions are financial or nonfinancial that directly affect the processing of financial transactions." The AIS captures financial transactions to support systems around the revenue, expenditure and conversion cycles. The MIS captures nonfinancial transactions to support systems for marketing, inventory, manufacturing and human resources.

rules of relational database

-every column must be single valued -PK cannot be null -FK (if not null) must have values that correspond to value of PK -all nonkey attributes must describe a characteristic of the object IDed PK
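
An added example, not part of the original flashcards, that serves the primary key/foreign key cards, the cash-receipts foreign-key question, the "how many televisions were sold in October" query, and these relational rules. It builds the sales, inventory, and sales-inventory tables in an in-memory SQLite database, lets the DBMS enforce the rules (PK not null, FK must match an existing PK), and runs the three-table query. Table and column names beyond those the cards mention are assumptions, and the rows are constructed sample data.

```python
import sqlite3

# Constructed schema; "sales_inventory" is the sales-inventory link table from the card.
SCHEMA = """
CREATE TABLE customer (
    customer_number TEXT PRIMARY KEY NOT NULL,
    name            TEXT NOT NULL
);
CREATE TABLE inventory (
    item_number TEXT PRIMARY KEY NOT NULL,      -- PK; NOT NULL stated explicitly because
    description TEXT NOT NULL,                  -- SQLite otherwise allows NULL in a TEXT PK
    color       TEXT,                           -- nonkey attributes describe the item
    price       REAL NOT NULL
);
CREATE TABLE sales (
    sales_invoice_number TEXT PRIMARY KEY NOT NULL,
    sale_date            TEXT NOT NULL,         -- ISO yyyy-mm-dd
    customer_number      TEXT NOT NULL REFERENCES customer(customer_number)  -- FK
);
CREATE TABLE sales_inventory (                  -- M:N link between sales and inventory
    sales_invoice_number TEXT NOT NULL REFERENCES sales(sales_invoice_number),
    item_number          TEXT NOT NULL REFERENCES inventory(item_number),
    quantity             INTEGER NOT NULL CHECK (quantity > 0),
    PRIMARY KEY (sales_invoice_number, item_number)
);
"""


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite enforces FKs only when asked
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customer VALUES (?, ?)", [("C1", "Acme"), ("C2", "Beta")])
    conn.executemany("INSERT INTO inventory VALUES (?, ?, ?, ?)", [
        ("TV-55", "television", "black", 499.0),
        ("TV-65", "television", "black", 799.0),
        ("RAD-1", "radio", "silver", 39.0),
    ])
    conn.executemany("INSERT INTO sales VALUES (?, ?, ?)", [
        ("S100", "2024-10-03", "C1"),
        ("S101", "2024-10-20", "C2"),
        ("S102", "2024-11-02", "C1"),
    ])
    conn.executemany("INSERT INTO sales_inventory VALUES (?, ?, ?)", [
        ("S100", "TV-55", 2),
        ("S100", "RAD-1", 1),
        ("S101", "TV-65", 3),
        ("S102", "TV-55", 5),      # November: must not be counted
    ])
    conn.commit()
    return conn


def televisions_sold_in_october(conn: sqlite3.Connection) -> int:
    """Needs all three tables: sales (date), sales_inventory (quantity), inventory (description)."""
    row = conn.execute("""
        SELECT COALESCE(SUM(si.quantity), 0)
          FROM sales s
          JOIN sales_inventory si ON si.sales_invoice_number = s.sales_invoice_number
          JOIN inventory i        ON i.item_number = si.item_number
         WHERE i.description = 'television'
           AND strftime('%m', s.sale_date) = '10'
    """).fetchone()
    return row[0]


def violates_integrity(conn: sqlite3.Connection, sql: str, params: tuple) -> bool:
    """True when the DBMS rejects the row for breaking a relational rule; never keeps the row."""
    try:
        conn.execute(sql, params)
        conn.rollback()
        return False
    except sqlite3.IntegrityError:
        conn.rollback()
        return True


if __name__ == "__main__":
    db = build_db()
    print("televisions sold in October:", televisions_sold_in_october(db))
    print("FK to missing item rejected:",
          violates_integrity(db, "INSERT INTO sales_inventory VALUES (?, ?, ?)", ("S100", "NOPE", 1)))
    print("NULL primary key rejected:",
          violates_integrity(db, "INSERT INTO inventory VALUES (?, ?, ?, ?)", (None, "x", None, 1.0)))
```

Leaving the foreign-key pragma off is the common mistake: the schema then documents the rule without enforcing it, and an orphaned sales line with no matching inventory item would be accepted silently.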

What are the 32 management processes set forth by COBIT 5?

COBIT 5 groups its 32 management processes into four domains: 1 Align, plan and organize (APO) 2 Build, acquire, and implement (BAI) 3 Deliver, service and support (DSS) 4 Monitor, evaluate, and assess (MEA)

The Security-Life Cycle

1 Assess threats and select risk response 2 Develop and communicate policy 3 Acquire and implement solutions 4 Monitor performance

Data Storage Elements

1 Attributes 2 Data Values 3 Field 4 Entity 5 Records

Data Processing

1 Creating 2 Reading 3 Updating 4 Deleting

A typical misappropriation has the following important elements or characteristics. The perpetrator:

1 Gains trust or confidence of the entity being defrauded 2 Uses trickery, cunning, false or misleading info to commit fraud 3 Conceals the fraud by falsifying records or other info 4 Rarely terminates the fraud voluntarily 5 Sees how easy it is to get extra money 6 Spends the ill-gotten gains 7 Gets greedy 8 Grows careless or overconfident as time passes

Internal controls are often segregated into two categories:

1 General controls make sure an organization's control environment is stable and well managed 2 Application controls prevent, detect, and correct transaction errors and fraud in application programs

Primary Activities in Value Chain

1 Inbound Logistics 2 Operations 3 Outbound Logistics 4 Marketing and Sales 5 Service

Flowcharting Symbols Categories

1 Input/Output Symbols 2 Processing Symbols 3 Storage Symbols 4 Flow and Miscellaneous Symbols

Six Data Storage Concepts

1 Ledgers 2 Coding Techniques 3 Chart of Accounts 4 Journals 5 Audit Trail 6 Computer Based Storage Concepts

Four levels of control to help management reconcile the conflict between creativity and controls are... (set by Robert Simons)

1. Belief System: describes how a company creates value 2 Boundary System: helps employees act ethically 3 Diagnostic Control System: measures, monitors, and compares actual company progress to budget and performance goals 4 Interactive Control System: helps managers to focus subordinates' attention on key strategic issues and to be more involved in their decisions

Data Input Steps (3)

1. Capture transaction data triggered by a business activity (event). 2. Make sure captured data are accurate and complete. 3. Ensure company policies are followed (e.g., approval of the transaction).

Three Important Business Functions Fulfilled by an AIS

1. Collect and store data about organizational activities, resources, and personnel. 2. Transform data into information so management can plan, execute, control, and evaluate activities, resources, and personnel. 3. Provide adequate controls to safeguard the organization's assets and data.

What are examples of corrective controls?

1. Computer incident response teams (CIRT) 2. Chief information security officer (CISO) 3. Patch management

Steps Attackers Take to Penetrate an Information System

1. Conduct reconnaissance: peruse the organization's financial statements, SEC filings, website, and press releases. The goal is to learn as much as possible about the target and to identify potential vulnerabilities. 2. Attempt social engineering (using deception to obtain unauthorized access to information resources). 3. Scan and map the target: conduct more detailed reconnaissance to identify potential points of remote entry. The attacker may use automated tools to identify computers that can be remotely accessed and the types of software they are running. 4. Research: once targets are identified, learn as much as possible about known vulnerabilities in that software. 5. Execute the attack. 6. Cover tracks: cover tracks and create "back doors" that can be used to regain access if the initial attack is discovered and controls are implemented to block that method of entry.

What are the basic steps criminals use to attack an organization's information system?

1. Conduct reconnaissance 2. Attempt social engineering (using deception to obtain unauthorized access to information resources) 3. Scan and map the target 4. Research 5. Execute the attack 6. Cover Tracks

What are ways you can make software user friendly?

1. Easy to Navigate 2. Customizable preferences 3. Efficient 4. Simple design, not too much information displayed...

Application Controls

1. Input Controls 2. Process Controls 3. Output Controls

What are the Application Controls for IT environments?

1. Input controls 2. Processing controls 3. Output controls

Four categories of flowcharting symbols

1. Input/output symbols 2. Processing symbols 3. Storage symbols 4. Flow and miscellaneous symbols

Flowchart Symbols

1. Input/output symbols show input to or output from a system. 2. Processing symbols show data processing, either electronically or by hand. 3. Storage symbols show where data is stored. 4. Flow and miscellaneous symbols indicate the flow of data, where flowcharts begin or end, where decisions are made, and how to add explanatory notes to flowcharts.

What are the three important factors that determine the strength of any encryption system?

1. Key length (longer=better) 2. Encryption Algorithm 3. Policies for managing the cryptographic keys

Components of internal environment

1. Management's philosophy, operating style, and risk appetite 2. Commitment to integrity, ethical values, and competence 3. Internal control oversight by the board of directors 4. Organizational structure 5. Methods of assigning authority and responsibility 6. Human resource standards that attract, develop, and retain competent individuals 7. External influences

COBIT 5 key principles

1. Meeting stakeholder needs: COBIT 5 helps users customize business processes and procedures to create an information system that adds value to its stakeholders. It also allows the company to create the proper balance between risk and reward. 2. Covering the enterprise end-to-end: COBIT 5 does not just focus on the IT operation; it integrates all IT functions and processes into companywide functions and processes. 3. Applying a single, integrated framework: COBIT 5 can be aligned at a high level with other standards and frameworks so that an overarching framework for IT governance and management is created. 4. Enabling a holistic approach: COBIT 5 provides a holistic approach that results in effective governance and management of all IT functions in the company. 5. Separating governance from management: COBIT 5 distinguishes between governance and management.

Activities in Expenditure Cycle

1. Ordering materials, supplies, and services 2. Receiving materials, supplies, and services 3. Approving supplier invoices 4. Cash disbursements

What steps should the CIRT team lead the organization's incident response process through?

1. Recognition that a problem exists 2. Containment of the problem 3. Recovery 4. Follow-Up

Objectives of Information Systems Audits

1. Security provisions protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction. 2. Program development and acquisition are performed in accordance with management's general and specific authorization. 3. Program modifications have management's authorization and approval. 4. Processing of transactions, files, reports, and other computer records is accurate and complete. 5. Source data that are inaccurate or improperly authorized are identified and handled according to prescribed managerial policies. 6. Computer data files are accurate, complete, and confidential.

The three major subsystems of the Accounting Information System.

1. The Management Information System 2. Transaction Processing System 3. General Ledger/Financial Reporting System

What are advantages of Batch processing?

1. Able to correct errors before posting 2. Easier to trace transactions for the auditing process 3. Segregation of duties

What are advantages of centralized processing?

1. better data security 2. consistent processing

What are the main things to assess when choosing new accounting software?

1. cost 2. budget 3. timeframe to implement

Knowledge Management Steps

1. Create a supportive organizational culture 2. Define business goals 3. Perform a knowledge audit 4. Create a visual map 5. Develop a knowledge management strategy 6. Purchase or build appropriate tools 7. Periodically reassess the value of the KMS and adjust accordingly

What are advantages of a database management system?

1. data redundancy 2. potential for data sharing between programs 3. data independence 4. data standardization 5. improved data security 6. availability of information and effectiveness

What are tips for average computer users to be safer?

1. Don't write down your password 2. Have a good antivirus 3. Never open email attachments unless you are certain of their source 4. Never click links given in an email unless you are certain they are safe 5. Avoid illegal software copying 6. Maintain complete backup files in case you must start from scratch

Match each description to its corresponding framework: 1. it contains only five components 2. it uses a three-dimensional model 3. it consolidates control standards from 36 control standards into a single framework

1. it contains only five components = COSO's internal control framework 2. it uses a three-dimensional model = COSO's enterprise risk management framework 3. it consolidates control standards from 36 control standards into a single framework = COBIT framework

What are the characteristics of a strong password?

1. Length (longer is stronger) 2. Complexity (numbers, lowercase, uppercase, non-numeric characters) 3. Frequency of password change 4. Password reuse (don't reuse a password)

What are disadvantages of shadow data?

1. poor error testing 2. poor data security 3. poor documentation

Data flow diagram

1. Data flow diagrams represent the flow of data through a system such as one or more business processes. 2. They are constructed with increasing detail to facilitate new system design. 3. They use a limited set of symbols and are easy to read and understand. 4. They are created in pairs: physical views (which position does the work) and logical views (what work gets done).

25. Which of the following is an example of an input error correction technique? a. immediate correction b. rejection of batch c. creation of error file d. all are examples of input error correction techniques

D

b. may take the form of either a SYN flood or smurf attack.

A DDoS attack a. is more intensive than a DoS attack because it emanates from a single source. b. may take the form of either a SYN flood or smurf attack. c. is so named because it affects many victims simultaneously, which are distributed across the Internet. d. turns the target victim's computers into zombies that are unable to access the Internet. e. none of the above is correct.

computer processing

A computer-performed processing function; usually results in a change in data or information

Audit Trail

A path that allows a transaction to be traced through a data processing system from point of origin to output or backwards from output to point of origin. It is used to check the accuracy and validation of ledger postings and to trace changes in general ledger accounts from their beginning balance to their ending balance

Master File

A permanent file of records that stores cumulative data about an organization. As transactions take place, individual records within a master file are updated to keep them current.

Pressure

A person's incentive or motivation for committing fraud; split into financial statement pressure triangle and employee pressure triangle

detective control

A physical inventory count is an example of a A. preventive control B. detective control C. corrective control D. Feed-forward control

Document

A record of a transaction or other company data. Examples include checks, invoices, receiving reports, and purchase requisitions.

Enterprise Resource Planning Systems (ERP)

A system that integrates all aspects of an organization's activities, such as accounting, finance, marketing, human resources, manufacturing, and inventory management, into one system. An ERP system is modularized; companies can purchase individual modules that meet their specific needs. An ERP facilitates information flow among the company's various business functions and manages communications with outside stakeholders.

ERP System

A system that integrates an organisation's information into one overall AIS

What is an accounting information system?

A system that records, processes, and reports both financial and non-financial information.

e. none of the above.

A user's application may consist of several modules stored in separate memory locations, each with its own data. One module must not be allowed to destroy or corrupt another module. This is an objective of a. EDI controls. b. network controls. c. computer center and security controls. d. application controls. e. none of the above.

Business Process Diagram

A visual way to describe the different steps or activities in a business process

Cross-Site Scripting (XSS)

A vulnerability in dynamic web pages that allows an attacker to bypass a browser's security mechanisms and instruct the victim's browser to execute code, thinking it came from the desired website

C: Change management.

According to COSO, the use of ongoing and separate evaluations to establish a new baseline after changes have been made can best be accomplished in which of the following stages of the monitoring-for-change continuum? A: Control baseline. B: Change identification. C: Change management. D: Control revalidation/update.

B: A comprehensive marketing plan is implemented, and management reviews actual performance to determine the extent to which benchmarks were achieved.

According to COSO, which of the following activities provides an example of a top-level review as a control activity? A: Computers owned by the entity are secured and periodically compared with amounts shown in the records. B: A comprehensive marketing plan is implemented, and management reviews actual performance to determine the extent to which benchmarks were achieved. C: Reconciliations are made of daily wire transfers with positions reported centrally. D: Verification of status on a medical claim determines whether the charge is appropriate for the policy holder.

C: Information and communication.

According to the 17 COSO control principles, information quality primarily relates to which fundamental component of internal control: A: Control activities. B: Control environment. C: Information and communication. D: Monitoring.

B: The responsibilities never transfer to the outsourced party.

According to the COSO internal control framework, if an organization outsources certain activities within the business to an outside party: A: Responsibility also transfers to the outside party. B: The responsibilities never transfer to the outsourced party. C: The responsibilities only transfer if the outside party explicitly agrees to accept responsibility. D: The organization is no longer accountable for the outsourced activities.

Human Resources/Payroll Cycle

Activities associated with hiring, training, compensating, evaluating, promoting, and terminating employees.

Expenditure cycle

Activities associated with purchasing inventory for resale or raw materials in exchange for cash or a future promise to pay cash

Revenue cycle

Activities associated with selling goods and services in exchange for cash or a future promise to receive cash

Sarbanes-Oxley Act (2002)

Addresses plummeting institutional and individual investor confidence triggered in part by business failures and accounting restatements. Written to deal with problems related to capital markets, corporate governance, and the auditing profession, and has fundamentally changed the way public companies do business and how the accounting profession performs its attest function.

D: Unusual and manually posted.

Adjusting journal entries are of additional concern when they are A: Automated accruals or deferrals. B: RFID driven. C: Unusual and automated. D: Unusual and manually posted.

C: The controller.

Adjusting journal entries are often the responsibility of A: Production managers. B: The corporate finance officer. C: The controller. D: The JE clerk.

Flowchart

An analytical technique that uses a standard set of symbols to describe pictorially some aspect of an IS in a clear, concise and logical manner

Foreign Key

An attribute in a table that is also a primary key in another table; used to link the two tables. If not null, foreign keys must have values that correspond to the value of a primary key in another table (referential integrity rule).

B: Increased responsiveness and flexibility while aiding in the decision-making process.

An enterprise resource planning (ERP) system has which of the following advantages over multiple independent functional systems? A: Modifications can be made to each module without affecting other modules. B: Increased responsiveness and flexibility while aiding in the decision-making process. C: Increased amount of data redundancy, since more than one module contains the same information. D: Reduction in costs of implementation and training.

Investigative Audit

An examination of incidents of possible fraud, misappropriation of assets, waste and abuse, or improper governmental activities

Prototyping

An experimental version of the system requested by users

C: Strategy and Objective-Setting

AppleNCheese Food Products recently completed a systematic analysis of the political, economic, social, technological, legal, and environmental conditions that it expects in the short and the long term. This analysis most likely occurs as a part of which component in the ERM framework? A: Governance and Culture B: Performance C: Strategy and Objective-Setting D: Information, Communication, and Reporting

What items are reported on a Balance Sheet?

Assets, liabilities, and owner's equity.

22. Risk exposures associated with creating an output file as an intermediate step in the printing process (spooling) include all of the following actions by a computer criminal except a. gaining access to the output file and changing critical data values b. using a remote printer and incurring operating inefficiencies c. making a copy of the output file and using the copy to produce illegal output reports d. printing an extra hardcopy of the output file

B

Which of the following controls would best prevent the lapping of AR? A. segregate duties so that the clerk responsible for recording in the AR subsidiary ledger has no access to the general ledger B. request that customers review their monthly statements and report any unrecorded cash payments C. separate the tasks of depositing cash receipts and posting to the AR subledger D. request that customers make checks payable to the company

B

Which of the following is an example of an input control? a. making sure that output is distributed to the proper people b. monitoring the work of programmers c. collecting accurate statistics of historical transactions while gathering data d. recalculating an amount to ensure its accuracy e. having another person review the design of a business form

B

An employee in the receiving department keyed in a shipment from a remote terminal and inadvertently omitted the purchase order number. The best application control to detect this error would be a A. batch total B. missing data check C. completeness check D. reasonableness test E. compatibility test

B

A: An aged trial balance, to determine the age and collectability of accounts receivable.

Billy Bigswater reviews a listing of each customer and how long each amount owed by a customer has been outstanding. This is most likely A: An aged trial balance, to determine the age and collectability of accounts receivable. B: A customer order document, to determine if the correct items were shipped to a customer. C: A customer invoice, to determine if a customer's bill is correct. D: A bill of lading, to determine if the correct items were shipped to a customer.

Block code

Blocks of numbers that are reserved for specific categories of data, thereby helping to organize the data. An example is a chart of accounts.

UNIT 5 FORM A - How are vendors able to reduce the unit cost of general accounting systems to a fraction of in-house development costs?

"By mass producing a standard system." By mass producing a standard system, the vendor can reduce the unit cost of these systems to a fraction of in-house development costs.

In an automated payroll processing environment, a department manager substituted the time card for a terminated employee with a time card for a fictitious employee. The fictitious employee had the same pay rate and hours worked as the terminated employee. The best control to detect this action using employee identification numbers is a A. batch total B. record count C. hash total D. subsequent check E. financial total

C

cost of services

COS

Data Input

Capture transaction data and enter them into the system. The data capture process is usually triggered by a business activity. Data must be collected about three facets of each business activity: 1. Each activity of interest 2. The resource(s) affected by each activity 3. The people who participate in each activity

Source Data Automation

Captures data at the source when the transaction takes place

Transaction found under financing cycle

Cash position analysis, debt repayment schedule, debt covenant management, sending information to other business cycles.

Endpoints

Collective term for the workstations, servers, printers, and other devices that comprise an organization's network

COSO

Committee of Sponsoring Organizations (e.g., AICPA, AAA, FEI); guidance for evaluating internal control systems for management. Components: control environment, risk assessment, control activities, information and communication, monitoring.

The Conversion Cycle

Comprised of the production system and the cost accounting system. Production System: involves the planning, scheduling, and control of the physical product through the manufacturing process. The Cost Accounting System: monitors the flow of cost information including labor, overhead and raw materials related to production.

Nonrepudiation

Creating legally binding agreements that cannot be unilaterally repudiated by either party

Chief Information Security Officer

Critical enabler to achieve effective controls and security. Should be independent of other information systems functions and should report to either the COO or CEO

IT Controls that are used to preserve confidentiality

Encryption; training; access controls; identifying and classifying information

Which of the following is NOT a test for identifying application errors? a. reconciling the source code b. reviewing test results c. retesting the program d. testing the authority table

D

Which of the following situations is NOT a segregation of duties violation? A. the treasurer has the authority to sign checks but gives the signature block to the assistant treasurer to run the check-signing machine B. the warehouse clerk, who has custodial responsibility over inventory in the warehouse, selects the vendor and authorizes purchases when inventories are low C. the sales manager has the responsibility to approve credit and the authority to write off accounts D. the department time clerk is given the undistributed payroll checks to mail to absent employees E. the accounting clerk who shares the record-keeping responsibility for the AR subsidiary ledger performs the monthly reconciliation of the subsidiary ledger and the control account

D

Takes place as transactions are entered into the system

Data validations of individual transactions in a direct access file processing system usually A. takes place in a separate computer run B. is performed at the beginning of each run C. takes place as transactions are entered into the system D. takes place during a backup procedure E. Is not performed because no batch exists in direct access file systems F. Is performed at the beginning of each run

Internal controls related to XBRL - risk of compromised data

Daily data backups, firewalls, mandatory password changes, "strong" password requirements, password-protected access, virus protection software

Steps in the data processing cycle

Data Input, Data Storage, Data Processing, Information Output

Data Processing Cycle

Data Input, Data Processing, Information Output, Data Store

The advantages of database systems

Data integration, data sharing, minimal data redundancy and data inconsistencies, data independence, cross-functional analysis

What is the difference between data and information?

Data are raw facts (i.e., numbers) that describe an event and have little meaning on their own. Information is data organized to be meaningful for the user. Data serves as an input.

Which access point is the most common for committing computer fraud?

"Data collection." The data collection stage is the most common access point for perpetrating computer fraud.

B: staffing increases or decreases due to restructuring; email about decision making and performance.

Data from ______________ is typically structured, while data from ________ is typically unstructured. A: board meeting minutes; a governmental water scarcity report that is used by a beverage company B: staffing increases or decreases due to restructuring; email about decision making and performance. C: emerging interest in a new product from a competitor; an entity's risk tolerance D: marketing reports from website tracking services; government-produced geopolitical reports and studies

Processing Controls

Data matching, file labels, batch total recalculation, cross-footing and zero-balance tests, and write protection

The COBIT 5 Framework

Describes best practices for the effective governance and management of IT: 1. Meeting stakeholder needs 2. Covering the enterprise end-to-end 3. Applying a single, integrated framework 4. Enabling a holistic approach 5. Separating governance from management. Five processes referred to as EDM (evaluate, direct and monitor) (Governance).

Belief system

Describes how a company creates value, helps employees understand management's vision, communicates company core values, and inspires employees to live by those values

Detective controls

Designed to discover control problems that were not prevented

Risk Based Audit Approach

Determine threats, Identify control procedures, evaluate control procedures and evaluate control weakness

Transaction Authorization

Ensuring that all material transactions processed by the information system are valid and in accordance with management's objectives is an example of A. transaction authorization B. Supervision C. Accounting Records D. Independent Verification

COSO-ERM

Enterprise Risk Management. OBJECTIVES: reasonable assurance that problems/surprises are minimized; achieve financial/performance targets; assess risk continuously and how to mitigate it; avoid adverse publicity. Components: internal environment, objective setting*, event identification*, risk assessment*, risk response*, control activities, information & communication, monitoring

Information Systems (Internal Control) Audit

Examination of the general and application controls of an IS to assess its compliance with internal control policies and procedures and its effectiveness in safeguarding assets

Information overload

Exceeding the amount of information a human mind can absorb and process, resulting in a decline in decision-making quality and an increase in the cost of providing information

3. Identify the purpose and basic activities of the expenditure cycle.

Expenditure Cycle - A recurring set of business activities and related data processing operations associated with the purchase of and payment for goods and services. The primary objective of the expenditure cycle is to minimize the total cost of acquiring and maintaining inventories, supplies, and the various services the organization needs to function. a. *Ordering materials, supplies, and services* b. *Receiving materials, supplies, and services* c. *Approving supplier invoices* Threats: 1. errors on supplier invoices, such as discrepancies between quoted and actual prices charged or miscalculations of the total amount due; 2. incorrect postings to A/P. d. *Cash disbursements*

What is a system flowchart?

Flowcharts used to show the relationship between the key elements - input sources, programs, and output products - of computer systems.

Normalization

Following relational database creation rules to design a relational database that is free from delete, insert, and update anomalies

Hijacking

Gaining control of someone else's computer to carry out illicit activities, such as sending spam without the computer user's knowledge

What is a digital dashboard?

Graphs and charts of key performance indicators are displayed on a single screen.

Special Purpose Analysis Reports

Have no specified content or format and are not prepared on a regular schedule

C: An anonymous hotline set up by Jiffy Grill.

Henry Higgins of Jiffy Grill has learned that the controller is likely embezzling money to fund an expensive drug and gambling habit. Ideally, Henry should communicate this information to: A: The controller. B: His boss. C: An anonymous hotline set up by Jiffy Grill. D: His employees.

C: Picking ticket.

Hildegard works at Amazon in the warehouse. What is the screen called that she most likely uses to assemble the goods for customers' orders for shipping? A: Sales order. B: Invoice. C: Picking ticket. D: Bill of lading.

Limited Brands supply case

How did Limited Brands solve these problems? What management, organization, and technology issues were addressed by the solution? Ans. Revolutionized their supply chain software. Management - Limited Logistics Services launched several programs in an attempt to ease the supply chain problems. Organization - Limited Brands united their entire information operations under one entity called Limited Technologies Services. Technology - Contracted Tibco to create a global SCM; enabled OSCAR.

D: Reducing system complexity

Hubert Humbert Fashion Designers is considering implementing an organization-wide ERP. Which of the following is least likely to be a motivation for implementing such a system? A: Reducing and eliminating data redundancy B: Improving organizational agility C: Improving data analytic capabilities D: Reducing system complexity

Corrective controls

Identify and correct problems as well as correct and recover from the resulting errors

4. Interpret a document flowchart and its components.

Illustrates the flow of documents and data among areas of responsibility within an organization. They trace a document from its cradle to its grave, showing where each document originates, its distribution, its purpose, its disposition, and everything that happens as it flows through the system.

Time-Based Model of Security

Implementing a combination of preventive (P), detective (D), and corrective (C) controls that protect information assets long enough to enable an organization to recognize that an attack is occurring and take the steps to thwart it before any information is lost or compromised

c. authorized trading partners have access only to approved data

In an electronic data interchange (EDI) environment, when the auditor compares the terms of the trading partner agreement against the access privileges stated in the database authority table, the auditor is testing which audit objective? a. all EDI transactions are authorized b. unauthorized trading partners cannot gain access to database records c. authorized trading partners have access only to approved data d. a complete audit trail is maintained

c. access the vendor's inventory file with read-only authority

In an electronic data interchange (EDI) environment, customers routinely a. access the vendor's accounts receivable file with read/write authority b. access the vendor's price list file with read/write authority c. access the vendor's inventory file with read-only authority d. access the vendor's open purchase order file with read-only authority

ERP System

Increased responsiveness and flexibility while aiding in the decision-making process. It is an enterprise-wide information system designed to coordinate all the resources, information, and activities needed to complete business processes such as order fulfillment or billing.

Disadvantages of Outsourcing

Inflexibility, loss of control, reduced competitive advantage, lock-in system, unfulfilled goals, poor service, increased risk

Data dictionary

Information about the structure of the database, including a description of each data element

What is mandatory information?

Information that is mandatory by law.

D: Recruiting and hiring employees.

James Victor's Snickers Joke House hires illegal workers. Which of the core activities of the HR department should have identified and prevented this violation of law? A: Complying with laws and regulations. B: Training and development. C: Salaries and benefits. D: Recruiting and hiring employees.

D: Monitor more important risks using direct information and less important risks using indirect information

Jeffrey Smiggles of Rajon Rondo Sportswear has developed a software application that helps monitor key production risks at company factories. In order to reduce costs, his approach to monitoring risks is likely to be: A: Monitor all risks using indirect information. B: Monitor all risks using direct information. C: Monitor more important risks using indirect information and less important risks using direct information. D: Monitor more important risks using direct information and less important risks using indirect information

B: Sharing.

Layton Company has implemented an enterprise risk management system and has responded to a particular risk by purchasing insurance. Such a response is characterized by COSO's Enterprise Risk Management Framework as: A: Avoidance. B: Sharing. C: Acceptance. D: Reduction.

prevents employee collusion to commit fraud

Management can expect various benefits to follow from implementing a system of strong internal control. Which of the following benefits is least likely to occur? A. reduced cost of an external audit. B. prevents employee collusion to commit fraud. C. availability of reliable data for decision-making purposes. D. some assurance of compliance with the Foreign Corrupt Practices Act of 1977.

A: Technology can identify conditions and circumstances that indicate that controls have failed or risks are present.

Management of Johnson Company is considering implementing technology to improve the monitoring of internal control. Which of the following best describes how technology may be effective at improving internal control monitoring? A: Technology can identify conditions and circumstances that indicate that controls have failed or risks are present. B: Technology can ensure that items are processed accurately. C: Technology can provide information more quickly. D: Technology can control access to terminals and data.

D: Sharing.

Management of Warren Company has decided to respond to a particular risk by hedging the risk with futures contracts. This is an example of risk A: Avoidance. B: Acceptance. C: Reduction. D: Sharing.

C: Production

Mars Dreamy Clothing is a retailer with 15 locations. Which cycle is likely of least importance to Mars? A: Financing B: General ledger C: Production D: Revenue

Diagnostic control system

Measures, monitors, and compares actual company progress to budgets and performance goals

Balance-forward method

Method of maintaining accounts receivable in which customers typically pay according to the amount shown on a monthly statement, rather than individual invoices

data encryption

Methods used to maintain an audit trail in a computerized environment include all of the following EXCEPT A. transaction logs B. unique transaction identifiers C. data encryption D. log of automatic transactions

Forms of fraud

Misappropriation of Assets and Fraudulent Financial Reporting

Investment Fraud

Misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little or no risk (ponzi schemes and securities fraud)

A: Guide managers, users, and auditors to adopt best practices related to the management of information technology.

One important purpose of COBIT is to A: Guide managers, users, and auditors to adopt best practices related to the management of information technology. B: Identify specific control plans that should be implemented to reduce the occurrences of fraud. C: Specify the components of an information system that should be installed in an e-commerce environment. D: Suggest the type of information that should be made available for management decision making.

What do we mean by the "matching principle?"

One of the basic underlying guidelines in accounting. Directs a company to report an expense on its income statement in the same period as the related revenues.

Foreign Corrupt Practices Act (FCPA) (1977)

Passed to prevent companies from bribing foreign officials to obtain business

Preventive Internal Controls

Passive techniques designed to reduce the frequency of occurrence of undesirable events.

C: Data-driven DSSs.

Peetie's Pet Care has a system that examines large data sets to determine patterns in clients' use of its facilities. This is most likely an example of: A: Operational systems. B: Management information systems (MISs). C: Data-driven DSSs. D: Model-driven DSS.

Preventive Controls

People:
- Creation of a "security-aware" culture
- Training
Processes:
- User access controls (authentication & authorization)
IT Solutions:
- Anti-malware
- Network access controls (firewalls, intrusion prevention systems, etc.)
- Device & software hardening (configuration controls)
- Encryption
Physical Security:
- Access controls (locks, guards, etc.)
Change controls and change management

Master File

Permanent records, updated by transaction with the transaction file

Ciphertext

Plaintext that was transformed into unreadable gibberish using encryption

Control Activities

Policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out

4. Describe the process for determining if the new AIS meets post-implementation objectives.

Postimplementation Review - Review made after a new system has been operating for a brief period to ensure that the new system is meeting its planned objectives, identify the adequacy of system standards, and review system controls.
Postimplementation Review Report - A report that analyzes a newly delivered system to determine if the system achieved its intended purpose and was completed within budget.
Table of Contents
I. Executive Summary of Postimplementation Review
II. Overview of Development Project
III. Evaluation of the Development
   A. Degree to Which System Objectives Were Met
   B. Analysis of Actual vs. Expected Costs and Benefits
   C. User Reactions and Satisfaction
IV. Evaluation of Project Development Team
V. Recommendations
   A. Recommendations for Improving the New System
   B. Recommendations for Improving the System Development Process
VI. Summary

Understandable information

Presented in a useful and intelligible format.

Conditions of Fraud

Pressures, Opportunities and Rationalisation

1. Explain how a well-designed AIS can help identify business problems and potential resolutions.

Prototyping
Advantages:
a. Better definition of user needs
b. Higher user involvement and satisfaction
c. Fewer errors
d. More opportunity for changes
e. Less costly
Disadvantages:
f. Significant user time
g. Less efficient use of system resources
h. Inadequate testing and documentation
i. Negative behavioral reactions
j. Never-ending development

Penetration Test

Provides a more rigorous way to test the effectiveness of an organization's information security. It is an authorized attempt to break into the organization's information system.

Financial statements and internal controls.

Public company external audit firms must audit their clients': A: Financial statements. B: Internal controls. C: Financial statements and internal controls. D: Neither financial statements nor internal controls.

Turnaround Document

Records of company data sent to an external party and then returned to the system as input (sales orders, purchase orders, employee time cards)

What are retained earnings?

Refer to the percentage of net earnings not paid out as dividends, but retained by the company to be reinvested in its core business, or to pay debt.

A: Purchase orders.

Reggie is the purchasing agent for a wholesale paint store (Ye Ol' Paint Pots). Reggie's cousin, Earl-the-Earl, owns a small paint store. Reggie arranged for paint to be delivered to Earl-the-Earl's stores from paint manufacturers, thereby allowing Earl-the-Earl to get the paint at a wholesale (cheaper) price, which violates a policy of the Ye Ol' Paint Pots. Reggie was most likely able to violate this policy because of a failure in Ye Ol' Paint Pots' controls related to: A: Purchase orders. B: Cash disbursements. C: Bills of lading. D: Inventory control.

Characteristics of useful information

Relevant, reliable, complete, timely, verifiable, and accessible

What are the major transaction cycles?

Revenue Cycle
Expenditure Cycle
Production or Conversion Cycle
Human Resources/Payroll Cycle
Financing Cycle

C: Make changes to both the live and archive copies of programs.

Roberta is a programmer who writes applications for Parsnips Health Care. She also has access to the file library. This is a concern because she may: A: Grant system access inappropriately to others. B: Make changes in applications. C: Make changes to both the live and archive copies of programs. D: Fail to follow system change protocols.

Validity Check

Routines in a data entry program that test the input for correct and reasonable conditions, such as account numbers falling within a range, numeric data being all digits, dates having a valid month, day and year, etc. Example: When you enter your Social Security Number, the input test ensures that you have entered 9 digits.

to ensure that all data input is validated

Run-to-run control totals can be used for all of the following except a. to ensure that all data input is validated b. to ensure that only transactions of a similar type are being processed c. to ensure the records are in sequence and are not missing d. to ensure that no transaction is omitted

Information Rights Management (IRM)

Software that offers the capability not only to limit access to specific files or documents, but also to specify the actions (read, copy, print, download, etc) that individuals who are granted access to that resource can perform. Some IRM software even has the capability to limit access privileges to a specific period of time and to remotely erase protected files

Reports

System output, organized in a meaningful fashion, that is used by employees to control operational activities, by managers to make decisions and design strategies, and by investors and creditors to understand a company's business activities.

Boundary system

System that helps employees act ethically by setting boundaries on employee behavior

The Management Information System

System that processes non financial transactions not normally processed by traditional accounting information systems.

Systems Development Lifecycle

Systems analysis, conceptual design, physical design, implementation and conversion, operations and maintenance

True or False - Documentation methods such as DFDs, BPDs, and flowcharts save both time & money, adding value to an organization

TRUE

true or false - resistance is often a reaction to the methods of instituting change rather than to change itself

TRUE

Cloud Computing

Takes advantage of the high bandwidth of the modern global telecommunication network to enable employees to use a browser to remotely access software (software as a service), data storage devices (storage as a service), hardware (infrastructure as a service), and entire application environments (platform as a service). This arrangement is referred to as a "private", "public", or "hybrid" cloud depending upon whether the remotely accessed resources are entirely owned by the organization, a third party, or a mix of the two.

What are substantive tests?

Tests that determine whether database contents fairly reflect the organization's transactions.

What are tests of controls?

Tests that establish whether internal controls are functioning properly.

MOD 14- Which of the following is true about the black box approach to auditing computer applications?

"The application does not need to be removed from service and tested directly." The black box approach (also called auditing around the computer) does not require the application to be removed from service and tested directly.

Cost-effective Controls

The benefits of an internal control procedure must exceed its costs. Cost-effective controls should be implemented to reduce risk. Risk can be accepted if it is within the company's risk tolerance range.

C: A purchase requisition.

The best control to avoid ordering unneeded goods is A: A receiving report. B: A vendor invoice. C: A purchase requisition. D: Automated payment.

Source Data Automation

The collection of transaction data in machine readable form at the time and place of origin

Source Data Automation

The collection of transaction data in machine-readable form at the time and place of origin. Examples are point-of-sale terminals and ATMs.

Internal Environment

The company culture that is the foundation for all other ERM components as it influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk

Database System

The database, the DBMS, and the application programs that access the database through the DBMS.

A: CustomerNumber is an example of a field.

The following customer data is stored in the sales processing system of a regional produce distributor: CustomerNumber, CustomerName, CustomerPhone, CustomerContact, CustomerCreditLimit. Which of the following is true? A: CustomerNumber is an example of a field. B: CustomerNumber is an example of a data value. C: CustomerNumber is an example of a record. D: All of the above are true.

Control Account

The general ledger account corresponding to a subsidiary ledger

A: Transactions, reports

The general ledger cycle receives _____________ and generates ________________. A: Transactions, reports B: Reports, transactions C: Reports, funds D: Controls, funds

independent verification

The office manager forgot to record in the accounting records the daily bank deposit. Which control procedure would most likely prevent or detect this error? A. segregation of duties B. independent verification C. accounting records D. supervision

Database administrator

The person responsible for coordinating, controlling, and managing the database

Key Escrow

The process of storing a copy of an encryption key in a secure location

Internal Controls

The processes and procedures implemented to provide reasonable assurance that control objectives are met

Which trait is associated with an antiviral program?

"The program is a safeguard for mainframes, networks, and personal computers." Antiviral programs are used to safeguard mainframes, networks, and personal computers.

Database management system (DBMS)

The program that manages and controls the data and the interfaces between the data and the application programs that use the data stored in the database

Database Management System (DBMS)

The program that manages and controls the data and the interfaces between the data and the application programs that use the data stored in the database

Attributes

The properties, identifying numbers, and characteristics of interest of an entity that are stored in a database (employee number, pay rate, name and address)

HRM/Payroll Cycle

The recurring set of business activities and data processing operations associated with effectively managing the employee workforce.

Revenue Cycle

The recurring set of business activities and data processing operations associated with providing goods and services to customers and collecting cash in payment for those sales. *Primary objective is to provide the right product in the right place at the right time for the right price*

Implementation of the control procedure should not have a significant adverse effect on efficiency or profitability

The underlying assumption of reasonable assurance regarding implementation of internal control means that A. auditors are reasonably assured that fraud has not occurred in the period B. auditors are reasonably assured that employee carelessness can weaken an internal control structure C. Implementation of the control procedure should not have a significant adverse effect on efficiency or profitability D. management assertions about control effectiveness should provide auditors with reasonable assurance E. a control applies reasonably well to all forms of computer technology

Controls for Processing Integrity - Processing

Threats/Risks: Errors in output and stored data
Controls: Data matching, file labels, batch totals, cross-footing and zero-balance tests, write-protection mechanisms, database processing integrity controls

Functions of Control

Three functions of internal controls are: preventive, detective, and corrective controls.

C: A higher return.

To be willing to accept higher risk, an organization should expect _________ A: A higher strategy. B: Vision questing. C: A higher return. D: A lower performance severity.

D: The planning and logistics team, which is responsible for opening new offices, is operating below capacity.

Umbrella Corporation sells office and factory equipment. Company management is concerned that the company has not assumed sufficient risks in opening new offices. Which of the following results would best indicate that the company has not assumed sufficient risk? A: The company opened more new offices than expected. B: A 4% decrease in calls to the whistleblower hotline. C: Firing the CRO. D: The planning and logistics team, which is responsible for opening new offices, is operating below capacity.

Understand the proper accounting for unearned revenue.

Unearned revenue should not be included as income yet; rather, it is recorded as a liability.

Spam

Unsolicited e-mail that contains either advertising or offensive content.

Spam

Unsolicited email that contains advertising or offensive content

Internal control flowchart

Used to describe, analyze, and evaluate internal controls, including identifying system strengths, weaknesses, and inefficiencies

C: Character, field, record, file.

What is the correct ascending hierarchy of data in a system? A: Character, record, file, field. B: Field, character, file, record. C: Character, field, record, file. D: Field, record, file, character.

Goal conflict

When a subsystem's goals are inconsistent with the goals of another subsystem or the system as a whole

Describe the Financing Cycle.

Where companies sell shares in the company to investors and borrow money, and where investors are paid dividends and interest is paid on loans. Activities include:
~ Forecast cash needs
~ Sell stock/securities to investors
~ Borrow money from lenders
~ Pay dividends to investors and interest to lenders
~ Retire debt
~ Prepare management reports
~ Send appropriate information to the other cycles

D: Ledgers, journals, invoices

_____, ______, and ______ are all elements of a manual accounting system. A: Journals; ledgers; e-vouchers B: Ledgers, automated transactions, assets C: Journals, receivables ledgers, concentration of information D: Ledgers, journals, invoices

General Journal

a journal used to record infrequent or nonroutine transactions, such as loan payments and end-of-period adjusting and closing entries.

What is data encryption?

a method of scrambling a readable message/document into an unreadable message/document

What is a workstation?

a node operated by end users

10-9. if a manager wanted to sort out any differences between quantities or amounts on the purchase order, the receiving report, and the purchase invoice, which of the following AIS reports would be most useful?

a. a purchase analysis report b. an inventory control report c. a check register report d. a discrepancy report *

4-1. all of the following are reasons why IT is important to accountants except:

a. accountants often help clients make IT decisions b. auditors must evaluate computerized systems c. IT questions often appear on professional certification exams *d. the costs of IT are skyrocketing

6-5. In selecting a new AIS, the steering committee should consider:

a. all expected costs and benefits of the new systems, including maintenance and operating costs b. support that a vendor can provide, including training, maintenance, and backup *c. compatibility of new system with existing systems d. all of the above are considerations in selecting a new system e. only a & b are important considerations in selecting the new systems

15-3. auditing around the computer:

a. is the approach to auditing that is recommended in most cases to reduce IT audit costs b. focuses on computerized control procedures c. assumes that accurate output is sufficient evidence that processing operations are appropriate * d. follows the audit trail through internal computer operations

15-7. in auditing program change control, the IT auditor will:

a. make sure that only computer programmers have tested the changes they made to programs b. ensure an organization is following the process described in their documentation for program change control * c. not need to inspect program authorization forms for signatures d. make sure that only computer programmers move their own changes into a production environment

8-2. the difference between (1) a database management system (DBMS) and (2) a database is:

a. nothing - these terms are synonyms b. the first is hardware, the second is software c. the first is program software, the second is proprietary data and related files* d. the first refers to a complete accounting system, the second refers to a subset of that

15-6. which of the following is NOT an audit technique for auditing computerized AIS?

a. parallel simulation b. use of specialized control software c. continuous auditing d. all of the above are techniques used to audit computerized AIS *

Tracing is a technique that a. performs an electronic walk through of computed logic b. allows test data to be merged with production data and traces the effects in the database c. reviews interest calculations to identify a salami fraud d. none of these

a. performs an electronic walk through of computed logic

14-3. fault-tolerant systems are designed to tolerate computer errors and are built on the concept of ________

a. redundancy * b. COBIT c. COSO d. integrated security

Firm Infrastructure

accounting, finance, legal, and general administrative activities that allow an organization to function

Technology

activities improve a product or service

Human Resources

activities include recruiting, hiring, training, and compensating employees

Purchasing

activities procure raw materials, supplies, machinery, and the buildings used to carry out the primary activities

Service

activities provide post-sale support to customers

outbound logistics

activities that warehouse and distribute the finished goods to the customers

Operations

activities transform inputs into final products or services

which two activities occur during the A/R file updating process?

adding a transaction amount to a customer's account balance; comparing the customer's new balance to the customer's credit limit

Billing Schemes

also known as vendor fraud, and are perpetrated by employees who cause their employer to issue a payment to a false supplier (vendor) by submitting invoices for fictitious goods or services, inflated invoices, or invoices for personal purchases.

risk appetite

amount of risk a company is willing to accept in order to achieve its goals and objectives

improving products or services through information that increases quality and reduces costs, providing timely and reliable information to decision makers

an AIS provides value by:

fraud

any and all means a person uses to gain an unfair advantage over another person. Elements:
- false statement, representation, or disclosure
- material fact
- intent to deceive
- justifiable reliance
- injury/loss

What is a NODE?

any device connected to a network

"audit trail"

audit trail - A path that allows a transaction to be traced through a data processing system from point of origin to output or backwards from output to point of origin. It is used to check the accuracy and validity of ledger postings and to trace changes in general ledger accounts from their beginning balance to their ending balance.

accessible

available to users when they need it and in a format they can use

risk response

avoid, reduce, share, accept

Which transaction cycle includes interactions between an organization and its suppliers? a. Revenue cycle b. Expenditure cycle c. HR/payroll cycle d. GL and reporting system

b) Expenditure cycle

Which would contain the total value of all inventory owned by an organization? a. Source document b. General ledger c. Cash budget

b) General ledger

which is the planning technique that identifies implementation activities & their relationships, constructs a network of arrows & nodes, and then determines the critical path thru the network? a) Gantt chart b) PERT diagram c) physical model d) data flow diagram

b) PERT diagram

all are recommended guidelines for making flowcharts more readable, clear, concise, consistent, and understandable EXCEPT: a) divide a document flowchart into columns w/labels b) flowchart all data flows, especially exception procedures & error routines c) design flowchart so that flow proceeds from top to bottom and from left to right d) show the final disposition of all documents to prevent loose ends that leave the reader dangling

b) flowchart all data flows, especially exception procedures & error routines

which type of fraud is associated w/50% of all auditor lawsuits? a) kiting b) fraudulent financial reporting c) Ponzi schemes d) lapping

b) fraudulent financial reporting

how a user conceptually organizes & understands data is referred to as the a) physical view b) logical view c) data model view d) data organization view

b) logical view

the relational data model portrays data as being stored in a) hierarchies b) tables c) objects d) files

b) tables

how can an AIS add value for the value chain activity of operations?

by transforming inputs into final products or services

update anomaly

changing the customer data would require reviewing the entire table and selecting each occurrence for that one change

relevant, reliable, complete, timely, understandable, verifiable, accessible

characteristics of useful information

which control is applied to the payroll preparation step of the payroll cycle?

comparing hash totals of employee numbers

When an employee attempts to access a particular information systems resource, the system performs a ....

compatibility test

What is decentralized processing?

computer applications and processing are distributed over many locations

Carter's Taxonomy - incidental

computer is not required for the crime but is related to the criminal act

What are routing devices?

computers used for directing traffic on a network (IE bridges, routers, and gateways)

lapping

concealing theft of $ by means of a series of delays in posting collections to A/R; pocketing cash until the posting date, which will be covered by the next customer's payment (Ponzi scheme)

opportunity

condition/situation that allows a person/org to commit/conceal a dishonest act & convert it to personal gain: commit, conceal, convert

inbound logistics

consists of receiving, storing, and distributing the materials an organization uses to create the services and products it sells

What is C2C?

consumers sell to each other (IE FaceBook Marketplace)

fields

contain data about one customer e.g. name, address

Instance Document

contain the actual dollar amounts or the details of each of the elements within the firm's XBRL database

data dictionary

contains information about the structure of the database; serves as a repository of facts about elements employed in applications

detective controls

controls designated to discover control problems that were not prevented

application controls

controls that prevent, detect, correct transaction errors and fraud in application programs -accuracy -completeness -validity -authorization

how can information sharing between customers and suppliers contribute to information system failures?

customers and suppliers having access to each other's systems and data can lead to breaches in confidentiality

which would managers most likely use to retrieve info about sales during the month of October? a) DML b) DSL c) DDL d) DQL

d) DQL

broad types of big data

descriptive, predictive, prescriptive

which is NOT a reason why companies make changes to their AIS? a) gain a competitive advantage b) increase productivity c) keep up w/business growth d) downsize company ops e) all of the above

e) all of the above

Which of the following is NOT a control concern in a distributed data processing environment? a. Redundancy b. Hiring qualified professionals c. Incompatibility d. Lack of standards e. All of the above are control concerns

e. All of the above are control concerns

Which of the following is not an operating system objective? a. The operating system must protect itself from users b. The operating system must protect users from themselves c. The operating system must be protected from its environment d. The operating system must protect users from each other e. All of the above are operating system objectives

e. All of the above are operating system objectives

When someone disguises the source of Internet messages to make appear that it is coming from a different source, this is called: a. Deep packet inspection b. Message packet switching c. Dual-homed signaling d. IP screening e. None of the above

e. None of the above

entity file record fields

entity - the item about which information is stored in a record. Examples include an employee, an inventory item, and a customer.
file - A set of logically related records, such as the payroll records of all employees.
record - A set of fields whose data values describe specific attributes of an entity, such as all payroll data relating to a single employee. An example is a row in a spreadsheet.
field - the portion of a data record where the data value for a particular attribute is stored. For example, in a spreadsheet each row might represent a customer and each column is an attribute of the customer. Each cell in a spreadsheet is a field.

rationalization

excuse fraud perpetrators use to justify their illegal behavior: attitude, justification, lack of personal integrity

revenue cycle, expenditure cycle, production or conversion cycle, human resources/payroll cycle, financing cycle

five major business process or transaction cycles:

give 5 common activities of the human resource/ payroll cycle

give cash, get labor
Human Resources/Payroll activities:
- Recruit, hire, and train new employees
- Evaluate employee performance and promote employees
- Discharge employees
- Update payroll records
- Collect and validate time, attendance, and commission data
- Prepare and disburse payroll
- Calculate and disburse taxes and benefit payments
- Prepare employee and management reports
- Send appropriate information to the other cycles

reliable information

information that is accurate, unbiased, and verifiable

Auditing

objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria

linking table

junction: associates 2+ PKs of tables for many-many

internal-level schema

low-level view of the database: how the data is stored and accessed (record layouts, definitions, addresses, indexes)

why is data in an internet-based system sometimes not protected as well as data in a centralized computer system?

many companies fail to completely understand the control implications of moving to an internet-based system.

takes time to create/maintain, missing some clarifications

negatives of flow charts

may not see separation of duties, documents are harder to trace

negatives of narratives:

nonkey attribute

neither PK nor FK; describes a characteristic of the object identified by the primary key

Carter's Taxonomy - associated

new versions of traditional crime

1NF

no repeating columns; not storing two pieces of information in one field

Plaintext

normal text that has not been encrypted

Security Controls that Correct Intrusions

o Computer incident response teams (CIRT)
o Chief information security officer (CISO)
o Patch management

pressure

person's incentive/motivation for committing a crime
Employee pressures: financial, lifestyle, emotional
Financial statement pressures: financial, industry conditions, management characteristics

understandable

presented in a useful and intelligible format

fraud triangle

pressure opportunity rationalization

data mining

process of analyzing data repositories for new knowledge about company data and biz processes

Authentication

process that establishes the origin of information or determines the identity of a user, process, or device

Backbone systems

"Provide a basic system structure on which to build." Backbone systems provide a basic system structure on which to build. Backbone systems come with all the primary processing modules programmed. The vendor designs and programs the user interface to suit the client's needs. Some systems such as enterprise resource planning (ERP) offer a vast array of modules for dealing with almost every conceivable business process, and all are interfaced seamlessly into a single system.

What is a cash receipts journal?

records of transactions in which cash is received

What is a payroll journal?

records payments to employees

What is a General Journal?

records transactions that are not recorded in other journals

benefits of information

reduced uncertainty, improved decisions, and improved ability to plan and schedule activities

relevant information

reduces uncertainty, improves decision making, or confirms or corrects prior expectations

relevant

reduces uncertainty, improves decision making, or confirms or corrects prior expectations

Data loss prevention (DLP)

software which works like antivirus programs in reverse, blocking outgoing messages (e-mail, instant messages, etc.) that contain key words or phrases associated with intellectual property or other sensitive data the organization wants to protect.

What is a worm?

special virus that can run independently and copies itself over a network (not attaching to other programs)

Data Value

the actual value stored in a field. It describes a particular attribute of an entity. Ex: the customer name field would contain "ZYX company" if that was a customer.

value of information

the benefit provided by information less the cost of producing it

"value of information"

the benefit provided by information less the cost of producing it. Benefits include reduced uncertainty, improved decisions, and improved ability to plan and schedule activities. The costs include the time and resources spent to produce and distribute the information. Information costs and benefits can be difficult to quantify.

data mining

the use of statistical and other advanced software to discover non-obvious patterns hidden in a database

primary and support

the value chain concept is composed of the following two types of activities:

physical view

the way data are physically arranged and stored in the computer system is:

misappropriation of assets

theft of company assets by an employee. Typical progression: gains trust, uses trickery, conceals fraud, ease of money access, spends gains, gets greedy/needy, grows careless

Primary activities of the value chain? (5)

to provide value to their customers:
1. inbound logistics - receive, store, distribute
2. operations - manufacturing, repackaging
3. outbound logistics - distribution and shipping
4. marketing and sales - advertising, sales
5. service - repair/maintenance

internal environment

tone or culture of a company; helps determine how risk-conscious employees are

which activity is part of the Human resource Management (HRM)/Payroll cycle?

tracking the job assignments of each employee at a company

Social Engineering

using deception to obtain unauthorized access to information resources

Data mining

using sophisticated statistical analysis to "discover" un-hypothesized relationships in the data

Objectives of Internal Controls

● Safeguard assets—prevent or detect their unauthorized acquisition, use, or disposition.
● Maintain records in sufficient detail to report company assets accurately and fairly.
● Provide accurate and reliable information.
● Prepare financial reports in accordance with established criteria.
● Promote and improve operational efficiency.
● Encourage adherence to prescribed managerial policies.
● Comply with applicable laws and regulations.

when we are going to give something as a product or service

when do you receive a purchase order?

Revenue Cycle

where goods and services are sold for cash or a future promise to receive cash

Production/Conversion Cycle

where raw materials are transformed into finished goods

data privacy

which of the following is not an advantage of database systems: data sharing, data independence, data privacy, data integration

System Flowchart

which shows the relationship among the input, processing, and output in an information system

Program Flowchart

which shows the sequence of logical operations a computer performs as it executes a program.

Overall Security: Audit procedures - Test of Controls

~ Observe and test computer-site access procedures
~ Observe the preparation of and off-site storage of backup files
~ Test assignment and modification procedures for user IDs and passwords
~ Investigate how unauthorized access attempts are dealt with
~ Verify the extent and effectiveness of data encryption
~ Verify the effective use of data transmission controls
~ Verify the effective use of firewalls and virus protection procedures
~ Verify the use of preventive maintenance and an uninterruptible power supply
~ Verify amounts and limitations on insurance coverage
~ Examine the results of disaster recovery plan test simulations

Reasons why data isn't protected wisely

● Some companies view the loss of crucial information as a distant, unlikely threat.
● The control implications of moving from centralized computer systems to Internet-based systems are not fully understood.
● Many companies do not realize that information is a strategic resource and that protecting it must be a strategic requirement. For example, one company lost millions of dollars because it did not protect data transmissions. A competitor tapped into its phone lines and obtained faxes of new product designs.
● Productivity and cost pressures motivate management to forgo time-consuming control measures.

1.3) Compare the strengths and limitations of OUTSOURCING an AIS.

*Strengths*
▪ A business solution
▪ Asset utilization
▪ Access to greater expertise and better technology
▪ Lower costs
▪ Less development time
▪ Elimination of peaks-and-valleys usage
▪ Facilitation of downsizing
*Limitations*
▪ Inflexibility
▪ Loss of control
▪ Reduced competitive advantage
▪ Locked-in system
▪ Unfulfilled goals
▪ Poor service
▪ Increased risk

2-6. which of the following is true?

*a. XBRL is a subset of XML
b. XML is a subset of TCP
c. PBX is a subset of HTML
d. none of these is true

Source Documents

Documents used to capture transaction data at its source - when the transaction takes place

Objectives of AIS

Information security, program development and acquisition, program modification, computer processing, source files, data files

B: Zero out the revenue and expense accounts.

One purpose of closing entries is to
A: Record accruals and deferrals.
B: Zero out the revenue and expense accounts.
C: Estimate unrecorded liabilities.
D: Comply with laws and regulations.

Transaction processing

Process of capturing transaction data, processing it, storing it for later use, and producing information output, such as managerial report or a financial statement

Production/Manufacturing

Process raw material into finished product, update inventory for raw material, create standard costs using production recipe and overhead allocation.

2-a. Define spoofing

Pretending to be someone else in order to gain unauthorized access

4 Basic Revenue Cycle Activities

1. Sales order entry
2. Shipping
3. Billing
4. Cash collections

Online Real-Time Processing

The computer system processes data immediately after capture and provides updated information to users on a timely basis

Information technology

The computers and other electronic devices used to store, retrieve, transmit, and manipulate data

Opportunity

The condition or situation that allows a person or organization to commit and conceal a dishonest act and convert it to personal gain (three C's: commit, conceal, convert)

Which information from timecards provides an audit trail to support financial reporting?

The correct answer is "Hours worked." Payroll expenses should be supported with hours worked by employees on a specified date.

124356

The correct purchase order number, 123456, was incorrectly recorded as shown in the solutions. All of the following are transcription errors EXCEPT
A. 1234567
B. 12345
C. 124356
D. 123457

D: Optical disc recorder.

Which of the following devices "burns" data onto a surface?
A: Magnetic tape reader.
B: Supercomputer.
C: ROM.
D: Optical disc recorder.

In the value chain concept, upgrading IT is considered what kind of activity?
a. Primary activity
b. Support activity
c. Service activity
d. Structured activity

b) Support activity

Which IS a function of AIS?
a. Reducing the need to identify a strategy & strategic position
b. Transforming data into useful information
c. Allocating organizational resources
d. Automating all decision making

b) Transforming data into useful info

A report telling how well all approved vendors have performed in the past 12 months is info that is MOST needed in which business process?
a. Paying vendors
b. Acquiring inventory
c. Selling merchandise
d. Paying employees

b) acquiring inventory

the constraint that all primary keys must have non-null data values is referred to as... ?
a) referential integrity rule
b) entity integrity rule
c) normalization rule
d) relational data model rule

b) entity integrity rule

A DFD is a representation of which of the following?
a) the logical ops performed by a computer program
b) flow of data in an organization
c) decision rules in a computer program
d) computer hardware configuration

b) flow of data in an organization

a database contains data that can be used by many authorized users. which benefit of a database does this example describe?

data sharing

which step in the data processing cycle relies on coding techniques, such as sequence codes and block codes, to organize data in ledgers?

data storage

Symmetric Encryption Systems

Encryption systems that use the same key both to encrypt and to decrypt

Database system

The database, the DBMS, and the application programs that access the database through the DBMS

Which efficiencies do real-time general ledger/financial reporting systems have on an organization's ability to produce financial statements?

"A real-time general ledger/financial reporting system uses integrated transaction processing for concurrent posting in the system." An efficiency of a real-time general ledger/financial reporting system is integrated transaction processing, which allows concurrent posting in the system.

Which attributes are used to describe data that are reliable for use according to the Safe Harbor Agreement?

"Accurate, complete, and current." Organizations need to ensure that the data they maintain are accurate, complete, and current, and thus reliable for use.

An organization could have more than one system in place; there could be an in-house system along with a newer commercial system. How is the communication among many different systems made possible?

"By applying special software patches where needed." Special software patches need to be applied.

What is the main difference between centralized data processing (CDP) and distributed data processing (DDP)?

"CDP uses a common data center for all the processing needs of the organization; in DDP, every department has its own processing capabilities." The CDP uses common processing capabilities for the whole organization, while the DDP encourages localized processing.

UNIT 2 FORM B- What does efficiency mean in the data collection process?

"Collecting data only once." Efficiency in data collection means that data is collected only once.

An organization uses a flat-file data management system. The shipping department receives notice that shipping costs are increasing by 10% effective immediately. Customers placing new orders are still billed with the old shipping costs. Which problem is exemplified in this scenario?

"Currency of information." The shipping department must inform the billing department of any changes in shipping costs, or the bills will be issued based on outdated information.

A vendor-supported system provides the development and maintenance of database tables for an application. What is being provided when a vendor does this?

"Database support." Database support involves developing and maintaining database tables for an application.

What is a potential result of redundant tasks in a closed database environment?

"Delays in orders." Delays could be caused by redundant data entry.

How does implementation affect the success of a system?

"Improper implementation leads to system failure." Most system failures are due to poor designs and improper implementation.

What does the letter C in an inverted triangle mean in a system flowchart?

"It is a temporary file using a chronological filing system." The inverted triangle means that it is a temporary file and the C means that it uses a chronological filing system.

What describes an efficient information system?

"Makes data available for multiple requests." An efficient system makes the same data available for requests from different users.

UNIT 4 FORM B- What is the role of a database management system (DBMS)?

"Provides controlled access to a database." The DBMS provides controlled access to the database. It is programmed to know which data elements each user is authorized to access.

An enterprise resource planning (ERP) system is more than simply an elaborate transaction processing system. What else does an ERP system provide?

"Real-time decision-making information." It is a decision support tool that supplies management with real-time information and permits timely decisions that are needed to improve performance and achieve competitive advantage.

Which statement describes the condition of onward transfer?

"Sharing information with organizations that belong to or follow the Safe Harbor Agreement principles unless instructed otherwise." Unless they have the individual's permission to do otherwise, organizations may share information only with those third parties that belong to the Safe Harbor Agreement or that follow its principles.

Useful information has the following characteristics: relevance, timeliness, accuracy, completeness, and summarization. What happens if the information lacks summarization?

"The decision maker is overwhelmed by the amount of detail in the information." As information flows upward through an organization, decision makers need more summarized data.

Why are accountants involved in the information system development team?

"They are the domain experts, determining the nature of the information required, its source, its destination, and the rules that need to be applied." The accountants have a very specialized role due to understanding what data are needed, where data can be found within the system, and what rules need to be applied.

Which comparison serves as a tool for managers by using data from the budget master file and from the responsibility center file?

"A comparison of budgets to actual amounts and review of the variance." A comparison of budgeted amounts in accounts to actual revenue and expense amounts by responsibility center in accounts can signal accounts that require further inquiry.

Which department is responsible for receiving the supplier's invoice, the purchase order, and the receiving report in order to post the acquisition of fixed assets?

"Accounts Payable." Accounts Payable receives the supplier's invoice, purchase order, and receiving report to post the acquisition of fixed assets in the accounts payable subledger.

According to the Public Company Accounting Oversight Board (PCAOB) Standard No. 5, auditors need to understand transaction flows, including the controls pertaining to how transactions are initiated, authorized, recorded, and reported. Which accounts are affected by this requirement?

"All financial accounts with material implications for financial reporting." The auditors are interested in the financial accounts that can materially affect the accuracy of the financial statements.

What is the role of management regarding the effectiveness of internal controls over financial reporting, according to the Sarbanes-Oxley Act (SOX)?

"Assess their effectiveness." SOX mandates that management must assess the effectiveness of the organization's internal controls over financial reporting.

Who reconciles simulation output with production data?

"Auditor." The auditor reconciles simulation output with production data.

Which systems come with all primary processing modules programmed and are basic system structures on which to build?

"Backbone systems." Backbone systems provide a basic system structure on which to build, and they come with all the primary processing modules programmed.

What might a vendor-supported system offer?

"Backup and recovery of programs and data as part of an organization's disaster recovery plan." This is one of the available options for organizations purchasing vendor-supported systems.

What is a characteristic incorporated into a disaster recovery plan of a vendor-supported system?

"Backup of programs." Storing and retrieving data is part of an organization's disaster recovery plan.

flowchart

"Big picture" of what is happening using columns to designate segregation of duties and various symbols to depict inputs, processes, outputs, and storage

How do accountants provide technical support during the systems development phase?

"By choosing the correct depreciation method." The accountant must provide expertise to the systems design process.

Which control framework does the general ledger/financial reporting system (GL/FRS) follow?

"Committee of Sponsoring Organizations of the Treadway Commission (COSO)." The discussion of GL/FRS control activities follows the COSO framework.

An office manager receives the following marketing fax from a current supplier: "Our company is having a promotion this month for all our main products. Please call for more information." Which characteristic of useful information is missing from this scenario?

"Complete." The fax does not include all the information necessary to take appropriate action: phone number, products that fall under the promotion, promotion terms etc.

Which of the following statements about continuous auditing is true?

"Continuous auditing enables the auditor to review transactions at frequent intervals or as they occur." Continuous auditing enables the auditor to review transactions at frequent intervals or as they occur. The growth of electronic commerce requires the auditors to rethink their traditional practices. Using intelligent electronic agents, transactions can be continuously monitored, and alarms can sound when an anomaly occurs.

What describes encryption?

"Conversion of data into a secret code." Encryption is the conversion of data into a secret code for storage in databases and transmission over networks.

Which operation represents the steps for the encryption of data?

"Convert cleartext message, encrypt into ciphertext, decode back to cleartext message." The sender uses an encryption algorithm to convert the original message (called cleartext) into a coded equivalent (called ciphertext). At the receiving end, the ciphertext is decoded (decrypted) back into cleartext.

All business processes are examined to identify waste and non-value-added activities and to take steps to eliminate them. Which non-value-added activity can a responsive, user-oriented information system eliminate?

"Counting inventory." The responsive, user-oriented information system can eliminate counting of items and inventory. Counting does not add value.

Which systems often have long development timelines for firms?

"Custom in-house systems." Months or even years of development may pass before a custom system can be fully implemented.

Which entry is made to record wages payable?

"Debit work-in-process; credit wages payable." To record wages payable, the general ledger accountant will debit work-in-process and credit wages payable.

Why is there a high degree of data redundancy in a closed database environment?

"Distinct, separate, and independent databases exist because the data remain in the application." Each department and functional area has its own database.

MOD 8 - Which of the following is one of the core ERP applications?

"Distribution." The core ERP applications are sales, distribution, business planning, shop floor control and logistics. Core applications are those applications that operationally support the day-to-day activities of the business. If these applications fail, so does the business. Typical core applications include, but are not limited to, sales and distribution, business planning, production planning, shop floor control, and logistics. Core applications are also called online transaction processing (OLTP) applications.

Which system represents multiple module software packages that evolved primarily from traditional manufacturing resource planning (MRP II) systems?

"Enterprise resource planning (ERP) system." ERPs evolved from in-house systems that were not able to successfully integrate with systems outside the organization.

Why does a simulated application reprocess transactions that a production application previously processed?

"For reconciliation purposes." The results obtained from the simulation are reconciled with the results of the original production run to determine if application processes and controls are functioning correctly.

Which of the following is NOT a reasonable control for fixed assets?

"Fully depreciated assets are disposed of immediately." Requiring that fully depreciated assets be disposed of immediately is not a reasonable control for fixed assets. Fully depreciated assets may have years of useful life remaining. For example, manufacturing machinery may be depreciated over three years but many factories use machines that are 10, 15, or 20 years old if they are well maintained.

Accountants will provide technical expertise in

"GAAP, GAAS, SEC requirements and IRS codes." Accountants will provide technical expertise in GAAP, GAAS, SEC Requirements and IRS Codes. The implementation of a new accounting or financial information system will need to be sure to include data and reporting that assists the accounting and finance departments in following GAAP, GAAS and meeting SEC and IRS requirements. Accountants are the experts. They guide the project team in meeting these needs.

What is one of the four areas that ethical issues in business can be divided into?

"Honesty." Ethical issues in business can be divided into the areas of equity, rights, honesty, and exercise of corporate power. These areas can be used to assess any ethical situation, whether it is a computer-based issue or not.

What contributes to the success of the electronic data interchange system?

"Implementation of agreements." Implementation of agreements contributes to the success by circumventing discrepancies.

An objective of internal control is to mitigate the risk from errors and fraud. What is the primary risk associated with revenue cycle transactions?

"Inaccurately recording sales and cash receipt transactions in journals and accounts." Recording sales and cash receipt transactions in journals and accounts must be accurate.

UNIT 6 FORM B- Which component of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework is being considered when an auditor is reviewing a walk-through and process narrative of an established process and decides to gain an understanding of the process by tracing a single transaction from the source documents through the accounting information system to the financial statements?

"Information and communication." By gaining an understanding of the process and following a transaction through the system, an auditor can assess how the system processes information (transaction processing) and communicates the results (reporting). Testing a single transaction would not qualify as testing of the control environment, ensuring monitoring, or showing how management assesses risk. It would help in gaining an understanding of what information is in the system and how it is reported.

Which of the following is true about commercial software?

"It can be installed faster than a custom system." Commercial software can be installed faster than a custom system. One of the major advantages of a commercial system, especially one chosen because of its ability to support the firm and meet the firm's requirements, is that it can be installed more quickly than a custom system. Programs have been written and tested. Modules have been documented. Controls to meet audit requirements are in place. In a custom development, all of these must be built from scratch.

Which characteristic applies to black box testing?

"It is used for inputs and outputs that are easily reconciled." Black box testing is feasible for applications that are relatively simple with inputs and outputs that are easily reconciled.

What function does prescriptive analytics serve?

"It tells the user what actions should be taken in response to specific questions." Prescriptive analytics tells the user what actions should be taken in response to specific questions. For example, some companies use predictive analytics to optimize trade promotions. Prescriptive analytics helps them determine which campaigns to run and for which products.

Why are journal vouchers reviewed and approved before entry into the general ledger (GL)?

"Journal vouchers are reviewed and approved as part of a system of internal control to ensure GL entries are authorized." Journal vouchers are entered into the GL and require a level of review and approval to ensure information is accurate, complete, authorized, and supported.

What is a limitation of the preventive-detective-corrective (PDC) control model?

"Lacks practical guidance." Conceptually, the PDC framework addresses all necessary areas regarding preventing, detecting, and correcting errors, but it fails to give specific examples of controls to implement.

What do stronger application controls translate into?

"Lower financial reporting risk." There is less room for risk.

According to the Sarbanes-Oxley Act (SOX), what is management's responsibility regarding controls designed to prevent and detect fraud that could lead to financial statements being materially misstated?

"Management is responsible for implementing controls." Management is responsible for implementing the controls designed to prevent and detect fraud that could lead to financial statements being materially misstated.

UNIT 2 FORM A - Li has implemented a new accounting information system (AIS) to help him manage his construction company. Li uses the information captured by the system to plan each project, forecasting the requirements for raw materials and the cash flow expected. Which AIS subsystem helps Li in planning?

"Management reporting system (MRS)." The MRS subsystem of the AIS provides management with special reports that aid in budgeting and forecasting.

It is a standard and a necessity to maintain the master file integrity of an organization so that if the current master files become corrupt, destroyed, or plagued with errors, the organization has a recourse. What should the organization have in place in case of such an event?

"Master file backup." IT professionals can retrieve the most current backed-up file from the archives and use it to reconstruct the current version of the master file.

Which digital computer file contains account data that are updated by transactions and includes the general ledger and subsidiary ledgers?

"Master file." The general ledger and subsidiary ledgers are examples of master files.

Which internal control is primarily supported by a manager's review of a checklist after a task has been completed?

"Measure compliance with an organization's prescribed policies and procedures." The primary purpose of reviewing a checklist after the fact would be to ensure that the proper procedures and policies had been followed. The review process itself may not be efficient, but the assumption is that making sure employees are following established policies and procedures should help with safeguarding assets, accuracy of information, and more efficient operations overall.

A system flowchart is a graphical representation of the physical relationships among key elements of a system. What do these elements include?

"Organizational departments." Organizational departments are included in system flowcharts.

How would shipping logs be depicted in a system flowchart?

"Parallelogram symbol." The parallelogram symbol is used to depict many types of hard-copy accounting records.

Which of the following situations represents an internal control weakness?

"Paychecks are distributed by the employees' immediate supervisor." The distribution of paychecks by the employees' immediate supervisor is an internal control weakness. Paychecks should go directly to employees either by mail or through direct deposit. Giving the responsibility for distribution to the supervisor creates the possibility of loss, theft, or withholding of pay from an employee that the supervisor simply does not like. An additional risk arises if the employee is absent on payday and the supervisor has no secure storage for the check until the employee is back.

What is a common form of contra-security behavior?

"Post-it syndrome." The post-it syndrome, in which passwords are written down and displayed for others to see, is a contra-security behavior.

What was designed to overcome a private key encryption security weakness?

"Public key." Public key encryption uses two different keys: one for encoding messages and the other for decoding. Receivers never need to share private keys with senders, which reduces the likelihood the keys will fall into the hands of an intruder.

What is a type of data source for the accounting information system (AIS)?

"Raw material is moved into work-in-process." Transferring raw material into work-in-process is an internal transaction that involves the movement of resources within the organization. This is a data source for the AIS.

Why is there no lag time with real-time systems?

"Real-time systems process transactions individually when the events occur." Because transactions happen at the same time, no time lags exist between occurrence and processing.

UNIT 6 FORM A- An organization's internal controls have been deemed effective by management and external audits for the last five years. A proposal is made to upgrade the enterprise resource planning (ERP) system at a significant cost. The proposal mentions slightly increased IT controls to better detect errors. Which modifying assumption would keep management from implementing the upgrade?

"Reasonable assurance." The reasonable assurance modifying assumption states that the four objectives of internal control are met in a cost-effective manner. The upgrade is expensive, and the benefits will be limited. Since the current system is effective, the management team may decide to reject the upgrade due to cost-effectiveness.

What is the purpose of the blind copy?

"Reconcile and verify contents." The blind copy is used to force the clerk to count contents to verify items match.

Which task is included when a supervisor reviews and approves employee time (timecards, time sheets, and job tickets)?

"Review and approval of the number of hours worked." Supervisors review and approve the number of hours worked to determine if information is accurate and complete.

Which component of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework is being considered when an auditor is comparing a company's organization chart to the prior year's chart to identify new personnel who are responsible for internal controls?

"Risk assessment." Risk assessment's purpose is to identify, analyze, and manage risks related to financial reporting. New personnel create risk because they may not fully understand or be aware of an organization's internal controls.

What is an advantage of sequential codes?

"Sequential coding supports the reconciliation of a batch of transactions at the end of processing." If the transaction processing system detects any gaps in the sequence of transaction numbers, it alerts management to the possibility of a missing or misplaced transaction.

What is used in a traditional system to provide proof that a transaction has occurred?

"Signed invoices." Physical documents, sales agreements, and signed invoices are used to provide proof that a transaction has occurred in traditional systems.

Which individuals have an interest in a system but are not formal end users?

"Stakeholders." Stakeholders are individuals who have an interest in a system but are not formal end users. These include the internal steering committee that oversees systems development, internal auditors including IT auditors, and external auditors acting as consultants or serving in the role of internal auditor.

Which systems development participants are outside consultants who work with a development team to ensure that the systems development process is properly implemented and controlled?

"Stakeholders." Stakeholders work with the development team to ensure that users' needs are met, that adequate internal controls are designed into the information systems under construction, and that the systems development process itself is properly implemented and controlled.

The applications that emerge from the systems development life cycle (SDLC) must possess controls that are in accordance with the provisions of which Statement on Auditing Standards?

"Statement on Auditing Standards No. 109." The applications that emerge from the SDLC must possess controls that are in accordance with the provisions of Statement on Auditing Standards No. 109.

What are two general forms of risk related to the technology of network communications?

"Subversive threats and equipment failures." The technology of network communications is subject to two general forms of risk: subversive threats and equipment failures.

What causes system failures?

"System design." A poorly designed system will fail.

What is the multistage process that guides an organization's management through the in-house development or purchase of information systems?

"Systems development life cycle (SDLC)." The systems development life cycle is the process of acquiring new information systems.

Which flat-file system problem is solved by using a database approach?

"Task-data independence." Task-data independence is a problem of flat files that a database approach can solve.

UNIT 3 FORM B- Which strategic agreement is made between buyer and seller for electronic data interchange?

"The agreement details the quantities to be sold, guaranteed delivery times, payment terms, and methods of handling disputes." The strategic agreement of the electronic data interchange technology has specific terms agreed on prior to utilization of the service.

Useful information has the following characteristics: relevance, timeliness, accuracy, completeness, and summarization. What happens if the information is incomplete?

"The decision maker does not have enough information in order to act." The decision maker is using an incomplete set of information, which leads to either needing to seek additional information or accepting the risk that the missing information is material to the decision.

Useful information has the following characteristics: relevance, timeliness, accuracy, completeness, and summarization. What happens if the information is inaccurate?

"The decision maker receives materially wrong information." The decision maker needs information that has no material errors.

Useful information has the following characteristics: relevance, timeliness, accuracy, completeness, and summarization. What happens if the information is untimely?

"The decision maker wastes resources analyzing outdated information." The decision maker spends time and resources on the outdated information, which delays the optimal decision.

Why is the general ledger history file used for comparative financial reports?

"The file uses the same format as the general ledger master, and therefore, the account structures will be the same for information year to year." The same format and account structures allow for transactions to be grouped and categorized consistently from year to year.

Management is required to provide external auditors with documented evidence of functioning controls related to selected material accounts in a report on control effectiveness. How is this evidence obtained?

"The internal audit department documents this evidence." The internal audit department of the organization would perform and document the necessary tests.

Which control objective ensures that no module should be allowed to destroy or corrupt another module?

"The operating system must be protected from itself." The operating system is made up of modules. For the operating system to be protected from itself, no module should be allowed to destroy or corrupt another module.

Which important information does external feedback about the level of uncollected customer accounts indicate to the management information system?

"The organization needs to review its credit-granting policies." The uncollected customer accounts are an indication that some customers have received too much credit, and management should review those policies.

A characteristic of the management reporting system (MRS) is

"that it focuses on internal decision-making information." The management reporting system (MRS) focuses on internal decision-making information. The MRS is the source for reports that managers will use to analyze business performance such as variance analysis, production efficiency, sales, and purchases.

Which risk is associated with charge accounts within the revenue cycle?

"The sales clerk allows customers who are not creditworthy to buy items on the charge account." The clerk can be careless and allow purchases from individuals who do not pay their bills.

Which of the following is an advantage of the test data technique?

"The test data technique requires extensive computer expertise on the part of the auditor." To employ this approach, the auditor requires detailed and current systems documentation: (1) program flowcharts that describe the application's internal logic and allow the auditor to determine which logic branches to test, and (2) record layout diagrams that describe the structure of transaction and master files, which will allow the auditor to create test data.

What is the circular symbol labeled A in the system flowchart?

"This is an on-page connector used to replace flow lines that otherwise would cause excessive clutter on the page." The connector replaces the lines that signify the movement. Lines should be used whenever possible to promote clarity. Restricted use of connectors, however, can improve the readability of a flowchart.

Why is an accumulator routine used in a banking application?

"To address rounding errors." An accumulator routine is a special technique used to keep track of the rounding differences between calculated and reported balances.

Why should the systems development function be separated into two independent groups: new systems development and systems maintenance?

"To improve systems documentation." The segregation of duties between the new systems development team and the systems maintenance team leads to improved systems documentation. The maintenance group needs to have adequate documentation to perform its maintenance duties.

Sara has started a very successful online company selling custom-made jewelry. One of her competitive advantages is a state-of-the-art information system that promotes visibility within the supply chain. Which one of the information system's subsystems helps Sara manage the customer orders she receives?

"Transaction processing system (TPS)." The TPS records the orders as financial transactions in the accounting records.

Which information does the management reporting system (MRS) provide?

"Variance reports." The MRS provides the internal information needed to run a business (e.g., variance reports).

Which third-party trust organization issues three classes of certificates?

"Verisign, Inc." Verisign, Inc. issues three classes of certificates to individuals, businesses, and organizations.

A data mart is

"a data warehouse created for a single function or department." A data mart is a data warehouse created for a single function or department. Modern data warehouses may contain gigabytes of data for use by all business functions and departments. To maximize value for single functions or departments, a data mart may be created within the data warehouse that contains the data specific to the function's requirements. For example, a sales data mart will contain all of the data related to customers, salespeople, inventory, sales orders, etc., but not manufacturing or financial data.

MOD 1 - The primary input to the transaction processing system is

"a financial transaction." The financial transaction is the primary input to the transaction processing system. Financial transactions are economic events that affect assets and equities and are reflected on the financial statements.

MOD 9 - Verisign is

"a for-profit organization that provides assurance regarding the security of transmitted data." Verisign is a for-profit organization that provides assurance regarding the security of transmitted data. Its mission is to provide digital certificate solutions that enable trusted commerce and communications. Its products allow customers to transmit encrypted data and verify the source and destination of transmissions.

Which of the following is considered an unintentional threat to the integrity of the operating system?

"a hardware flaw that causes the system to crash." A hardware flaw that causes the system to crash is an unintentional threat to the integrity of the operating system. Modern computer hardware is very reliable, but problems do happen. Common flaws occur in moving parts such as spinning discs. Disc drive failure is called a head crash and results in the read/write heads touching the disc surface, destroying it. To protect the data, backups are done on a regular basis.

When a firm wants its coding system to convey meaning without reference to any other document, it would choose

"a mnemonic code." When a firm wants its coding system to convey meaning without reference to any other document, it would choose a mnemonic code. For example, colleges and universities use mnemonic codes, such as "Acct 101" for Intro to Accounting, to define courses by department and level. These mnemonic codes provide helpful information for decision making.

A VAN is

"a network that is used for EDI." In an EDI environment, a client's trading partner's computer automatically generates electronic transactions, which are relayed across a value-added network (VAN), and the client's computer processes the transactions without human intervention.

An accounting system that maintains an adequate audit trail is implementing which internal control procedure?

"accounting records." Adequate audit trails use accounting records as an internal control procedure. The accounting records of an organization consist of source documents, journals, and ledgers. These records capture the economic essence of transactions and provide an audit trail of economic events. The audit trail enables the auditor to trace any transaction through all phases of its processing from the initiation of the event to the financial statements.

Which department is least likely to be involved in the revenue cycle?

"accounts payable." The accounts payable department is least likely to be involved in the revenue cycle. Accounts payable is charged with managing the segment of the expenditure cycle that involves payments to vendors and creditors.

The departments involved in the purchasing process are purchasing, receiving, inventory control and

"accounts payable." The departments involved in the purchasing process are purchasing, receiving, inventory control and accounts payable. Accounts payable completes the purchasing process by authorizing and executing the cash disbursement based on a signal from receiving or inventory control.

The greatest risk of misappropriation of funds occurs in

"accounts payable." The greatest risk of misappropriation of funds occurs in accounts payable. This may take the form of payments for goods not ordered or received and to vendors that do not exist. The risk can be reduced through supervision, segregation of duties, independent verification, or automated processes.

Systems development is separated from data processing activities because failure to do so

"allows programmers access to make unauthorized changes to applications during execution." Systems development is separated from data processing activities because failure to do so allows programmers access to make unauthorized changes to applications during execution. Consolidating these functions invites fraud. With detailed knowledge of an application's logic and control parameters along with access to the computer operations, an individual could make unauthorized changes to application logic during program execution. Such changes may be temporary (in real-time) and will disappear with little or no trace when the application terminates.

A key offering for a vendor supported system is

"application installation, system configuration, data conversion, personnel training, and troubleshooting and maintenance." Vendor-supported systems are systems that the vendor develops and maintains for the client organization. The vendor will offer services in application installation, system configuration, data conversion, personnel training, and troubleshooting and maintenance.

Seals of assurance

"are evidence that a web-based business is trustworthy." In response to consumer demand for evidence that a web-based business is trustworthy, a number of trusted third-party organizations are offering seals of assurance that businesses can display on their website home pages. To legitimately bear the seal, the company must show that it complies with certain business practices, capabilities, and controls. The six best-known seal-granting organizations are the Better Business Bureau (BBB), TRUSTe, Verisign, Inc., International Computer Security Association (ICSA), AICPA/CICA WebTrust, and AICPA/CICA SysTrust.

Most organizations implement data warehousing

"as part of a strategic ERP initiative." Most organizations implement a data warehouse as part of a strategic IT initiative that involves an ERP system. Implementing a successful data warehouse involves installing a process for gathering data on an ongoing basis, organizing it into meaningful information, and delivering it for evaluation. The data warehousing process has the following essential stages: modeling data for the data warehouse, extracting data from operational databases, cleansing extracted data, transforming data into the warehouse model, and finally, loading data into the data warehouse database.

MOD 6- What type of data is found in the general ledger master file?

"balances for each account in the chart of accounts." Balances for each account in the chart of accounts are found in the general ledger master file. The text describes the general ledger file as the information hub for the accounting system. Each record in the general ledger master file corresponds with one of the accounts in the chart of accounts. Each record is either a GL master account (e.g., Sales) or a control account (e.g., Accounts Receivable control).

MOD 13- Operating system control objectives may not be achieved

"because of flaws in the operating system that are exploited either accidentally or intentionally." Operating system control objectives may not be achieved because of flaws in the operating system that are exploited either accidentally or intentionally. Accidental threats include hardware failures that cause the operating system to crash. Intentional threats to the operating system are most commonly attempts to illegally access data or violate user privacy for financial gain.

The purpose of the sales invoice is to

"bill the customer." The purpose of the sales invoice is to bill the customer. The sales invoice will be sent to the customer for payment. At the same time, the invoice will also update inventory, post a journal entry to the general ledger, and be recorded in the sales journal.

The coding scheme most appropriate for a chart of accounts is

"block code." The most appropriate coding scheme for a chart of accounts is block code. As described in the text, the use of block codes allows accounts to be logically grouped in blocks. For example, 100 - 199 Current Assets, 200 - 299 Fixed Assets, and so on.

Documentation standards are set

"by the accountant on the project team." In the implementation phase, the accountant plays a role in specifying system documentation. Because financial systems must periodically be audited, they must be adequately documented. The accountant must actively encourage adherence to effective documentation standards.

MOD 2- Which system is part of the expenditure cycle?

"cash disbursements." Cash disbursements is part of the expenditure cycle. Cash disbursement is the way a firm pays its vendors, creditors, and employees.

The systems steering committee

"oversees systems development and assigns priorities." The systems steering committee oversees systems development and assigns priorities. Most organizations have a C-level steering committee chaired by the Chief Information Officer that sets overall systems development priorities and strategies. They will also have a project-level steering committee that will oversee the project and set priorities.

In a technology enabled payroll system, Personnel, Time Keeping, Payroll, and Accounts Payable connect to which department to pay employees?

"cash disbursements." In a technology-enabled payroll system, Personnel, Time Keeping, Payroll, and Accounts Payable connect to cash disbursements to pay employees. Personnel inputs the basic employee information and rate of pay; Time Keeping collects hours worked and verifies time cards; Payroll inputs the hours worked into the payroll system, which calculates gross and net pay, taxes, and other deductions; Accounts Payable approves the payment amount; and finally cash disbursements issues paychecks or direct deposits. The general ledger will be updated after the cash disbursement occurs.

Which report is an output of the financial reporting system (FRS)?

"comparative balance sheet." A comparative balance sheet is an output of the financial reporting system. The law requires that corporations generate a series of financial reports - Income Statement, Balance Sheet, Statement of Cash Flows, Tax Returns, and others. This requirement is met by the financial reporting system.

MOD 12- Tests of controls include

"completing questionnaires." Tests of controls include completing questionnaires. The Sarbanes-Oxley Act requires that management certify that the financial statements are correct. In order to ensure that the financial statements are, in fact, correct, accounting processes and information systems will be built with checks, balances, and controls. Auditors will use questionnaires to guide their approach to testing the controls in the system. Questions include topics such as "Is fraud awareness training carried out?" and "Do particularly critical or sensitive activities require two levels of authority?"

What factor conceptually distinguishes external auditing and internal auditing?

"constituencies." External auditing and internal auditing are distinguished by constituencies. Internal auditors focus on company management. External auditors perform services to assure external investors and tax and regulatory authorities that the financial statements are complete and accurate.

Testing the three-way match involves

"creating two master files." This test involves creating two test master files: a purchase order file and a receiving report file. The transaction in this case is the supplier's invoice. The test data should be designed to contain discrepancies that fall both within and outside of acceptable limits, based on company policy. When the invoice is entered, the AP system should match the three documents (create a digital AP packet) and reconcile the quantities ordered with those received, and the invoice amount with the expected price. The auditor will reconcile both rejected and accepted invoices to determine that the control is functioning in accordance with company policy.

MOD 7- Which of the following is a problem usually associated with the flat-file approach to data management?

"data redundancy." Data redundancy is a problem with the flat-file approach. Excel spreadsheets are an example of a flat file database. There is no simple way to determine if a particular data item is already in the spreadsheet, especially as the spreadsheet grows.

An important reconciliation in the payroll system is

"general ledger compares the labor distribution summary from cost accounting to the disbursement voucher from accounts payable." An important reconciliation in the payroll system is that the general ledger compares the labor distribution summary from cost accounting to the disbursement voucher from accounts payable. Cost accounting will be tracking the job tickets to properly account for work in process. Accounts payable will produce a disbursement voucher based on input from timecards. Job tickets and timecards should match when hours and hourly rates are extended.

A sequential file backup technique is called

"grandfather-father-son." A sequential file backup technique is called grandfather-father-son. One of the most common ways of controlling backups is to employ a three-copy system known as grandfather-father-son. When a new backup copy is made, it becomes the son, the son (now second most recent) becomes the father, the father (now the third most recent) becomes the grandfather and the grandfather (the oldest retained copy) will be returned to the data center for reuse.

An appraisal function housed within the organization that performs a wide range of services for management is

"internal auditing." An appraisal function housed within the organization that performs a wide range of services for management is internal auditing. Internal auditors verify the accuracy and security of the information systems and also work with various business segments to secure and optimize processes.

Parallel simulation

"is used to reprocess the same transactions that the production application previously processed." Parallel simulation involves creating a program that simulates key features or processes of the application under review. The simulated application is then used to reprocess the same transactions that the production application previously processed.

An example of a nonfinancial transaction is

"log of customer calls." The log of customer calls is a key source of information for customer service, marketing and the sales departments.

The deletion anomaly in unnormalized tables

"may result in the loss of important data." The deletion anomaly may result in the loss of important data. The deletion anomaly arises when data is inadvertently deleted from the table, resulting in the loss of important data.

The most important advantage of sequential coding is that

"missing or unrecorded documents can be identified." The most important advantage of sequential coding is that missing or unrecorded documents can be identified. For example, checks, invoices and orders are commonly coded in sequence to easily identify missing or unprocessed items.

The update anomaly in unnormalized tables

"occurs because of data redundancy." The update anomaly occurs because of data redundancy in unnormalized tables. Because data can appear multiple times in an unnormalized database, it is difficult to ensure that all occurrences get updated when a change occurs. This problem becomes much worse as the database grows in size.

Which symbol is used to represent a data source or destination of documents and reports in a system flowchart?

"oval." This symbol is used to represent a data source or destination of documents and reports.

Individuals who acquire some level of skill and knowledge in the field of computer ethics are involved in which level of computer ethics?

"para computer ethics." Individuals who acquire some level of skill in the field of computer ethics are involved in para computer ethics. A researcher has defined three levels of computer ethics: para, pop, and theoretical. Para computer ethics involves taking a real interest in computer ethics cases and acquiring some level of skill and knowledge in the field. All systems professionals need to reach this level of competency so they can do their jobs effectively.

Both the revenue and the expenditure cycle can be viewed as having two key parts. These key parts are

"physical and financial." The two key parts of the revenue and expenditure cycle are physical and financial. The physical portion refers to the documents that support the necessary transactions; the financial portion refers to the effect that the appropriate transactions have on assets and equity.

In contrast to a batch processing system, in a real-time system

"processing takes place when the economic event occurs." In a real-time system processing takes place when the economic event occurs. For example, when an item is scanned at your local grocery store during checkout, the store inventory, daily sales, and cashier productivity systems are updated immediately.

MOD 11- Which ethical principle states that the benefit from a decision must outweigh the risks, and that there is no alternative decision that provides the same or greater benefit with less risk?

"proportionality." The ethical principle that states the benefit from a decision must outweigh the risks is proportionality. Proportionality in the business context is similar to the view first posited by the Utilitarians that an ethical act is one that brings the greatest benefit to the most people.

MOD 5- The fixed asset system records the

"purchase of a new plant." The fixed asset system records the purchase of a new plant. The fixed asset system records property, plant, and equipment used in the operation of the business. These represent the largest investments of the firm.

In a firm with proper segregation of duties, adequate supervision as a compensating control is still necessary in

"receiving." In a firm with proper segregation of duties, adequate supervision is most critical in receiving. Every day materials arrive on the receiving dock. Until those receipts are recorded in the system, they are invisible to anyone but the receivers and their supervisors. Supervision is a compensating control appropriate before more automated controls take effect. Scanning technology and automated three-way match are technological controls that reduce risk.

Authentication

"requires accountants to develop a new skill set in the electronic environment." Authentication requires accountants to develop a new skill set in the electronic environment. In traditional systems, the authenticity of a sales order from a trading partner or customer is established by the business paper on which it is written.

Which accounting application is least suited to batch processing?

"sales order processing." Sales order processing is least suited to batch processing. The production process needs to know as soon as possible which customer orders have been received. At the same time, it is important to know what the potential revenue is at any given time.

Which of the following is a part of the COSO framework?

"segregation of duties." Segregation of duties is a key part of the COSO framework. Segregation of duties can take many forms, depending on the specific duties to be controlled. Examples include: the authorization for a transaction is separate from the processing of the transaction; responsibility for the custody of assets should be separate from the record-keeping responsibility; and the organization should be structured so that a successful fraud requires collusion between two or more individuals with incompatible responsibilities.

Segregation of duties in the computer-based information system includes

"separating the programmer from the computer operator." Segregation of duties in the computer-based information system includes separating the programmer from the computer operator. The segregation of systems development (both new systems development and maintenance) and operations activities is of great importance. The responsibilities of these groups should not be commingled. Systems development and maintenance professionals acquire (by in-house development and purchase) and maintain systems for users. Operations staff should run these systems and have no involvement in their design and implementation. Consolidating these functions invites fraud.

Closed Database architecture is

"similar in concept to the basic flat-file model." Closed database architecture is similar in concept to the basic flat-file model. Under this approach, a database management system is used to provide minimal technological advantage over flat-file systems. The database management system is little more than a private but powerful file system.

Which is the most critical segregation of duties in the centralized IT function?

"systems development from computer operations." The most critical segregation of duties in the centralized IT function is between systems development and computer operations. Access to the data center must be very carefully controlled to comply with SOX. This includes both physical and electronic access. Once the system is turned over to operations, developers lose their access to the live system. Should an error occur, the developers will diagnose the error in their development copy or in a test system. When the error is corrected, the update will be turned over to operations for installation.

Special-purpose systems

"target selected segments of the economy." Special-purpose systems target selected segments of the economy. Some software vendors create special-purpose systems that target selected segments of the economy. For example, the medical field, the banking industry, and government agencies have unique accounting procedures, rules, and conventions that general-purpose accounting systems do not always accommodate.

Which of the following is an external end user?

"tax authorities." Tax authorities are external users who expect an accurate accounting of tax due. In addition, the non-discretionary reports from the accounting information system provide what is needed for tax authorities to evaluate tax liability.

The prime advantage of in-house development is

"the ability to produce applications to exact specifications." The prime advantage of in-house development is the ability to produce applications to exact specifications. This advantage also describes a disadvantage of commercial software. Sometimes, the user's needs are unique and complex, and commercially available software is either too general or too inflexible.

Statement on Auditing Standards No. 109 requires

"the accountant's involvement at both the detailed design and implementation phases." Statement on Auditing Standards No. 109 requires the accountant's involvement at both the detailed design and implementation phases. Controls may be programmed or manual procedures. Some controls are part of the daily operation of the system, while others are special actions that precede, follow, or oversee routine processing.

The transaction processing system includes which of the following?

"the conversion cycle." The conversion cycle is included within the transaction processing system because it records cost accounting and production activities.

Encryption is

"the conversion of data into a secret code for storage in databases and transmission over networks." Encryption is the conversion of data into a secret code for storage in databases and transmission over networks. The sender uses an encryption algorithm to convert the original message (called cleartext) into a coded equivalent (called ciphertext). At the receiving end, the ciphertext is decoded (decrypted) back into cleartext.

MOD 3- Which document triggers the revenue cycle?

"the customer purchase order." The customer purchase order triggers the revenue cycle. The receipt of the customer purchase order indicating the items and quantity required is the first step in the revenue cycle. Customer purchase orders can be received by phone, email, regular mail, or other means.

Which problem is characteristically associated with the flat-file approach to data management?

"the inability to determine what data is available." The inability to determine what data is available is a characteristic problem with flat-file data management. The only way to determine if data is available in the file is to sequentially read through the entire file from beginning to end, or until the desired data is encountered.

A description of the physical arrangement of records in the database is

"the internal view." The description of the physical arrangement of records is the internal view. The internal view shows the way that the data is physically organized and stored in the database; it is also known as the physical view.

When a cash disbursement in payment of an accounts payable is recorded

"the liability account is decreased." When a cash disbursement in payment of an accounts payable is recorded the liability account is decreased. On the Balance Sheet, accounts payable is a current liability. When a cash disbursement is recorded, the liability will be reduced.

Control risk is

"the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts." Control risk is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts. Auditors assess the level of control risk by performing tests of internal controls. For example, an auditor could create test transactions, including some with incorrect total values, and process them through the application in a test run. If the results show that price extension errors are not detected and are posted to the AR file, control risk for that application is high.

An example of a financial transaction is

"the purchase of a computer." The purchase of a computer adds an asset to the organization.

The systems development process constitutes a set of activities that are of interest to accountants and auditors because

"the quality of accounting information presented in an organization's financial statements is directly related to the quality of the accounting information systems that process and report it." A materially flawed financial application can corrupt financial data, which may then be incorrectly reported in the financial statements.

The most common method of password control is

"the reusable password." The most common method of password control is the reusable password. The user defines the password to the system once and then reuses it to gain future access. The quality of the security a reusable password provides depends on the quality of the password itself.

Commercial accounting systems have fully integrated modules. The word "integrated" means that

"the transfer of information among modules occurs automatically." The word "integrated" means that the transfer of information among modules occurs automatically. In a fully integrated system, the shipping advice will generate the request for invoice automatically. This eliminates the risk that the invoice request is not processed or is processed for a different amount.

The growth of commercial software development is driven in part by

"the trend toward downsizing organizational units and the move toward distributed data processing." Four factors have contributed to the growth of the commercial software market: (1) the relatively low cost of general commercial software as compared to customized software; (2) the emergence of industry-specific vendors who target their software to the needs of particular types of businesses; (3) a growing demand from businesses that are too small to afford in-house systems' development staff; and (4) the trend toward downsizing organizational units and the move toward distributed data processing has made the commercial software option appealing to larger organizations.

Which of the following may provide many distinct views of the database?

"the user view." The user view provides many distinct views of the database. The user view (subschema) shows the segment of the database that the user can access. This access will vary by user as their requirements vary by business function.

The system development process is important to accountants because

"they are as concerned about the integrity of this process as they are with any manufacturing process that has financial resource implications." The system development process is important to accountants because they are as concerned about the integrity of this process as they are with any manufacturing process that has financial resource implications. The quality of accounting information presented in an organization's financial statements is directly related to the quality of the accounting information systems that process and report it.

End users are

"those for whom the system is built." End users are those for whom the system is built. There are many users at all levels in an organization. These include managers and operations personnel from various functional areas, including accountants. During systems development, systems professionals work with the primary users to obtain an understanding of the users' problems and a clear statement of their needs. For example, accountants must specify the accounting techniques to be used for certain transactions and the internal control requirements.

An accountant's responsibility in the systems development life cycle (SDLC) is

"to ensure that the system applies proper accounting conventions and rules and possesses adequate control." A primary role for accountants during the systems development life cycle (SDLC) is to ensure that the system applies proper accounting conventions and rules and possesses adequate control. As with the design phase, accountants must ensure that both the system and the development process apply proper accounting conventions and controls: not only must proper accounting rules and processes be built into the system, but the development itself must be subject to proper testing and documentation controls, as required by SAS 109 and Sarbanes-Oxley.

The objective of an ERP is

"to integrate key processes of the organization, such as order entry, manufacturing, procurement and accounts payable, payroll, and human resources." The objective of an ERP is to integrate key processes of the organization, such as order entry, manufacturing, procurement and accounts payable, payroll, and human resources. By doing so, a single computer system can serve the unique needs of each functional area.

MOD 10- A primary role for accountants during the detailed design phase is

"to provide expertise." A primary role for accountants during the detailed design phase is to provide expertise in accounting functions, controls and processes.

An accountant's responsibility during the implementation of the system is

"to represent the interests of the accounting and finance department." A primary role for accountants during the implementation phase is to represent the interests of the accounting and finance department. The member of the project team representing accounting and finance will work with the other team members to ensure that the requirements agreed during the design and development phases are properly implemented. They will look at test results and documentation to ensure that results are correct and meet requirements.

A commercial software system that is finished, tested, and ready for implementation is called a

"turnkey system." A commercial system that is finished, tested and ready for implementation is called a turnkey system. Turnkey systems are generally sold with very limited capability for customization outside of some input, output and processing options chosen through menu selections. Examples of turnkey systems include general accounting systems, special purpose systems and office automation systems.

Big data analytics are characterized by

"volume, velocity, and variety of data." Big data analytics are characterized by volume, velocity, and variety of data. These are referred to as the three Vs: extreme volumes of data (terabytes, petabytes, and beyond), the rapid velocity at which the data must be processed (particularly in applications involving machine learning and artificial intelligence), and the wide variety of structured and unstructured data types that need to be integrated (audio, video, external web data, social media, the financial reporting system, the management reporting system).

8. Describe the steps of the human resources management (HRM)/payroll cycle.

*Step 1 - Updating the payroll master database* to reflect various types of internally initiated changes: new hires, terminations, changes in pay rates, or changes in discretionary withholdings ~ Segregation of duties prevents someone from distributing wages to fictitious employees. *Step 2 - Validate each employee's time and attendance data* ~ Segregation of duties requires the tracking and verification of each employee's job assignment *Step 3 - Preparing payroll* ~ Threats include errors, disclosure of confidential salary information, untimely payments ~ Batch totals. Hash totals of employee numbers, for example, are particularly useful. If the original and subsequent hash totals of employee numbers agree, it means that (1) all payroll records have been processed, (2) data input was accurate, and (3) no bogus time cards were entered during processing. *Step 4 - Actual disbursement of paychecks* to employees ~ To see why this segregation of duties is so important, assume that the person responsible for hiring and firing employees also distributes paychecks. This combination of duties could enable that person to conveniently forget to report an employee's termination and subsequently keep that employee's future paychecks. *Step 5 - Calculate and remit payroll taxes and employee benefits* to the appropriate government or other entity
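
The batch controls mentioned under Step 3, as an added example that is not part of the course material: a record count, a hash total of employee numbers and a financial total are computed when the time cards are entered and again after processing, and any difference is a control exception. The `TimeCard` layout, the field names and the sample batch are constructed for this example.

```python
"""Batch controls for a payroll run: record count, hash total and financial total.

Added example, not course material. Time cards are constructed sample data and
the field names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TimeCard:
    employee_no: int   # identifier with no arithmetic meaning: goes into the hash total
    hours: float       # amount that drives pay: goes into the financial (batch) total


def batch_totals(cards):
    """Return (record_count, hash_total, financial_total) for a batch of time cards.

    The hash total sums a non-financial field (employee numbers), so a changed,
    dropped or added record shifts it even when the hours still add up.
    """
    return (
        len(cards),
        sum(c.employee_no for c in cards),
        round(sum(c.hours for c in cards), 2),
    )


def reconcile(input_batch, processed_batch):
    """Compare totals taken at data entry with totals taken after processing.

    Returns a list of control exceptions; an empty list means the batch reconciles.
    """
    names = ("record count", "hash total", "financial total")
    before = batch_totals(input_batch)
    after = batch_totals(processed_batch)
    return [f"{n}: expected {b}, got {a}" for n, b, a in zip(names, before, after) if b != a]


# Constructed sample batch as entered by the payroll clerk.
ENTERED = [TimeCard(1001, 40.0), TimeCard(1002, 38.5), TimeCard(1003, 41.0)]

# Case 1: a bogus time card for a fictitious employee was added during processing.
BOGUS = ENTERED + [TimeCard(9999, 40.0)]

# Case 2: one employee number was altered and the hours left unchanged. The record
# count and the financial total still agree; only the hash total catches it.
SWAPPED = [TimeCard(1001, 40.0), TimeCard(1002, 38.5), TimeCard(1030, 41.0)]

if __name__ == "__main__":
    for label, batch in (("clean", ENTERED), ("bogus card", BOGUS), ("swapped id", SWAPPED)):
        print(label, reconcile(ENTERED, batch) or "reconciles")
```

Caveat a practitioner should keep in mind: a hash total proves only that the sum of the field is unchanged. Two offsetting alterations (one employee number raised by 29, another lowered by 29) pass all three totals, so batch controls complement, rather than replace, the segregation of duties and the master-file validation described in the other steps.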

1.1) Compare the strengths and limitations of PURCHASING.

*Strengths* ▪ Companies can rent software from application service providers (ASPs), who deliver software over the Internet. ▪ This provides scalability as the business grows and global access to information. ▪ It automates software upgrades, allows companies to focus on core financial competencies rather than information technology (IT) issues, and can reduce software costs and administrative overhead. ▪ Software can be test-driven *Limitations* ▪ A major problem with canned software is that it may not meet all of a company's information needs. This is overcome by modifying the software.

1.2) Compare the strengths and limitations of DEVELOPING IN-HOUSE.

*Strengths* ▪ User creation, control, and implementation ▪ Systems that meet user needs ▪ Timeliness ▪ Freeing up of systems resources ▪ Versatility and ease of use *Limitations* ▪ Logic and development errors ▪ Inadequately tested applications ▪ Inefficient systems ▪ Poorly controlled and documented systems ▪ System incompatibilities ▪ Duplication of systems and data; wasted resources ▪ Increased costs

6-8. when converting to a new system, which of the following conversion alternatives would be the most risky for a financial services firm?

*a. direct conversion b. modular conversion c. parallel conversion d. turnkey conversion

5-10. a decision table shows:

*a. the possible conditions and processing alternatives for a given situation b. who sat where at a board meeting c. the rules for drawing PDFs. d. the local outsourcing vendors in the area for documentation tasks

which component in this diagram is a data flow?

*image* (represented by arrow) Payroll Report

what do the inverted triangles represent in this document flowchart?

*image* (represented by inverted triangle) files stored and retrieved manually

which typ of component is 'customer' in this diagram?

*image* (represented by rectangle) a data destination

which process does this flowchart represent?

*image* an invoice is manually prepared and then sent electronically to a customer

A company has several machines that accumulate production data onto magnetic disks. The data from these magnetic disks are uploaded into a computer each day. The data are then processed, summarized, and printed in a daily production report. Which documentation tool represents this process?

*image* don't be fooled by the magnetic disks. the data on the magnetic disks are uploaded onto a computer into *databases* each day, THEN, from the databases, they are collectively processed, summarized, and THEN, printed in a daily production report.

When individuals donate equipment to a youth soccer league, the donation is recorded in a database and a receipt is provided to the donor. Which symbol should be used to represent a donor in a DFD of this process?

*images* (a donor is a data source/destination) represented by rectangle

Strengths of outsourcing an AIS

- An economic business solution that allows companies to focus on core competencies - Improved cash position from reducing expenses - Access to greater expertise and better technology - Less development time (and less systems development politics) - Elimination of peaks-and-valleys usage - Facilitation of downsizing

Detective Controls

- Log analysis - Intrusion detection systems - Penetration testing - Continuous monitoring

Limitations of Developing In-House AIS

- Logic and development errors - Inadequately tested applications - Inefficient systems - Poorly controlled and documented systems - System incompatibilities - Duplication of systems and data; wasted resources - Increased costs

Collection of Audit Evidence

- Observations of activities; - review of documentation; - discussions with employees; - questionnaires; - physical examination of assets; - confirmation through third parties; - reperformance of procedures; - vouching of source documents; - analytical review; - audit sampling

Information needed to sell merchandise

- Pro forma income statement - Credit card costs - Customer credit status

Production Cycle Activites

- Product design - Planning and scheduling - Production operations - Cost Accounting

Revenue Cycle

- Receive and answer customer inquiries - Take customer orders and enter them into the AIS - Approve credit sales - Check inventory availability - Initiate back orders for goods out of stock - Pick and pack customer orders - Ship goods to customers or perform services - Bill customers for goods shipped or services performed - Update (increase) sales and accounts receivable - Receive customer payments and deposit them in the bank - Update (reduce) accounts receivable - Handle sales returns, discounts, allowances, and bad debts - Prepare management reports - Send appropriate information to the other cycles

Steps of Revenue Cycle

- Receive and answer customer inquiries - Take customer orders and enter them into the AIS - Approve credit sales - Check inventory availability - Initiate back orders for goods out of stock - Pick and pack customer orders - Ship goods to customers or perform services - Bill customers for goods shipped/services performed - Debit Accounts Receivable / Credit Sales - Receive customer payments and deposit them in the bank - Credit accounts receivable / Debit cash - Handle sales returns, discounts, allowances, and bad debts - Prepare management reports; send appropriate information to the other cycles

Human Resources/Payroll Cycle

- Recruit, hire, and train new employees - Evaluate employee performance and promote employees - Discharge employees - Update payroll records - Collect and validate time, attendance, and commission data - Prepare and disburse payroll - Calculate and disburse taxes and benefit payments - Prepare employee and management reports - Send appropriate information to the other cycles

Expenditure Cycle

- Request goods and services be purchased - Prepare, approve, and send purchase orders to vendors - Receive goods and services and complete a receiving report - Store goods - Receive vendor invoices - Update (increase) accounts payable - Approve vendor invoices for payment - Pay vendors for goods and services - Update (reduce) accounts payable - Handle purchase returns, discounts, and allowances - Prepare management reports - Send appropriate information to the other cycles

Major Transaction Cycles

- Revenue cycle - Expenditure cycle - Human resources/payroll cycle - Production cycle - Financing cycle

3 Additional Elements added by ERM

- Setting objectives - Identifying events that may affect the company - Developing a response to assessed risk

Documentation Tools

- narratives - flowcharts - diagrams - other written material (ex. questionnaires)

what are two objectives of cost accounting? choose 2 answers

- providing product data to be used for making pricing decisions - collecting information to calculate to COGS

What are two advantages of purchasing or renting an AIS? choose 2 answers

- software upgrades are automated - the company can test-drive the system

which two guidelines result in a better coding system for storing data in an AIS?

- the coding system should take into consideration expected company growth - the coding system should be consistent with the company's organizational structure

businesses must pay a variety of taxes. match each item of information to the type of tax that requires it. - total wage expense - total sales - point-of-purchase rate tables

- total wage expense = payroll tax - total sales = sales tax - point-of-purchase rate tables = sales tax

which two methods improve the accuracy and completeness of data that is entered into an AIS?

- using point-of-sale scanners to capture machine-readable data - using pull-down menus on the data input screen

Support Activities of Value Chain

1 Firm Infrastructure 2 HR 3 Technology 4 Purchasing

AIS Threats

1 Natural and political disasters 2 Software and technology errors 3 Accidents or innocent errors and omissions (unintentional acts) 4 Computer crime, fraud, sabotage (intentional acts)

Internal controls perform three important functions:

1 Preventive controls deter problems before they arise 2 Detective controls discover problems that are not prevented 3 Corrective controls identify and correct problems as well as correct and recover from the resulting errors

Internal controls are the processes implemented to provide reasonable assurance about which control objectives are achieved?

1 Safeguard assets - prevent or detect their unauthorized acquisition, use, or disposition 2 Maintain records in sufficient detail to report company assets accurately and fairly 3 Provide accurate and reliable information 4 Prepare financial reports in accordance with established criteria 5 Promote and improve operational efficiency 6 Encourage adherence to prescribed managerial policies 7 Comply with applicable laws and regulations

Steps of the data input process

1) Capture the transaction data and enter them into the system. 2) Make sure captured data are accurate and complete. 3) Make sure company policies are followed, such as approving or verifying a transaction

Controls to Preserve Confidentiality

1) Identify and classify the information to be protected 2) Encrypt the information 3) Control access to the information 4) Train employees to properly handle the information

COBIT 5 Framework Key Principles

1) Meeting Stakeholder Needs 2) Covering the enterprise end-to-end 3) Applying a single integrated framework 4) Enabling a holistic approach. 5) Separating Governance from Management

HRM and Payroll Cycle Activities

1) Update master data 2) validate time and attendance 3) prepare payroll 4) distribute payroll 5) disburse taxes and miscellaneous deductions

What are internal controls?

1. Adequate documents and records 2. Solid personal policies and practices 3. Separation of duties 4. Physical protection of assets 5. Proper authorization for sales and payments 6. Reviews of controls (internal audit) 7. Timely performance reports

Importance of Documentation Tools

1. At a minimum, you must be able to read documentation to determine how a system works. 2. You may need to evaluate documentation to identify internal control strengths and weaknesses and recommend improvements as well as to determine if a proposed system meets the company's needs. 3. More skill is needed to prepare documentation that shows how an existing or proposed system operates.

What are the four basic functions of event processing in segregation of duties?

1. Authorizing Events 2. Executing Events 3. Recording Events 4. Safeguarding Resources Resulting from Consummating Events
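
A check that turns the four functions above into something an access-review can run, as an added example that is not part of the course material: each named role is tagged with the event-processing function it performs, and any user holding roles from two different functions is reported as a segregation-of-duties conflict. The role names, the role-to-function mapping and the user assignments are assumptions constructed for this example.

```python
"""Segregation-of-duties conflict check over role assignments.

Added example, not course material. Role names, the role-to-function mapping
and the sample users are constructed assumptions.
"""
from itertools import combinations

# Each role is tagged with one of the four event-processing functions from the text.
ROLE_FUNCTIONS = {
    "credit_approver":      "authorize",
    "hr_manager":           "authorize",   # hires and terminates employees
    "order_entry":          "execute",
    "shipping_clerk":       "execute",
    "ar_bookkeeper":        "record",
    "payroll_clerk":        "record",
    "cashier":              "safeguard",   # custody of cash receipts
    "paycheck_distributor": "safeguard",   # custody of paychecks
}


def find_conflicts(assignments):
    """assignments: {user: set of role names} -> {user: [(function, function), ...]}.

    A user holding roles that span two or more event-processing functions is a
    conflict: one person could both authorize an event and hold the resulting asset.
    """
    conflicts = {}
    for user, roles in assignments.items():
        unknown = set(roles) - set(ROLE_FUNCTIONS)
        if unknown:
            raise ValueError(f"{user}: unknown roles {sorted(unknown)}")
        functions = sorted({ROLE_FUNCTIONS[r] for r in roles})
        pairs = list(combinations(functions, 2))
        if pairs:
            conflicts[user] = pairs
    return conflicts


def users_needing_review(assignments):
    """Users whose conflicts must be removed or covered by a compensating control
    (independent review of their transactions) because the roles cannot be split."""
    return sorted(find_conflicts(assignments))


# Constructed sample assignments.
SAMPLE = {
    "alice": {"credit_approver"},                          # single function: fine
    "bob":   {"order_entry", "shipping_clerk"},            # two execute roles: fine
    "carol": {"ar_bookkeeper", "cashier"},                 # record + safeguard: lapping risk
    "dave":  {"hr_manager", "paycheck_distributor"},       # authorize + safeguard: the text's ghost-employee scenario
}

if __name__ == "__main__":
    for user, pairs in find_conflicts(SAMPLE).items():
        print(user, pairs)
```

Two execute roles on one user (bob) are deliberately not flagged: the model separates functions, not tasks within a function. In a real review the mapping table is the control that matters, so it should be owned by internal audit, not by whoever administers the accounts.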

Fraud Conditions

1. False representation 2. Material fact 3. Intent to deceive 4. Justifiable reliance 5. Injury or loss

What federal regulations impose specific requirements on organization's to protect the privacy of their customer's personal information?

1. Health Insurance Portability and Accountability Act (HIPAA) 2. Health Information Technology for Economic and Clinical Health Act (HITECH) 3. Financial Services Modernization Act (Gramm-Leach-Bliley Act)

What are ethical behaviors?

1. Honesty 2. protecting computer systems - don't hog the network 3. protecting confidential information 4. social responsibility - act responsibly 5. rights of privacy - organization's right to read private email? 6. Acceptable Use

What controls need to be implemented to protect privacy?

1. Identification of the information that needs to be protected 2. Encryption 3. Access Controls 4. Training

What four actions (four components of) must be taken in order to preserve the confidentiality of sensitive information?

1. Identify and classify the information to be protected 2. Encrypt the information 3. Control access to the information 4. Train employees to properly handle the information

Six components of AIS

1. People who use the system 2. Procedures and instructions used to collect, process, and store data 3. Data about the organization and its business activities 4. Software used to process the data 5. Information technology infrastructure 6. Internal controls and security measures that safeguard AIS data

What are the General Controls for IT environments?

1. Personnel controls - segregation of duties, accounts, and knowledge 2. File security controls 3. Fault-tolerant systems, backup, and contingency planning 4. Computer facility controls 5. Access to computer files

Control Activities (Categories)

1. Proper authorization of transactions and activities 2. Segregation of duties 3. Project development and acquisition controls 4. Change management controls 5. Design and use of documents and records 6. Safeguarding assets, records, and data 7. Independent checks on performance

7 Characteristics of useful information

1. Relevant - reduces uncertainty and improves the decision 2. Reliable - free from error and bias 3. Complete - does not omit important aspects of the events or activities 4. Timely - provided in time to make the decision 5. Understandable - presented in a meaningful, usable form 6. Verifiable - two independent, knowledgeable people reach the same conclusion 7. Accessible - available to users when they need it

5 basic transaction cycles

1.Revenue cycle: give goods / give service—get cash 2.Expenditure cycle: get goods / get service—give cash 3.Production cycle: give labor and give raw materials—get finished goods 4.Payroll cycle: give cash—get labor 5.Financing cycle: give cash—get cash

19. A computer operator was in a hurry and accidentally used the wrong master file to process a transaction file. As a result, the accounts receivable master file was erased. Which control would prevent this from happening? a. header label check b. expiration date check c. version check d. validity check

A

2. Which control is not associated with new systems development activities? a. reconciling program version numbers b. program testing c. user involvement d. internal audit participation

A

28. When the auditor reconciles the program version numbers, which audit objective is being tested? a. protect applications from unauthorized changes b. ensure applications are free from error c. protect production libraries from unauthorized access d. ensure incompatible functions have been identified and segregated

A

29. When auditors do not rely on a detailed knowledge of the application's internal logic, they are performing a. black box tests of program controls b. white box tests of program controls c. substantive testing d. intuitive testing

A

31. Which test is not an example of a white box test? a. determining the fair value of inventory b. ensuring that passwords are valid c. verifying that all pay rates are within a specified range d. reconciling control totals

A

32. When analyzing the results of the test data method, the auditor would spend the least amount of time reviewing a. the test transactions b. error reports c. updated master files d. output reports

A

34. All of the following are disadvantages of the test data technique except a. the test data technique requires extensive computer expertise on the part of the auditor b. the auditor cannot be sure that the application being tested is a copy of the current application used by computer services personnel c. the auditor cannot be sure that the application being tested is the same application used throughout the entire year d. preparation of the test data is time-consuming

A

35. All of the following statements are true about the integrated test facility (ITF) except a. production reports are affected by ITF transactions b. ITF databases contain "dummy" records integrated with legitimate records c. ITF permits ongoing application auditing d. ITF does not disrupt operations or require the intervention of computer services personnel

A

Relational data model

A 2D table representing data- each row represents a unique entity (record) and each column is a field where record attributes are stored

Internal Control—Integrated Framework (IC)

A COSO framework that defines internal controls and provides guidance for evaluating and enhancing internal control systems.

Enterprise Risk Management - Integrated Framework (ERM)

A COSO framework that improves the risk management process by expanding COSO's Internal Control—Integrated Framework with three additional elements: setting objectives, identifying events that may affect the company, and developing a response to assessed risk.

Transaction Processing System

Central to the overall function of the information system. It converts economic events into financial transactions, records them in the accounting records (journals and ledgers), and distributes essential financial information to operations personnel to support their daily operations. It is composed of three major subsystems: the revenue cycle, the expenditure cycle, and the conversion cycle.

D: Establish off-site mirrored Web server.

A company has a significant e-commerce presence and self-hosts its website. To assure continuity in the event of a natural disaster, the firm should adopt which of the following strategies? A: Back up the server database daily. B: Store records off-site. C: Purchase and implement RAID technology. D: Establish off-site mirrored Web server.

B: Errors in employees' overtime computation.

A company's new time clock process requires hourly employees to select an identification number and then choose the clock-in or clock-out button. A video camera captures an image of the employee using the system. Which of the following exposures can the new system be expected to change the least? A: Fraudulent reporting of employees' own hours. B: Errors in employees' overtime computation. C: Inaccurate accounting of employees' hours. D: Recording of other employees' hours.

C: The financing cycle.

A company's trading activities may be of additional concern in relation to A: HR. B: Sales contracts. C: The financing cycle. D: The general ledger cycle.

Denial-of-Service (DoS) Attack

A computer attack in which the attacker sends so many requests (e-mail bombs, web page requests, connection attempts), often from randomly generated spoofed source addresses, that the target (for example, an e-mail or web server) is overloaded and shuts down or can no longer serve legitimate users.

header label check

A computer operator was in a hurry and accidentally used the wrong master file to process a transaction file. As a result, the accounts receivable master file was erased. What control would prevent this from happening? A. header label check B. expiration date check C. version check D. validity check
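
The three file-level controls named in the answer choices, as an added example that is not part of the course material: before an update run touches a data record, the header label of the mounted input master is compared with the expected file name and generation, and the volume about to be used as output is refused while its retention date has not passed. The header layout, the dates and the generation numbers are constructed assumptions.

```python
"""Header label, version and expiration date checks (added example, not course material).

Record layout, file names, generation numbers and dates are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class HeaderLabel:
    file_name: str     # internal label naming the file
    version: int       # generation number of this copy of the master
    expires: date      # retention date: the volume may not be overwritten before it


class FileControlError(Exception):
    def __init__(self, control, detail):
        super().__init__(f"{control}: {detail}")
        self.control = control


def check_input_label(label, expected_name, expected_version):
    """Checks run on the master file mounted as INPUT to an update run."""
    if label.file_name != expected_name:
        # Header label check: the wrong master was mounted (the erased-AR-master scenario above).
        raise FileControlError("header label", f"expected {expected_name!r}, got {label.file_name!r}")
    if label.version != expected_version:
        # Version check: an older generation would silently re-apply stale balances.
        raise FileControlError("version", f"expected generation {expected_version}, got {label.version}")
    return True


def check_overwrite_allowed(label, today):
    """Expiration date check, run on the volume about to be used as OUTPUT (scratch) file."""
    if today < label.expires:
        raise FileControlError("expiration date", f"retained until {label.expires.isoformat()}")
    return True


def failing_control(check, *args):
    """Run a check and return the name of the control that failed, or None if it passed."""
    try:
        check(*args)
        return None
    except FileControlError as e:
        return e.control


# Constructed labels: the current AR master, an unrelated inventory master, and last week's AR generation.
AR_MASTER = HeaderLabel("AR_MASTER", 42, date(2024, 2, 1))
INV_MASTER = HeaderLabel("INVENTORY_MASTER", 17, date(2024, 2, 1))
OLD_AR = HeaderLabel("AR_MASTER", 41, date(2024, 1, 25))

if __name__ == "__main__":
    for lab in (AR_MASTER, INV_MASTER, OLD_AR):
        print(lab.file_name, lab.version, failing_control(check_input_label, lab, "AR_MASTER", 42))
```

Note which control answers the question: only the header label check stops the operator from mounting the inventory master where the AR master belongs. The version check catches a stale copy of the right file, and the expiration date check protects the file being written, not the one being read.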

check digit

A control designed to validate a transaction at the point of data entry is A. a check digit B. recalculate record count C. recalculate batch total D. checkpoints E. recalculation of a hash total
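
A check digit computed and verified at the point of entry, as an added example that is not part of the course material. The scheme shown is the mod-10 (Luhn) algorithm, chosen here because it is the one most practitioners meet; the sample account numbers are constructed.

```python
"""Mod-10 (Luhn) check digit as a point-of-entry validation control.

Added example, not course material; the sample numbers are constructed.
"""


def luhn_check_digit(body: str) -> str:
    """Return the check digit for a string of decimal digits `body` (check digit not yet appended)."""
    if not body.isdigit():
        raise ValueError("account number body must be decimal digits")
    total = 0
    # Walking from the right, double every other digit starting with the rightmost one;
    # a doubled value above 9 has 9 subtracted (equivalent to summing its digits).
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def with_check_digit(body: str) -> str:
    """Issue a full identifier: body followed by its check digit."""
    return body + luhn_check_digit(body)


def is_valid(number: str) -> bool:
    """Validate a keyed-in identifier (body + check digit). Anything non-numeric is simply invalid."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


if __name__ == "__main__":
    acct = with_check_digit("1001")
    print(acct, is_valid(acct))
    # Keying errors the control catches: one wrong digit, and two adjacent digits swapped.
    print(is_valid("10016"), is_valid("10071"))
    # Known blind spot of mod-10: swapping adjacent 0 and 9 leaves the number valid.
    print(is_valid("10900"), is_valid("10090"))
```

The check digit detects every single-digit error and almost every adjacent transposition, which is what keying mistakes look like; it is not a security control, since anyone who knows the scheme can produce a valid number, so it belongs next to a validity check against the master file rather than in place of one.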

B: OLAP

A data analyst at Hubert Humbert Fashion Designers is using a component of its organization-wide ERP system to analyze customer sales to determine the optimal opening and closing times for its retail stores. The analyst is most likely using the _________ component of the system. A: CRM B: OLAP C: OLTP D: Supply chain management

3. Interpret a data flow diagram and its components.

A data flow diagram (DFD) graphically describes the flow of data within an organization. It uses four symbols to represent four basic elements: ▪ data sources and destinations (send and receive data the system uses or produces) ▪ data flows (movement of data among processes, stores, sources, and destinations) ▪ transformation processes (action that transforms data into information for use) ▪ data stores (repository or medium where system data is stored)

What is a relational database?

A database used frequently today that allows all business streams to access data and information as required by the business. Example: Sheridan Student Services booking system.

Data Flow Diagram (DFD)

A graphical description of the flow of data within an organization, including data sources/destinations, data flows, transformation processes, and data storage. DFDs should be logical and balanced.

What is a subsidiary ledger?

A group of similar accounts whose combined balances equal the balance in a specific general ledger account .

Digital Signature

A hash of the message encrypted with the signer's private key. The recipient decrypts the signature with the signer's public key, recomputes the hash of the received message, and accepts the message only if the two hashes match; this establishes both the integrity of the message and the identity of the signer.

A: likelihood rating; impact ratings

A heat map used as a part of assessing risks plots the___________________ on the vertical axis against the___________________ on the horizontal axis. A: likelihood rating; impact ratings B: inherent risk; risk appetite C: target residual risk, actual residual risk D: internal control; inherent risk

Specialized Journal

A journal used to record a large number of repetitive transactions such as credit sales, cash receipts, purchases, and cash disbursements

General Journal

A journal used to record infrequent or non-routine transactions, such as loan payments and end-of-period adjusting and closing entries

Subsidiary Ledger

A ledger used to record detailed data for a general ledger account with many individual sub accounts, such as accounts receivable, inventory, and accounts payable.

Internal-level schema

A low-leveled view of the entire database describing how the data are actually stored and accessed

c. Trojan horse.

A malicious program that attaches to another legitimate program but does NOT replicate itself is called a a. virus. b. worm. c. Trojan horse. d. logic bomb.

Packet Filtering

A process that uses various fields in a packet's IP and TCP headers to decide what to do with the packet
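
What a packet filter actually does with those header fields, as an added example that is not part of the course material: the IPv4 and TCP headers are parsed out of a raw packet, and an ordered rule list with a default deny is evaluated against source address, destination address, protocol and destination port. The packets are constructed with a helper (checksums left at zero), and the addresses, the DMZ web server and the rule set are assumptions.

```python
"""Stateless packet filter over raw IPv4/TCP headers (added example, not course material).

Packets are constructed in-line; addresses and the rule set are assumptions.
"""
import ipaddress
import struct

SYN, ACK = 0x02, 0x10


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Construct a minimal IPv4+TCP header (no options, no payload) for testing; checksums are zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp


def parse(packet):
    """Pull the fields a filter decides on out of the IPv4 header and, for TCP, the TCP header."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    info = {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst), "proto": proto}
    if proto == 6 and len(packet) >= ihl + 20:
        sport, dport, _, _, _, flags = struct.unpack("!HHIIBB", packet[ihl:ihl + 14])
        info.update(sport=sport, dport=dport, syn=bool(flags & SYN), ack=bool(flags & ACK))
    return info


# Ordered rule list, first match wins. 203.0.113.10 is an assumed DMZ web server;
# 10.0.0.0/8 is the assumed internal network.
RULES = [
    {"action": "allow", "src": "0.0.0.0/0",  "dst": "203.0.113.10/32", "proto": 6, "dport": 443},
    {"action": "allow", "src": "10.0.0.0/8", "dst": "203.0.113.10/32", "proto": 6, "dport": 22},
    {"action": "deny",  "src": "0.0.0.0/0",  "dst": "10.0.0.0/8"},   # nothing reaches the internal net directly
]


def decide(packet, rules=RULES):
    """Return 'allow' or 'deny' for a packet; anything no rule matches is denied."""
    p = parse(packet)
    for r in rules:
        if p["src"] not in ipaddress.ip_network(r["src"]):
            continue
        if p["dst"] not in ipaddress.ip_network(r["dst"]):
            continue
        if "proto" in r and p["proto"] != r["proto"]:
            continue
        if "dport" in r and p.get("dport") != r["dport"]:
            continue
        return r["action"]
    return "deny"


if __name__ == "__main__":
    print(decide(build_ipv4_tcp("198.51.100.9", "203.0.113.10", 40000, 443, SYN)))   # allow
    print(decide(build_ipv4_tcp("198.51.100.9", "203.0.113.10", 40000, 22, SYN)))    # deny
```

The filter is stateless: it cannot tell the web server's reply packets from unsolicited ones, which is why the rule list above has no rule for return traffic. Allowing any packet with ACK set is the traditional stateless workaround and is exactly the hole a stateful firewall closes.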

zero-balance test

A processing control that verifies that the balance of a control account equals zero after all entries to it have been made.

D: Experience on a public company's compensation committee.

A public company audit committee's "financial expert" must have all of the following except: A: An understanding of GAAP and financial statements. B: Experience in preparing or auditing financial statements of comparable companies and application of such principles in connection with accounting for estimates, accruals, and reserves. C: Experience with internal auditing controls. D: Experience on a public company's compensation committee.

Expenditure Cycle

A recurring set of business activities and related data processing operations associated with the purchase of and payment for goods and services. In the expenditure cycle, the primary external exchange of information is with suppliers (vendors).

Accounts receivable aging report

A report listing customer accounts balances by length of time outstanding

Postimplementation Review Report

A report that analyzes a newly delivered system to determine if the system achieved its intended purpose and was completed within budget.

Query

A request for the database to provide the information needed to deal with a problem or answer a question. The information is retrieved, displayed or printed, and/or analyzed as requested.

4. Explain the fundamental concepts of Schemas.

A schema is a description of the data elements in a database, the relationships among them, and the logical model used to organize and describe the data. There are three levels of schemas: a. The conceptual-level schema, a high-level, organization-wide view of the entire database, lists all data elements and the relationships among them. b. The external-level schema is an individual user's view of portions of a database, each of which is referred to as a subschema. c. The internal-level schema, a low-level view of the database, describes how the data are stored and accessed, including record layouts, definitions, addresses, and indexes.

Control Objectives for Information and Related Technology (COBIT)

A security and control framework that allows (1) management to benchmark the security and control practices of IT environments, (2) users of IT services to be assured that adequate security and control exist, and (3) auditors to substantiate their internal control opinions and advise on IT security and control matters.

Demilitarized Zone (DMZ)

A separate network segment, placed between the Internet and the organization's internal network, that hosts the systems outsiders need to reach (such as web and mail servers) and permits controlled access from the Internet without exposing the internal information system directly.

Record

A set of fields whose data values describe specific attributes of an entity, such as all payroll data relating to a single employee. An example is a row in a spreadsheet.

Database

A set of interrelated, centrally controlled data files that are stored with as little data redundancy as possible. A database consolidates records previously stored in separate files into a common pool and serves a variety of users and data processing applications

Databases

A set of interrelated, centrally coordinated data files that are stored with as little data redundancy as possible

File

A set of logically related records, such as the payroll records of all employees

b. worm

A software program that replicates itself in areas of idle memory until the system fails is called a a. Trojan horse b. worm c. logic bomb d. none of the above

Firewall

A special-purpose hardware device, or software running on a general-purpose computer, that controls both inbound and outbound communication between the system behind the firewall and other networks

Remote Authentication Dial-In User Service (RADIUS)

A standard protocol (and server) for centrally authenticating, authorizing, and accounting for users who attempt to connect to a network. It was designed for dial-in access and is now used the same way for VPN, wireless (802.1X), and network device logins.

AIS

A system that collects, processes and stores accounting and other data to report information to assist users in decision-making.

Accounting Information System (AIS)

A system that collects, records, stores, and processes data to produce information for decision makers. It includes people, procedures and instructions, data, software, information technology infrastructure, and internal controls and security measures.

Corrective Internal Controls

Actions taken to reverse the effects of errors detected.

Production or conversion cycle

Activities associated with using labor, raw materials, and equipment to produce finished goods

the test data technique requires extensive computer expertise on the part of the auditor

All of the following are disadvantages of the test data technique except a. the test data technique requires extensive computer expertise on the part of the auditor b. the auditor cannot be sure that the application being tested is a copy of the current application used by computer services personnel c. the auditor cannot be sure that the application being tested is the same application used throughout the entire year d. preparation of the test data is time-consuming

d. the recipient's application software can validate the password after the transaction has been processed

All of the following techniques are used to validate electronic data interchange transactions except a. value added networks can compare passwords to a valid customer file before message transmission b.prior to converting the message, the translation software of the receiving company can compare the password against a validation file in the firm's database c. the recipient's application software can validate the password prior to processing d. the recipient's application software can validate the password after the transaction has been processed

d. install public-domain software from reputable bulletin boards

All of the following will reduce the exposure to computer viruses except a. install antivirus software b. install factory-sealed application software c. assign and control user passwords d. install public-domain software from reputable bulletin boards

ways to address information overload

Allow more time to complete important tasks. Compress, aggregate, categorize, and structure information. Formalize the language used to describe information. Handle information as it comes to you; don't put it off. Use graphs and other visual aids.

A: Sequential

An accountant at Henry Higgins Language Lessons must sort the master file before processing recent transactions to update the master file. Henry Higgins uses ______ file storage. A: Sequential B: RAID C: Optical disk D: Data mart

C: OLTP

An accountant at Hubert Humbert Fashion Designers is using a component of its organization-wide ERP system to prepare a payroll tax return. The accountant is most likely using the _________ component of the system. A: CRM B: OLAP C: OLTP D: Supply chain management

Flowchart

An analytical technique that uses a standard set of symbols to describe pictorially some aspect of an IS in a clear, concise, and logical manner.

B: Increased responsiveness and flexibility while aiding in the decision-making process.

An enterprise resource planning (ERP) system has which of the following advantages over multiple independent functional systems? A: Modifications can be made to each module without affecting other modules. B: Increased responsiveness and flexibility while aiding in the decision-making process. C: Increased amount of data redundancy, since more than one module contains the same information. D: Reduction in costs for implementation and training.

A: What is the relationship between our strategy and objectives?

An entity reviews its ERM practices. Which question is the organization least likely to investigate as a part of this review? A: What is the relationship between our strategy and objectives? B: How did the entity perform? C: Are we taking sufficient risks to attain desired performance? D: Were risk estimates accurate?

sum of the social security numbers

An example of a hash total is A. total payroll checks B. total number of employees C. sum of the social security numbers D. none of the above

Supply chain

An extended system that includes an organization's value chain as well as its suppliers, distributors, and customers.

What is an attest function?

An independent examination by a CPA of a company's financial statements and the evidence supporting them, undertaken in order to express an opinion on whether the statements are fairly presented.

External-level schema

An individual user's view of portions of database

Range Check

An input control that catches input errors whose values fall above or below the acceptable range of values.

a. operating system.

An integrated group of programs that supports the applications and facilitates their access to specified resources is called a(n) a. operating system. b. database management system. c. utility system. d. facility system. e. object system.

limit check

An inventory record indicates that 12 items of a specific product are on hand. A customer purchased two of the items, but when recording the order, the data entry clerk mistakenly entered 20 items sold. Which check could detect this error? a. numeric/alphabetic data checks b. limit check c. range check d. reasonableness check
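
The following is an added example, not part of the original card set, that runs the four edits named in the question over the transaction it describes. The inventory master file, the range bounds (1 to 1000), and the customer's average order size used by the reasonableness check are constructed; the error messages are assumptions for illustration.

```python
from typing import List

# Constructed inventory master file; the on-hand quantity is the one in the question.
INVENTORY = {"SKU-1001": {"on_hand": 12}}

def field_check(qty) -> List[str]:
    """Numeric/alphabetic data check: the quantity field must hold a number."""
    if isinstance(qty, bool) or not isinstance(qty, int):
        return [f"field check: quantity {qty!r} is not numeric"]
    return []

def range_check(qty: int, low: int = 1, high: int = 1000) -> List[str]:
    """Range check: the value must fall between a lower and an upper bound."""
    if not low <= qty <= high:
        return [f"range check: quantity {qty} outside {low}-{high}"]
    return []

def limit_check(sku: str, qty: int) -> List[str]:
    """Limit check: the value may not exceed a single limit, here the quantity on hand."""
    on_hand = INVENTORY[sku]["on_hand"]
    if qty > on_hand:
        return [f"limit check: quantity {qty} exceeds on-hand {on_hand}"]
    return []

def reasonableness_check(qty: int, customer_avg: int) -> List[str]:
    """Reasonableness check: the value is judged against other data, here the customer's usual order size."""
    if qty > 5 * customer_avg:
        return [f"reasonableness check: quantity {qty} is more than 5x the customer's average {customer_avg}"]
    return []

def edit_transaction(sku: str, qty, customer_avg: int) -> List[str]:
    """Run the input edits in order; an empty list means the transaction passes."""
    errors = field_check(qty)
    if errors:
        return errors  # the remaining edits need a numeric value
    errors += range_check(qty)
    errors += limit_check(sku, qty)
    errors += reasonableness_check(qty, customer_avg)
    return errors

if __name__ == "__main__":
    print(edit_transaction("SKU-1001", 2, customer_avg=5))    # the intended order: passes
    print(edit_transaction("SKU-1001", 20, customer_avg=5))   # the keying error: caught by the limit check
```

Note what each edit can and cannot see: 20 is a valid number and lies inside the 1 to 1000 range, and for a customer who averages five items it is not unreasonable on its own. Only the comparison with the quantity on hand (the limit) exposes the error, which is why the edits are layered rather than relying on any single one.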

D: Review its ERM practices.

An organization launches a new product and finds the product is performing better than expected and that the volatility of sales is less than expected. Which of the following is the organization most likely to do? A: Review its internal control procedures. B: Investigate new technologies to improve product performance. C: Revise its tolerance and decrease its risk appetite D: Review its ERM practices.

Fraud

Any and all means a person uses to gain an unfair advantage over another person

Computer Fraud

Any type of fraud that requires computer technology to perpetrate

which of the following is often called compensating control? A. transaction authorization B. supervision C. accounting records D. segregation of duties

B

How does a direct access file processing system edit individual transactions? a. takes place in a separate computer run b. takes place in online mode as transactions are entered c. takes place during a backup procedure d. is not performed due to time constraints e. is not necessary

C

In a computer system, how are accounting records posted? a. master file is updated to a transaction file b. master file is updated to an index file c. transaction file is updated to a master file d. master file is updated to a year-to-date file e. current balance file is updated to an index file

C

The underlying assumption of reasonable assurance regarding implementation of internal control means that A. auditors are reasonably assured that fraud has not occurred in the period B. auditors are reasonably assured that employee carelessness can weaken an internal control structure C. implementation of the control procedure should not have a significant adverse effect on efficiency or profitability D. management assertions about control effectiveness should provide auditors with reasonable assurance E. a control applies reasonably well to all forms of computer technology

C

Which of the following benefits is least likely to result from a system of internal controls? A. reduction of cost of an external audit B. prevention of employee collusion to commit fraud C. availability of reliable data for decision-making purposes D. some assurance of compliance with the Foreign Corrupt Practices Act of 1977 E. some assurance that important documents and records are protected

C

the fraud scheme that is similar to the concept of "borrowing from Peter to pay Paul" is A. expense account fraud B. bribery C. lapping D. transaction fraud

C

Data manipulation language (DML)

DBMS language that changes database content including data element creations updates, insertions, and deletions

Information

Data that have been organized and processed to provide meaning and improve the decision-making process

C: Determine responses to the risks.

Devon Company is using an enterprise risk management system. Management of the company has set the company's objectives, identified events, and assessed risks. What is the next step in the enterprise risk management process? A: Establish control activities to manage the risks. B: Monitor the risks. C: Determine responses to the risks. D: Identify opportunities.

1. Explain the purpose of documentation.

Documentation explains how a system works, including the who, what, when, where, why, and how of data entry, data processing, data storage, information output, and system controls. This helps with training IT employees to use the system. a. At a minimum, you must be able to read documentation to determine how a system works. b. You may need to evaluate documentation to identify internal control strengths and weaknesses and recommend improvements, as well as to determine if a proposed system meets the company's needs. c. More skill is needed to prepare documentation that shows how an existing or proposed system operates.

Complete information

Does not omit important aspects of the events or activities it measures.

12. Which statement is not true? A batch control record a. contains a transaction code b. records the record count c. contains a hash total d. control figures in the record may be adjusted during processing e. All the above are true

E

5 common activities of the expenditure cycle

Expenditure cycle: get goods / get service—give cash
Request goods and services be purchased
Prepare, approve, and send purchase orders to vendors
Receive goods and services and complete a receiving report
Store goods
Receive vendor invoices
Update (increase) accounts payable
Approve vendor invoices for payment
Pay vendors for goods and services
Update (reduce) accounts payable
Handle purchase returns, discounts, and allowances
Send appropriate information to the other cycles

A: It is vague and imprecise.

Farmers and Ranchers Credit Union has set the following statement of risk appetite: "Net credit losses will be really low." Which of the following claims regarding this statement are most accurate? A: It is vague and imprecise. B: It is excellent and appropriate. C: "Net credit losses" are not an appropriate metric for a statement of risk appetite. D: Statements of risk appetite must be stated in the active voice.

Information Output

Final step in data processing cycle. Displayed on monitor is called "soft copy," and displayed on paper is called "hard copy." Usually presented in a document, report, or query response.

5 basic activities of the financing cycle

Financing cycle: give cash—get cash
Forecast cash needs
Sell stock/securities to investors
Borrow money from lenders
Pay dividends to investors and interest to lenders
Retire debt
Prepare management reports
Send appropriate information to the other cycles

Vulnerabilities

Flaws in programs that can be exploited to either crash the system or take control of it

c. all nodes are of equal status; responsibility for managing communication is distributed among the nodes

In a ring topology a. the network consists of a central computer which manages all communications between nodes b. has a host computer connected to several levels of subordinate computers c. all nodes are of equal status; responsibility for managing communication is distributed among the nodes d. information processing units rarely communicate with each other

D: The organizational culture is closely linked to the organization's strategy, objectives, and business context.

In a risk-aware organization, A: The organizational culture is independent of management. B: The organizational culture will be risk averse. C: Investments in unproven technologies will be minimized. D: The organizational culture is closely linked to the organization's strategy, objectives, and business context.

b. individual workstations can function locally but cannot communicate with other workstations

In a star topology, when the central site fails a. individual workstations can communicate with each other b. individual workstations can function locally but cannot communicate with other workstations c. individual workstations cannot function locally and cannot communicate with other workstations d. the functions of the central site are taken over by a designated workstation

hash total

In an automated cash disbursement system, a supervisor substituted a legitimate vendor invoice with a fictitious invoice, which was payable to himself under a false company name. The fictitious invoice was for the same dollar amount as the substituted invoice. The best control technique to detect this action would be a A. control total B. record count C. hash total D. sequence check E. Financial total
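
The following is an added example, not code from the original card set, that computes the three classic batch control totals over the disbursement scenario in this question (and illustrates the "sum of the social security numbers" idea from the earlier hash total card with vendor numbers instead). The invoices, vendor numbers, and amounts are constructed. It shows why only the hash total catches the substitution: the record count and the financial total are unchanged when one invoice is swapped for another of the same amount.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Invoice:
    vendor_no: int     # non-financial identifier: the field summed for the hash total
    amount_cents: int  # amount in cents, so the financial total is exact

def batch_totals(batch: List[Invoice]) -> Dict[str, int]:
    """The three classic batch control totals computed over a batch of invoices."""
    return {
        "record_count": len(batch),
        "financial_total": sum(i.amount_cents for i in batch),
        "hash_total": sum(i.vendor_no for i in batch),
    }

def compare_totals(expected: Dict[str, int], batch: List[Invoice]) -> Dict[str, bool]:
    """True for each control total that still agrees with the value recorded when the batch was approved."""
    actual = batch_totals(batch)
    return {name: expected[name] == actual[name] for name in expected}

# Constructed batch of approved vendor invoices; its totals go into the batch control record.
APPROVED = [Invoice(10417, 125000), Invoice(20833, 98050), Invoice(30299, 310000)]
CONTROL_RECORD = batch_totals(APPROVED)

# The supervisor replaces the second invoice with one payable to a shell company for the same amount.
SUBSTITUTED = [Invoice(10417, 125000), Invoice(99999, 98050), Invoice(30299, 310000)]

if __name__ == "__main__":
    print("control record:", CONTROL_RECORD)
    print("after substitution:", compare_totals(CONTROL_RECORD, SUBSTITUTED))
```

A hash total is an arithmetic control, not a cryptographic hash: the sum of vendor numbers has no meaning in itself, and anyone who can edit both the batch and its control record can recompute it. It detects the substitution only because the control record was produced before the batch reached the supervisor and is reconciled by someone else, which is why the control depends on segregation of duties.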

Online Real-Time Processing

Involves a continual input, process and output of data. e.g. Online reservation

2. Describe the objectives of an information system audit.

Information Systems (internal control) Audit - Examination of the general and application controls of an IS to assess its compliance with internal control policies and procedures and its effectiveness in safeguarding assets. a. Objective 1: *Overall Security* - Security provisions protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction. b. Objective 2: *Program Development and Acquisition* - Program development and acquisition are performed in accordance with management's general and specific authorization. c. Objective 3: *Program Modification* - Program modifications have management's authorization and approval. d. Objective 4: *Computer Processing* - Processing of transactions, files, reports, and other computer records is accurate and complete. e. Objective 5: *Source Data* - Source data that are inaccurate or improperly authorized are identified and handled according to prescribed managerial policies. f. Objective 6: *Data Files* - Computer data files are accurate, complete, and confidential.

5. Identify the types of information output produced by an AIS.

Information is usually presented in three forms: a. Document - records of transaction or other company data. Examples include checks, invoices, receiving reports, and purchase requisitions. b. Report - Meaningful system output used by employees to control operational activities, by managers to make decisions and design strategies, and by investors and creditors to understand a company's business activities. c. Query - A request for the data base to provide the information needed to deal with a problem or answer a question quickly. The information is retrieved, displayed or printed, and/or analyzed as requested.

What is discretionary information?

Information that is not required by law. Think: secret

General ledger and reporting system

Information-processing operations involved in updating the general ledger and preparing reports for both management and external parties.

B: The automated system requires controls related to people, software, and hardware.

Jones and Willy recently implemented an automated accounting system to replace their manual accounting system. While setting up the system, they find that: A: They need to permanently run the manual and automated accounting systems as a control over processing. B: The automated system requires controls related to people, software, and hardware. C: Access controls are of less importance in the new system. D: The company's external auditors are best qualified to set up the new system.

General Ledger

Ledger that contains summary-level data for every asset, liability, equity, revenue, and expense account of the organization

Subsidiary Ledger

Ledger used to record detailed data for a general ledger account with many individual sub-accounts such as accounts receivable, inventory and accounts payable

Sarbanes-Oxley Act (SOX)

Legislation intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen internal controls at public companies, and punish executives who perpetrate fraud

Foreign Corrupt Practices Act (FCPA)

Legislation passed to prevent companies from bribing foreign officials to obtain business; it also requires all publicly owned corporations to maintain a system of internal accounting controls

Mnemonic code

Letters and numbers that are interspersed to identify an item. The mnemonic code is derived from the description of the item and is usually easy to memorize. For example, Dry300W05 could represent a low end (300), white (W) dryer (Dry) made by Sears (05).

A: That functions that had previously been spread across multiple employees have been combined.

Morgan Property Management, Inc. recently switched from a manual accounting system to a computerized accounting system. The system supports online real-time processing in a networked environment, and six employees have been granted access to various parts of the system in order to perform their jobs. Relative to the manual system, Morgan can expect to see A: That functions that had previously been spread across multiple employees have been combined. B: An increase in the incidence of clerical errors. C: A decrease in the incidence of systemic errors. D: A decrease in the need for access controls to the accounting records.

AIS threats

Natural & political disasters Software errors & equipment malfunction Unintentional acts Intentional acts (computer crimes)

What do the three variables of the Time-Based Model of Security mean?

P = The time it takes an attacker to break through the organization's preventive controls D = The time it takes to detect that an attack is in progress C = The time it takes to respond to the attack and take corrective action. The model treats security as effective when P > D + C, that is, when an attack is detected and stopped before the preventive controls are defeated; if P < D + C, the organization must strengthen prevention or speed up detection and response.

3 Internal Control Functions

Preventive Controls Detective Controls Corrective Controls

Technical controls

Primarily implemented and executed through mechanisms contained in computing related equipment.

Business Continuity Planning

Process that identifies events that may threaten an organization and provides a framework to ensure that the organization will continue to operate when the threatened event occurs or will resume operations with a minimum of disruption

Processor Fraud

Processor fraud includes unauthorized system use, including theft of computer time and services

Purchasing

Procure raw materials, supplies, machinery, and buildings used to carry out primary activities

4 Basic activities of the production Cycle

Product Design Planning & Scheduling Production Operations Cost Accounting

5. Identify the purpose and basic activities of the production cycle.

Production Cycle - The recurring set of business activities and related data processing operations associated with the manufacture of products. The objective is to create a product that meets customer requirements in terms of quality, durability, and functionality while simultaneously minimizing production costs. a. Product Design b. Planning and Scheduling c. Production Operations d. Cost Accounting

Edits

Programmed procedures that test transaction data to ensure they are free from errors before they are processed are called A. operating procedures B. integrated test facilities C. Compiler programs D. edits E. valuation tests

Operational control

Protecting a firm's premise and facilities, preventing and detecting physical security breaches, and providing security training to employees, contractors, or third party users.

Shell Company Fraud

Requires that the perpetrator establish a false supplier on the books of the victim company. The fraudster then manufactures false purchase orders, receiving reports, and invoices in the name of the vendor and submits them to the accounting system, which creates the illusion of a legitimate transaction. The system sets up an account payable and ultimately issues a check to the false supplier.

1. Identify the purpose and basic activities of the revenue cycle.

Revenue Cycle - The recurring set of business activities and data processing operations associated with providing goods and services to customers and collecting cash in payment for those sales. The revenue cycle's primary objective is to provide the right product in the right place at the right time for the right price. a. Sales Order Entry b. Shipping c. Billing d. Cash Collections

What are the typical business cycle of AIS

Revenue cycle, Expenditure cycle, Hr/Payroll cycle, Production/Manufacture cycle, Financing cycle.

B: Drill down.

Robert the Grievous is reading an online summary production cost report and wants to know why the cost of sprockets, used in constructing orbital sanders, is so high. Robert most likely needs to: A: Data mine. B: Drill down. C: Slice and dice. D: Use the OLAP system.

Virtualization

Running multiple systems simultaneously on one physical computer. This takes advantage of the power and speed of modern computers to run multiple systems and cuts hardware costs.

Control Objectives

Safeguard assets
Maintain records in sufficient detail to report company assets accurately and fairly
Provide accurate and reliable information
Prepare financial reports in accordance with established criteria
Promote and improve operational efficiency
Encourage adherence to prescribed managerial policies
Comply with applicable laws and regulations

What is used in a test of credit approvals?

"Sales amount." Sales amount is used in a test of credit approvals.

b. used by network administrators to analyze network traffic.

Sniffer software is a. used by malicious Web sites to sniff data from cookies stored on the user's hard drive. b. used by network administrators to analyze network traffic. c. used by bus topology intranets to sniff for carriers before transmitting a message to avoid data collisions. d. an illegal program downloaded from the Web to sniff passwords from the encrypted data of Internet customers. e. illegal software for decoding encrypted messages transmitted over a shared intranet channel.

B: Selecting, developing, and deploying fraud controls

The Greensburg Agriculture Products employee survey related to fraud includes this statement: "We are discouraged from sharing our computer passwords with others." This statement best relates to which of the following fraud management principles and processes? A: Establishing a fraud risk management program B: Selecting, developing, and deploying fraud controls C: Selecting, developing, and deploying evaluation and monitoring processes D: Establishing a communication program to obtain information about potential frauds

Enterprise Risk Management Framework (ERM) vs. Internal Control Framework (IC)

The IC framework has been widely adopted as the way to evaluate internal controls, as required by SOX. The more comprehensive ERM framework takes a risk-based rather than a controls-based approach. ERM adds three additional elements to COSO's IC framework: setting objectives, identifying events that may affect the company, and developing a response to assessed risk. As a result, controls are flexible and relevant because they are linked to current organizational objectives. The ERM model also recognizes that risk, in addition to being controlled, can be accepted, avoided, diversified, shared, or transferred.

C: All personnel.

The IT department at Piggy Parts BBQ has recently learned of phishing attempts that rely on social engineering to break into its financial systems. Information about these attempts should be communicated to: A: Internal auditors. B: Other personnel. C: All personnel. D: Support functions.

B: Performance

The Resource Development Company mines for rare earth minerals in developing countries. The company is currently assessing aspects of risk to determine which risks are most and least important. This analysis most likely occurs as a part of which component in the ERM framework? A: Governance and Culture B: Performance C: Strategy and Objective-Setting D: Information, Communication, and Reporting

System flowcharts do which one of the following?

The correct answer is "represent relationships between key elements of manual and computer systems." System flowcharts represent relationships between key elements of manual and computer systems. The system flowchart is a graphic representation of the process that is used by the programmer/analyst and systems auditors to understand the flow of data through the program or system and the files/functions that are involved from input to storage to output.

A: Effectiveness and efficiency of operations.

The definition of internal control developed by the Committee of Sponsoring Organizations (COSO) in the professional standards includes the reliability of financial reporting, compliance with applicable laws and A: Effectiveness and efficiency of operations. B: Effectiveness of prevention of fraudulent occurrences. C: Incorporation of ethical business practice standards. D: Safeguarding of entity assets.

D: Both control baseline and change management

The materials manager of a warehouse is given a new product line to manage with new inventory control procedures. Which of the following sequences of the COSO internal control monitoring-for-change continuum is affected by the new product line? A: Control baseline but not change management B: Change management but not control baseline C: Neither control baseline nor change management D: Both control baseline and change management

Public Key Infrastructure (PKI)

The system of policies, software, and trusted certificate authorities (CAs) for issuing, distributing, and revoking pairs of public and private keys and the digital certificates that bind a public key to the identity of its owner

Coding

The systematic assignment of numbers or letters to items to classify and organize them

C: Code approved changes to a payroll program.

To maintain effective segregation of duties within the information technology function, an application programmer should have which of the following responsibilities? A: Modify and adapt operating system software. B: Correct detected data entry errors for the cash disbursement system. C: Code approved changes to a payroll program. D: Maintain custody of the billing program code and its documentation.

Query

To retrieve stored data, users query databases. A significant advantage of database systems is the ability to create ad hoc queries to provide the information needed for decision making. No longer is financial information available only in predefined formats and at specified times. Instead, powerful and easy-to-use relational database query languages can find and prepare the information management needs whenever they want it.

Hashing

Transforming plaintext of any length into a short, fixed-length code called a hash (or digest). The transformation is one-way, so the original cannot be recovered from the hash, and any change to the input produces a different hash, which is what makes hashes useful for detecting altered data.

c. denial of service attack.

Transmitting numerous SYN packets to a targeted receiver, but NOT responding to an ACK, is a a. request-response control. b. smurf attack. c. denial of service attack. d. call-back response control. e. none of the above.
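
The following is an added example, not code from the original card set, showing the detection side of the attack this question describes: it counts half-open connections (a SYN received, no completing ACK) from a constructed packet log. The server address, the client addresses, and the simplified log format (source, destination, destination port, TCP flags) are assumptions. It deliberately includes two floods, one from a single source and one from forty spoofed sources, because a per-source threshold only catches the first.

```python
from collections import Counter
from typing import Counter as CounterType, List, Tuple

Packet = Tuple[str, str, int, str]   # (src, dst, dport, flags); flags "S", "SA", "A"

SERVER = "203.0.113.10"              # constructed address of the targeted web server

def half_open_counts(log: List[Packet], server: str) -> CounterType[str]:
    """Outstanding connections per source: SYNs to the server not yet completed by an ACK."""
    pending: CounterType[str] = Counter()
    for src, dst, dport, flags in log:
        if dst != server:
            continue                       # only packets arriving at the server matter here
        if flags == "S":                   # SYN without ACK: a client opens a connection
            pending[src] += 1
        elif flags == "A" and pending[src] > 0:
            pending[src] -= 1              # third packet of the handshake completes it
    return pending

def total_half_open(log: List[Packet], server: str) -> int:
    """Backlog view: how many half-open connections the server is holding in total."""
    return sum(half_open_counts(log, server).values())

def flag_sources(log: List[Packet], server: str, threshold: int) -> List[str]:
    """Per-source view: sources holding at least `threshold` half-open connections."""
    return sorted(src for src, n in half_open_counts(log, server).items() if n >= threshold)

# Constructed traffic: one legitimate handshake, then two floods that never send the ACK.
LEGIT: List[Packet] = [
    ("192.0.2.5", SERVER, 80, "S"),
    (SERVER, "192.0.2.5", 54321, "SA"),
    ("192.0.2.5", SERVER, 80, "A"),
]
SINGLE_SOURCE_FLOOD: List[Packet] = [("198.51.100.200", SERVER, 80, "S")] * 20
SPOOFED_FLOOD: List[Packet] = [(f"198.51.100.{i}", SERVER, 80, "S") for i in range(1, 41)]
LOG: List[Packet] = LEGIT + SINGLE_SOURCE_FLOOD + SPOOFED_FLOOD

if __name__ == "__main__":
    print("half-open total:", total_half_open(LOG, SERVER))
    print("sources over threshold:", flag_sources(LOG, SERVER, threshold=10))
```

The legitimate client ends with zero outstanding connections, the single-source attacker is flagged, but the spoofed flood contributes forty half-open connections while no individual source crosses the threshold. That is why SYN flood defences work on the server's backlog as a whole (rate limits, shorter half-open timeouts, SYN cookies) rather than only on per-source counts.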

End User Computing

User creation, control and implementation

Advantages of Developing In-House

User creation, control, and implementation
System that meets user needs
Timeliness
Freeing up of system resources
Versatility and ease of use

Online analytical processing (OLAP)

Using queries to investigate hypothesized relationships among data

SMS Spoofing

Using short message service (SMS) to change the name or number a text message appears to come from

Data mining

Using sophisticated statistical analysis to "discover" un-hypothesized relationships in data

2.2 With respect to the data processing cycle, explain the phrase "garbage in, garbage out." How can you prevent this from happening

When garbage, defined as errors, is allowed into a system, that error is processed and the resulting erroneous (garbage) data is stored. The stored data will at some point become output; hence the phrase garbage in, garbage out. Data errors are even more problematic in ERP systems because the error can affect many more applications than an error in a non-integrated database. Companies go to great lengths to make sure that errors are not entered into a system. To prevent data input errors: • Data captured on source documents and keyed into the system are edited by the computer to detect and correct errors, and critical data is sometimes double keyed. • Companies use turnaround documents to avoid the keying process. • Companies use source data automation devices to capture data electronically to avoid manual data entry with its attendant errors. • Well-designed documents and screens improve accuracy and completeness by providing instructions or prompts about what data to collect, grouping logically related pieces of info

Describe the Expenditure Cycle.

Where companies purchase inventory for resale or raw materials to use in producing products in exchange for cash or a future promise to pay cash. actions include: ~ Request goods and services be purchased ~ Prepare, approve, send purchase orders to vendors ~ Receive G/S and complete a receiving report ~ Store goods ~ Receive vendor invoices ~ Update (increase) accounts payable ~ Approve vendor invoices for payment ~ Pay vendors for goods and services ~ Update (reduce) accounts payable ~ Handle purchase returns, discounts, and allowances ~ Prepare management reports ~ Send appropriate information to the other cycles

Describe the HRM/Payroll Cycle.

Where employees are hired, trained, compensated, evaluated, promoted, and terminated. actions include: ~ Recruit, hire, and train new employees ~ Evaluate employee performance and promote employees ~ Discharge employees ~ Update payroll records ~ Collect and validate time, attendance, and commission data ~ Prepare and disburse payroll ~ Calculate and disburse taxes and benefit payments ~ Prepare employee and management reports ~ Send appropriate information to the other cycles

Describe the Production/Conversion Cycle.

Where raw materials are transformed into finished goods. actions include ~ Design products ~ Forecast, plan, and schedule production ~ Request raw materials for production ~ Manufacture products ~ Store finished products ~ Accumulate costs for products manufactured ~ Prepare management reports ~ Send appropriate information to the other cycles

A: Inventory report

Which document lists the items in inventory? A: Inventory report B: Bill of materials C: Move ticket D: Operations list

D: Operations list

Which document lists the steps in making a product? A: Inventory report B: Bill of materials C: Move ticket D: Operations list

validity check

Which input validation check would detect a payroll check made to a nonexistent employee? A. missing data check B. numeric/alphabetic check C. range check D. Validity Check

Work performed by internal auditors who organizationally report to the controller

Which is NOT a source of evidence for an external auditor? A. Work performed by internal auditors who organizationally report to the controller B. Test of Controls C. Substantive Tests D. Work performed by internal auditors who report to the audit committee of the BOD

c. public key encryption

Which method will render useless data captured by unauthorized receivers? a. echo check b. parity bit c. public key encryption d. message sequencing

A: Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing.

Which of the following characteristics distinguishes computer processing from manual processing? A: Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing. B: Errors or fraud in computer processing will be detected soon after their occurrences. C: The potential for systematic error is ordinarily greater in manual processing than in computerized processing. D: Most computer systems are designed so that transaction trails useful for audit purposes do not exist.

D: Machine operators are supervised by the programmer.

Which of the following constitutes a weakness in the internal control of a computer system? A: One generation of backup files is stored in an off-premises location. B: Machine operators distribute error messages to the control group. C: Machine operators do not have access to the complete systems manual. D: Machine operators are supervised by the programmer.

C: Periodically requiring purchasing agents to disclose their relationships to all vendors

Which of the following controls is most likely to prevent a kickback to a purchasing agent? A: Prenumbering of purchase order B: Matching packing lists to vendor invoices C: Periodically requiring purchasing agents to disclose their relationships to all vendors D: Requiring authorization to receive goods from vendors

C: Systems analyst.

Which of the following employees normally would be assigned the operating responsibility for designing a computer installation, including flowcharts of data processing routines? A: Computer programmer. B: Data processing manager. C: Systems analyst. D: Internal auditor

B: Types of decisions to be made

Which of the following factors has the greatest impact on the design of an effective management reporting system? A: Number of transactions to be processed B: Types of decisions to be made C: Number of authorized users D: Number of regulatory agencies to be satisfied

D: Information and communication.

Which of the following factors is not included in the control environment component of internal control? A: Commitment to competence. B: Organizational structure. C: Integrity and ethical values. D: Information and communication.

C: Data entry and application programming.

Which of the following information technology (IT) departmental responsibilities should be delegated to separate individuals? A: Network maintenance and wireless access. B: Data entry and antivirus management. C: Data entry and application programming. D: Data entry and quality assurance.

inference tests

Which of the following is NOT a common type of white-box test of controls? A. inference tests B. redundancy tests C. completeness tests D. Access tests

c. Maintaining the critical application list

Which of the following is NOT a data network control objective? a. Preventing illegal access b. Correcting message loss due to equipment failure c. Maintaining the critical application list d. Rendering useless any data that a perpetrator successfully captures e. All the above are network control objectives

Determining the degree of reliance on controls

Which of the following is NOT a task performed in the audit planning phase? A. Reviewing an organization's policies and practices B. Planning Substantive Testing Procedures C. Reviewing General Controls D. Determining the degree of reliance on controls

e. All of the above are operating system objectives.

Which of the following is NOT an operating system objective? a. The operating system must protect itself from users. b. The operating system must protect users from themselves. c. The operating system must be protected from its environment. d. The operating system must protect users from each other. e. All of the above are operating system objectives.

A: Pattern recognition.

Which of the following is a critical success factor in data mining a large data store? A: Pattern recognition. B: Effective search engines. C: Image processing systems. D: Accurate universal resource locator (URL).

transforming data into useful information

Which of the following is a function of an AIS? reducing the need to identify a strategy and strategic position, transforming data into useful information, allocating organizational resources, automating all decision making

credit check before approving sale on account

Which of the following is a preventive control? A. credit check before approving a sale on account B. bank reconciliation C. physical inventory count D. comparing the accounts receivable subsidiary ledger to the control account

numeric/alphabetic check

Which of the following is an example of a field interrogation? A. reasonableness check B. hash total check C. sequence check D. numeric/alphabetic check

all are examples of input error correction techniques

Which of the following is an example of an input error correction technique? a. immediate correction b. rejection of batch c. creation of error file d. all are examples of input error correction techniques

A: Enterprise resource planning.

Which of the following is an example of applications software that a large client is most likely to use? A: Enterprise resource planning. B: Operating system. C: Central processing unit. D: Value-added network.

Sequence check

Which of the following is an example of record interrogation? A. Range check B. Zero value check C. Limit Check D. sequence check

check digits are designed to detect transcription errors

Which of the following is correct? A. Check digits should be used for all data codes B. Check digits are always placed at the end of data codes C. Check digits do not affect processing efficiency D. Check digits are designed to detect transcription errors E. all of the above are incorrect
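The input validation questions above (validity check for a nonexistent employee, the numeric/alphabetic field interrogation, and check digits detecting transcription errors) describe edit checks applied at data entry. The block below is an added example, not code from the original deck: it runs a set of payroll edit checks against a constructed employee master file and implements a mod-10 (Luhn) check digit, then shows that the digit catches both a single mistyped digit and an adjacent transposition. The employee ids, field names and the 80-hour limit are assumptions made for the example.

```python
# Constructed employee master file; the validity check looks employee ids up here.
EMPLOYEE_MASTER = {"E1001", "E1002", "E1003"}
MAX_HOURS_PER_PERIOD = 80  # assumed range-check limit


def edit_checks(record, master_ids=EMPLOYEE_MASTER):
    """Return the names of the edit checks a payroll record fails (empty list means accepted)."""
    failures = []
    # missing data check: every required field must be present
    for field in ("employee_id", "hours", "rate"):
        if not record.get(field):
            failures.append(f"missing data check: {field}")
    hours = record.get("hours", "")
    # numeric/alphabetic check (field interrogation): hours must be numeric
    if hours and not hours.replace(".", "", 1).isdigit():
        failures.append("numeric/alphabetic check: hours")
    # range check: hours must fall inside the permitted interval
    elif hours and not 0 <= float(hours) <= MAX_HOURS_PER_PERIOD:
        failures.append("range check: hours")
    # validity check: the employee must exist in the master file
    if record.get("employee_id") and record["employee_id"] not in master_ids:
        failures.append("validity check: employee_id")
    return failures


def luhn_check_digit(payload):
    """Mod-10 check digit: double every second digit from the right, subtract 9 from doubles over 9."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(code):
    """True if the last digit of the code is the correct check digit for the digits before it."""
    return code[:-1].isdigit() and luhn_check_digit(code[:-1]) == int(code[-1])


if __name__ == "__main__":
    print(edit_checks({"employee_id": "E9999", "hours": "40", "rate": "20.00"}))
    good = "7992739871" + str(luhn_check_digit("7992739871"))
    print(good, luhn_valid(good))
    print("one digit mistyped:", luhn_valid("79927398723"))
    print("adjacent digits swapped:", luhn_valid("79927398173"))
```

The caveat a practitioner should remember: a mod-10 digit catches all single-digit errors and almost all adjacent transpositions (09 and 90 are the exception), but it says nothing about whether the code belongs to a real record, which is why the validity check against the master file is still needed.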

A: A distinct, easily followed audit trail

Which of the following is least likely to be an advantage of an automated accounting system? A: A distinct, easily followed audit trail B: Processing speed C: Fewer idiosyncratic errors D: Less likelihood of intrusion

C: Move ticket

Which of the following is most likely to be linked to a bar-coding or RFID system that scans parts? A: Parallel simulation B: Cost driver C: Move ticket D: Operations list

B: Minimizing the time required to move goods from raw materials to in-process inventory

Which of the following is not a goal of the HR/payroll cycle? A: Accurately computing taxes B: Minimizing the time required to move goods from raw materials to in-process inventory C: Securing information about an employee's drug addiction D: Complying with employment laws and regulations

B: External forces may attack the system.

Which of the following is not a limitation of internal control? A: Human judgment in decision making may be faulty. B: External forces may attack the system. C: Management may override internal control. D: Controls may be circumvented by collusion.

D: Assigning labor costs to jobs

Which of the following is not part of the HR and payroll cycle? A: Assessing employee performance B: Computing payroll taxes C: Maintaining controls over employee data D: Assigning labor costs to jobs

D: Purchase order

Which of the following is often a contract with a vendor for the purchase of goods? A: Remittance advice B: Vendor invoice C: Packing lists D: Purchase order

to prevent the record keeper from authorizing transactions

Which of the following is the best reason to separate duties in a manual system? A. to avoid collusion between the programmer and the computer operator B. to ensure that supervision is not required C. to prevent the record keeper from authorizing transactions D. to enable the firm to function more efficiently

C: The risk that executive management disregards project communications and meetings, which reduces project quality and the likelihood of successful integration with other systems

Which of the following is the best risk statement in relation to executive management's role in a major IT project undertaken by a large telecommunications company? A: The risk that executive management disregards project communications and meetings B: The risk that executive management disregards project communications and meetings, resulting in inadequate oversight, because of management's inattention and lack of focus C: The risk that executive management disregards project communications and meetings, which reduces project quality and the likelihood of successful integration with other systems D: The risk that executive management disregards project communications and meetings, despite frequent efforts by the project management team to inform executive management of the importance of their involvement and engagement

D: I, II, III, IV.

Which of the following procedures would enhance the control of a computer operations department? I. Periodic rotation of operators. II. Mandatory vacations. III. Controlled access to the facility. IV. Segregation of personnel who are responsible for controlling input and output. A: I, II. B: I, II, III. C: III, IV. D: I, II, III, IV.

C: Global visibility.

Which of the following risks increases the least with cloud-based computing compared with local server storage for an organization that implements cloud-based computing? A: Data loss. B: Vendor security failure. C: Global visibility. D: System hacks.

A: Risk appetite applies to the development of strategy, tolerance applies in the implementation of strategy, and key risk indicators apply at any level of the business.

Which of the following statements about risk appetite, tolerance, and risk indicators are true? A: Risk appetite applies to the development of strategy, tolerance applies in the implementation of strategy, and key risk indicators apply at any level of the business. B: Key risk indicators apply to the development of strategy, risk appetite applies in the implementation of strategy, and tolerance applies at any level of the business. C: Tolerance applies to the development of strategy, risk appetite applies in the implementation of strategy, and key risk indicators apply at any level of the business. D: Tolerance applies to the development of strategy, key risk indicators apply in the implementation of strategy, and risk appetite applies at any level of the business.

C: II only.

Which of the following statements is (are) true? I. A greater level of control is necessary in automated than manual systems. II. The uniformity of transaction processing is higher in automated than manual systems. A: Both I and II. B: I only. C: II only. D: Neither I nor II.

A: A primary goal of IT governance is to balance risk versus return over IT and its processes.

Which of the following statements is correct regarding information technology (IT) governance? A: A primary goal of IT governance is to balance risk versus return over IT and its processes. B: IT governance is an appropriate issue for organizations at the level of the board of directors only. C: IT goals should be independent of strategic goals. D: IT governance requires that the Control Objectives for Information and related Technology (COBIT) framework be adopted and implemented.

D: Neither I nor II.

Which of the following statements is correct? I. An important advantage of flat file systems is that they are program independent. II. Flat file systems contain little data redundancy. A: Both I and II. B: I only. C: II only. D: Neither I nor II.

A: Emerging data analytic methods are unhelpful to risk assessment.

Which of the following statements is false (untrue) regarding data analytics, data mining, and risk assessment? A: Emerging data analytic methods are unhelpful to risk assessment. B: Emerging data mining methods can help detect previously hidden relationships. C: Data analytic methods can help evaluate assumptions found in an organization's strategy D: Key risk indicators can be used to identify risk changes.

B: A secure system may have inherent risks due to management's analysis of trade-offs identified by cost-benefit studies.

Which of the following statements is true regarding internal control objectives of information systems? A: Primary responsibility of viable internal control rests with the internal audit division. B: A secure system may have inherent risks due to management's analysis of trade-offs identified by cost-benefit studies. C: Control objectives primarily emphasize output distribution issues. D: An entity's corporate culture is irrelevant to the objectives.

Any framework can be used that encompasses all of COSO's general themes

Which of the following statements is true? A. Both the SEC and the PCAOB require use of the COSO framework B. Any framework can be used that encompasses all of COSO's general themes C. The SEC recommends COBIT, and the PCAOB recommends COSO. D. Both the SEC and the PCAOB require COBIT framework E. None of the above are true

D: Restricting access to the computer center by use of biometric devices.

Which of the following statements presents an example of a general control for a computerized system? A: Limiting entry of sales transactions to only valid credit customers. B: Creating hash totals from Social Security numbers for the weekly payroll. C: Restricting entry of accounts payable transactions to only authorized users. D: Restricting access to the computer center by use of biometric devices.

C: A transaction processing system (TPS).

Which of the following types of systems would you use to record the number of hours worked during the current pay period for each of your employees? A: An office automation system (OAS). B: A decision support system (DSS). C: A transaction processing system (TPS). D: A partitioned system (PS).

header labels are barcode numbers affixed to the outside of the tape or disk

Which statement is NOT correct? A. the purpose of file interrogation is to ensure that correct file is being processed by the system B. header labels are barcode numbers affixed to the outside of the tape or disk. C. File interrogation checks are particularly important for master files D. an expiration date check prevents a file from being deleted before it expires

transactions are processed more than once

Which statement is NOT correct?The goal of batch controls is to ensure that during processing A. transactions are not omitted B. transactions are not added C. transactions are processed more than once D. an audit trail is created

a transaction log is a temporary file

Which statement is not correct? A. only successful transactions are recorded on a transaction log B. Unsuccessful transactions are recorded in an error file C. a transaction log is a temporary file D. a hard copy transaction listing is provided to users

IT auditing is independent of the general financial audit

Which statement is not true? A. Auditors must maintain independence. B. IT auditors attest to the integrity of the computer system. C. IT auditing is independent of the general financial audit. D. IT auditing can be performed by both external and internal auditors

control figures in the record should be the same during processing

Which statement is not true? A batch control record a. contains a transaction code b. records the record count c. contains a hash total d. control figures in the record should be the same during processing

C: portfolio, profile

While both views highlight risk severity, the _______ view of risk is from the entity-wide level while the _______ view of risk is from the perspective of units or levels with the entity. A: incident, root cause B: root cause, incident C: portfolio, profile D: profile, portfolio

A: Review W-2s.

Winifred, an internal auditor, wants to determine if payroll taxes have been properly withheld and paid. Her best strategy for accomplishing this goal is to A: Review W-2s. B: Review Form 941. C: Review W-4s. D: Review the cumulative earnings register.

the documentation skills that accountants require vary w/their job function. however, all accountants should at least be able to do which of the following? a) read documentation to determine how the systems work b) critique & correct documentation that others prepare c) prepare documentation for a newly developed info system d) teach others how to prepare documentation

a) read documentation to determine how the systems work

the constraint that all foreign keys must have either null values or the value of a primary key in another table is referred to as.. ? a) referential integrity rule b) entity integrity rule c) foreign key value rule d) null value rule

a) referential integrity rule

what type of software conceals processes, files, network connections, memory addresses, systems utility programs, & system data from the operating system and other programs? a) rootkit b) spyware c) malware d) adware

a) rootkit

A firm, its suppliers, and its customers collectively form which of the following? a. Supply chain b. Value chain c. ERP system d. AIS

a) supply chain

what is often the most significant prob a company encounters in designing, developing & implementing a system? a) human element b) technology c) legal challenges d) planning for the new system

a) the human element

Records of company data sent to an external party & then returned to the system as input are called a. Turnaround documents b. Source data automation documents c. Source documents d. External input documents

a) turnaround documents

2. Identify what information a business needs in order to acquire capital, sell merchandise, and pay taxes.

a. Acquire Capital ▪ Cash flow projections to determine how much. ▪ Pro forma financial statements to find investors or borrow funds. ▪ Loan amortization schedule to obtain the best terms for borrowing. b. Sell Merchandise ▪ Pro forma income statement to determine markup percentage. ▪ Credit card costs to offer in-house credit. ▪ Customer credit status to determine which credit cards to accept. c. Pay Taxes ▪ Government regulations to determine relevant payroll tax requirements. ▪ Total wage expense to determine sales tax requirements. ▪ Total sales.

Which of the following statements about test data techniques for testing application controls are NOT correct? a. Applications may be tested directly without being removed from service b. the test provides only a static picture of application integrity c. implementing the test is costly and labor-intensive d. the test provides explicit evidence of application functions e. all of the above are correct statements

a. Applications may be tested directly without being removed from service

4-9. which of these devices is capable of storing the most data?

a. CD-ROM disk b. DVD disk c. USB (flash memory) drive *d. magnetic (hard) disk

1. Describe the benefits of a database.

a. *Data integration*. Master files are combined into large "pools" of data that many application programs access. An example is an employee database that consolidates payroll, personnel, and job skills master files. b. *Data sharing.* Integrated data are more easily shared with authorized users. Databases are easily browsed to research a problem or obtain detailed information underlying a report. c. *Minimal data redundancy and data inconsistencies.* Because data items are usually stored only once, data redundancy and data inconsistencies are minimized. d. *Data independence.* Because data and the programs that use them are independent of each other, each can be changed without changing the other. This facilitates programming and simplifies data management. e. *Cross-functional analysis.* In a database system, relationships, such as the association between selling costs and promotional campaigns, can be explicitly defined and used in the preparation of management reports.

2. Describe the steps of the revenue cycle.

a. *Sales Order Entry* ▪ Step 1 - Taking the customer's order ▪ Step 2 - Checking and approving customer credit ▪ Step 3 - Checking inventory availability b. *Shipping* ▪ Step 4 - Picking and Packing the order ▪ Step 5 - Shipping the order c. Billing ▪ Step 6 - Invoicing accounts receivable ▪ Step 7 - Updating accounts receivable d. *Cash Collections* ▪ Step 8 - Collecting and processing payments from customers

2. Distinguish between primary keys and foreign keys in a database.

a. A primary key is the database attribute, or combination of attributes, that uniquely identifies a specific row in a table. Usually, the primary key is a single attribute. In some tables, two or more attributes are needed to identify uniquely a specific row in a table. b. A foreign key is an attribute in a table that is also a primary key in another table and is used to link the two tables.
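The referential integrity question earlier (a foreign key must be null or match a primary key in another table), the primary/foreign key definitions above, and the Query card's point about ad hoc queries all describe behaviour a relational database enforces or supports. This added example (not from the original deck) builds the two tables in SQLite, shows the database rejecting a duplicate primary key and an orphan foreign key while accepting a null one, and then runs an ad hoc join over the key. Table and customer names and amounts are constructed for the example; note that SQLite enforces foreign keys only after `PRAGMA foreign_keys = ON`.

```python
import sqlite3


def build_db():
    """In-memory database: customer (primary key customer_id) and sales_order (foreign key customer_id)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores REFERENCES unless this is set
    conn.execute(
        "CREATE TABLE customer ("
        " customer_id INTEGER PRIMARY KEY,"      # entity integrity: unique, non-null
        " name TEXT NOT NULL,"
        " credit_limit REAL NOT NULL)"
    )
    conn.execute(
        "CREATE TABLE sales_order ("
        " order_id INTEGER PRIMARY KEY,"
        " customer_id INTEGER REFERENCES customer(customer_id),"  # foreign key; NULL permitted
        " amount REAL NOT NULL)"
    )
    # constructed sample customers
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?, ?)",
        [(101, "Acme Ltd", 5000.0), (102, "Bolt Inc", 2500.0)],
    )
    return conn


def insert_order(conn, order_id, customer_id, amount):
    """True if the row is accepted; False if the database rejects it (duplicate key or orphan foreign key)."""
    try:
        conn.execute("INSERT INTO sales_order VALUES (?, ?, ?)", (order_id, customer_id, amount))
        return True
    except sqlite3.IntegrityError:
        return False


def sales_by_customer(conn):
    """Ad hoc query joining the tables on the key: order total per customer, including customers with none."""
    rows = conn.execute(
        "SELECT c.name, COALESCE(SUM(o.amount), 0) "
        "FROM customer c LEFT JOIN sales_order o ON o.customer_id = c.customer_id "
        "GROUP BY c.customer_id ORDER BY c.customer_id"
    ).fetchall()
    return [(name, float(total)) for name, total in rows]


if __name__ == "__main__":
    conn = build_db()
    print("valid order:", insert_order(conn, 1, 101, 250.0))
    print("null foreign key:", insert_order(conn, 2, None, 10.0))
    print("orphan foreign key 999:", insert_order(conn, 3, 999, 10.0))
    print("duplicate primary key 1:", insert_order(conn, 1, 102, 5.0))
    print(sales_by_customer(conn))
```

The rejected inserts are the database doing the work of the entity and referential integrity rules; an application that catches `IntegrityError` and logs it has an audit trail of attempts to post orders against customers that do not exist.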

Describe the functions of an AIS.

a. Collect and store data about organizational activities, resources, and personnel. Organizations have a number of business processes, such as making a sale or purchasing raw materials, which are repeated frequently. b. Transform data into information so management can plan, execute, control, and evaluate activities, resources, and personnel. Decision making is discussed in detail later in this chapter. c. Provide adequate controls to safeguard the organization's assets and data. ...by providing tools to alert managers when an unauthorized user attempts to use assets. ... by requiring a correct password to be entered to access the company network

5. Identify security controls that CORRECT intrusions.

a. Computer incident response team (CIRT) Recognition Containment Recovery Follow-up b. Chief information security officer (CISO) In charge of designing and implementing the prevention of a penetrating attack c. Patch management Process of regularly applying patches and updates to all software.

2. Explain the steps an attacker may take to penetrate an information system.

a. Conduct reconnaissance. The objective of this initial reconnaissance is to learn as much as possible about the target and to identify potential vulnerabilities. b. Attempt social engineering - Using deception to obtain unauthorized access to information resources. The attacker calls a newly hired administrative assistant and asks that person to help obtain the critical files. Another common ruse is for the attacker to pose as a clueless temporary worker who cannot log onto the system and calls the help desk for assistance. c. Scan and map the target. The attacker uses a variety of automated tools to identify computers that can be remotely accessed and the types of software they are running. d. Research. the next step is to conduct research to find known vulnerabilities for those programs and learn how to take advantage of those vulnerabilities. e. Execute the attack. The criminal takes advantage of a vulnerability to obtain unauthorized access to the target's information system. f. Cover tracks. After penetrating the victim's information system, most attackers attempt to cover their tracks and create "back doors" that they can use to obtain access if their initial attack is discovered and controls are implemented to block that method of entry.

4. Compare the major frameworks designed to standardize and improve control processes.

a. Control Objectives for Information and Related Technology (COBIT) - A security and control framework that allows (1) management to benchmark the security and control practices of IT environments, (2) users of IT services to be assured that reliable and adequate security and control exist, and (3) auditors to substantiate their internal control opinions and advise on IT security and control matters. b. Committee of Sponsoring Organizations (COSO) - A private- sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.

Which of the following is NOT requirement of Section 302 of SOX? a. Corporate management (including the CEO) must certify monthly and annually their organization's internal controls over financial reporting b. Auditors must interview management regarding significant changes in the design or operation of internal control that occurred since the last audit c. Auditors must determine whether changes in internal control have materially affected, or are likely to materially affect, internal control over financial reporting. d. Management must disclose any material changes in the company's internal controls that have occurred during the most recent fiscal quarter. e. All of the above are requirements

a. Corporate management (including the CEO) must certify monthly and annually their organization's internal controls over financial reporting

4. Describe AIS data processing activities.

a. Creating new data records, such as adding newly hired employee to the payroll database. b. Reading, retrieving, or viewing existing data. c. Updating previously stored data. Online, real-time processing updates each transaction as it occurs to stay current, thereby increasing its decision-making usefulness. Errors can be corrected in real time or refused. File update process: o Verify data accuracy o Match primary key (account number) o Add transaction amount to current balance o Compare new balance to credit limit o Repeat for all transactions o Print summary reports d. Deleting data, such as purging the vendor master file of all vendors the company no longer does business with.
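The file update process listed above (verify accuracy, match the primary key, add the amount to the balance, compare to the credit limit, repeat, summarize) and the batch control questions earlier (record count, batch total, hash total, and the goal that no transaction is omitted, added, or processed twice) fit together in one routine. The following is an added example, not code from the original deck: it computes a batch control record at data entry, refuses to post a batch whose totals no longer agree, then updates a copy of the master file one transaction at a time. The master file, account numbers and amounts are constructed for the example.

```python
from decimal import Decimal

# Constructed accounts-receivable master file: account number (primary key) -> balance, credit limit.
MASTER = {
    1001: {"balance": Decimal("100.00"), "credit_limit": Decimal("500.00")},
    1002: {"balance": Decimal("0.00"), "credit_limit": Decimal("300.00")},
    1003: {"balance": Decimal("50.00"), "credit_limit": Decimal("1000.00")},
}
# Constructed batch of sales transactions: (account number, amount as entered).
BATCH = [(1001, "250.00"), (1002, "350.00"), (1003, "100.00"), (9999, "250.00")]


def batch_control_record(batch):
    """Control totals taken at data entry: record count, financial (batch) total, hash total of account numbers."""
    return {
        "record_count": len(batch),
        "batch_total": sum(Decimal(amount) for _, amount in batch),
        "hash_total": sum(account for account, _ in batch),
    }


def batch_is_valid(batch, control):
    """True when the batch still matches its control record (nothing omitted, added, or duplicated)."""
    return batch_control_record(batch) == control


def process_batch(master, batch, control):
    """Apply the batch to a copy of the master file; return (updated master, posted, rejected)."""
    if not batch_is_valid(batch, control):
        raise ValueError("batch control totals do not agree; batch not processed")
    updated = {acct: dict(rec) for acct, rec in master.items()}
    posted, rejected = [], []
    for account, amount in batch:
        amount = Decimal(amount)
        if amount <= 0:  # verify data accuracy
            rejected.append((account, amount, "invalid amount"))
            continue
        rec = updated.get(account)  # match primary key
        if rec is None:
            rejected.append((account, amount, "no matching master record"))
            continue
        new_balance = rec["balance"] + amount  # add transaction amount to current balance
        if new_balance > rec["credit_limit"]:  # compare new balance to credit limit
            rejected.append((account, amount, "credit limit exceeded"))
            continue
        rec["balance"] = new_balance
        posted.append((account, amount))
    # summary control: every input record is accounted for exactly once
    assert len(posted) + len(rejected) == control["record_count"]
    return updated, posted, rejected


if __name__ == "__main__":
    control = batch_control_record(BATCH)
    updated, posted, rejected = process_batch(MASTER, BATCH, control)
    print("control record:", control)
    print("posted:", posted)
    print("rejected:", rejected)
    print("duplicate slipped in, batch still valid?", batch_is_valid(BATCH + [BATCH[0]], control))
```

The rejected list is the error file from the transaction log question: unsuccessful transactions are kept and reported rather than silently dropped, so the record count in the control record still reconciles.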

2. Identify the tools used to complete documentation.

a. Data flow diagram (DFD), a graphical description of data sources, data flows, transformation processes, data storage, and data destinations b. Flowchart, which is a graphical description of a system. There are several types of flowcharts, including: ▪ Document flowchart, which shows the flow of documents and information between departments or areas of responsibility ▪ System flowchart, which shows the relationship among the input, processing, and output in an information system ▪ Program flowchart, which shows the sequence of logical operations a computer performs as it executes a program. c. Business process diagram, which is a graphical description of the business processes used by a company

1. Identify the steps in the data processing cycle.

a. Data Input To capture transaction data and enter them into the system. Data collected includes each activity of interest, resources affected by each activity, and people participating in each activity. Turnaround Documents - records of company data sent to an external party and then returned to the system as input. b. Data Storage To understand how data are organized and stored in an AIS and how they can be accessed. In essence, how to manage data for maximum corporate use; via coding and audit trails. c. Data Processing To maintain a current database by creating, reading, updating, and deleting data. d. Information Output To present output data in the form of a document, a report, or a query response.

7. Identify the appropriate documentation tool for a given scenario.

a. Documentation explains how a system works, including the who, what, when, where, why, and how of data entry, data processing, data storage, information output, and system controls. Three common systems documentation tools are: 1. data flow diagrams, 2. flowcharts, and 3. business process diagrams.

2-8. which of these identifies a private, point-to-point network?

a. EDI b. DES c. IP *d. VAN

9-3. a form control that does not change from record to record is probably:

a. a design-time control b. a bound control c. an unbound control * d. a mistake

Which of the following statements about the GAS techniques for substantive testing is NOT correct? a. GAS captures data during processing without removing the application from service b. GAS languages are easy to use and require little IT background c. GAS techniques are limited to use with flat files and relational database tables d. Complex file structures need to be flattened before they can be read by GAS e. All of the above are correct statements

a. GAS captures data during processing without removing the application from service

6. Identify the IT controls that are used to preserve confidentiality.

a. Identify and classify the information to be protected b. Encrypt the information c. Control access to the information Information Rights Management (IRM) - Software that offers the capability not only to limit access to specific files or documents, but also to specify the actions (read, copy, print, download, etc.) that individuals who are granted access to that resource can perform. d. Train employees to properly handle the information.

5. Explain how an accounting information system (AIS) can add value to an organization.

a. Improving the quality and reducing the costs of products or services. This helps maintain product quality, reduces waste, and lowers costs. b. Improving efficiency. For example, timely information makes a just-in-time manufacturing approach possible, as it requires constant, accurate, up-to-date information about raw materials inventories and their locations. c. Sharing knowledge. Sharing knowledge and expertise can improve operations and provide a competitive advantage. Employees can search the corporate database to identify experts to provide assistance for a particular client; thus, a CPA firm's international expertise can be made available to any local client. d. Improving the efficiency and effectiveness of its supply chain. For example, allowing customers to directly access inventory and sales order entry systems can reduce sales and marketing costs, thereby increasing customer retention rates. e. Improving the internal control structure. An AIS with the proper internal control structure can help protect systems from fraud, errors, system failures, and disasters. f. Improving decision making. Improved decision making is vitally important.

1. Describe common reasons for information system failure.

a. Information is available to an unprecedented number of workers. b. Information on distributed computer networks is hard to control. c. Customers and suppliers have access to each other's systems and data. Imagine the confidentiality problems as these vendors form alliances with competitors.

Which of the following is associated with the unique characteristics of an industry? a. Inherent risk b. Detection risk c. Control risk d. None of the above

a. Inherent risk

9. Identify the IT Controls used to safeguard processing integrity.

a. Input Stage ▪ Forms design • Sequentially prenumbering source documents • Turnaround documents ▪ Cancellation and storage of documents ▪ Authorization and segregation of duties controls ▪ Visual scanning ▪ Data entry controls b. Processing Stage ▪ Data matching ▪ File labels ▪ Batch totals ▪ Cross-footing and zero-balance tests ▪ Write-protection mechanisms ▪ Database processing integrity controls c. Output Stage ▪ Reviews and reconciliations ▪ Encryption and access controls ▪ Parity checks ▪ Message acknowledgement techniques

4. Identify security controls that DETECT intrusions.

a. Log Analysis b. Intrusion Detection System c. Penetration Testing (AKA Security Testing to find system vulnerabilities) d. Continuous Monitoring

5. Describe the components of an internal environment.

a. Management's philosophy, operating style, and risk appetite b. Commitment to integrity, ethical values, and competence c. Internal control oversight by the board of directors d. Organizational structure e. Methods of assigning authority and responsibility f. Human resource standards that attract, develop, and retain competent individuals g. External influences

3. Identify security controls that help PREVENT threats from occurring.

a. People ▪ Creation of a "security-aware" culture ▪ Training b. Processes: user access controls (authentication and authorization) c. IT solutions ▪ Anti-malware ▪ Network access controls (firewalls, intrusion prevention systems, etc.) ▪ Device and software hardening (configuration controls) ▪ Encryption d. Physical security: access controls (locks, guards, etc.) to prevent, for example, installation of a hardware-based keystroke logging device on a computer e. Change controls and change management

3. Describe key functions of internal controls.

a. Preventive controls deter problems before they arise. b. Detective controls discover problems that are not prevented. c. Corrective controls identify and correct problems as well as correct and recover from the resulting errors.

6. Explain how an AIS may be used for a given primary or support activity in the value chain.

a. Primary Activities ▪ Inbound logistics consists of receiving, storing, and distributing the materials an organization uses to create the services and products it sells. For example, an automobile manufacturer receives, handles, and stores steel, glass, and rubber. ▪ Operations activities transform inputs into final products or services. For example, assembly line activities convert raw materials into a finished car. ▪ Outbound logistics activities distribute finished products or services to customers. An example is shipping automobiles to car dealers. ▪ Marketing and sales activities help customers buy the organization's products or services. Advertising is an example of a marketing and sales activity. ▪ Service activities provide post-sale support to customers. Examples include repair and maintenance services. b. Support Activities ▪ Firm infrastructure is the accounting, finance, legal, and general administration activities that allow an organization to function. The AIS is part of the firm infrastructure. ▪ Human resources activities include recruiting, hiring, training, and compensating employees. ▪ Technology activities improve a product or service. Examples include research and development, investments in IT, and product design. ▪ Purchasing activities procure raw materials, supplies, machinery, and the buildings used to carry out the primary activities.

1. Describe the different categories of control activities.

a. Proper authorization of transactions and activities b. Segregation of duties c. Project development and acquisition controls (steering committee, strategic master plan, project development plan, data processing schedule, system performance measurements, postimplementation review) d. Change management controls e. Design and use of documents and records f. Safeguarding assets, records, and data g. Independent checks on performance

6. Describe approaches to assessing and managing risk within an organization.

a. Reduce. Reduce the likelihood and impact of risk by implementing an effective system of internal controls. b. Accept. Accept the likelihood and impact of the risk. c. Share. Share risk or transfer it to someone else by buying insurance, outsourcing an activity, or entering into hedging transactions. d. Avoid. Avoid risk by not engaging in the activity that produces the risk. This may require the company to sell a division, exit a product line, or not expand as anticipated.

Identify the traits of useful information

a. Relevant ▪ Reduces uncertainty, improves decision-making, or confirms/corrects prior expectations b. Reliable ▪ Free from error or bias; accurately represents organization events or activities c. Complete ▪ Does not omit important aspects of the events or activities it measures d. Timely ▪ Provided in time for decision makers to make decisions e. Understandable ▪ Presented in a useful and intelligible format f. Verifiable ▪ Two independent, knowledgeable people produce the same information g. Accessible ▪ Available to users when they need it and in a format they can use

7-3. Which of these would NOT be a good primary key for a file of employee records?

a. SSN b. last name* c. company employee number d. all of these would make equally good primary keys

2. Describe common reasons why data is not protected wisely.

a. Some companies view the loss of crucial information as a distant, unlikely threat. b. The control implications of moving from centralized computer systems to Internet-based systems are not fully understood. c. Many companies do not realize that information is a strategic resource and that protecting it must be a strategic requirement. d. Productivity and cost pressures motivate management to forgo time-consuming control measures.

6. Describe the steps of the production cycle.

a. Step 1 - *Product design* to create the product that meets customer requirements in terms of quality, durability, and functionality while simultaneously minimizing production costs ▪ Loss or destruction of data b. Step 2 - *Planning and Scheduling* to develop a production plan efficient enough to meet existing orders and anticipated short-term demand while minimizing inventories of both raw materials and finished goods ▪ over- and under-production c. Step 3 - *Production Operations* To actually manufacture the product ▪ Theft of inventory ▪ Theft of fixed assets ▪ Poor performance ▪ Suboptimal investment in fixed assets ▪ Loss of inventory or fixed assets due to fire or other disasters ▪ Disruption of operations d. Step 4 - *Cost Accounting* (1) to provide information for planning, controlling, and evaluating the performance of production operations (2) to provide accurate cost data about products for use in pricing and product mix decisions (3) to collect and process the information used to calculate the inventory and cost of goods sold values that appear in the company's financial statements. ▪ Inaccurate cost data ▪ Inappropriate allocation of overhead costs ▪ Misleading reports

2. Describe each step in the data input process.

a. Step 1 - Capture transaction data and enter them into the system. b. Step 2 - Make sure captured data are accurate and complete. Source Data Automation - the collection of transaction data in machine-readable form at the time and place of origin (point-of-sale terminals and ATMs). Well-designed documents and screens improve accuracy and completeness by providing instructions or prompts about what data to collect, grouping logically related pieces of information, using checkoff boxes or pull-down menus to present the available options, and using shading and borders to clearly separate data items. Data input screens usually list all the data the user needs to enter. Sometimes these screens resemble source documents, and users fill out the screen similar to a paper source document. Users can improve control either by using prenumbered source documents or by having the system automatically assign a sequential number to each new transaction. This simplifies verification of documents, resulting in system accuracy. c. Step 3 - Make sure company policies are followed, such as approving and verifying a transaction.

4. Describe the steps of the expenditure cycle.

a. Step 1 - The need to purchase has been identified (identify what, when, and how much) b. Step 2 - Select a supplier c. Step 3 - Receipt of ordered items d. Step 4 - Storage of ordered items e. Step 5 - Supplier invoice is received and verified against the receipt of the order f. Step 6 - Invoice is approved g. Step 7 - Paying suppliers

3. Describe the steps to implement an AIS.

a. Systems Analysis *Step 1: Determine User Needs* b. Conceptual Design *Step 2: Create and Document a Development Plan* A well-designed computer input screen will ... - Organize the screen so data can be entered quickly, accurately, and completely. - Enter data in the same order as displayed on the paper forms that capture the data. - Group logically related data together. - Let users jump from one data entry location to another or use a single key to go directly to screen locations. - Make it easy to correct mistakes, thereby reducing data entry errors and omissions. - Restrict the data or the number of menu options on a screen to avoid clutter. c. Physical Design *Step 3: Write Program Instructions (computer code)* *Step 4: Test the Program (debugging)* *Step 5: Document the Program* *Step 6: Train Program Users* - Employees must be trained on the hardware, software, and any new policies and procedures. Training options may include experimenting with the system under the guidance of experienced users. d. Systems Implementation and Conversion *Step 7: Install the System* - Implementation planning - Prepare site; install and test hardware and/or select and train personnel - Complete documentation and/or test system o Complete documentation includes: development documentation, operations documentation, and user documentation - Conversion o Common forms of testing include: walk-throughs, processing test data, and acceptance tests o Conversion approaches include: direct conversion, parallel conversion, phase-in conversion, and pilot conversion e. Operation and Maintenance *Step 8: Use and Modify the System* - User acceptance and postimplementation review report

Which of the following is NOT a test for identifying application control errors? a. User acceptance tests b. Field tests c. All of these d. Range tests e. Access tests

a. User acceptance tests

13-9. separation of duties is an important control activity. if possible, managers should assign which of the following three functions to different employees?

a. analysis, authorizing transactions b. custody, monitoring, detecting c. recording, authorizing, custody * d. analysis, recording transactions

8-6. to identify all those employees receiving payroll checks but who have no matching record in a payroll master file, you should use a(n):

a. auditor b. find unmatched records query * c. cross-tabs query d. update query

12-4. mid-level accounting software:

a. can only be deployed through a server networked with desktop computers b. may be purchased in modules that match various business processes * c. will not be appropriate for a multinational company because these programs cannot handle foreign currencies d. will not be appropriate for a multinational company operating in a specialized industry, such as retail or not-for-profit.

11-9. automated POS tech offers many advantages to retailers as well as customers. Which of the following is the most commonly used POS tech?

a. cell phones b. bar code scanners * c. RFID d. none of these

11-10. the concept of lean production manufacturing includes all of the following, except:

a. commitment to eliminate "waste" throughout the manufacturing process b. eliminate or reduce non-value-added waste c. improve overall customer value and the profitability of products or services d. there are 12 categories of waste that companies hope to reduce or eliminate

8. Define encryption, hashing, and virtual private networks (VPNs).

a. encryption - The process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext. b. Hashing -Transforming plaintext of any length into a short code called a hash. c. Virtual Private Network (VPN) - Using encryption and authentication to securely transfer information over the Internet, thereby creating a "virtual" private network.

3-5. which of these is not helpful in attempting to thwart computer crime and abuse?

a. enlist the support of top management *b. keep employees in the dark so that they cannot perpetrate them c. use strong passwords d. design and test disaster recovery programs

3-1. which of the following is NOT an example of computer fraud?

a. entering invoices in an AIS for services that were not provided and depositing the check in a private bank account. *b. sending an email to everyone in your address book asking for a $1 donation. c. programming a change to decrease the dividend payment to stockholders of a firm and issuing a check to your friend for the total change d. using a university computer to set up a realistic-looking virtual "store front" to sell toys, although you don't have any ...

11-3. which of the following outputs (reports) is common to all of the processes described in this chapter?

a. financial statement information * b. deduction reports c. supplier invoices d. budget reports

4-8. Video output can also be called:

a. hard copy output *b. soft copy output c. image output d. pixelated output

15-8. continuous auditing:

a. has been talked about for years but will never catch on b. will become more necessary as investors demand more real-time information * c. does not include techniques such as embedded audit modules d. will never allow IT auditors to provide some types of assurance on a real-time basis

3-7. most computer criminals

a. have nontechnical backgrounds b. have noncriminal backgrounds c. have little college education d. are young and bright e. have probably not been caught, so we don't really know much about them*

14-4. A __________ site is a disaster recovery site that includes a computer system like the one the company regularly uses, software, and up-to-date data so the company can resume full data processing operations within seconds or minutes

a. hot b. cold c. flying start * d. backup

Which of the following is NOT a common type of through-the-computer tests of controls? a. inference tests b. redundancy tests c. completeness tests d. validity tests e. all of the above are through-the-computer tests

a. inference tests

2-2. Which of the following enables users to view data with a web browser?

a. intranet b. extranet c. internet *d. all of the above

6-9. which one of the four stages in the systems development life cycle is likely to be the most costly for a new system?

a. planning and investigation b. analysis c. design d. implementation, follow-up and maintenance *

12-1. low-end accounting software is increasingly complex and sophisticated. However, software costing only a few hundred dollars is not likely to:

a. provide information to multiple stores where a company operates more than one b. include a chart of accounts that users may customize to suit their industry c. provide all the information needed to optimize customer and supplier relationships * d. provide information for budgeting decisions

13-12. when management of the sales department has the opportunity to override the system of internal controls of the accounting department, a weakness exists in:

a. risk management b. information and communication c. monitoring d. the control environment *

1-2. Which of the following is likely to be information rather than data?

a. sales price b. customer number *c. net profit d. employee name

10-1. which of the following provides the organizational structure for the general ledger?

a. special journals b. a source document c. general journals d. the chart of accounts *

computer fraud

any fraud that requires computer technology to perpetrate it -unauthorized use, access, modification, copying, destruction of software, hardware or data -theft of assets -obtaining info / IP

threat/event

any potential adverse occurrence/unwanted event that could injure the AIS or the organization

which is the long-range planning document that specifies what the system will consist of, how it will be developed, who will develop it, how needed resources will be acquired, and its overall vision? a) steering committee agenda b) master plan c) systems development life cycle d) project development plan

b) master plan

Recording & processing information about a transaction at the time it takes place is referred to as: a. Batch processing b. Online, real-time processing c. Captured transaction processing d. Chart of accounts processing

b) online, real-time processing

determining whether the organization has access to people who can design, implement, & operate the proposed system is referred to as.. ? a) technical feasibility b) operational feasibility c) legal feasibility d) scheduling feasibility e) economic feasibility

b) operational feasibility

a perpetrator attacks phone systems to obtain free phone line access or uses telephone lines to transmit viruses & to access, steal, and destroy data. what is this computer fraud technique called? a) phishing b) phreaking c) pharming d) vishing

b) phreaking

All of the information (name, GPA, major, etc.) about a particular student is stored in the same X a. File (*designed to include info about many students) b. Record c. Attribute d. Field

b) record (*about a particular entity—specific student) *Note: file --designed to include info about many students

which is FALSE? a) the psychological profiles of white-collar criminals differ from those of violent criminals b) the psychological profiles of white-collar criminals are significantly different from those of the general public c) there is little difference between computer fraud perpetrators and other types of white-collar criminals d) some computer fraud perpetrators do not view themselves as criminals

b) the psychological profiles of white-collar criminals are significantly different from those of the general public

which type of computer attack takes place between the time a software vulnerability is discovered & the time software developers release a software patch that fixes the problem? a) posing b) zero-day attack c) evil twin d) software piracy

b) zero-day attack

Which of the following statements is true? a. Both the SEC and the PCAOB require the use of the COSO framework b. Any framework can be used that encompasses all of COSO's general themes. c. The SEC recommends COBIT and the PCAOB recommends COSO d. Both the SEC and the PCAOB require the COBIT framework e. None of the above are true

b. Any framework can be used that encompasses all of COSO's general themes.

Which of the following is NOT a common type of through-the-computer test of controls? a. Validity tests b. Inference tests c. All of these d. Redundancy tests e. Completeness tests

b. Inference tests

Transmitting numerous SYN packets to a targeted receiver, but NOT responding to an ACK, is a. a DES message b. a denial of service attack c. the request-response technique d. a call-back device e. none of the above

b. a denial of service attack

batch vs online, real-time processing

batch processing - Accumulating transaction records into groups or batches for processing at a regular interval such as daily or weekly. The records are usually sorted into some sequence (such as numerically or alphabetically) before processing. online, real-time processing - The computer system processes data immediately after capture and provides updated information to users on a timely basis.

Planning Phase of SDLC

begins with a business need for a new or better information system. This phase involves summarizing the business needs with a high-level view of the intended project. A feasibility study is often used to evaluate economic, operational and technical practicability

Which of the following IS a primary activity in the value chain? a. Purchasing b. Accounting c. Post-sales service d. HR management

c) Post-sales service

fraud perpetrators threaten to harm a company if it does not pay a specified amount of money. what is this computer fraud technique called? a) cyber-terrorism b) blackmailing c) cyber-extortion d) scareware

c) cyber-extortion

which is NOT an example of computer fraud? a) theft of money by altering computer records b) obtaining info illegally using a computer c) failure to perform preventive maintenance on a computer d) unauthorized modification of a software program

c) failure to perform preventive maintenance on a computer

All of the following are guidelines that should be followed in naming DFD data elements EXCEPT a) process names should include action verbs such as update, edit, prepare, and record b) make sure the names describe all the data or the entire process c) name only the most impt DFD elements d) choose active & descriptive names

c) name only the most impt DFD elements (all data elements should be named, w/the exception of data flows into data stores, when the inflows and outflows make naming the data store redundant)

Which is LEAST likely to be a specialized journal? a. Sales journal b. Cash receipts journal c. Prepaid insurance journal d. Cash disbursements journal

c) ppd insurance journal

Which is most likely to be used in the expenditure cycle? a. Sales order b. Credit memo c. Receiving report d. Job time ticket

c) receiving report

which computer fraud technique involves a set of instructions hidden inside a calendar utility that copies itself each time the utility is enabled until memory is filled & the system crashes? a) logic bomb b) trap door c) virus d) Trojan horse

c) virus

Which of the following is NOT a requirement in management's report on the effectiveness of internal controls over financial reporting? a. Describe the flow of transactions in sufficient detail to identify points at which misstatement could arise b. An evaluation of entity-wide controls that correspond to the COSO framework c. A statement that the organization's internal auditors have issued an attestation report on management's assessment of the company's internal controls d. An explicit written conclusion as to the effectiveness of internal control over financial reporting e. All of the above are requirements

c. A statement that the organization's internal auditors have issued an attestation report on management's assessment of the company's internal controls

Which of the following is NOT a potential threat to computer hardware and peripherals? a. Low humidity b. High humidity c. Carbon dioxide fire extinguishers d. Water sprinkler fire extinguishers

c. Carbon dioxide fire extinguishers

Which of the following statements is NOT correct? a. EAMs have the potential to corrupt corporate databases b. EAMs support continuous monitoring of control c. EAMs capture transactions during processing without removing the application service d. EAMs decrease operational performance e. All of the above are correct statements

c. EAMs capture transactions during processing without removing the application service

Which is NOT a characteristic that makes info useful? a. It is reliable b. It is timely c. It is inexpensive d. It is relevant

c. It is inexpensive

Which of the following is NOT a network control objective? a. Preventing illegal access b. Correcting message loss due to equipment failure c. Maintaining the critical application list d. Rendering useless any data that a perpetrator successfully captures e. All the above are network control objectives

c. Maintaining the critical application list

Which of the following is not true about the SSAE 16 report? a. It is a third-party attestation report b. It replaced Statement on Auditing Standards No. (SAS 70) c. The service provider prepares a separate SSAE 16 report tailored to the needs of each of its client firms, which the client auditors rely upon d. When using the carve-out method, service provider management would exclude the sub-service organization's relevant controls e. All of the above are true

c. The service provider prepares a separate SSAE 16 report tailored to the needs of each of its client firms, which the client auditors rely upon

A program that attaches to another legitimate program but does NOT replicate itself is called a a. virus b. worm c. Trojan horse d. logic bomb e. none of the above

c. Trojan horse

Tracing is a technique that: a. reviews interest calculations to identify a salami fraud b. allows test data to be merged with production data and traces the effects in the database c. performs an electronic walk-through of computed logic d. none of the above

c. performs an electronic walk-through of computed logic

which action is an example of a social engineering technique?

calling a newly hired assistant and pretending to be an employee who needs help obtaining files

a set of instructions to increase a programmer's pay rate by 10% is hidden inside an authorized program. it changes & updates the payroll file. what is this computer fraud technique called? a) virus b) worm c) trap door d) Trojan horse

d) Trojan horse

which is FALSE? a) a flow chart is an analytical technique used to describe some aspect of an info system in a clear, concise, and logical manner b) flowcharts use a standard set of symbols to describe pictorially the flow of documents and data thru a system c) flowcharts are easy to prepare & revise when the designer utilizes a flowcharting software package d) a system flowchart is a narrative representation of an info system

d) a system flowchart is a narrative representation of an info system

which is NOT one of the responsibilities of auditors in detecting fraud according to SAS No. 99? a) evaluating results of their audit tests b) incorporating a technology focus c) discussing risks of material fraudulent misstatements d) catching perpetrators in the act of committing the fraud

d) catching perpetrators in the act of committing the fraud

which of the following flowcharts illustrates the flow of data among areas of responsibility in an organization? a) program flowchart b) computer configuration chart c) system flowchart d) document flowchart

d) document flowchart

which is the correct order of the steps in systems analysis? a) initial investigation, determination of info needs & system requirements, feasibility study, system survey b) determination of info needs & system requirements, system survey, feasibility study, initial investigation c) system survey, initial investigation, determination of info needs & system requirements, feasibility study d) initial investigation, system survey, feasibility study, determination of info needs & system requirements

d) initial investigation, system survey, feasibility study, determination of info needs & system requirements

How does the chart of accounts list GL accounts? a. Alphabetical order b. Chronological order c. Size order d. Order in which they appear on the FS

d) order in which they appear on the FS

which of the following control procedures is most likely to deter lapping? a) encryption b) continual update of the access control matrix c) background check on employees d) periodic rotation of duties

d) periodic rotation of duties

purchasing dept is designing a new AIS. who is best able to determine departmental info requirements? a) steering committee b) controller c) top management d) purchasing department

d) purchasing department

what is each row in a relational database table called? a) relation b) attribute c) anomaly d) tuple

d) tuple

Which of the following is NOT a task performed in the audit planning phase? a. Reviewing an organization's policies and practices b. Planning substantive testing procedures c. Reviewing general controls d. Determining the degree of reliance on controls

d. Determining the degree of reliance on controls

Which of the following is the best example of an application control objective? a. Ensure that the computer operating system functions efficiently b. Provide backup facilities in the event of a disaster c. Prevent unauthorized access to corporate databases d. Ensure the validity, completeness, and accuracy of sales transactions

d. Ensure the validity, completeness, and accuracy of sales transactions

Which of the following is NOT an SDLC controllable activity? a. User test and acceptance procedures b. Systems authorization c. All are SDLC controls d. External audit participation e. User specification

d. External audit participation

Reviewing database authority tables is an example of a(n) a. Operating resource controls b. Organizational structure control c. Data resource control d. None of the above

d. None of the above

The database attributes that individual users have permission to access are defined in the a. Operating system b. User manual c. Database schema d. User view e. Application listing

d. User view

Which of the following statements is NOT correct? a. executing a production application requires that the source code be compiled and linked to a load module b. as a practical matter, programs in their compiled state are secure and free from the threat of unauthorized modification c. application logic changes may be made directly to the load module d. once the application is compiled, the source code is not needed to run the application e. all of the above are correct statements

d. once the application is compiled, the source code is not needed to run the application ?

data differ from information in what way?

information is data organized to provide meaning

advantages of databases

data integration; data sharing; minimal data redundancy/inconsistencies; data independence; cross-functional analysis

Business Continuity

refers to the activities required to keep a firm running during a period of interruption of normal operations. A disaster recovery plan (DRP) is a key component. It is a corrective control.
