Chapter 8Controlling Information Systems: Introduction to Pervasive and General Controls

TRUE/FALSE 1. IT governance leads to better organizational performance such as profitability. ANS: T 2. As an IT resource, information includes data in all their forms that are input, processed and output by information systems. ANS: T 3. As an IT resource, applications are automated systems and manual procedures that process information. ANS: T 4. The system of controls used in this text consists of the control environment, pervasive (and general controls, and IT general controls) control plans, and business process (and application) control plans. ANS: T 5. As used in the text, the information systems organization (function) is synonymous with the accounting function. ANS: F 6. The function composed of people, procedures, and equipment that is typically called the information systems department, IS department, or the IT department is the information systems organization. ANS: T 7. The IS function with the principal responsibilities of guiding and advising the information systems organization is the IT steering committee. ANS: T 8. The IS function with the principal responsibilities of insuring the security of all information systems function resources is data control. ANS: F 9. The IS function of quality assurance conducts reviews to determine adherence to IT standards and procedures and achievement of IT objectives. ANS: T 10. The chief information officer (CIO) prioritizes and selects IT projects and resources. ANS: F

11. Within the data center, the data control group is responsible for routing all work into and out of the data center, correcting errors, and monitoring error correction. ANS: T 12. The IS function of systems development provides efficient and effective operation of the computer equipment by performing tasks such as mounting tapes and disks, loading printer paper, and responding to computer messages. ANS: F 13. Within the data center, the data librarian function grants access to programs, data, and documentation to authorized personnel only. ANS: T 14. Combining the functions of authorizing and executing events is a violation of the organizational control plan known as segregation of duties. ANS: T 15. Segregation of duties consists of separating the four functions of authorizing events, executing events, recording events, and safeguarding the resources resulting from consummating the events. ANS: T 16. Embezzlement is a fraud committed by two or more individuals or departments. ANS: F 17. A small organization that does not have enough personnel to adequately segregate duties must rely on alternative controls, commonly called resource controls. ANS: F 18. The functions of the security officer commonly include assigning passwords and implementing and monitoring many of the pervasive resource security control plans. ANS: T 19. Individual departments coordinate the organizational and IT strategic planning processes and reviews and approves the strategic IT plan. ANS: F 20. The policy of requiring an employee to alternate jobs periodically is known as mandatory vacations. ANS: F 21. Forced vacations is a policy of requiring an employee to take leave from the job and substituting another employee in his or her place.

ANS: T 22. A fidelity bond indemnifies a company in case it suffers losses from defalcations committed by its employees. ANS: T 23. The product life cycle is a formal set of activities, or a process, used to develop and implement a new or modified information system. ANS: F 24. Computer software that is used to facilitate the execution of a given business process is called database management software. ANS: F 25. The systems documentation provides an overall description of the application, including the system's purpose; an overview of system procedures; and sample source documents, outputs, and reports. ANS: T 26. Program documentation provides a description of an application computer program and usually includes the program's purpose, program flowcharts, and source code listings. ANS: T 27. The user run manual gives detailed instructions to computer operators and to data control about a particular application. ANS: F 28. The operations run manual describes user procedures for an application and assists the user in preparing inputs and using outputs. ANS: F 29. Training materials are documentation that helps users learn their jobs and perform consistently in those jobs. ANS: T 30. Program change controls provide assurance that all program modifications are authorized and that the changes are completed, tested, and properly implemented. ANS: T 31. The terms contingency planning, disaster recovery planning, business interruption planning, and business continuity planning have all been used to describe the process that identifies events that may threaten an organization and provide a framework whereby the organization will continue to operate or resume operations with a minimum of disruption. ANS: T

32. Continuity is the process of using backup measures to either reconstruct lost data, programs, or documentation, or to continue operations in alternative facilities. ANS: F 33. With continuous data protection (CDP) all data changes are saved to secondary computer systems as changes are made on the primary system. ANS: T 34. The disaster backup and recovery technique known as electronic vaulting is a service whereby changes being made on a computer are automatically transmitted over the Internet on a continuous basis to an off-site server maintained by a third party. ANS: T 35. The disaster recovery strategy known as a cold site is a fully equipped data center that is made available on a standby basis to client companies for a monthly subscriber fee. ANS: F 36. A facility usually comprising air-conditioned space with a raised floor, telephone connections, and computer ports, into which a subscriber can move equipment, is called a hot site. ANS: F 37. In the case of a computer virus, a Web site is overwhelmed by an intentional onslaught of thousands of simultaneous messages, making it impossible for the attacked site to engage in its normal activities. ANS: F 38. Biometric identification systems identify authorized personnel through some unique physical trait such as fingers, hands, voice, eyes, face, or writing dynamics. ANS: T 39. Antivirus is a technique to protect one network from another "untrusted" network. ANS: F 40. The most common biometric devices perform retinal eye scans. ANS: F 41. In an online computing environment, the operating system software generally includes a(n) security module designed to restrict access to programs and data. ANS: T 42. In an online computing environment, the accumulation of access activity and its review by the security officer is called threat monitoring.

ANS: T 43. Application controls restrict access to data, programs, and documentation. ANS: F 44. Intrusion-detection systems (IDS) monitor system and network resources and activities and learn how users typically behave on the system. ANS: T 45. Intrusion-prevention systems (IPS) protect one network from another untrusted network. ANS: F 46. Periodic cleaning, testing, and adjusting of computer equipment is referred to as preventative maintenance. ANS: T 47. Computer hacking and cracking is the intentional, unauthorized access to an organization's computer system, accomplished by bypassing the system's access security controls. ANS: T MULTIPLE CHOICE 1. The use of IT resources for enterprise systems and e-business a. magnifies the importance of protecting the resources both within and outside of the organization from risks b. magnifies the importance of protecting the resources both within but not outside the of the organization from risks c. makes it easier to provide internal control risk when IT resources are interlinked d. none of the above ANS: A 2. Top 10 management concerns about ITs capability to support an organizations vision and strategy include all except the following: a. IT and business alignment b. security and privacy c. the Internet d. retaining IT professionals ANS: C 3. Top 10 security concerns reported in The Global State of Information Security 2005 as reported in CIO magazine include all the following except: a. disaster recovery/business continuity b. the Internet c. data backup d. overall information security strategy ANS: B

4. Pervasive control plans: a. are unrelated to applications control plans b. are a subset of applications control plans c. influence the effectiveness of applications control plans d. increase the efficiency of applications control plans ANS: C 5. COBIT was developed to: a. provide guidance to managers, users, and authors on the best practices for the management of information technology b. identify specific control plans that should be implemented to reduce the occurrence of fraud c. specify the components of an information system that should be installed in an ecommerce environment d. suggest the type of information that should be made available for management decision making ANS: A 6. The department within a company that develops and operates the computer information systems is often called the: a. information systems organization b. computer operations department c. controller d. computer technology branch ANS: A 7. In an information systems organization structure, the three functions that might logically report directly to the CIO would be: a. systems development, technical services, and data center b. systems development, database administration, and data center c. systems development, technical services, and data librarian d. applications programming, technical services, and data center ANS: A 8. Data in all their forms that are input, processed, and output by information system are called this IT resource: a. information b. applications c. infrastructure d. people ANS: A 9. Automated systems and manual procedures that process information are called this IT resource: a. information b. applications c. infrastructure d. people ANS: B

10. Which of the following IT resources includes hardware, operating systems, DBMSs, and networking? a. information b. applications c. infrastructure d. people ANS: C 11. ____ can consist of many computers and related equipment connected together via a network. a. PCs b. Servers c. LAN d. firewall ANS: C 12. In an information systems organization, which of the following reporting relationships makes the least sense? a. the data center manager reports to the CIO. b. systems development manager reports to the data center manager. c. database administration reports to the technical services manager. d. data librarian reports to the data center manager. ANS: B 13. In an information systems organization, all of the following functions might logically report to the data center manager except: a. data control b. data preparation c. data librarian d. quality assurance ANS: D 14. Managing functional units such as telecommunications, systems programming, and database administration typically is a major duty of: a. data center manager b. systems development c. technical services manager d. database administrator ANS: C 15. From the standpoint of achieving the operations system control goal of security of resources, which of the following segregation of duties possibilities is least important? a. between user departments and computer operations b. between data control and data preparation personnel c. between systems development and computer operators d. between technical services and data center ANS: B 16. A key control concern is that certain people within an organization have easy access to applications programs and data files. The people are: a. data librarians b. systems programmers

c. systems development d. data center managers ANS: B 17. Which of the following has the major duties of prioritizing and selecting IT projects and resources a. steering committee b. security officer c. CIO d. systems development manager ANS: A 18. Which of the following has the responsibility to ensure security of all IT resources? a. steering committee b. security officer c. CIO d. systems development manager ANS: B 19. Which of the following has the responsibility of efficient and effective operation of the information systems functions? a. steering committee b. security officer c. CIO d. systems development manager ANS: C 20. In an information systems organizational structure, the function of ____ is a central point from which to control data and is a central point of vulnerability. a. data control b. data preparation (data entry) c. data librarian d. database administration ANS: D 21. The control concern that there will be a high risk of data conversion errors relates primarily to which of the following information systems functions? a. data control b. data preparation (data entry) c. data librarian d. database administration ANS: B 22. The controlled access to files, programs, and documentation is a principal responsibility of which of the following functions? a. data control b. data preparation (data entry) c. data librarian d. computer operator ANS: C

23. Which of the following is not one of COBITs four broad IT control process domains? a. plan and organize b. acquire and implement c. development of IT solutions d. monitor and evaluate ANS: C 24. Which of the following is not an important strategic planning process? a. IT-related requirements to comply with industry, regulatory, legal, and contractual obligations, including privacy, transborder data flows, e-business, and insurance contracts b. an information architecture model encompassing the corporate data model and associated information systems c. The organization should adopt the systems development life cycle to ensure that comprehensive documentation is developed for each application d. an inventory of current IT capabilities ANS: C 25. Which one of the following is one of the two organization control plans that the book concentrates on? a. segregation of duties control plan b. the information systems organization c. selection and hiring control plans d. both a and b above ANS: D 26. The segregation of duties control plan consists of separating all of the following event-processing functions except: a. planning events b. authorizing events c. executing events d. recording events ANS: A 27. A warehouse clerk manually completing an order document and forwarding it to purchasing for approval is an example of: a. authorizing events b. executing events c. recording events d. safeguarding resources ANS: B 28. The data entry clerk types data from an order form into an on-line computer through a pre-formatted screen. This is an example of: a. authorizing events b. executing events c. recording events d. safeguarding resources ANS: B

29. Approving a customer credit purchase would be an example of which basic events processing function? a. authorizing events b. executing events c. recording events d. safeguarding resources ANS: A 30. An employee of a warehouse is responsible for taking a computer-generated shipping list, pulling the items from the warehouse shelves and placing them in a bin which is transferred to shipping when the list is completely filled. This is an example of: a. authorizing events b. executing events c. recording events d. safeguarding resources ANS: B 31. An outside auditing firm annually supervises a physical count of the items in a retail store's shelf inventory. This is an example of: a. authorizing events b. executing events c. recording events d. safeguarding resources ANS: D 32. A warehouse supervisor prepares a sales order listing items to be shipped to a customer and then signs it authorizing the removal of the items from the warehouse. The supervisor is performing which functions? a. authorizing events and safeguarding of resources b. executing and recording events c. authorizing and executing events d. authorizing and recording events ANS: C 33. A clerk receives checks and customer receipts in the mail. He endorses the checks, fills out the deposit slip, and posts the checks to the cash receipts events data. The clerk is exercising which functions? a. recording and executing events b. authorizing and executing events c. recording and authorizing events d. safeguarding of resources and authorizing events ANS: A 34. When segregation of duties cannot be effectively implemented because the organization is too small, we may rely on a more intensive implementation of other control plans such as personnel control plans. This is called: a. collusion controls b. compensatory controls c. authorizing controls d. inventory controls ANS: B

35. A method of separating systems development and operations is to prevent programmers from a. performing technical services b. performing database administration c. handling accounting operations d. operating the computer ANS: D 36. Which of the following control plans is not a retention control plan? a. creative and challenging work opportunities b. occasional performance evaluations c. competitive reward structure d. viable career paths ANS: B 37. Personnel development control plans consist of each of the following except: a. checking employment references b. providing sufficient and timely training c. supporting employee educational interests and pursuits d. performing scheduled evaluations ANS: A 38. The primary reasons for performing regular employee performance reviews include all of the following except: a. determine whether an employee is satisfying the requirements indicated by a job description b. assess an employee's strengths and weaknesses c. assist management in determining salary adjustments, promotions, or terminations d. develop a strategy for filling necessary positions ANS: D 39. A policy that requires employees to alternate jobs periodically is called: a. segregation of duties b. forced vacations c. rotation of duties d. personnel planning ANS: C 40. A control plan that is designed to detect a fraud by having a second person periodically do the job of the perpetrator of the fraud is called: a. segregation of duties b. forced vacations c. periodic audits d. management control ANS: B 41. A mechanism by which a company is reimbursed for any loss that occurs when an employee commits fraud is called a: a. segregation of duties b. fidelity bond

c. personnel planning control d. termination control plan ANS: B 42. Which of the following personnel security control plans is corrective in nature as opposed to being a preventive or detective control plan? a. rotation of duties b. fidelity bonding c. forced vacations d. performing scheduled evaluations ANS: B 43. Personnel termination control plans might include all of the following except: a. require immediate separation b. identify the employee's reasons for leaving c. establish a policy of forced vacations d. collect the employee's keys, badges, etc. ANS: C 44. The term systems development life cycle (SDLC) can mean any of the following except: a. a formal set of activities or process used to develop and implement a new or modified information system b. the documentation that specifies the systems analysis process c. the documentation that specifies the systems development process d. the progressing of information systems through the systems development process, from birth through ongoing use of the system ANS: B 45. Instructions for computer setup, required data, restart procedures, and error messages are typically contained in a(n): a. systems development standards manual b. program documentation manual c. operations run manual d. application documentation manual ANS: C 46. Application documentation that describes the application and contains instructions for preparing inputs and using outputs is a(n): a. operations run manual b. user manual c. program documentation d. systems documentation ANS: B 47. The six stages reflected in a business continuity management life cycle are (in sequential order): a. establish a formal business continuity management program, understand your business, create business continuity strategies, develop and implement a business continuity management response, build and embed a business continuity management culture, maintain and audit the plan b. understand your business, develop and implement a business continuity management

response, create business continuity strategies, build and embed a business continuity management culture, maintain and audit the plan, establish a formal business continuity management program c. understand your business, build and embed a business continuity management culture, create business continuity strategies, develop and implement a business continuity management response, maintain and audit the plan, establish a formal business continuity management program d. understand your business, establish a formal business continuity management program, create business continuity strategies, develop and implement a business continuity management response, build and embed a business continuity management culture, maintain and audit the plan, ANS: A 48. Alternative names for contingency planning include all of the following except: a. disaster recovery planning b. business interruption planning c. business disaster planning d. business continuity planning ANS: C 49. Which backup approach is the one that involves running two processing sites that contain the application programs and updated master data throughout normal processing activities? a. mirror site b. electronic vaulting c. continuous data protection (CDP) d. dumping ANS: C 50. All of the following are components of a backup and recovery strategy except: a. echo checking b. mirror site c. electronic vaulting d. hot site ANS: A 51. Which of the following statements related to denial of service attacks is false? a. Insurance is available to offset the losses suffered by denial of service attacks. b. A denial of service attack is designed to overwhelm a web site, making it incapable of performing normal functions. c. Web sites can employ filters to detect multiple messages from a single site. d. The most effective attacks originate from a small cluster of computers in a remote geographic region. ANS: D 52. In an on-line computer system, restricting user access to programs and data files includes all of the following except: a. user identification b. user authentication c. determining user access rights d. wearing identification badges

ANS: D 53. Security modules are examples of: a. department controls b. preventive controls c. corrective controls d. management controls ANS: B 54. Which of the following controls restrict access to programs, data, and documentation that are stored off-line in a physically controlled area? a. library controls b. password controls c. authentication controls d. program change controls ANS: A 55. A portion of the threat monitoring portion of the security module that profiles the typical behavior of users and can detect exceptional activity is known as: a. biometrics b. electronic vaulting c. intrusion detection systems (IDS) d. cost variance analysis ANS: C 56. Protecting resources against environmental hazards might include all of the following control plans except: a. fire alarms and smoke detectors b. automatic extinguisher systems c. voltage regulators d. security modules ANS: D 57. Which of the following statements regarding computer hacking is false? a. Some hackers use a sniffer programs that travel over telephone lines collecting passwords. b. Accountants can be engaged to test system security by attempting to hack into a system. c. Computer hacking is an intrusion into an information system from a person outside the organization. d. Hackers can obtain user names and passwords by posing as a legitimate employee and requesting sensitive information from another employee. ANS: C COMPLETION 1. ______________________________ consists of the leadership, organizational structures, and processes that ensure that the enterprisess IT sustains and extends the organizations strategies and objectives. ANS: IT governance

2. Data in all their forms that are input, processed, and output by information systems is the IT resource ____________________. ANS: information 3. IT resource that are automated systems and manual procedures that process information _________________________. ANS: applications 4. The system of controls used in this text consists of the ______________________________, ____________________ control plans, and business process (and application) control plans. ANS: control environment pervasive (and general and IT general) 5. As used in the text, the information systems organization is synonymous with the ______________________________. ANS: IT department 6. The function composed of people, procedures, and equipment that is typically called the information systems department, IS department, or IT department is the _____________________________________________. ANS: information systems organization 7. The function with the principal responsibilities of guiding and advising the information systems function is the ______________________________. ANS: IT steering committee 8. The function with the principal responsibilities of insuring the security of all information systems function resources is the ______________________________. ANS: security officer 9. The information systems function ______________________________ conducts reviews to determine adherence to IT standards and procedures and achievement of IT objectives. ANS: quality assurance 10. Within the data center, the ______________________________ group is responsible for routing all work in to and out of the data center, correcting errors, and monitoring all error correction. ANS: data control 11. The information systems function ______________________________ provides efficient and effective operation of the computer equipment by performing tasks such as mounting tapes, disks, and other media and monitoring equipment operation. ANS: computer operations

12. Within the data center, the ______________________________ function grants access to programs, data, and documentation to authorized personnel only. ANS: data librarian 13. Combining the functions of authorizing and executing events is a violation of the organizational control plan known as ______________________________. ANS: segregation of duties 14. Segregation of duties consists of separating the four functions of authorizing events, ____________________ events, ____________________ events, and safeguarding the resources resulting from consummating the events. ANS: executing, recording 15. ____________________ is any fraud committed by two or more individuals or departments. ANS: Collusion 16. A small organization that does not have enough personnel to adequately segregate duties must rely on alternative controls, commonly called ___________________________________. ANS: compensatory controls 17. The functions of the ______________________________ commonly include assigning passwords and implementing and monitoring many of the pervasive resource security control plans. ANS: security officer 18. The ___________________________________ coordinates the organizational and IT strategic planning processes and reviews and approves the strategic IT plan. ANS: information technology steering committee IT steering committee 19. The policy of requiring an employee to alternate jobs periodically is known as ______________________________. ANS: rotation of duties 20. ______________________________ is a policy of requiring an employee to take leave from the job and substituting another employee in his or her place. ANS: Forced vacations 21. A(n) ______________________________ indemnifies a company in case it suffers losses from defalcations committed by its employees. ANS: fidelity bond

22. The ______________________________ is a formal set of activities, or a process, used to develop and implement a new or modified information system. ANS: system development life cycle SDLC 23. Computer software that is used to facilitate the execution of a given business process is called ___________________________________. ANS: application software 24. The ____________________ documentation provides an overall description of the application, including the system's purpose; an overview of system procedures; and sample source documents, outputs, and reports. ANS: systems 25. ____________________ documentation provides a description of an application computer program and usually includes the program's purpose, program flowcharts, and source code listings. ANS: Program 26. The ______________________________ gives detailed instructions to computer operators and to data control about a particular application. ANS: operations run manual 27. The _________________________ describes user procedures for an application and assists the user in preparing inputs and using outputs. ANS: user manual 28. ______________________________ are documentation that helps users learn their jobs and perform consistently in those jobs. ANS: Training materials 29. ________________________________________ provide assurance that all program modifications are authorized and that the changes are completed, tested, and properly implemented. ANS: Program change controls 30. The terms ____________________ planning, disaster recovery planning, business interruption planning, and business continuity planning have all been used to describe the backup and recovery control plans designed to ensure that an organization can recover from a major calamity. ANS: contingency 31. A technique known as ___________________________________ uses a service whereby data changes made on a computer are automatically transmitted over the Internet on a continuous basis to an off-site server maintained by a third party. ANS: electronic vaulting

32. The data replication strategy known as ________________________________________ whereby all data changes are saved to secondary systems as the changes are happening on the primary system. ANS: continuous data protection CDP 33. The disaster recovery strategy known as a(n) ____________________ is a fully equipped data center that is made available on a standby basis to client companies for a monthly subscriber's fee. ANS: hot site 34. A facility usually comprising air-conditioned space with a raised floor, telephone connections, and computer ports, into which a subscriber can move equipment, is called a(n) ____________________. ANS: cold site 35. In a ___________________________________ a web site is overwhelmed by an intentional onslaught of thousands of simultaneous messages, making it impossible for the attacked site to engage in its normal activities. ANS: denial of service attack 36. ____________________ identification systems identify authorized personnel through some unique physical trait such as fingers, hands, voice, eyes, face, and writing dynamics. ANS: Biometric 37. A(n) ____________________ is a technique to protect one network from another "untrusted" network. ANS: firewall 38. The most common biometric devices read ____________________. ANS: fingerprints thumbprints 39. In an online environment, the operating system software generally includes a(n) ______________________________ designed to restrict access to programs and data. ANS: security module 40. In an online computer environment, the accumulation of access activity and its review by the security officer is also called ______________________________. ANS: threat monitoring 41. Periodic cleaning, testing, and adjusting of computer equipment is referred to as ______________________________. ANS: preventive maintenance

42. ______________________________ is the intentional penetration of an organization's computer system, accomplished by bypassing the system's access security controls. ANS: Computer hacking Computer cracking 43. We periodically make copies of important stored data, programs, and documentation. These copies are called ____________________. ANS: backups 44. The process whereby we restore lost data and continue operations is called ____________________. ANS: recovery 45. The computing site that maintains copies of a primary computing sites programs and data is a ____________________ site. ANS: mirror 46. In a ___________________________________ a Web site is overwhelmed by an intentional onslaught of thousands of simultaneous messages making it impossible for the attached site to engage in its normal activities. ANS: denial-of-service attack 47. A _____________________________________________ uses many computers, called zombies, that unwittingly cooperate in a denial-of-service attack by sending messages to the target Web site. ANS: distributed denial-of-service attack 48. A ____________________ is a technique to protect one network from another untrusted network by blocking certain kinds of traffic. ANS: firewall 49. The ___________________________________ is the threat monitoring portion of the security module that monitors system and network resources and activities and learns how users typically behave on the system. ANS: intrusion-detection system IDS 50. The ___________________________________ actively blocks unauthorized traffic using rules specified by the organization. ANS: intrusion-prevention system IPS

PROBLEM 1. Below is an alphabetical list of ten functional titles for the information systems organization structure shown in Chapter 8. The second list contains descriptions (some partial) of the duties and responsibilities of ten of the functions. Required: On the blank line to the left of each numbered description, place the capital letter of the functional title that best matches the duties and responsibilities described. Do not use a letter more than once. Functional Title F. Systems programming G. Technical services manager H. CIO I. Steering committee J. Security officer DUTIES AND RESPONSIBILITIES 1. 2. Deliver cost-effective, bug-free applications. Route work into and out of the data center, correct errors, monitor all error correction. Plan IT acquisition and development. Conduct reviews to determine adherence to IT standards and procedures and achievement of IT objectives. Issue programs, files, and documentation to authorized users. Manage functional units such as networks, CAD/CAM, systems programming, and program maintenance. Modify and adapt operating systems software and various utility routines. Enter (convert) data into machine-readable form. Physical security Prioritize and select IT projects and resources

A. B. C. D. E.

Quality assurance Data control Data librarian Data preparation Systems development

Answers _____ _____

_____ _____

3. 4.

_____ _____

5. 6.

_____ _____ _____ _____

7. 8. 9. 10.

ANS: Duties and responsibilities Description 1 2 3 4

Answer E B H A

5 6 7 8 9 10

C G F D J I

2. The four events-processing functions that constitute the segregation of duties control plan are: A. B. C. D. Authorizing events Executing events Recording events Safeguarding resources resulting from consummating events

Required: Below is a list of ten events-processing activities, five relating to the cycle of activities involved in processing a sales event and five relating to the cycle for a purchase event. Classify each of the ten activities into one of the four functional categories listed above by placing the letter A, B, C, or D on the answer line to the left of each number. You should use only one letter for each of the ten answers. EVENT-PROCESSING ACTIVITIES Answers _____ 1. (For a sales event) The order entry department instructs the shipping department to ship goods to a customer by sending an approved document to the shipping department. The shipping department keeps inventory items in a locked storeroom. The billing department prepares and mails a bill to the customer. The invoice in item 3 is added to the customer balance in the accounts receivable master data. The general ledger bookkeeper enters a sales event in a data file. (For a purchase event) _____ 6. 7. _____ _____ 8. The purchasing department is requested to order goods The purchasing department receives a signed request document from the inventory control department. The purchasing department manager reviews and signs all order documents in excess of $100. The goods are received from the vendor The receiving department completes the receiving report The goods received in item 8 are placed into the locked inventory storeroom.

_____ _____ _____

2. 3. 4.

_____

5.

_____ _____ _____

9. 10. 11.

_____ ANS:

12.

A payable is recognized by updating the accounts payable master data.

Transaction Activity 1 2 3 4 5 6 7 8 9 10 11 12

Answer A D B C C B A A B C D C

3. Listed below are several pervasive control plans discussed in Chapter 8. On the blank line to the left of each control plan, insert a "P" (preventive), "D" (detective), or "C" (corrective) to best classify that control. If you think that more than one code could apply to a particular plan, insert all appropriate codes and briefly explain your answer: CODE _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. CONTROL PLAN Hot site Program change controls Fire and water alarms Adequate fire and water insurance Install batteries for temporary loss in power Continuous-data protection (CDP) Intrusion-detection system (IDS) IT steering committee Security officer Operations run manuals Rotation of duties and forced vacations Fidelity bonding Personnel performance evaluations Personnel termination procedures

_____ _____ _____ _____

15. 16. 17. 18.

Segregation of duties Threat monitoring Disaster recovery planning Restrict entry to the computer facility through the use of security guards, locks, badges, and identification cards Security module Library controls

_____ _____ ANS: CODE __P__ __P__ __P__ __C__ __C__ __C__ __D__ __P__ __P__ __P__ P or D __C__ P or D __P__ P or D __P__ __C__ __P__

19. 20.

CONTROL PLAN 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. Hot site Program change controls Fire and water alarms Adequate fire and water insurance Install batteries for temporary loss in power Continuous-data protection (CDP) Intrusion-detection system (IDS) IT steering committee Security officer Operations run manuals Rotation of duties and forced vacations Fidelity bonding Personnel performance evaluations Personnel termination procedures Segregation of duties Threat monitoring Disaster recovery planning Restrict entry to the computer facility through the use of security guards,

locks, badges, and identification cards P or D P or D 19. 20. Security module Library controls

4. The first list below contains 10 control plans discussed in Chapter 8. The second list describes 10 system failures that have control implications. Required: On the answer line to the left of each system failure, insert the capital letter from the first list of the best control plan to prevent the system failure from occurring. If you can't find a control that will prevent the failure, then choose a detective or a corrective plan. A letter should be used only once. Control Plans Personnel development control plans Operations run manuals Disaster recovery plans Program change controls Librarian controls Segregation of systems development and programming from computer operations Retention control plans Restriction of physical access to computer resources Segregation of recording events from safeguarding resources Biometric identification system SYSTEM FAILURES 1. The controller at Infotech, Inc., has just completed an analysis of personnel costs and believes that the costs associated with training new personnel is too high. She attributes this high cost to the increasing rate at which employees are being hired to replace defections to Infotech's competitors. Paul the programmer has modified the accounts receivable statement program so that the receivables from his cousin Peter will be eliminated from the accounts receivable master file upon printing of the monthly statements. Paul made these changes to the program while he was operating the computer on a Saturday morning. When the hurricane hit the coast, Soggy Records Company lost the use of its flooded computer room. In such cases, plans called for using an alternate computer center 100 miles inland. However, Soggy was unable to operate in the alternate facility because the company's programs and files were lost in the flooded computer facility. All the files were lost at the Stoughton Company when a visitor sat down at a computer terminal, signed on using one of the passwords posted on the computer terminals, and erased some of the data files. Sally is the inventory control/warehouse clerk at Techtron Inc. She has been stealing secret computer components from the warehouse, selling them to foreign agents, and covering up her thefts by altering the inventory records.

A. B. C. D. E. F. G. H. I. J.

Answers _____

_____

2.

_____

3.

_____

4.

_____

5.

_____

6.

At Maralee Company, there seems to be a lack of progression from lower to middle management. Edward, the director of personnel, believes that the people being hired have great potential, but they are just not realizing their potential. Roger, the night-shift computer operator, has had occasion several times in the last month to call his supervisor to receive assistance--over the telephone--to correct a problem that he was having in operating the computer. Mary had become quite unhappy with her job at Funk, Inc. She knew that she was going to quit soon and decided to destroy some computer files. Using her own username and password, she found several disk packs on a table outside the computer room and proceeded to "erase" the data with a powerful magnet. After Mary's departure, Funk spent several months reconstructing the data that had been on the lost files. One of the inventory control programs at Excess Company has been ordering more inventory than is required, causing an overstock condition on many items. During an investigation of the problem, it was discovered that the inventory ordering program had recently been changed. The changes were approved, but the new program was never tested. Sydney, the computer operator, did not want to go to work one day because he wanted to go sailing. He gave his ID card to his cousin Vinny who went to work for him. Even though he was a computer operator, Vinny did not know how to operate this computer. He made mistakes and destroyed some data.

_____

7.

_____

8.

_____

9.

_____

10.

ANS: System Failure Number 1 2 3 4 5 6 7 8 9 10

Answer G F C H I A B E D J

5. The first list below contains 10 control plans discussed in Chapter 8. The second list describes 10 system failures that have control implications. Required: On the answer line to the left of each system failure, insert the capital letter from the first list of the best control plan to prevent the system failure from occurring. (If you can't find a control that will prevent the failure, then choose a detective plan or, as a last resort, a corrective control plan). A letter should be used only once.

A. B. C. D. E. F. G. H. I. J.

Control Plans Selection and hiring control plans Documentation control plans Segregation of programmers from computer operations Forced vacations Biometric identification system Fire-protection control plans IT steering committee Off-site storage of back up computer files Program change controls Continuous-data protection (CDP) SYSTEM FAILURES 1. While moving the new payroll program from testing status into production status, Peter the programmer made a change to the program and then go to computer operations so that each time payroll was run, his pay would be incremented by 10%. 2. Cary enters cash receipts into the computer at Kiting Inc. For the past year she has been pocketing customer payments. To keep herself from being discovered, she enters credit memos into the computer, which records them as reductions in the customers' accounts receivable records--as if the payment had been made. 3. Procedures for the approval of orders have been put in place at Overstock Company. Clyde, the new purchasing agent, was given a briefing on these procedures when he was hired and has been applying those procedures as best as he can remember them. Consequently, Clyde sometimes orders more inventory than is required. 4. The new sales reporting system includes a computer printout that was supposed to report daily sales to the V.P. of marketing. The report was never tested and contains erroneous sales figures and is not presented in the format required by the V.P. 5. There was a flood and all of the computers and all their data were destroyed. 6. Freida was just hired as a computer operator at Vertigo Inc. Just a few days after being hired, she discovered that she would not be allowed to spend some of her time writing computer programs. This was contrary to what she was told initially, and she is now quite unhappy with her circumstances. 7. After careful screening and selection of employees, an organization issues its employees name badges with magnetic strips that stores the employees' personal information. Employees in the IT function can scan the badges to gain entry into various rooms within the IT center. Recently management discovered that employees are sharing their badges to enable them to gain access to every room in the facility. 8. A fire at the Mitre Corporation caused the release of a poisonous gas which contaminated the entire building. While the computer files were not destroyed during the fire, they were contaminated and cannot be removed from the building and personnel cannot enter the building. It took several months to

Answers _____

_____

_____

_____

_____ _____

_____

_____

recreate the computer files. _____ 9. Sandisfield, Inc. has many IT projects under consideration for development. The CFO has some political connections with the CIO and so financial applications are given a green light for development while projects for marketing and logistics are put on hold. 10. Jet Red Airlines, a new, low-cost start-up airline, has decided to operate its own Web site and reservation system that is running on servers located at the headquarters. One day, the server room was flooded, the reservation system was not available for many hours, and many reservations were lost.

______

ANS: System Failure Number 1 2 3 4 5 6 7 8 9 10

Answer C D B I H A E F G J