Test bank accounting information system by turner 04 chapter

To download more slides, ebook, solutions and test bank, visit http://downloadslide.blogspot.com ACCOUNTING INFORMATION SYSTEMS CONTROLS AND PROCESSES TURNER / WEICKGENANNT CHAPTER 4: Internal Controls and Risks in IT Systems TEST BANK - CHAPTER - TRUE / FALSE If a company’s IT system fails, it would have little or no effect on the company’s operations It is necessary for students and accountants to understand the types of threats that may affect an accounting system, so that the threats can be avoided It is important for accountants to consider possible threats to the IT system and to know how to implement controls to try to prevent those threats from becoming reality General controls apply to the IT accounting system and are not restricted to any particular accounting application The use of passwords to allow only authorized users to log into an IT system is an example of an application control Application controls apply to the IT accounting system and are not restricted to any particular accounting application The use of passwords to allow only authorized users to log into an IT system is an example of a general control General controls are used specifically in accounting applications to control inputs, processing, and outputs Application controls are intended to ensure that inputs and processing are accurate and complete and that outputs are properly distributed, controlled, and disposed 10 A validity checks is an example of an input application control 11 To increase the effectiveness of login restrictions, user Ids must be unique for each user 12 To increase the effectiveness of login restrictions, passwords must be unique for each user 13 Biometric devises use unique physical characteristics to identify users The most common method used is retina scans 14 There are a number of methods described that are intended to limit log-ins exclusively to authorized users The only method that is foolproof is the biometric devices 15 The user ID and password for a 
particular user should not allow access to the configuration tables unless that user is authorized to change the configuration settings To download more slides, ebook, solutions and test bank, visit http://downloadslide.blogspot.com 16 It is necessary for an IT system to be networked to an external internet to be open to opportunities for unauthorized access 17 Unauthorized access is a concern when an IT system is networked to either internal networks or the Internet 18 A firewall can prevent the unauthorized flow of data in both directions 19 Deciphering renders data useless to those who not have the correct encryption key 20 Discussing the strength of encryption refers to how difficult it would be to break the code 21 The longer the encryption key is bits; the more difficult it will be to break the code 22 The longest encryption keys are 128 bits 23 Encryption is more important for dial-up networks than for wireless networks 24 Using a unique service set identifier (SSID) makes it more difficult for an outsider to access the wireless network 25 The VPN, virtual private network, uses the internet and is therefore not truly private – but is virtually private 26 Once an organization has set up an effective system to prevent unauthorized access to the IT system, it is not necessary to continually monitor the vulnerability of that system 27 It is important to understand that the IT governance committee delegates many of its duties by the policies that it develops 28 The most important factor in controlling IT systems is the maintenance of the vulnerability assessment activities 29 In a properly segregated IT system, no single person or department should develop computer programs and also have access to data that is commensurate with operations personnel 30 It is proper that the database administrator develop and write programs 31 To the extent possible, IT systems should be installed in locations away from any location likely to be affected by natural disasters 32 It 
is not necessary to control the humidity and temperature in the location where the computer system is housed 33 Disaster recovery planning is a proactive plan to protect IT systems and the related data 34 Each organization has to decide which combination of IT controls is most suitable for its IT system, making sure that the benefits of each control outweigh its costs To download more slides, ebook, solutions and test bank, visit http://downloadslide.blogspot.com 35 Controls will help to reduce risks, but it is impossible to completely eliminate risks 36 It is possible to completely eliminate risks with the proper controls 37 The most popular type of type of unauthorized access is probably by a person known to the organization 38 Employees who hack into computer networks are often more dangerous because of their knowledge of company operations 39 It is necessary to identify the “entry points” in the IT system that make an organization susceptible to IT risks 40 Access to the operating system will not allow hackers access to the application software or the database 41 Controlling access to the operating system is critical because that access opens access to any data or program within the system 42 A database is often less open to unauthorized access than the physical, paper records, because the database has fewer access points 43 The workstations and the network cabling and connections represent spots were an intruder could tap into the network for unauthorized access 44 In a wireless network, signals are transmitted through the air rather than over cables Anyone who wants to gain access to the network would need to know the password to access these “air-borne” signals FALSE 45 The use of dual firewalls - one between the internet and the web server and one between the web server and the organization’s network - can help prevent unauthorized from accessing the organization’s internal network of computers 46 Telecommuting workers cause two sources of risk exposures 
for their organizations - the network equipment and cabling in addition to the teleworker’s computer - with only “entrypoint” being teleworker’s computer 47 Many IT systems not use source documents; the input is automatic 48 If no source documents are used by the IT system, then the general controls, such as computer logging of transactions, become less important 49 The group of controls referred to as Source Document Controls does not include form design 50 The closer the source document matches the input screen, the easier it will be for the data entry employee to complete the input screen without errors To download more slides, ebook, solutions and test bank, visit http://downloadslide.blogspot.com 51 The form authorization and control includes the requirement that source documents should be prenumbered and are to be used in sequence 52 Once the data from the source documents have been keyed into the computer, the source document can be destroyed 53 With the proper training of employees and the adequate controls, it would be possible to eliminate all errors 54 To verify the accuracy of application software, an organization should be sure the software is tested before it is implemented and must regularly test it after implementation 55 An organization must maintain procedures to protect the output from unauthorized access in the form of written guidelines and procedures for output distribution 56 Management must discourage illegal behavior by employees, such as the misuse of computers and theft through the computer systems ANSWERS TO TEST BANKCHAPTER F 11 T 21 F 12 F 22 T 13 F 23 T 14 F 24 F 15 T 25 F 16 F 26 T 17 T 27 F 18 T 28 T 19 F 29 10 T 20 T 30 – TRUE / FALSE: T 31 T F 32 F F 33 F T 34 T T 35 T F 36 F T 37 F F 38 T T 39 T F 40 F 41 42 43 44 45 46 47 48 49 50 T F T F T F T F F T 51 52 53 54 55 56 T F F T T F TEST BANK - CHAPTER - MULTIPLE CHOICE 57 Unchecked risks and threats to the IT could result in: A An interruption of the computer operations B Damage 
to an organization C Incorrect or incomplete accounting information D All of the above 58 In order to master risks and controls and how they fit together, which of the following is NOT one of the areas to fully understand? A The accounting information system B The description of the general and application controls that should exist in IT system C The type and nature of risks in IT systems D The recognition of how controls can be used to reduce risk To download more slides, ebook, solutions and test bank, visit http://downloadslide.blogspot.com 59 General controls in IT systems are divided into five broad categories Which of the following is NOT one of those categories? A Authentication of uses and limiting unauthorized access B Output controls C Organization structure D Physical environment and physical security of the system 60 A process or procedure in an IT system to ensure that the person accessing the IT system is value and authorized is called: A Hacking and other network break-ins B Physical environment and physical security C Authentication of users and limiting unauthorized access D Organizational structure 61 This term relates to making the computer recognize a user in order to create a connection at the beginning of the computer session A User ID B Password C Smart card D Login 62 Which of the following is NOT one of the rules for the effective use of passwords? A Passwords should not be case sensitive B Passwords should be at least characters in length C Passwords should contain at least one nonalphanumeric character D Password should be changed every 90 days 63 Which of the following is not a good example of an effective password? 
A Abc*$123 B a1b2c3 C A*1b?2C$3 D MSU#Rules$ 64 This item, that strengthens the use of passwords, is plugged into the computer’s card reader and helps authenticate that the use is valid; it has an integrated circuit that displays a constantly changing ID code These statements describe: A Security token B USB control key C Smart card D Biometrics 65 A new technology that is used to authenticate users is one that plugs into the USB port and eliminates the need for a card reader This item is called a: A Biometric reader B Smart card C USB smart key D Security token To download more slides, ebook, solutions and test bank, visit http://downloadslide.blogspot.com 66 The use of the smart card or security tokens is referred to as a two factor authorization because: A It is based on something the user has, the token or card, and something the user knows, the password B It requires that the user is granted the card / token in a secure environment and that the user actually uses the card / token C It requires that the user has two different authorizations: (1) to receive the card / token, and (2) to use the card / token D It requires the use the card / token to (1) login to the system and (2) access the applications 67 This type of authentication uses some unique physical characteristic of the user to identify the user and allow the appropriate access to the system A Nonrepudiation card B Biometric device C Configuration table D Computer log 68 Which of the following is not an example of physical characteristics being used in biometric devices? A Retina scans B Fingerprint matching C Social security number D Voice verification 69 There are a number of reasons that all access to the IT system be logged - which includes a computer log of all dates, times, and uses for each user Which of the following is not one of the reasons for the log to be maintained? 
A Any login or use abnormalities can be examined in more detail to determine any weaknesses in the login procedures B A user cannot deny any particular act that he or she did on the system C To establish nonrepudiation of sales transactions by a customer D To establish a user profile 70 This should be established for every authorized user and determines each user’s access level to hardware, software, and data according to the individual’s job responsibilities A User profile B User password C User ID D User log 71 This A B C D table contains a list of valid, authorized users and the access level granted to each one User table Authority table Authentication table Configuration table To download more slides, ebook, solutions and test bank, visit http://downloadslide.blogspot.com 72 The IT system includes this type of table for software, hardware, and application programs that contain the appropriate set-up and security settings A Configuration table B Authentication table C User table D Authority table 73 Nonrepudiation means that: A A user is not authorized to change configuration settings B A user is not allowed access to the authority tables C A user can prevent the unauthorized flow of data in both directions D A user cannot deny any particular act that he or she did on the IT system 74 Hardware, software, or a combination of both that is designed to block unauthorized access to an IT system is called: A Computer log B Biometric device C Firewall D Security token 75 The A B C D process of converting data into secret codes referred to cipher text is called: Deciphering Encryption Nonrepudiation Enciphering 76 This form of encryption uses a single encryption key that must be used to encrypt data and also to decode the encrypted data A Multiple encryptions B Public key encryption C Wired encryption D Symmetric encryption 77 This form of encryption uses a public key, which is known by everyone, to encrypt data, and a private key, to decode the data A Multiple 
encryptions B Public key encryption C Wired encryption D Symmetric encryption 78 This encryption method, used with wireless network equipment, is symmetric in that both the sending and receiving network nodes must use the same encryption key It has been proven to be susceptible to hacking A Wired Equivalency Privacy (WEP) B Wired Encryption Policy (WEP) C Wireless Protection Access (WPA) D Wired Privacy Authentication (WPA) To download more slides, ebook, solutions and test bank, visit http://downloadslide.blogspot.com 79 This encryption method requests connection to the network via an access point and that point then requests the use identity and transmits that identity to an authentication server, substantially authenticating the computer and the user A Wired Equivalency Privacy (WEP) B Wired Encryption Provider (WEP) C Wireless Provider Authentication (WPA) D Wireless Protection Access (WPA) 80 This security feature, used on wireless networks, is a password that is passed between the sending and receiving nodes of a wireless network A Secure sockets layer B Service set identifier C Wired provided access D Virtual private network 81 Authorized employees may need to access the company IT system from locations outside the organization These employees should connect to the IT system using this type of network A Secure socket network B Service set identifier C Virtual private network D Wireless encryption portal 82 The type of network uses tunnels, authentication, and encryption within the Internet network to isolate Internet communications so that unauthorized users cannot access or use certain data A Residential user network B Service internet parameter network C Virtual private network D Virtual public network 83 This communication protocol is built into web server and browser software that encrypts data transferred on that website You can determine if a website uses this technology by looking at the URL A Secure sockets layer B Service security line C Secure 
encryption network D Secure service layer 84 Which of the following URL’s would indicate that the site is using browser software that encrypts data transferred to the website? A shttp://misu B https://misu C http://smisus D https://smisus To download more slides, ebook, solutions and test bank, visit http://downloadslide.blogspot.com 85 A self-replicating piece of program code that can attach itself to other programs and data and perform malicious actions is referred to as a(n): A Worm B Encryption C Virus D Infection 86 A small piece of program code that attaches to the computer’s unused memory space and replicates itself until the system becomes overloaded and shuts down is called: A Infections B Virus C Serum D Worm 87 This type of software should be used to avoid destruction of data programs and to maintain operation of the IT system It continually scans the system for viruses and worms and either deletes or quarantines them A Penicillin Software B Antivirus Software C Infection Software D Internet Software 88 The process of proactively examining the IT system for weaknesses that can be exploited by hackers, viruses, or malicious employees is called: A Intrusion detection B Virus management C Vulnerability assessment D Penetration testing 89 This method of monitoring exposure can involve either manual testing or automated software tools The method can identify weaknesses before they become network break-ins and attempt to fix these weaknesses before they are exploited A Vulnerability assessment B Intrusion detection C Encryption examination D Penetration testing 90 Specific software tools that monitor data flow within a network and alert the IT staff to hacking attempts or other unauthorized access attempts is called: A Security detection B Vulnerability assessment C Penetration testing D Intrusion detection To download more slides, ebook, solutions and test bank, visit http://downloadslide.blogspot.com 91 The process of legitimately attempting to hack into an 
IT system to find whether weaknesses can be exploited by unauthorized hackers is referred to as: A Vulnerability assessment B Intrusion detection C Penetration testing D Worm detection 92 The function of this committee is to govern the overall development and operation of IT systems A IT Budget Committee B IT Audit Committee C IT Governance Committee D IT Oversight Committee 93 Which of the following would normally not be found on the IT Governance Committee? A Computer input operators B Chief Executive Officer C Chief Information Officer D Heads of business units 94 The IT Governance Committee has several important responsibilities Which of the following is not normally one of those responsibilities? A Align IT investments to business strategies B Oversee and prioritize changes to IT systems C Develop, monitor, and review security procedures D Investing excess IT funds in long-term investments 95 The functional responsibilities within an IT system must include the proper segregation of duties Which of the following positions is not one of the duties that are to be segregated from the others? 
A Systems analysts B Chief information officer C Database administrator D Operations personnel 96 The systematic steps undertaken to plan, prioritize, authorize, oversee, test, and implement large-scale changes to the IT system are called: A IT Governance System B Operations Governance C System Development Life Cycle D Systems Analysis 97 General controls for an IT system include: A Controls over the physical environment only B Controls over the physical access only C Controls over the physical environment and over the physical access D None of the above To download more slides, ebook, solutions and test bank, visit http://downloadslide.blogspot.com 134 The A B C D totals of fields that have no apparent logical reason to be added are called: Record Totals Digit Totals Batch Totals Hash Totals 135 These controls are intended to prevent, detect, or correct errors that occur during the processing of an application A Application Controls B Source Document Controls C Processing Controls D Input Controls 136 A primary objective of output controls would be: A Manage the safekeeping of source documents B Assure the accuracy and completeness of the output C Ensure that the input data is accurate D Prevention and detection of processing errors 137 The responsibility of management to safeguard assets and funds entrusted to them by the owners of an organization is referred to as: A Stewardship Responsibility B IT System Controls C Application Controls D Internal Controls ANSWERS TO TEST BANKCHAPTER 57 D 71 B 85 58 A 72 A 86 59 B 73 D 87 60 C 74 C 88 61 D 75 B 89 62 A 76 D 90 63 B 77 B 91 64 C 78 A 92 65 D 79 D 93 66 A 80 B 94 67 B 81 C 95 68 C 82 C 96 69 D 83 A 97 70 A 84 B 98 – MULTIPLE CHOICE: C 99 C D 100 D B 101 B C 102 C A 103 A D 104 C C 105 B C 106 A A 107 D D 108 A B 109 D C 110 B C 111 C A 112 B 113 114 115 116 117 118 119 120 121 122 123 124 125 126 D A C C B A C D B C B A D C 127 128 129 130 131 132 133 134 135 136 137 D A C B D B A D C B A To download more slides, 
ebook, solutions and test bank, visit http://downloadslide.blogspot.com TEST BANK - CHAPTER – END OF CHAPTER QUESTIONS: 138 Internal controls that apply overall to the IT system are called: A Overall Controls B Technology Controls C Application Controls D General Controls 139 In entering client contact information in the computerized database of a telemarketing business, a clerk erroneously entered nonexistent area codes for a block of new clients This error rendered the block of contact useless to the company Which of the following would most likely have led to discovery of this error into the company’s computerized system? A Limit check B Validity check C Sequence check D Record count 140 Which of the following is not a control intended to authenticate users? A Use log–in B Security token C Encryption D Biometric devices 141 Management of an internet retail company is concerned about the possibility of computer data eavesdropping and wiretapping, and wants to maintain the confidentiality of its information as it is transmitted The company should make use of: A Data encryption B Redundant servers C Input controls D Password codes 142 An IT governance committee has several responsibilities Which of the following is least likely to be a responsibility of the IT governance committee? A Develop and maintain the database and ensure adequate controls over the database B Develop, monitor, and review security policies C Oversee and prioritize changes to IT systems D Align IT investments to business strategy 143 AICPA Trust Principles describe five categories of IT risks and controls Which of these five categories would be described by the statement, “The system is protected against unauthorized access”? 
A Security B Confidentiality C Processing integrity D Availability To download more slides, ebook, solutions and test bank, visit http://downloadslide.blogspot.com 144 The A B C D risk that an unauthorized user would shut down systems within the IT system is a(n): Security risk Availability risk Processing integrity risk Confidentiality risk 145 The risk of an unauthorized user gaining access is likely to be a risk for which of the following areas? A Telecommuting workers B Internet C Wireless networks D All of the above 146 Which programmed input validation check compares the value in a field with related fields which determine whether the value is appropriate? A Completeness check B Validity check C Reasonableness check D Completeness check 147 Which programmed input validation check determines whether the appropriate type of data, either alphabetic or numeric, was entered? A Completeness check B Validity check C Reasonableness check D Field check 148 Which programmed input validation makes sure t hat a value was entered in all of the critical fields? A Completeness check B Validity check C Reasonableness check D Field check 149 Which control total is the total of field values that are added for control purposes, but not added for any other purpose? A Record count B Hash total C Batch total D Field total To download more slides, ebook, solutions and test bank, visit http://downloadslide.blogspot.com 150 A company has the following invoices in a batch: Invoice No 401 402 403 404 Product ID H42 K56 H42 L27 Quantity 150 200 250 300 Unit Price $30.00 $25.00 $10.00 $ 5.00 Which of the following numbers represents a valid record count? A B C 70 D 900 ANSWERS TO TEST BANK - CHAPTER – END OF CHAPTER QUESTIONS: 138 D 143 A 148 A 139 B 144 B 149 B 140 C 145 D 150 B 141 A 146 D 142 A 147 D TEST BANK - CHAPTER – SHORT ANSWER QUESTIONS 151 What is the difference between general controls and application controls? 
Answer: General controls are internal controls that apply overall to the IT accounting systems; they are not restricted to any particular accounting application Application controls apply within accounting applications to control inputs, processing, and outputs They are intended to ensure that inputs and processing are accurate and complete and that outputs are properly distributed, controlled, and disposed 152 Is it necessary to have both general controls and application controls to have a strong system of internal controls? Answer: Yes, it is necessary to have both types of controls in a strong system of internal controls Since they cover different aspects of the IT accounting systems and serve different purposes, both are important and necessary An IT system would not have good internal control if it lacked either general or application controls 153 What kinds of risks or problems can occur if an organization does not authenticate users of its IT systems? Answer: If an organization does not authenticate users of its IT systems, a security breach may occur in which an unauthorized user may be able to gain access to the computer system If hackers or other unauthorized users gain access to information to which they are not entitled, the organization may suffer losses due to exposure of confidential information Unauthorized users may gain access to the system for the purpose of browsing, altering, or stealing company data They could also record unauthorized transactions, shut down systems, alter programs, sabotage systems, or repudiate existing transactions To download more slides, ebook, solutions and test bank, visit http://downloadslide.blogspot.com 154 Explain the general controls that can be used to authenticate users Answer: In order to authenticate users, organizations must limit system log-ins exclusively to authorized users This can be accomplished by requiring login procedures, including user IDs and passwords Stronger systems use biometric identification 
or security tokens to authenticate users In addition, once a user is logged in, the system should have established access levels and authority tables for each user These determine which parts of the IT system each user can access The IT system should also maintain a computer log to monitor log-ins and follow up on unusual patterns 155 What is two-factor authentication with regard to smart cards or security tokens? Answer: Two-factor authentication limits system log-ins to authorized users by requiring them to have possession of a security device such as a smart card or token, and also have knowledge of a user ID and/or password Both are needed to gain access to the system 156 Why should an organization be concerned about repudiation of sales transactions by the customer? Answer: Repudiation is the attempt to claim that the customer was not part of a sales transaction that has taken place Organizations may suffer losses if customers repudiate sales transactions If companies not have adequate controls to prevent repudiation, they may not be able to collect amounts due from customers However, organizations may reduce the risk of such losses if they require log-in of customers and if they maintain computer logs to establish undeniably which users take particular actions This can provide proof of online transactions 157 A firewall should inspect incoming and outgoing data to limit the passage of unauthorized data flow Is it possible for a firewall to restrict too much data flow? 
Answer: Yes, it is possible for a firewall to restrict legitimate data flow as well as unauthorized data flow This may occur if the firewall establishes limits on data flow that are too restrictive In order to prevent blocking legitimate network traffic, the firewall must examine data flow and attempt to determine which data is authorized or unauthorized The packets of information that pass through the firewall must have a proper ID to allow it to pass through the firewall 158 How does encryption assist in limiting unauthorized access to data? Answer: Encryption is the process of converting data into secret codes referred to as cipher text Encrypted data can only be decoded by those who possess the encryption key or password It therefore renders the data useless to any unauthorized user who does not possess the encryption key Encryption alone does not prevent access to data, but it does prevent an unauthorized user from reading or using the data 159 What kinds of risk exist in wireless networks that can be limited by WEP, WPA, and proper use of SSID? 
Answer: WEP, WPA, and SSIDs can limit the risk of unauthorized access to wireless networks, which transmit network data as high frequency radio signals through the air Since anyone within range of these radio signals can receive the data, protecting data is extremely important within a wireless network This can be accomplished through encryption via wired equivalency privacy (WEP), through encryption and user authentication via wireless protected access (WPA), and through password protection of the network sending and receiving nodes via service set identifiers (SSIDs) To download more slides, ebook, solutions and test bank, visit http://downloadslide.blogspot.com 160 Describe some recent news stories you have seen or heard regarding computer viruses Answer: Student responses will vary greatly depending upon the date this is discussed, but should describe situations of computer malfunctions caused by network break-ins where damaging actions were upon an organization’s programs and data As of April 2008, a report by Symantec (www.symantec.com) included the following statistics: The U.S accounted for 31% of all malicious activity and was the origin of attack in 24% of cases Symantec observed an average of 61,940 infected computers per day The US accounted for 56% of all denial of service attacks In the second half of 2007, Symantec reported that 499,811 new malicious code threats were reported 161 What is the difference between business continuity planning and disaster recovery planning? Answer: How are these two concepts related? 
Business continuity planning is a proactive program for considering risks to the continuation of business and developing plans and procedures to reduce those risks so that continuation of the IT system is always possible On the other hand, disaster recovery planning is a reactive program for restoring business operations, including IT operations, to normal after a catastrophe occurs These two concepts are related in that they are both focused on maintaining IT operations at all times in order to minimize business disruptions 162 How can a redundant array of independent disks (RAID) help protect the data of an organization? Answer: RAID accomplishes redundant data storage by setting up two or more disks as exact mirror images This provides an automatic backup of all data If one disk drive fails, the other (maintained on another disk drive) can serve in its place 163 What kinds of duties should be segregated in IT systems? Answer: In an IT system, the duties to be segregated are those of systems analysts who analyze and design the systems, programmers who write the software, operators who process data, and database administrators who maintain and control the database No single person should develop computer programs and also have access to data 164 Why you think the uppermost managers should serve on the IT governance committee? 
Answer: An IT governance committee should be comprised of top management in order to ensure that appropriate priority is assigned to the function of governing the overall development and operation of the organization's IT systems. Since the committee's functions include aligning the IT systems with business strategy and budgeting funds and personnel for the effective use of IT systems, it is important that high-ranking company officials be aware of these priorities and involved in their development. Only top management has the power to undertake these responsibilities.

165 Why should accountants be concerned about risks inherent in a complex software system such as the operating system?
Answer: Accountants need to be concerned about the risks inherent in the organization's software systems because all other software runs on top of the operating system. These systems may have exposure areas that contain entry points for potential unauthorized access to software and/or data. These entry points must be controlled by the proper combination of general controls and application controls.

166 Why is it true that increasing the number of LANs or wireless networks within an organization increases risks?
Answer: Increasing the number of LANs or wireless networks within an organization increases exposure areas, or entry points through which a user can gain access to the network. Each LAN or wireless access point is another potential entry point for an unauthorized user. The more entry points, the more security risk the organization faces.

167 What kinds of risks are inherent when an organization stores its data in a database and database management system?
Answer: Since a database management system involves multiple user groups accessing and sharing a database, there are multiple risks of unauthorized access. Anyone who gains access to the database may be able to retrieve data that they should not have. This multiplies the number of people who potentially have access to the data. In addition, availability, processing integrity, and business continuity risks are important because so many different users rely on the system. Proper internal controls can help to reduce these inherent risks.

168 How do telecommuting workers pose IT system risk?
Answer: The network equipment and cabling that enable telecommuting can be an entry point for hackers or other break-ins, and the teleworker's computer is another potential access point that is not under the company's direct control. Therefore, it is difficult for the company to monitor whether telecommuters' computers are properly protected from viruses and other threats. These entry points pose security, confidentiality, availability, and processing integrity risks.

169 What kinds of risks are inherent when an organization begins conducting business over the Internet?
Answer: The Internet connection required to conduct web-based business can expose the company network to unauthorized use. The sheer volume of users of the World Wide Web dramatically increases the potential number of unauthorized users who may attempt to access an organization's network of computers. An unauthorized user can compromise security and confidentiality, and affect availability and processing integrity, by altering data or software or by inserting virus or worm programs. In addition, the existence of e-commerce in an organization poses online privacy risks.

170 Why is it true that the use of EDI means that trading partners may need to grant access to each other's files?
Answer: EDI involves transferring electronic business documents between companies. Because EDI involves the use of a network or the Internet, risks of unauthorized access are prevalent. In order to authenticate trading partner users and accomplish the transfer of business documents, each company must open part of its system to the other, so other company data files may be at risk of unauthorized use unless the partner's access is restricted to exactly the files and transactions the exchange requires.

171 Why is it critical that source documents be easy to use and complete?
Answer: Source documents should be easy to use and complete in order to minimize the potential for errors, incomplete data, or unauthorized transactions being entered from those source documents into the company's IT systems. Since source documents represent the method of collecting data in a transaction, they need to be easy to use in order to reduce the risk of incorrect or missing data in the accounting system.

172 Explain some examples of input validation checks that you have noticed when filling out forms on websites you have visited.
Answer: Student responses are likely to vary, but may include field checks, validity checks, limit checks, range checks, reasonableness checks, completeness checks, or sign checks. Although sequence checks and self-checking digits are additional input validation checks, they are not likely to be cited because they are applicable to transactions processed in batches, which is not likely to apply to students' web transactions.

173 How can control totals serve as input, processing, and output controls?
Answer: Control totals can be used as input controls when they are applied as record counts, batch totals, or hash totals to verify the accuracy and completeness of data being entered into the IT system. The same control totals can be used as processing controls when they are reconciled at stages of processing to verify the accuracy and completeness of processing. Finally, the output from an IT system can be reconciled to the control totals to ensure accuracy and completeness, thus serving as an output control. Therefore, totals at any stage can be compared against the initial control total to help ensure the accuracy of input, processing, or output.

174 What dangers exist related to computer output such as reports?
Answer: Output reports contain data that should not fall into the wrong hands, as the information contained in reports is often confidential or proprietary and could help someone commit fraud. Therefore, the risk of unauthorized access must be controlled through strict policies and procedures regarding report distribution, retention, and disposal.

TEST BANK - CHAPTER 4 – SHORT ESSAY

175 Categorize each of the following as either a general control or an application control:
a validity check
b encryption
c security token
d batch total
e output distribution
f vulnerability assessment
g firewall
h antivirus software
Answer:
a validity check – application control (input)
b encryption – general control
c security token – general control
d batch total – application control (input, processing, and output)
e output distribution – application control (output)
f vulnerability assessment – general control
g firewall – general control
h antivirus software – general control

176 Each of the given situations is independent of the others. For each, list the programmed input validation check that would prevent or detect the error.
a The zip code field was left blank on an
input screen requesting a mailing address.
b A state abbreviation of “NX” was entered in the state field.
c A number was accidentally entered in the last name field.
d For a weekly payroll, the entry in the “hours worked” field was 400.
e A pay rate of $50.00 per hour was entered for a new employee. The job code indicates an entry-level receptionist.
Answer:
a The zip code field was left blank on an input screen requesting a mailing address – Completeness check
b A state abbreviation of “NX” was entered in the state field – Validity check
c A number was accidentally entered in the last name field – Field check
d For a weekly payroll, the entry in the “hours worked” field was 400 – Limit check or range check
e A pay rate of $50.00 per hour was entered for a new employee whose job code indicates an entry-level receptionist – Reasonableness check

177 For each AICPA Trust Services Principles category shown, list a potential risk and a corresponding control that would lessen the risk. An example is provided. In a similar manner, list a risk and control in each of the following categories: Security, Availability, Processing Integrity, and Confidentiality.
Answer:
a Security. Risk: an unauthorized user could record an invalid transaction. Control: security token to limit unauthorized users.
b Availability. Risk: an unauthorized user may shut down a program. Control: intrusion detection to find instances of unauthorized users.
c Processing Integrity. Risk: environmental problems such as temperature can cause glitches in the system. Control: temperature and humidity controls.
d Confidentiality. Risk: an unauthorized user could browse data. Control: encryption.

178 For each of the following parts of an IT system of a company, write a one-sentence description of how unauthorized users could use this as an “entry point”:
a A local area network (LAN)
b A wireless network
c A telecommuting worker
d A company website to sell products
Answer:
a A local area network (LAN). Each workstation or
the network wiring on the LAN are access points where someone could tap into the system.
b A wireless network. The wireless signals broadcast into the air could be intercepted to gain access to the system.
c A telecommuting worker. The telecommuter's computer may be infected with a virus that allows a perpetrator to see the login ID and password.
d A company website to sell products. A hacker may try to break through the web server firewall to gain access to company data.

179 Application controls include input, processing, and output controls. One type of input control is source document controls. Briefly explain the importance of each of the following source document controls: form design, form authorization and control, and retention of source documents.
Answer:
a Form design. A well-designed form will reduce the chance of erroneous or incomplete data. It could also increase the speed at which the form is completed.
b Form authorization and control. Forms should have a signature line to indicate that the underlying transaction was approved by the correct person. Blank documents should be properly controlled to limit access to them.
c Retention of source documents. Source documents should be maintained as part of the audit trail. They also serve as a way to look up data when queries are raised.

180 Explain how control totals such as record counts, batch totals, and hash totals serve as input controls, processing controls, and output controls.
Answer: Control totals serve as expected results after input, processing, or output has occurred. At each stage, the current totals can be compared against the initial control total to help ensure the accuracy of input, processing, or output.

181 Briefly explain a situation at your home, university, or job in which you think somebody used computers unethically. Be sure to include an explanation of why you think it was unethical.
Answer: Student
responses will vary significantly. Some possibilities include downloading copyrighted music or video from an unauthorized source, viewing pornography on computers at work, shopping or other browsing while at work, using a work computer to store personal files or process personal work, or using company e-mail systems for personal e-mail (some companies may not consider this as problematic as other potentially unethical acts).

TEST BANK - CHAPTER 4 – PROBLEMS

182 Explain why an organization should establish and enforce policies for its IT systems in the following areas regarding the use of passwords for log-in:
a Length of password
b The use of numbers or symbols in passwords
c Using common words or names as passwords
d Rotation of passwords
e Writing passwords on paper or sticky notes
Answer:
a Length of password. Passwords should be at least eight characters in length. Length is what makes a password expensive to guess or brute-force, so a longer password makes it difficult for a hacker to gain unauthorized access to the system.
b The use of numbers or symbols in passwords. Passwords should contain a mix of letters, digits, and other symbols, and may also mix upper-case and lower-case letters. This enlarges the set of possibilities an attacker must try and makes the password harder to guess.
c Using common words or names as passwords. Names, initials, dictionary words, and other common choices should be avoided as passwords, as they are the first things an attacker tries and tend to be easy to guess.
d Rotation of passwords. Passwords should be changed periodically, approximately every 90 days. This limits how long a hacker who has obtained a password can keep using it.
e Writing passwords on paper or sticky notes. Passwords should be committed to the user's memory and should not be written down. If they are documented, this increases the likelihood that an unauthorized user may find the password and use it to gain access to the system.
(Note for practitioners: current NIST guidance in SP 800-63B still requires a minimum of eight characters and screening of new passwords against lists of commonly used or breached passwords, but it recommends against forced periodic rotation and mandatory composition rules, since both push users toward predictable patterns; a change should instead be triggered by evidence of compromise, and a password manager is an acceptable alternative to memorization.)

183 The use of smart cards or tokens together with a password is called two-factor authentication. Answer the following
questions, assuming that the company you work for uses smart cards or tokens for two-factor authentication.
a What do you think the advantages and disadvantages would be for you as a user?
b What do you think the advantages and disadvantages would be for the company?
Answer:
a What do you think the advantages and disadvantages would be for you as a user? As a user, the advantage of two-factor authentication would be the security of the information in the system that I am using. I would know that it would be difficult for an unauthorized user to alter a system that uses two-factor authentication, so I would have more confidence in the data within such a system. In addition, it is relatively easy to remember a password and to carry a smart card or security token. On the other hand, I might consider the use of two-factor authentication a disadvantage because it places more responsibility on me, the user. For instance, in order to access the system, I have to remember my password and maintain control of a security device. It might be an inconvenience to maintain a smart card or security token and remember to keep it accessible at all times that I may need to access the system. It is also susceptible to loss, similar to a set of keys.
b What do you think the advantages and disadvantages would be for the company? From the company's perspective, the advantage of two-factor authentication is the strength of the extra level of security. The company has additional protection against unauthorized access, because a stolen or guessed password alone is no longer enough to get in, which makes it difficult for a hacker to access the system. The disadvantages are the cost of the additional authentication tools that make up the dual layer of security and the administrative work of issuing, replacing, and revoking tokens.

184 Many IT professionals feel that wireless networks pose the highest risks in a company's network system. Why do you think this is true? Which general controls can help reduce these risks?
Answer: Why do you think this is true? Wireless networks pose the highest risks in a company's network computer system because the network signals are transported through the air rather than over cables. Therefore, anyone who can receive the radio signals could potentially intercept the company's information and gain access to its network. This exposure is considered greater than in traditional WANs and LANs, where an attacker first needs physical access to the cabling or a port. Which general controls can help reduce these risks? A company can reduce its exposure to unauthorized wireless network traffic by implementing proper controls, such as Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA), service set identifiers (SSIDs), and encrypted data. Since WEP and the original WPA have well-known cryptographic weaknesses and an SSID is not a secret, WPA2 or WPA3 is the control that provides the encryption and authentication in practice.

185 Control totals include batch totals, hash totals, and record counts. Which of these totals would be useful in preventing or detecting the IT system input and processing errors or fraud described as follows?
a A payroll clerk accidentally entered the same time card twice.
b The accounts payable department overlooked an invoice and did not enter it into the system because it was stuck to another invoice.
c A systems analyst was conducting payroll fraud by electronically adding to his “hours worked” field during the payroll computer run.
d To create a fictitious employee, a payroll clerk removed a time card for a recently terminated employee and inserted a new time card with the same hours worked.
Answer:
a A payroll clerk accidentally entered the same time card twice. Any of the three control totals could be used: a batch total could detect that too many hours were entered; a hash total could detect that the employee number summation was overstated; a record count could detect that too many time cards were entered.
b The accounts payable department overlooked an invoice and did not enter it into the system because it was stuck to another invoice. Any of the three control totals could be used: a batch total could detect the missing amount; a hash total could detect that the vendor number summation
was misstated; a record count could detect that too few invoices were entered.
c A systems analyst was conducting payroll fraud by electronically adding to his “hours worked” field during the payroll computer run. A batch total could detect this fraud by revealing that the hours worked on the inputs did not agree with the hours worked on the output reports.
d To create a fictitious employee, a payroll clerk removed a time card for a recently terminated employee and inserted a new time card with the same hours worked. A record count could detect this fraud only if there was a control in place to compare the number of records processed with the number of active employees, and the number of active employees had been updated to reflect the recently terminated employee. A hash total of employee numbers would also reveal the substitution if the fictitious employee carries a different employee number, provided the expected total was established by someone other than the clerk before the cards reached data entry.

186 Explain how each of the following input validation checks can prevent or detect errors: field, validity, limit, range, reasonableness, completeness, sign, and a self-checking digit.
Answer:
a A field check examines a field to determine whether the appropriate type of data was entered. This will detect mistakes in input, such as erroneous input of numeric information in an alpha field.
b A validity check examines a field to ensure that the data entered in the field is valid compared with a preexisting list of acceptable values. This will detect mistakes in input, such as nonsense entries caused by the input personnel striking the wrong key.
c A limit check verifies field inputs by making sure that they do not exceed a pre-established limit. This prevents gross overstatements of the data beyond the acceptable limit.
d A range check verifies field inputs by making sure that they fall within a pre-established range. This prevents gross overstatements and understatements of the data beyond the acceptable limits.
e A reasonableness check compares the value in a field with similar, related fields to determine
whether the value seems reasonable. This can detect possible errors by identifying “outliers”.
f A completeness check assesses the critical fields in an input screen to make sure that an entry has been input in those fields. This detects possible omissions of critical information.
g A sign check examines a field to determine that it has the appropriate positive or negative sign. This can prevent misstatements caused by misinterpretation of information.
h A sequence check ensures that a batch of transactions is sorted and processed in sequential order. This ensures that a batch will be in the same order as the master file, which may prevent errors in the master file by ensuring that the sequence is appropriate for an accurate update of the master file.
i A self-checking digit is an extra digit added to a coded identification number, determined by a mathematical algorithm applied to the other digits. When the number is keyed, the algorithm is recomputed and compared with the digit entered, which detects transcription errors such as a mistyped or transposed digit.

187 The IT governance committee should comprise top-level managers. Describe why you think that is important. What problems are likely to arise with regard to IT systems if the top-level managers are not involved in IT governance committees?
Answer: It is important for an IT governance committee to be comprised of members of top management so it can appropriately align IT investments with the company's overall business strategies. If top-level managers were not involved in this committee, it is likely that IT changes could be approved which do not enhance the company's overall goals and strategies. In addition, it is possible that IT changes could be discussed and developed without receiving proper approval or funding.

188 Using a search engine, look up the term “penetration testing.” Describe the software tools you find that are intended to achieve penetration testing. Describe the types of systems that penetration testing is conducted upon.
Answer: Software tools that perform penetration tests must be able to replicate a successful unauthorized access attempt or recreate an attack on a company's security, but must be able to do so without altering or damaging the systems upon which these tests are conducted. This will reveal weaknesses in the system so that the company can implement controls to strengthen its security. Penetration testing is typically conducted upon network systems, and also on the hosts, web applications, and wireless networks reachable through them.

189 Visit the AICPA website at www.aicpa.org. Search for the terms “WebTrust” and “SysTrust.” Describe these services and the role of Trust Services Principles in these services.
Answer: WebTrust services are professional services that build trust and confidence among customers and businesses that operate on the Internet. SysTrust services build trust and confidence between business partners who use and rely upon each other's computer systems. These services are built upon the Trust Services Principles of Security, Privacy, Availability, Confidentiality, and Processing Integrity to help companies create trustworthy systems. Both of these services are represented by a seal on the company's Web site.

190 Using a search site, look up
the terms “disaster recovery” along with “9/11.” The easiest way to search for both items together is to type into the search box the following: “disaster recovery” “9/11”. Find at least two examples of companies that have changed their disaster recovery planning since the terrorist attacks on the World Trade Center on September 11, 2001. Describe how these companies changed their disaster recovery plans after the terrorist attacks.
Answer: Students' answers may vary greatly, as there are numerous examples of companies that operated in or near the World Trade Center or were otherwise affected by the events of September 11, 2001, and that have revised their business disaster recovery plans as a result. A few examples are the financial services companies Lehman Brothers, Merrill Lynch, and American Express. An article at www.cio.com includes interviews with the IT executives at these companies as they look back on the events of 9/11. In particular, Lehman Brothers worked hard to increase its redundant storage and real-time backups. It also updated its phone systems so that all direct lines to customers would not terminate at the same place, as they did at the World Financial Center. In addition, it developed a new business continuity plan, with variations tied to the Homeland Security Advisory System's color-coded warning levels. At Merrill Lynch, disaster recovery efforts focused on diversification of vendors to relieve the concentration in Lower Manhattan. In addition, it outfitted the buildings used for recovery with wireless LANs, which allows for increased flexibility through the broadcast of signals to multiple access points. For American Express, disaster recovery planning and business continuity planning changed to a geography-based approach, recognizing that disasters are likely to affect large geographic areas. The events of 9/11 proved that Amex's previous building-based program was not effective.
191 Go to any website that sells goods. Examples would be BestBuy, Staples, and J.Crew. Pretend that you wish to place an order on the site you choose and complete the order screens for your pretend order. Do not finalize the order; otherwise, you will have to pay for the goods. As you complete the order screens, attempt to enter incorrect data for fields or blanks that you complete. Describe the programmed input validation checks that you find that prevent or detect the incorrect data input.
Answer: Students' responses are likely to vary significantly, as different Web sites have different input validation checks. However, most Web sites have a warning message that will appear if invalid information is entered. (For instance, the message “The billing city, state, zip code, and country entered do not match up. Please revise your selections below” was encountered on jcrew.com when bogus city and zip code information was entered.) The warning message will typically prevent the user from proceeding to the next step in the transaction until the error is corrected.
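The control-total reconciliation described in items 173, 180 and 185, as an added worked example (this code is not part of the test bank; the time-card batch, the employee numbers and the hours are constructed for the example). The expected totals are computed from the batch the supervising department submitted, so the clerk or analyst who later keys or processes the records is not also the person who sets the control that checks them. Each scenario function returns the names of the totals that fail to reconcile.

```python
"""Batch control totals: record count, batch total and hash total (example code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TimeCard:
    emp_no: int     # employee number: meaningless as a sum, so usable for a hash total
    hours: float    # hours worked: a meaningful quantity, so usable for a batch total


@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    batch_total: float
    hash_total: int


def compute_totals(cards: list) -> ControlTotals:
    """Record count, batch total of hours and hash total of employee numbers."""
    return ControlTotals(
        record_count=len(cards),
        batch_total=round(sum(c.hours for c in cards), 2),
        hash_total=sum(c.emp_no for c in cards),
    )


def reconcile(expected: ControlTotals, actual: ControlTotals) -> list:
    """Names of the control totals that disagree; an empty list means the batch balances."""
    diffs = []
    if expected.record_count != actual.record_count:
        diffs.append("record count")
    if abs(expected.batch_total - actual.batch_total) > 0.005:
        diffs.append("batch total")
    if expected.hash_total != actual.hash_total:
        diffs.append("hash total")
    return diffs


# Constructed batch as submitted by the department supervisor. The supervisor's
# totals are the expected values that every later stage is reconciled against.
SUBMITTED = [TimeCard(1001, 40.0), TimeCard(1002, 38.5),
             TimeCard(1003, 42.0), TimeCard(1004, 40.0)]
EXPECTED = compute_totals(SUBMITTED)


def scenario_a_duplicate_entry() -> list:
    """Clerk keys the same time card twice at input."""
    keyed = SUBMITTED + [SUBMITTED[1]]
    return reconcile(EXPECTED, compute_totals(keyed))


def scenario_b_missing_record() -> list:
    """One document stuck to another and was never entered."""
    keyed = SUBMITTED[:-1]
    return reconcile(EXPECTED, compute_totals(keyed))


def scenario_c_hours_altered_in_processing() -> list:
    """Input balanced; during the run one record's hours were inflated."""
    processed = [TimeCard(c.emp_no, c.hours + 20.0) if c.emp_no == 1003 else c
                 for c in SUBMITTED]
    return reconcile(EXPECTED, compute_totals(processed))


def scenario_d_substituted_card() -> list:
    """Terminated employee 1004's card swapped for fictitious employee 1999, same hours."""
    keyed = [TimeCard(1999, c.hours) if c.emp_no == 1004 else c for c in SUBMITTED]
    return reconcile(EXPECTED, compute_totals(keyed))


if __name__ == "__main__":
    for name, fn in [("a", scenario_a_duplicate_entry), ("b", scenario_b_missing_record),
                     ("c", scenario_c_hours_altered_in_processing),
                     ("d", scenario_d_substituted_card)]:
        print(f"scenario {name}: out of balance on {', '.join(fn()) or 'nothing'}")
```

Scenario d shows why the answer to item 185 hedges: the record count and the batch total of hours are unchanged by the swap, so only a total over a field the fraud had to change (the employee number) or a comparison with an independently maintained active-employee count can reveal it, and only when that expected value was not set by the same clerk.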
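The programmed input validation checks of items 176 and 186, as an added worked example (this code is not part of the test bank). The approved state codes, the pay band per job code, the 80-hour weekly limit, the company-wide rate range and the weighted mod-10 check-digit scheme are all assumptions made for the example; the five sample records reproduce situations a to e of item 176, and `validate_record` returns the names of the checks each record fails.

```python
"""Programmed input validation checks for a payroll input screen (example code)."""

# Reference data, constructed for this example; a production system reads these
# from master files and policy tables rather than hard-coding them.
VALID_STATES = {"CA", "NY", "TX", "WA"}                 # validity check: approved codes
PAY_RATE_BY_JOB = {"RCPT1": (12.00, 20.00),            # reasonableness check: expected
                   "ENG2": (40.00, 80.00)}              # pay band per job code (assumed)
COMPANY_RATE_RANGE = (7.25, 200.00)                    # range check, any job (assumed)
MAX_WEEKLY_HOURS = 80.0                                # limit check threshold (assumed)
ID_WEIGHTS = (7, 3, 1, 7, 3)                           # assumed mod-10 check-digit scheme
REQUIRED_FIELDS = ("emp_id", "last_name", "state", "zip", "hours", "rate", "job")


def check_digit(body: str) -> int:
    """Weighted mod-10 check digit for a five-digit employee number body."""
    total = sum(int(d) * w for d, w in zip(body, ID_WEIGHTS))
    return (10 - total % 10) % 10


def make_employee_id(body: str) -> str:
    return body + str(check_digit(body))


def id_is_valid(emp_id: str) -> bool:
    """Self-checking digit: recompute the digit from the body and compare."""
    return (emp_id.isdigit() and len(emp_id) == len(ID_WEIGHTS) + 1
            and check_digit(emp_id[:-1]) == int(emp_id[-1]))


def validate_record(rec: dict) -> list:
    """Return the names of the input validation checks that the record fails."""
    failures = []
    # Completeness check: every critical field must be present and non-blank.
    if any(str(rec.get(f, "")).strip() == "" for f in REQUIRED_FIELDS):
        failures.append("completeness")
        return failures                       # nothing else can be checked on blank data
    if not id_is_valid(rec["emp_id"]):
        failures.append("self-checking digit")
    # Field check: a name field must not contain digits.
    if any(ch.isdigit() for ch in rec["last_name"]):
        failures.append("field")
    # Validity check: the state must be one of the approved codes.
    if rec["state"] not in VALID_STATES:
        failures.append("validity")
    hours = float(rec["hours"])
    if hours < 0:                             # sign check
        failures.append("sign")
    elif hours > MAX_WEEKLY_HOURS:            # limit check
        failures.append("limit")
    rate = float(rec["rate"])
    lo, hi = COMPANY_RATE_RANGE               # range check
    if not lo <= rate <= hi:
        failures.append("range")
    lo, hi = PAY_RATE_BY_JOB.get(rec["job"], (0.0, float("inf")))
    if not lo <= rate <= hi:                  # reasonableness check against the job code
        failures.append("reasonableness")
    return failures


def sequence_check(batch: list) -> bool:
    """Batch records must arrive in ascending employee-number order."""
    ids = [r["emp_id"] for r in batch]
    return ids == sorted(ids)


def _card(**overrides) -> dict:
    base = {"emp_id": make_employee_id("10234"), "last_name": "Lopez", "state": "CA",
            "zip": "94105", "hours": 40, "rate": 15.00, "job": "RCPT1"}
    return {**base, **overrides}


# Constructed inputs mirroring situations a to e of item 176, in that order.
SAMPLE_BATCH = [
    _card(zip=""),                                               # a: zip left blank
    _card(emp_id=make_employee_id("10235"), state="NX"),         # b: invalid state code
    _card(emp_id=make_employee_id("10236"), last_name="Sm1th"),  # c: digit in a name
    _card(emp_id=make_employee_id("10237"), hours=400),          # d: 400 hours in a week
    _card(emp_id=make_employee_id("10238"), rate=50.00),         # e: $50/hr receptionist
]


def run_sample() -> list:
    return [validate_record(r) for r in SAMPLE_BATCH]


if __name__ == "__main__":
    for rec, failed in zip(SAMPLE_BATCH, run_sample()):
        print(rec["emp_id"], "fails:", ", ".join(failed) or "none")
    print("batch in sequence:", sequence_check(SAMPLE_BATCH))
```

Note the order of the checks: completeness runs first because the other checks cannot be applied to a blank field, and situation d trips the limit check alone here, whereas a range check would also catch it if the screen enforced a lower bound on hours as well. The check digit catches the two errors keying clerks make most, a single wrong digit and two adjacent digits transposed, because the weights differ between adjacent positions.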
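The password policy of item 182 as it would be enforced at enrolment, as an added worked example (this code is not part of the test bank). Rules a to d are implemented as written in the answer; rule e cannot be enforced in code. The common-password list, the PBKDF2 parameters and the history depth of five are assumptions for the example. Old passwords are kept only as salted hashes so that the rotation rule can be checked without the history itself becoming a password store.

```python
"""Password policy checks at enrolment (example code)."""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8
HISTORY_DEPTH = 5
PBKDF2_ROUNDS = 100_000
# Constructed blocklist; a deployment loads a breached-password corpus instead.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "iloveyou", "monkey"}
_LEET = str.maketrans("@$!10", "asilo")


def normalize(password: str) -> str:
    """Fold the disguises users apply to a common word: case, trailing digits/symbols, leet."""
    folded = re.sub(r"[^a-z]+$", "", password.lower())     # "Password1!" -> "password"
    return folded.translate(_LEET)                          # "p@ssw0rd"   -> "password"


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2 so the history can be kept without storing old passwords in clear."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password: str, entry: tuple) -> bool:
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def check_password(candidate: str, username: str, history: list) -> list:
    """Return the policy rules (a to d of item 182) that the candidate violates."""
    violations = []
    if len(candidate) < MIN_LENGTH:                                   # rule a
        violations.append("length")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:                                                   # rule b
        violations.append("mix of letters, digits and symbols")
    folded = normalize(candidate)                                     # rule c
    if folded in COMMON_PASSWORDS or (username and username.lower() in candidate.lower()):
        violations.append("common word or name")
    if any(matches(candidate, entry) for entry in history[-HISTORY_DEPTH:]):   # rule d
        violations.append("reuse of a recent password")
    return violations


if __name__ == "__main__":
    history = [hash_password("Tq7#vLm9pQ2!")]            # the user's previous password
    for pw in ("P@ssw0rd", "jsmith2024", "Tq7#vLm9pQ2!", "Xk4$wRn8zB"):
        print(pw, "->", check_password(pw, "jsmith", history) or "accepted")
```

The normalization step is what gives rule c teeth: "P@ssw0rd" and "Welcome1!" satisfy the length and character-class rules, yet both fold back to a blocklisted word. A checker that only applied the composition rules would accept them, which is the weakness the NIST caveat above is pointing at.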

Posted: 01/03/2018, 13:57
