Internal Controls And Risks In IT | Verified Test Bank Ch.4 - Accounting Info Systems Controls 3e Complete Test Bank by Leslie Turner

ACCOUNTING INFORMATION SYSTEMS/3e

TURNER / WEICKGENANNT / COPELAND

Test Bank: CHAPTER 4: Internal Controls and Risks in IT Systems

NOTE: New questions are identified by the letter A as part of the question number; adjusted questions are identified by the letter X as part of the question number.

End of Chapter Questions:

1. Internal controls that apply overall to the IT system are called:
   A. Overall Controls
   B. Technology Controls
   C. Application Controls
   D. General Controls (correct)

2. In entering client contact information in the computerized database of a telemarketing business, a clerk erroneously entered nonexistent area codes for a block of new clients. This error rendered the block of contacts useless to the company. Which of the following would most likely have led to discovery of this error as it was entered into the company's computerized system?
   A. Limit check
   B. Validity check (correct)
   C. Sequence check
   D. Record count

3. Which of the following is not a control intended to authenticate users?
   A. User log-in
   B. Security token
   C. Encryption (correct)
   D. Biometric devices

4. Management of an internet retail company is concerned about the possibility of computer data eavesdropping and wiretapping, and wants to maintain the confidentiality of its information as it is transmitted. The company should make use of:
   A. Data encryption (correct)
   B. Redundant servers
   C. Input controls
   D. Password codes

5. An IT governance committee has several responsibilities. Which of the following is least likely to be a responsibility of the IT governance committee?
   A. Develop and maintain the database and ensure adequate controls over the database. (correct)
   B. Develop, monitor, and review security policies.
   C. Oversee and prioritize changes to IT systems.
   D. Align IT investments to business strategy.

6. AICPA Trust Principles describe five categories of IT risks and controls. Which of these five categories would be described by the statement, "The system is protected against unauthorized access"?
   A. Security (correct)
   B. Confidentiality
   C. Processing integrity
   D. Availability

7. The risk that an unauthorized user would shut down systems within the IT system is a(n):
   A. Security risk
   B. Availability risk (correct)
   C. Processing integrity risk
   D. Confidentiality risk

8. The risk of an unauthorized user gaining access is likely to be a risk for which of the following areas?
   A. Telecommuting workers
   B. Internet
   C. Wireless networks
   D. All of the above (correct)

9. Which programmed input validation check compares the value in a field with related fields to determine whether the value is appropriate?
   A. Completeness check
   B. Validity check
   C. Reasonableness check (correct)
   D. Field check

10. Which programmed input validation check determines whether the appropriate type of data, either alphabetic or numeric, was entered?
   A. Completeness check
   B. Validity check
   C. Reasonableness check
   D. Field check (correct)

11. Which programmed input validation check makes sure that a value was entered in all of the critical fields?
   A. Completeness check (correct)
   B. Validity check
   C. Reasonableness check
   D. Field check

12. Which control total is the total of field values that are added for control purposes, but not added for any other purpose?
   A. Record count
   B. Hash total (correct)
   C. Batch total
   D. Field total

13. A company has the following invoices in a batch:

   Invoice No.   Product ID   Quantity   Unit Price
   401           H42          150        $30.00
   402           K56          200        $25.00
   403           H42          250        $10.00
   404           L27          300         $5.00

   Which of the following numbers represents a valid record count?
   A. 1
   B. 4 (correct)
   C. 70
   D. 900

TEST BANK - CHAPTER 4 - MULTIPLE CHOICE

1. The average annual cost of cyber crime to U.S. companies is:
   A. $3.8 million (correct)
   B. $6.2 million
   C. $1.1 billion
   D. Not determinable

2. Unchecked risks and threats to the IT system could result in:
   A. An interruption of the computer operations
   B. Damage to an organization
   C. Incorrect or incomplete accounting information
   D. All of the above (correct)

3. In order to master risks and controls and how they fit together, which of the following is NOT one of the areas to fully understand?
   A. The accounting information system. (correct)
   B. The description of the general and application controls that should exist in IT systems.
   C. The type and nature of risks in IT systems.
   D. The recognition of how controls can be used to reduce risk.

4. Internal controls that apply overall to the IT accounting system, and that are not restricted to any particular accounting application, are referred to as a(n):
   A. Specific Controls
   B. Application Controls
   C. General Controls (correct)
   D. IT Controls

5. All of the following are General controls except for:
   A. Passwords
   B. Physical hardware controls
   C. Software Controls
   D. Inventory Controls (correct)

6. General controls are divided into five broad categories. Which of the following is not one of these categories?
   A. Authentication of users and limiting unauthorized access
   B. Hacking and other network break-ins
   C. Fraud Prevention (correct)
   D. Business Continuity

7. Hacking can be prevented by using which of the following?
   A. Firewalls
   B. Encryption
   C. Virtual Private Networks
   D. None of the Above (correct)
   E. All of the above

8. Internal controls used specifically in accounting applications to control inputs, processing, and outputs are referred to as a(n):
   A. Specific Controls
   B. Application Controls (correct)
   C. General Controls
   D. IT Controls

9. General controls in IT systems are divided into five broad categories. Which of the following is NOT one of those categories?
   A. Authentication of users and limiting unauthorized access
   B. Output controls (correct)
   C. Organization structure
   D. Physical environment and physical security of the system.

10. A process or procedure in an IT system to ensure that the person accessing the IT system is valid and authorized is called:
   A. Hacking and other network break-ins
   B. Physical environment and physical security
   C. Authentication of users and limiting unauthorized access (correct)
   D. Organizational structure

11. This term relates to making the computer recognize a user in order to create a connection at the beginning of the computer session.
   A. User ID
   B. Password
   C. Smart card
   D. Login (correct)

12. All of the following are environmental control issues for physical hardware except for:
   A. High temperatures
   B. Fires
   C. Excessive Humidity
   D. All of the Above (correct)
   E. None of the Above

13. Which of the following is NOT one of the rules for the effective use of passwords?
   A. Passwords should not be case sensitive. (correct)
   B. Passwords should be at least 6 characters in length.
   C. Passwords should contain at least one nonalphanumeric character.
   D. Passwords should be changed every 90 days.

14. Which of the following is not a good example of an effective password?
   A. ABC*$123
   B. a1b2c3 (correct)
   C. A*1b?2C$3
   D. MSU#Rules$

15. This item, which strengthens the use of passwords, is plugged into the computer's card reader and helps authenticate that the user is valid; it has an integrated circuit that displays a constantly changing ID code. These statements describe a:
   A. Security token
   B. USB control key
   C. Smart card (correct)
   D. Biometrics

16. A new technology that is used to authenticate users is one that plugs into the USB port and eliminates the need for a card reader. This item is called a:
   A. Biometric reader
   B. Smart card
   C. USB smart key
   D. Security token (correct)

17. The use of the smart card or security tokens is referred to as two-factor authorization because:
   A. It is based on something the user has, the token or card, and something the user knows, the password. (correct)
   B. It requires that the user is granted the card / token in a secure environment and that the user actually uses the card / token.
   C. It requires that the user has two different authorizations: (1) to receive the card / token, and (2) to use the card / token.
   D. It requires the use of the card / token to (1) log in to the system and (2) access the applications.

18. This type of authentication uses some unique physical characteristic of the user to identify the user and allow the appropriate access to the system.
   A. Nonrepudiation card
   B. Biometric device (correct)
   C. Configuration table
   D. Computer log

19. Which of the following is not an example of physical characteristics being used in biometric devices?
   A. Retina scans
   B. Fingerprint matching
   C. Social security number (correct)
   D. Voice verification

20. This complete record of all dates, times, and uses for each person is referred to as a(n):
   A. User password
   B. Computer log (correct)
   C. User profile
   D. Configuration table

21. The term meaning that a user cannot deny any particular act that he or she did on the IT system is:
   A. Configuration
   B. Proliferation
   C. Verification
   D. Nonrepudiation (correct)

22. There are a number of reasons that all access to an IT system should be logged. Which of the following is not one of the reasons for the log to be maintained?
   A. Any login or use abnormalities can be examined in more detail to determine any weaknesses in the login procedures.
   B. A user cannot deny any particular act that he or she did on the system.
   C. To establish nonrepudiation of sales transactions by a customer.
   D. To establish a user profile. (correct)

23. This should be established for every authorized user and determines each user's access level to hardware, software, and data according to the individual's job responsibilities.
   A. User profile (correct)
   B. User password
   C. User ID
   D. User log

24. This table contains a list of valid, authorized users and the access level granted to each one.
   A. User table
   B. Authority table (correct)
   C. Authentication table
   D. Configuration table

25. The IT system includes this type of table for software, hardware, and application programs; it contains the appropriate set-up and security settings.
   A. Configuration table (correct)
   B. Authentication table
   C. User table
   D. Authority table

26. Nonrepudiation means that:
   A. A user is not authorized to change configuration settings.
   B. A user is not allowed access to the authority tables.
   C. A user can prevent the unauthorized flow of data in both directions.
   D. A user cannot deny any particular act that he or she did on the IT system. (correct)

27. Hardware, software, or a combination of both that is designed to block unauthorized access to an IT system is called a:
   A. Computer log
   B. Biometric device
   C. Firewall (correct)
   D. Security token

28. The process of converting data into secret codes referred to as cipher text is called:
   A. Deciphering
   B. Encryption (correct)
   C. Nonrepudiation
   D. Enciphering

29. This form of encryption uses a single encryption key that must be used to encrypt data and also to decode the encrypted data.
   A. Multiple encryption
   B. Public key encryption
   C. Wired encryption
   D. Symmetric encryption (correct)

30. This form of encryption uses a public key, which is known by everyone, to encrypt data, and a private key to decode the data.
   A. Multiple encryption
   B. Public key encryption (correct)
   C. Wired encryption
   D. Symmetric encryption

31. This encryption method, used with wireless network equipment, is symmetric in that both the sending and receiving network nodes must use the same encryption key. It has been proven to be susceptible to hacking.
   A. Wired Equivalency Privacy (WEP) (correct)
   B. Wired Encryption Policy (WEP)
   C. Wireless Protection Access (WPA)
   D. Wired Privacy Authentication (WPA)

32. In this encryption method, a computer requests connection to the network via an access point; that point then requests the user identity and transmits that identity to an authentication server, substantially authenticating the computer and the user.
   A. Wired Equivalency Privacy (WEP)
   B. Wired Encryption Provider (WEP)
   C. Wireless Provider Authentication (WPA)
   D. Wireless Protection Access (WPA) (correct)

33. This security feature, used on wireless networks, is a password that is passed between the sending and receiving nodes of a wireless network.
   A. Secure sockets layer
   B. Service set identifier (correct)
   C. Wired provided access
   D. Virtual private network

34. Authorized employees may need to access the company IT system from locations outside the organization. These employees should connect to the IT system using this type of network.
   A. Secure socket network
   B. Service set identifier
   C. Virtual private network (correct)
   D. Wireless encryption portal

35. This type of network uses tunnels, authentication, and encryption within the Internet network to isolate Internet communications so that unauthorized users cannot access or use certain data.
   A. Residential user network
   B. Service internet parameter network
   C. Virtual private network (correct)
   D. Virtual public network

36. This communication protocol is built into web server and browser software and encrypts data transferred on that website. You can determine whether a website uses this technology by looking at the URL.
   A. Secure sockets layer (correct)
   B. Service security line
   C. Secure encryption network
   D. Secure service layer

37. Which of the following URLs would indicate that the site is using browser software that encrypts data transferred to the website?
   A. shttp://misu
   B. https://misu (correct)
   C. http://smisus
   D. https://smisus

38. A self-replicating piece of program code that can attach itself to other programs and data and perform malicious actions is referred to as a(n):
   A. Worm
   B. Encryption
   C. Virus (correct)
   D. Infection

39. A small piece of program code that attaches to the computer's unused memory space and replicates itself until the system becomes overloaded and shuts down is called a:
   A. Infections
   B. Virus
   C. Serum
   D. Worm (correct)

40. This type of software should be used to avoid destruction of data and programs and to maintain operation of the IT system. It continually scans the system for viruses and worms and either deletes or quarantines them.
   A. Penicillin Software
   B. Antivirus Software (correct)
   C. Infection Software
   D. Internet Software

41. The process of proactively examining the IT system for weaknesses that can be exploited by hackers, viruses, or malicious employees is called:
   A. Intrusion detection
   B. Virus management
   C. Vulnerability assessment (correct)
   D. Penetration testing

42. This method of monitoring exposure can involve either manual testing or automated software tools. The method can identify weaknesses before they become network break-ins and attempt to fix these weaknesses before they are exploited.
   A. Vulnerability assessment (correct)
   B. Intrusion detection
   C. Encryption examination
   D. Penetration testing

43. Specific software tools that monitor data flow within a network and alert the IT staff to hacking attempts or other unauthorized access attempts are called:
   A. Security detection
   B. Vulnerability assessment
   C. Penetration testing
   D. Intrusion detection (correct)

44. The process of legitimately attempting to hack into an IT system to find whether weaknesses can be exploited by unauthorized hackers is referred to as:
   A. Vulnerability assessment
   B. Intrusion detection
   C. Penetration testing
   D. Worm detection

45. The function of this committee is to govern the overall development and operation of IT systems.
   A. IT Budget Committee
   B. IT Audit Committee
   C. IT Governance Committee (correct)
   D. IT Oversight Committee

46. Which of the following would normally not be found on the IT Governance Committee?
   A. Computer input operators (correct)
   B. Chief Executive Officer
   C. Chief Information Officer
   D. Heads of business units

47. The IT Governance Committee has several important responsibilities. Which of the following is not normally one of those responsibilities?
   A. Align IT investments to business strategies.
   B. Oversee and prioritize changes to IT systems.
   C. Develop, monitor, and review security procedures.
   D. Investing excess IT funds in long-term investments. (correct)

48. The functional responsibilities within an IT system must include the proper segregation of duties. Which of the following positions is not one of the duties that is to be segregated from the others?
   A. Systems analysts
   B. Chief information officer (correct)
   C. Database administrator
   D. Operations personnel

49. The systematic steps undertaken to plan, prioritize, authorize, oversee, test, and implement large-scale changes to the IT system are called the:
   A. IT Governance System
   B. Operations Governance
   C. System Development Life Cycle (correct)
   D. Systems Analysis

50. General controls for an IT system include:
   A. Controls over the physical environment only.
   B. Controls over the physical access only.
   C. Controls over the physical environment and over the physical access. (correct)
   D. None of the above.

51. A battery to maintain power in the event of a power outage, meant to keep the computer running for several minutes after the power outage, is an example of a(n):
   A. Uninterruptible power supply (correct)
   B. System power supply
   C. Emergency power supply
   D. Battery power supply

52. An alternative power supply that provides electrical power in the event that a main source is lost is called a(n):
   A. Uninterruptible power supply
   B. System power supply
   C. Emergency power supply (correct)
   D. Battery power supply

53. Large-scale IT systems should be protected by physical access controls. Which of the following is not listed as one of those controls?
   A. Limited access to computer rooms
   B. Video surveillance equipment
   C. Locked storage of backup data
   D. Encryption of passwords. (correct)

54. A proactive program for considering risks to the business continuation and the development of plans and procedures to reduce those risks is referred to as:
   A. Redundant business planning
   B. Business continuity planning (correct)
   C. Unnecessary in the current safe environments
   D. Emergency backup power

55. Examples of Business Continuity include all of the following except:
   A. Disaster Recovery Plan
   B. Backup Data
   C. Environmental Backup Recovery Plan (correct)
   D. Offsite Backup

56. Two or more computer network servers or data servers that can run identical processes or maintain the same data are called:
   A. Emergency power supply
   B. Uninterruptible power source
   C. Redundant servers (correct)
   D. Business continuity planning

57. Many IT systems have redundant data storage such that two or more disks are exact mirror images. This is accomplished by the use of:
   A. Redundant arrays of independent disks (correct)
   B. Redundant mirror image disks
   C. Mirror image independent disks
   D. Redundant mirror image dependent disks

58. The AICPA Trust Services Principles categorize IT controls and risks into categories. Which of the following is not one of those categories?
   A. Confidentiality
   B. Security
   C. Recovery (correct)
   D. Availability

59. The establishment of log-in procedures can help prevent or lessen security risks; such procedures are referred to as:
   A. Reactive controls
   B. Preventive controls
   C. Availability controls
   D. Confidentiality controls

60. Availability risks related to the authentication of users would include:
   A. Shutting down the system and shutting down programs (correct)
   B. Altering data and repudiating transactions
   C. Stealing data and recording nonexistent transactions
   D. Sabotaging systems and destroying data

61. Risks to the accuracy, completeness, and timeliness of processing in IT systems are referred to as:
   A. Availability Risks
   B. Security Risks
   C. Confidentiality Risks
   D. Processing Integrity Risks (correct)

62. The software that controls the basic input and output activities of the computer is called the:
   A. Operating System (correct)
   B. Application Software
   C. Data Base Management System
   D. Electronic Data Interchange

63. Unauthorized access to the operating system would allow the unauthorized user to:
   A. Browse disk files for sensitive data or passwords.
   B. Alter data through the operating system.
   C. Alter application programs.
   D. All of the above (correct)

64. A large disk storage for accounting and operating data is referred to as a(n):
   A. Operating system
   B. Application software
   C. Database (correct)
   D. Binary monetary system

65. A software system that manages the interface between many users and the database is called a:
   A. Database security system
   B. Database management system (correct)
   C. Database binary monetary system
   D. Database assessment

66. A computer network covering a small geographic area, which in most cases is within a single building or a local group of buildings, is called a:
   A. Land area network
   B. Local access network
   C. Local area network (correct)
   D. Locality arena network

67. A group of LANs connected to each other to cover a wider geographic area is called a:
   A. Connected local network
   B. Wide area network (correct)
   C. Connected wide area
   D. Wide geographic network

68. The work arrangement where employees work from home using some type of network connection to the office is referred to as:
   A. Telecommuting (correct)
   B. Telemarketing
   C. Network Employment
   D. Electronic working

69. The company-to-company transfer of standard business documents in electronic form is called:
   A. Facsimile Transmission
   B. PDF Interchange
   C. Electronic Data Interchange (correct)
   D. Tele-transmission

70. Companies that provide mobile devices for employees normally have a policy that allows the company's IT professionals to remove company data and applications from the mobile device. This process is referred to as:
   A. Cloud exchange
   B. Operations removal
   C. Data integrity
   D. Remote wipe (correct)

71. Many companies use a public cloud computing model for software, data storage, or both. Which of the following is an advantage of the public cloud computing model?
   A. Expanded access
   B. Cost savings
   C. Scalability
   D. All of the above are advantages (correct)

72. A company using public cloud computing has the ability to purchase new capacity from the cloud provider, instead of buying servers or new data storage. This ability is referred to as:
   A. Scalability (correct)
   B. Expanded access
   C. Infrastructure availability
   D. Provider expansion

73. Risks associated with public cloud computing include all of the following, except:
   A. Security
   B. Availability
   C. Processing Integrity
   D. Scalability (correct)

74. To avoid the risks associated with a public cloud, many companies establish their own computing cloud structure. The cloud is developed, owned, maintained, and used by the user company. This cloud is referred to as a:
   A. Company cloud
   B. User cloud
   C. Private cloud
   D. Internal cloud

75. The software that accomplishes end user tasks such as word processing, spreadsheets, and accounting functions is called:
   A. Operating Software
   B. Database Software
   C. Application Software (correct)
   D. Management Software

76. Internal controls over the input, processing, and output of accounting applications are called:
   A. Accounting Controls
   B. Application Controls
   C. Network Controls
   D. LAN Controls

77. This type of control is intended to ensure the accuracy and completeness of data input procedures and the resulting data:
   A. Input Controls (correct)
   B. Internal Controls
   C. Processing Controls
   D. Output Controls

78. This type of control is intended to ensure the accuracy and completeness of processing that occurs in accounting applications:
   A. Input Controls
   B. Internal Controls
   C. Processing Controls (correct)
   D. Output Controls

79. This type of control is intended to help ensure the accuracy, completeness, and security of outputs that result from application processing:
   A. Input Controls
   B. Internal Controls
   C. Processing Controls
   D. Output Controls (correct)

80. The process of converting data from human readable form to computer readable form is referred to as:
   A. Transcription
   B. Data Input (correct)
   C. Keyboarding
   D. Scanning

81. Which of the following is NOT one of the types of input controls?
   A. Source document controls
   B. Programmed edit checks
   C. Confidentiality check (correct)
   D. Control totals and reconciliation

82. The paper form used to capture and record the original data of an accounting transaction is called a(n):
   A. Input control
   B. Source document (correct)
   C. Sales invoice
   D. General ledger

83. Which of the following items is not one of the source document controls?
   A. Validity check (correct)
   B. Form design
   C. Form authorization and control
   D. Retention of source documents

84. The process whereby the details of individual transactions at each stage of the business process can be recreated in order to establish whether proper accounting procedures for the transaction were performed is called the:
   A. Source document reconciliation
   B. Range check
   C. Validity verification
   D. Audit trail (correct)

85. The procedures to collect and prepare source documents are termed:
   A. Input validation procedures
   B. Form authorization procedures
   C. Data preparation procedures (correct)
   D. Document retention procedures

86. The data preparation procedures are to be well-defined so that employees will be sure of:
   A. Which forms to use
   B. When to use them
   C. Where to route them
   D. All of the above (correct)

87. Field check, limit check, range check, and sequence check are all examples of:
   A. Input Validation Checks (correct)
   B. Source Document Controls
   C. Control Reconciliation
   D. Application Controls

88. This type of input validation check examines a field to ensure that the data entry in the field is valid compared with a preexisting list of acceptable values.
   A. Field Check
   B. Completeness Check
   C. Validity Check (correct)
   D. Range Check

89. This type of input validation check assesses the critical fields in an input screen to make sure that a value is in those fields.
   A. Field Check
   B. Completeness Check (correct)
   C. Range Check
   D. Limit Check

90. This type of input check ensures that the batch of transactions is sorted in order, but does not help to find missing transactions.
   A. Completeness Check
   B. Range Check
   C. Self-checking Digit Check
   D. Sequence Check (correct)

91. An extra digit added to a coded identification number, determined by a mathematical algorithm, is called a:
   A. Coded Digit Check
   B. Self-Checking Digit Check (correct)
   C. Sequence Check
   D. Run to Run Check

92. Which of the following is NOT one of the types of control totals?
   A. Digit Count (correct)
   B. Record Count
   C. Batch Totals
   D. Hash Totals

93. The totals of fields that have no apparent logical reason to be added are called:
   A. Record Totals
   B. Digit Totals
   C. Batch Totals
   D. Hash Totals

94. These controls are intended to prevent, detect, or correct errors that occur during the processing of an application.
   A. Application Controls
   B. Source Document Controls
   C. Processing Controls
   D. Input Controls

95. A primary objective of output controls would be:
   A. Manage the safekeeping of source documents
   B. Assure the accuracy and completeness of the output
   C. Ensure that the input data is accurate
   D. Prevention and detection of processing errors

96. The responsibility of management to safeguard assets and funds entrusted to them by the owners of an organization is referred to as:
   A. Stewardship Responsibility
   B. IT System Controls
   C. Application Controls
   D. Internal Controls

97. In addition to fraud, there are many kinds of unethical behaviors related to computers. Which of the following is one of those behaviors?
   A. Misuse of confidential customer information
   B. Theft of data, such as credit card information, by hackers
   C. Employee use of the IT system hardware and software for personal use or personal gain
   D. All of the above.

TEST BANK - CHAPTER 4 - TRUE / FALSE

  1. If a company’s IT system fails, it would have little or no effect on the company’s operations.

IT systems have become so critical that a company would hardly be able to operate if the IT system failed.

  1. It is necessary for students and accountants to understand the types of threats that may affect an accounting system, so that the threats can be avoided.

so that the threats can be minimized.

  1. It is important for accountants to consider possible threats to the IT system and to know how to implement controls to try to prevent those threats from becoming reality.
  2. General controls apply to the IT accounting system and are not restricted to any particular accounting application.
  3. The use of passwords to allow only authorized users to log into an IT system is an example of an application control.

This is an example of a general control.

  1. Application controls apply to the IT accounting system and are not restricted to any particular accounting application.

This describes the general controls.

  1. The use of passwords to allow only authorized users to log into an IT system is an example of a general control.
  2. General controls are used specifically in accounting applications to control inputs, processing, and outputs.

This is a description of application controls

  1. Application controls are intended to ensure that inputs and processing are accurate and complete and that outputs are properly distributed, controlled, and disposed.
  2. A validity check is an example of an input application control.
  3. To increase the effectiveness of login restrictions, user Ids must be unique for each user.
  4. To increase the effectiveness of login restrictions, passwords must be unique for each user.

The user ID is described by the sentence.

  1. Biometric devises use unique physical characteristics to identify users. The most common method used is retina scans.

The most common method used is fingerprint matching.

  1. There are a number of methods described that are intended to limit log-ins exclusively to authorized users. The only method that is foolproof is the biometric devices.

None of the methods is foolproof.

  1. The user ID and password for a particular user should not allow access to the configuration tables unless that user is authorized to change the configuration settings.
  2. It is necessary for an IT system to be networked to an external internet to be open to opportunities for unauthorized access.

If networked to an internal network it may be open to unauthorized access.

  1. Unauthorized access is a concern when an IT system is networked to either internal networks or the Internet.
  2. A firewall can prevent the unauthorized flow of data in both directions.
  3. Deciphering renders data useless to those who do not have the correct encryption key.

Encryption ..... (not deciphering).

  1. Discussing the strength of encryption refers to how difficult it would be to break the code.
  2. The longer the encryption key is bits, the more difficult it will be to break the code.
  3. The longest encryption keys are 128 bits.

256 bits.

  1. Encryption is more important for dial-up networks than for wireless networks.
  2. Using a unique service set identifier (SSID) makes it more difficult for an outsider to access the wireless network.
  3. The VPN, virtual private network, uses the internet and is therefore not truly private – but is virtually private.
  4. Once an organization has set up an effective system to prevent unauthorized access to the IT system, it is not necessary to continually monitor the vulnerability of that system.

continually monitoring and testing the vulnerability of the IT system is essential.

  1. It is important to understand that the IT governance committee delegates many of its duties by the policies that it develops.
  2. The most important factor in controlling IT systems is the maintenance of the vulnerability assessment activities.

the competence of the personnel.

  1. In a properly segregated IT system, no single person or department should develop computer programs and also have access to data that is commensurate with operations personnel.
  2. It is proper that the database administrator develop and write programs.
  3. To the extent possible, IT systems should be installed in locations away from any location likely to be affected by natural disasters.
  4. It is not necessary to control the humidity and temperature in the location where the computer system is housed.
  5. Disaster recovery planning is a proactive plan to protect IT systems and the related data.

reactive plan ...

  1. Each organization has to decide which combination of IT controls is most suitable for its IT system, making sure that the benefits of each control outweigh its costs.
  2. Controls will help to reduce risks, but it is impossible to completely eliminate risks.
  3. It is possible to completely eliminate risks with the proper controls.
  4. The most popular type of unauthorized access is probably by a person known to the organization.
  5. Employees who hack into computer networks are often more dangerous because of their knowledge of company operations.
  6. It is necessary to identify the “entry points” in the IT system that make an organization susceptible to IT risks.
  7. Access to the operating system will not allow hackers access to the application software or the database.
  8. Controlling access to the operating system is critical because that access opens access to any data or program within the system.
  9. A database is often less open to unauthorized access than the physical, paper records, because the database has fewer access points.
  10. The workstations and the network cabling and connections represent spots where an intruder could tap into the network for unauthorized access.
  11. In a wireless network, signals are transmitted through the air rather than over cables. Anyone who wants to gain access to the network would need to know the password to access these “air-borne” signals.
  12. The use of dual firewalls - one between the internet and the web server and one between the web server and the organization’s network - can help prevent unauthorized users from accessing the organization’s internal network of computers.
  13. Telecommuting workers cause two sources of risk exposure for their organizations - the network equipment and cabling in addition to the teleworker’s computer - with the only “entry point” being the teleworker’s computer.
  14. Many IT systems do not use source documents; the input is automatic.
  15. A computer network covering a small geographic area is referred to as a LAN.
  16. One of the sources of risk exposure related to telecommuting workers is that the company’s network equipment and cabling becomes an entry point for hackers and unauthorized users.
  17. The only risk related to the entry points of telecommuting workers is the interaction risk.

the risks are security, confidentiality, availability, and processing integrity.

  1. If an employee’s personal smart phone or tablet is lost or stolen, the company has the right to apply a remote wipe, to remove any company data.

this would apply to company phones and tablets.

  1. Many companies use a public cloud computing model for storage only.

software and storage are both part of the public cloud computing model.

  1. Scalability, related to public cloud computing, refers to the fact that a company can easily purchase new capacity from the cloud provider.
  2. One of the advantages of private cloud computing is expanded access.
  3. Public and private cloud computing both have the benefits of reduced infrastructure and reduced costs.

only the public cloud computing has the benefits listed.

  1. If no source documents are used by the IT system, then the general controls, such as computer logging of transactions, become less important.

more important.

  1. The group of controls referred to as Source Document Controls does not include form design.
  2. The closer the source document matches the input screen, the easier it will be for the data entry employee to complete the input screen without errors.
  3. The form authorization and control includes the requirement that source documents should be prenumbered and are to be used in sequence.
  4. Once the data from the source documents have been keyed into the computer, the source document can be destroyed.
  5. With the proper training of employees and the adequate controls, it would be possible to eliminate all errors.
  6. To verify the accuracy of application software, an organization should be sure the software is tested before it is implemented and must regularly test it after implementation.
  7. An organization must maintain procedures to protect the output from unauthorized access in the form of written guidelines and procedures for output distribution.
  8. Management must discourage illegal behavior by employees, such as misuse of computers and theft through the computer systems.

Although unethical, the misuse of computers is not always considered to be illegal.

  1. SO 2 Repudiation of sales

What does the term repudiation of sales transactions by the customer mean? Why should an organization be concerned about repudiation of sales transactions by the customer?

  1. SO 2 Firewalls and Other Controls

The director of sales has asked the CIO of the company to remove the firewall where sales transactions occur online, as he believes that the firewall is restricting legitimate sales from occurring online. Is the director of sales correct? Is it possible for a firewall to restrict legitimate data flow?

Required:

Explain what a firewall is and what it is intended to accomplish. Identify whether the director of sales is correct. Is it possible for a firewall to restrict legitimate data flow?

  1. SO 3,4 Operating System Risk

Required:

Explain why accountants should be concerned about risks inherent in the operating system that runs the company’s accounting system.

  1. SO 4 Cloud Computing

Provide and explain three reasons a company would want to employ cloud computing for its ERP system.

  1. SO 4 Cloud Computing – Public versus Private

Define what is meant by (a) public and (b) private cloud computing for an ERP system. Is a private cloud less risky than a public cloud?

  1. SO 2,5 General controls and Application controls

Identify for each control whether it is a general control or an application control:

| No. | Control | G or A |
|-----|---------|--------|
| a. | validity check | |
| b. | batch total | |
| c. | output distribution | |
| d. | firewall | |
| e. | antivirus software | |
| f. | encryption | |
| g. | security token | |
| h. | vulnerability assessment | |

  1. SO 5 Input controls - Source document controls

Application controls include input, processing, and output controls. One type of input control is source document controls. List and briefly explain the role or importance of each of the source document controls listed in the text in chapter four.

  1. SO 4 Input Validation Checks

Define each of the following input validation checks. Explain how each can prevent or detect errors.

| Input Validation Check | Definition | How the control prevents or detects errors |
|------------------------|------------|--------------------------------------------|
| Field check | | |
| Validity check | | |
| Limit check | | |
| Range check | | |
| Reasonableness check | | |
| Completeness check | | |
| Sign check | | |
| Sequence check | | |
| Self-checking digit | | |


Document Information

Document Type: DOCX
Chapter Number: 4
Created Date: Aug 21, 2025
Chapter Name: Chapter 4 Internal Controls And Risks In IT Systems
Author: Leslie Turner
