4A - Understanding of Information Technology (IT). Questions from review


Engaging in traditional electronic data interchange (EDI) provides which of the following benefits?

- "Reduced likelihood of stockout costs" is correct because EDI should automatically initiate a purchase order to restock before a stockout occurs. The other answer choices are incorrect: "Enhanced audit trails" is incorrect because EDI is communication between computers, such as with suppliers and customers. Audit trails are part of internal entity records. "Guaranteed payments from customers" is incorrect because EDI generally involves orders and inventory levels, not reducing the risk that cash is not paid by customers. "Added flexibility to entice new partners" is incorrect because EDI is electronic communication between internal computers and with suppliers and customers, not with owners.

A SOC 1 reports on the:

- A Service Organization Control (SOC) 1 report is on the controls at a service organization relevant to user entities' internal control over financial reporting (ICFR). SOC 1 reports are based on Statement on Standards for Attestation Engagements (SSAE) 16. A SOC 1 report is generated by auditors for other auditors. Use of these reports is restricted to the management of the service organization, user entities, and user auditors. SOC 2 and SOC 3 reports are on the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.

Which of the following is usually a benefit of transmitting transactions in an electronic data interchange (EDI) environment?

- A compressed business cycle with lower year-end receivables balances. Electronic data interchange is basically a set of standardized electronic business documents that can be transmitted electronically between companies. EDI involves almost exclusively business-to-business transactions. It requires two or more trading partners, their banks, and often a third party to assist the communication between the partners' computer systems. The partners' computer systems are in constant contact, often without human intervention, based on a variety of signed legal documents. Such a system can facilitate just-in-time inventory systems and also speed payment via electronic funds transfer after the transaction, resulting in lower year-end receivables balances.

Which of the following best describes what is contained in a data dictionary?

- A data dictionary is a repository of definitions of data contained in a database.
- A source code application file definition describes the record layouts used by an application program.
- The data control language describes the privileges and security rules governing database users.
- A database recovery log file records the before and after images of updated records in a database.

The traditional manual procurement of direct and indirect resources used in manufacturing has been supplanted, in some cases significantly, by the use of which of the following?

- A recent development in the acquisition and sale of manufacturing resources is "business-to-business" (B2B) commerce. B2B uses the internet and electronic data interchange technology.

Which of the following statements is incorrect regarding artificial intelligence (AI)?

- AI is a current application of machine learning based on the idea that we should be able to give machines access to data and let them learn for themselves. Machine learning is one application of artificial intelligence (AI) (not vice versa), based on the idea that we should be able to give machines access to data and let them learn for themselves. Artificial intelligence is the science and engineering of simulating human intelligence processes by machines (i.e., making intelligent machines), especially intelligent computer programs. AI can perform tasks such as identifying patterns in the data more efficiently than humans, thus enabling businesses to gain more insight out of their data. AI is generally classified as either narrow/weak or general/strong.

Which of the following is an essential element of the audit trail in an electronic data interchange (EDI) system?

- Activity logs that indicate failed transactions. An audit trail allows the auditor to follow a single transaction from inception to recording in the books of account. An activity log indicating failed transactions in an EDI system would allow the auditor to identify why a transaction was not recorded and at what stage the transaction failed. This information would allow the auditor to test controls over such transactions. While a disaster recovery plan, encrypted hash totals, and hardware security modules are important to the internal controls of an electronic data interchange, they are not elements of the audit trail.

Which of the following is a primary function of a database management system?

- Capability to create and modify the database. A database management system (DBMS) is a specialized computer program that manages and controls data and the interface between data and the application programs. Such a system is designed to make it easier to develop new applications and allows users to change the way they view data without changing how the data are stored physically. The other answer choices (report customization, financial transactions input, and database access authorizations) are all performed by the system user rather than the DBMS.

Source data controls assure input data is authorized, accurate, and complete. Which of the following is not a characteristic of source data control?

- Closed-loop verification is an online data entry control, not a source data control. Characteristics of source data control include requiring all source documents to be properly authorized, restricting source document preparation, and prenumbering all documents.

Which of the following is not a type of customer relationship management (CRM) technology?

- Closed-source CRM systems. The term "closed-source CRM systems" is not a real type of CRM technology. Companies purchase a license upfront for on-premises CRM systems. The software resides on the company's servers and the user assumes responsibility for the administration, control, security, and maintenance of the database and information, in addition to the cost of any upgrades. Cloud-based CRM (also known as SaaS (software as a service)) stores data on an external, remote network that employees can access anytime, anywhere via an internet connection. An open-source CRM system offers an alternative to proprietary platforms from Salesforce and Microsoft; source code is made available to the public, permitting businesses to customize their data links on social media channels.

Which of the following lists comprise all of the components of the data processing cycle?

- Collection, refinement, processing, maintenance, output. The usual definition of the data processing cycle (DPC) is "input-processing-output." A listing of components of the DPC should include, as a minimum, these three components. The correct answer substitutes the term "collection" for "input." Refinement refers to classifying and/or batching. Maintenance refers to processing-related operations such as calculation and storage.

Which of the following allows customers to pay for goods or services from a website while maintaining financial privacy?

- Cryptocurrencies, such as bitcoins, are anonymous and allow payment for purchases from websites. A credit card, a sight draft (one that promises immediate payment to the holder of the draft), and an electronic check (such as created when a debit card is used for a purchase) are not anonymous.

The National Cyber Security Alliance (NCSA) guidelines for conducting cyber-risk assessment focus on several key areas. Which of the following is not a risk assessment area?

- Develop and implement a plan to mitigate cyber risk. Developing and implementing a plan to mitigate cyber risk is a key step in providing cybersecurity; however, it is not part of the risk assessment stage. The assessment stage is designed to identify and/or quantify issues; implementation of a plan is designed to mitigate/resolve those issues (i.e., risks) identified in the assessment stage.

Which of the following characteristics distinguishes electronic data interchange (EDI) from other forms of electronic commerce?

- EDI transactions are formatted using standards that are uniform worldwide. Electronic data interchange allows exchanges between entities because they are based on a standard. EDI relates to the data and not to how the data is programmed. EDI is the direct computer-to-computer transfer of business transaction documents and information between two organizations. The format and content of the documents must be standardized so that both computers can accept and process them.

Which of the following is not an attribute of a relational database?

- Each column contains information about a specific item. In a relational database, each row (not column) contains information about a separate entity. Each column contains information about entity attributes. In a relational database, a primary key uniquely identifies a specific row in a table. Other non-key attributes in each table store important information about that entity. A foreign key is an attribute in one table and a primary key in another.

Which of the following statements is correct concerning the security of messages in an electronic data interchange (EDI) system?

- Encryption performed by a physically secure hardware device is more secure than encryption performed by software. Electronic data interchange, or EDI, is the use of computerized communication to exchange business data electronically in order to process transactions. Encryption is transforming data into unreadable gibberish to be sent electronically. This data is then decrypted and read at its destination. When data is transferred electronically, security is an issue. Software applications that encrypt data are more vulnerable to security risks than a hardware device performing the same function.

A company has an online order processing system. The company is in the process of determining the dollar amount of loss from user error. The company estimates the probability of occurrence of user error to be 90%, with evenly distributed losses ranging from $1,000 to $30,000. What is the expected annual loss from user error?

- Errors are evenly distributed between $1,000 and $30,000. The average of this range is ($30,000 + $1,000) ÷ 2, or $15,500. The probability of error is 90%, so the expected value of the annual loss is 90% × $15,500, or $13,950.

Which of the following is the primary advantage of using a value-added network (VAN)?

- It provides increased security for data transmissions. Value-added networks (VANs) are telecommunication networks providing communication facilities, enhancing basic telecommunication services by passing, storing, and converting messages using enhanced security techniques.

There are two types of "schema": conceptual-level schema and external-level schema. Which of the following refers to a conceptual-level schema?

- Lists all data elements and the relationships between them. A database important to an individual user and databases that only certain users have access to refer to external-level schema. Each external-level schema is referred to as a subschema.

In building an electronic data interchange (EDI) system, what process is used to determine which elements in the entity's computer system correspond to the standard data elements?

- Mapping. Electronic data interchange (EDI) is the exchange of documents in standardized electronic form between different entities in an automated manner directly from a computer application in one entity to an application in another. Advantages of an EDI system include reduced errors, costs, and processing time. Mapping is establishing correspondence between the system and standard data elements. Translation changes computer code from one language to another. Encryption is used to prevent interception of data and to store data so that others cannot read it. Decoding is converting encrypted data back to readable data.

Which of the following statements is correct regarding information technology (IT) governance?

- One of management's major responsibilities is to make sure a company's information resources are secure and adequately controlled (i.e., control risk). Additionally, IT governance needs to ensure that the entity's strategic planning is not hampered. Strategic planning is an organization's formal process of defining its future course or direction (i.e., reward). By devising appropriate strategies (i.e., balancing risk versus reward) and making decisions on allocating its resources (e.g., staff and capital) to pursue those strategies, an organization's IT governance can help ensure that the entity's overall goals will be achieved.

Which of the following can be discovered using a data-mining process?

- Previously unknown information. Data-mining technology helps examine large amounts of data to discover previously unknown information and patterns. With data-mining software, companies can sift through all the chaotic and repetitive noise in data, pinpoint what is relevant, use that information to assess likely outcomes, and then accelerate the pace of making informed decisions. Data mining can identify trends and outcomes that are not easily identifiable by looking at higher-level or summary data.

The concept of a management information system (MIS) continues to evolve over time. Which of the following is generally understood to be a central element of an MIS?

- Processing of data items is based on decision models. The use of decision models to organize data is a central element of MIS. The management of data in an organized database is a central element of MIS. Users of an MIS do not have to be computer experts to realize benefits. The MIS concept is not based on computers, and consists of an organized federation of subsystems rather than a single, highly integrated system.

Which of the following is an example of a transaction file?

- Sales journal. An example of a transaction file is a sales journal. Transaction files contain data about transactions over a specific period of time, unlike master files, which are permanent and may extend across multiple fiscal periods. Files containing organizational assets, customer and vendor information, and debt schedules would be considered master files.

The information provided by an information system for external reports exists to comply with legal requirements for all of the following except:

- Shareholder reports are internal reports and are not legally required as an external report to outside entities to fulfill legal requirements. Examples of information system (IS) external reports are income tax returns, SEC 10-K filings, and Operational Safety and Health Administration (OSHA) reports. These three reports are legally required to be produced.

Which of the following is not a role of information systems in the business process?

- The Association of Business Process Management Professionals defines a business process as "a defined set of activities or behaviors performed by humans or machines to achieve one or more goals. Processes are triggered by specific events and have one or more outcome(s) that may result in the termination of the process or a handoff to another process." The role of information systems in business processes revolves around activities and behaviors that are triggered by specific events, not part of the daily work environment.

The revenue cycle produces information that is used by the other accounting cycles. This includes all cycles except which one of the following?

- The financing/treasury cycle. The revenue cycle is a recurring set of business and data processing activities associated with selling goods and services to customers in exchange for cash. The revenue cycle produces information that is used by other accounting cycles, including the expenditure, production/conversion, and payroll cycles, as well as the financial reporting cycle. The financing/treasury cycle is where companies obtain funds from investors and creditors. It is not a business activity associated with selling goods and services to customers.

Performance reports help to assess the efficiency and effectiveness of transaction cycle activities and to look for inefficient or ineffective performance. Which of the following is not an example of information that can be provided by performance reports?

- The function of a performance report, when examining transaction cycle activities, is to look for inefficient and/or ineffective performance. Sustaining a given level of inventory would typically not be part of a performance report; however, identifying slow-moving products so as to avoid excessive inventory levels would be reported. Additional items reported through performance reports include assessing sales force effectiveness by breaking sales down by salesperson, region, or product; assessing marketing performance by breaking down the marginal profit contribution of each territory, customer, distribution channel, salesperson, or product; evaluating the frequency and size of back orders to determine how well inventory management policies satisfy customer needs; preparing an accounts receivable aging schedule to monitor accounts receivables collections, estimate bad debts, and evaluate credit policies; preparing cash budgets to know when to borrow funds to meet short-term cash shortages and when to invest excess funds; and monitoring vendor performance using vendor performance reports.

Many entities use the internet as a network to transmit electronic data interchange (EDI) transactions. An advantage of using the internet for electronic commerce rather than a traditional value-added network (VAN) is that the internet:

- Value-added networks transmit data to trading partners with additional conversion and auditing steps. Using the internet directly allows a business to send transactions immediately to trading partners without the delay inherent in the additional VAN steps. "Automatically batches EDI transactions to multiple trading partners" is incorrect because the internet does not automatically batch transactions. "Possesses superior characteristics regarding disaster recovery" is incorrect because disaster recovery using a VAN is likely to be improved compared to the internet since the VAN designs disaster recovery into the network. "Converts EDI transactions to a standard format without translation software" is incorrect because the internet does not automatically use translation software.

A computer system that converts the inputs into data that allows management to make unstructured decisions concerning the company's future is:

- a strategic information system. A strategic information system provides information that may allow an organization to make strategic, competitive decisions. Transaction processing systems support basic routine business functions. An office automation system is used by clerical personnel to process existing information. Decision support systems process semi-structured and unstructured problems.

An internal version of the internet that can be accessed using conventional World Wide Web compatible hardware and software is called:

- an intranet. An intranet is an internal version of the internet. It can be accessed using conventional hardware and software that works with the World Wide Web (internet). The intranet is usually separated from the internet by a firewall. A higher level of hardware and software compatibility is required for local area networks (LANs) and wide area networks (WANs).

To develop and implement a systems reliability plan, an organization's IT governance should:

- assign plan responsibility and accountability to a top-level IT manager.
- review and update the system reliability plan regularly.
- require all employees to follow all security procedures (not only lower-level or new employees).
- identify, document, and test the availability, security, maintainability, integrity, and user reliability requirements.
- determine ownership, custody, access, and maintenance responsibility for information resources (hardware, software, data, infrastructure, and people).
- develop a security awareness program and use it to train employees.
- document and report all system reliability problems and analyze them, looking for causes and possible trends.

A database management system (DBMS) is a complex software package that allows all of the following except:

- be application dependent. A DBMS is application independent and does not actually run application programs. A DBMS allows concurrent use of data, provides access and identification security, and permits users to access information from the database.

If a database has integrity, this means that the:

- database has only consistent data. Integrity relates to the quality of a database. Among other considerations, data should be consistent and data inputs should conform to a predetermined standard of elements, size, and content.

The identification of users who have permission to access data elements in a database is found in the:

- database schema. A database schema is "a view of the entire structure of the database." It is "the organizational chart showing how the database is structured." The database schema shows all elements of the database and areas of responsibility of individuals.

The internet is made up of a series of networks that include:

- gateways to allow mainframe computers to connect to personal computers. Gateways connect internet computers of dissimilar networks.
- Routers determine the best path for data.
- Bridges connect physically separate LANs.
- Repeaters strengthen signal strength.

The Trust Services categories are aligned to the 17 principles presented in COSO's Internal Control—Integrated Framework. One of those categories is "logical and physical access controls," which is relevant to how the service organization:

- implements controls that serve to prevent unauthorized access and protect data assets. Logical and physical access controls relate to how the service organization implements logical and physical access controls that serve to prevent unauthorized access and protect data assets. System operations relate to how the service organization manages the operation of system(s) and detects and mitigates processing deviations, including logical and physical security deviations. Change management relates to how service organizations evaluate and determine necessary changes in infrastructure, data, software, and procedures, which gives them the ability to securely make changes and prevent unauthorized changes. Risk mitigation relates to how the service organization identifies, selects, and develops risk mitigation activities arising from potential business disruptions and the use of vendors and business partners.

A fundamental purpose of a database management system is to:

- reduce data redundancy. Reduction of data redundancy and associated costs is a prime objective of database utilization. Storage of data will occur in multiple files regardless of whether or not a database is used. Minimizing the occurrences of data elements within the files is the key to data organization. By using a logical view of data, access differences by application programs should be transparent to the programs and programmers. Utilization of a database will increase complexity of data processing.

Service Organization Control (SOC) 2 reports focus on a business's nonfinancial reporting controls as they relate to five Trust Services criteria (previously known as principles): security, availability, processing integrity, confidentiality, and privacy of a system. Availability refers to:

- security-related criteria such as network performance, site failover, and security incident handling. Availability refers to the system, product, or service being available for operation and used as committed or agreed to by a contract or service level agreement (SLA). This principle pertains to security-related criteria that may affect availability, monitoring such items as network performance and availability, site failover, and security incident handling. Addressing whether a system achieves its purpose (i.e., delivers the right data at the right price at the right time) is processing integrity. Communicating defined policies to responsible parties and authorized users of the system and monitoring the system and taking action to maintain compliance with its defined policies are two of the four broad areas that Trust Services are organized into; they are not one of the five principles.

An issuer's board of directors would ordinarily participate in each of the following activities, except:

- supervising and monitoring the quality control testing upon the installation of a new information technology system. The board of directors is directly responsible for long-term strategy and strategic planning, including maintaining awareness of the technological needs and capabilities of the organization. The board of directors is charged with the responsibility of overseeing management's role in establishing and maintaining the organization's system of internal controls. Management would ordinarily be responsible for the supervision and quality control for the actual installation of new information technology systems.

Which of the following is not true? Relational databases:

- use trees to store data in a hierarchical structure. Hierarchical databases use tree structures to organize data; relational databases use tables. Relational databases are flexible and useful for unplanned, ad hoc queries, do store data in table form, and are maintained on direct access devices.

Which of the following statements is correct regarding the internet as a commercially viable network? I. Organizations must use firewalls if they wish to maintain security over internal data. II. Companies must apply to the internet to gain permission to create a home page to engage in electronic commerce. III. Companies that wish to engage in electronic commerce on the internet must meet required security standards established by the coalition of internet providers.

- I only. Companies that wish to maintain adequate security must use firewalls to protect data from being accessed by unauthorized users. (Statement I) Anyone can establish a home page on the internet. (Statement II) There are no security standards for connecting to the internet, nor is there a coalition of internet providers which dictate such standards. The lack of such standards is a major problem with the internet. (Statement III)

A network of computers located throughout an organization's different facilities and linked to a centralized computer to fulfill information processing needs is called:

A network of computers located ("distributed") throughout an organization's different facilities and linked to a centralized computer to fulfill information ("data") processing needs is called distributed data processing. A local area network is a communication network, "locally" distributed, i.e., within a single office, and linked by cables which allows each unit to communicate with the others. Online processing is interactive real-time processing (compared to batch processing) in which the user is in direct communication with the computer, which processes transactions as soon as they are entered.

The Assurance Services Executive Committee of the AICPA has introduced Trust Services, including SysTrust and WebTrust, which are defined as a set of attestation and advisory services based on a core set of principles and criteria that addresses the risks and opportunities of IT-enabled systems and privacy programs. Which of the following is not in the core set of principles?

Although adequate controls are one of the keystones of IT governance, it is not one of the five principles developed by the AICPA, which include security, availability, processing integrity, confidentiality, and privacy.

Control Objectives for Information and Related Technology (COBIT) consolidates standards of different IT and security practices. Which of the following is a false statement relating to COBIT?

COBIT is unique in that it consolidates standards from 36 different sources into a single framework that is applicable to IT and security control practices. COBIT helps balance risk and controls information systems, provides assurance that security and IT controls are adequate, and guides auditors and internal controls. COBIT was not designed to physically safeguard assets.

Which of the following is not a true statement concerning customer relationship management (CRM) systems?

Customer relationship management (CRM) is preferably a cloud-based system that stores customer and prospect contact information, accounts, leads, and sales opportunities in one central database (not multiple locations and databases), available to all departments in a business, such as sales, customer service, accounting, marketing, and business development. CRM refers to practices, strategies, and technologies that businesses use to interact, analyze, forecast, and manage customer relationships, trends, and behaviors. Given that the company does not physically control the storage and maintenance in a cloud-based CRM system, their data could be compromised or lost if the cloud provider goes out of business or is acquired by another company. Additionally, the cost of subscription fees for cloud-based CRM software can be more costly over time than on-premises models.

Which of the following definitions describes data visualization?

Data visualization is any effort to help people understand the significance of data by placing it in a visual format, such as a graph or pie chart, to aid in the understanding and communication of difficult concepts and ideas. A digitized, decentralized, public ledger of all cryptocurrency transactions is a blockchain. Big data (not data visualization) is often defined by the three "V's": volume, velocity, and variety. Data analytics (not data visualization) rapidly examines large amounts of data to identify hidden patterns, correlations, and other insights.

Labels are used to protect data files from inadvertent misuse. Which of the following is not a protocol for labeling data files?

External labels do not require trailer labels; only internal labels require trailer labels. Protocols for labeling data files include external labels containing contents and dates processed, external labels requiring file names, and internal labels containing volume labels that identify the data recording medium.

Corporate intranets are typically characterized by ________ as compared to local and wide area networks.

Intranets are private networks that behave in much the same manner as the internet. They are subject to higher security risks but are less costly to operate than local or wide area networks.

Which of the following does properly match a Service Organization Control (SOC) report to its underlying professional standard?

- SOC 1 report: SSAE 16, Reporting on Controls at a Service Center
- SOC 2 report: AICPA Guide, Reporting on Controls at a Service Center Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
- SOC 2 report: AT 101, Attestation Engagements
- SOC 3 report: AT 101, Attestation Engagements

Who are the intended users of a Service Organization Control (SOC) 2 report?

SOC 1 reports are for management of the service organization, user entities, and user auditors. SOC 2 reports are restricted and are only for parties that are knowledgeable about the nature of the service provided by the service organization. SOC 3 reports have no restrictions and can be distributed to anyone.

An advantage of decentralizing data processing facilities is:

Some advantages of decentralized data processing facilities are:
- decentralization increases direct access by users,
- standalone capabilities are distributed to points of need,
- participation is increased in designs and use, and
- the ability to share computing power, which decreases the significance of system failure.

Which of the following information technology (IT) terms is matched with its appropriate definition?

Text-mining technology (not data mining) enables entities to analyze text data from the web, comment fields, books, and other text-based sources to uncover insights not previously identified. Text mining uses machine learning or natural language processing technology to comb through documents such as emails, blogs, and Twitter feeds to analyze large amounts of information and discover new topics and term relationships. Data mining technology helps examine large amounts of data to discover patterns.
- Hadoop: a free, open-source software framework that stores large amounts of data
- Predictive analytics technology: uses data, statistical algorithms, and machine-learning techniques to identify the likelihood of future outcomes based on historical data
- Big data: a term that describes the large volume of diverse and complex data available to businesses on a day-to-day basis

The increased use of database processing systems makes managing data and information a major information service function. Because the databases of an organization are used for many different applications, they are coordinated and controlled by a database administrator. The functions of a database administrator are:

The database administrator may be a single individual or a staff of individuals depending on the size of the organization. The functional responsibilities generally include planning the database, defining schemas and subschemas, selecting the appropriate database management system (DBMS) software, creating the database structure, establishing policy and procedures for database usage, teaching users how to work with the DBMS, and controlling database activity, i.e., database design, operation and security.

The accounting information system (AIS) is a subset of the management information system (MIS). The AIS is composed of both the human and capital resources within an organization that are responsible for all of the following except:

The accounting information system provides controls to safeguard the organization's assets but is not responsible for physically safeguarding its assets. The AIS team is responsible for the preparation of financial information, the information obtained from collecting and processing company transactions, the collection and storage of data about activities and business transactions, processing that data into information and the creation of reports useful for making decisions, and providing adequate system controls to safeguard the organization's assets.

