Chapter 8—Controlling Information Systems: Introduction to Pervasive and General Controls TRUE/FALSE 1. IT governance leads to better organizational performance such as profitability. ANS: T 2. As an IT resource, information includes data in all their forms that are input, processed and output by information systems. ANS: T 3. As an IT resource, applications are automated systems and manual procedures that process information. ANS: T 4. The system of controls used in this text consists of the control environment, pervasive (and general controls, and IT general controls) control plans, and business process (and application) control plans. ANS: T 5. As used in the text, the information systems organization (function) is synonymous with the accounting function. ANS: F 6. The function composed of people, procedures, and equipment that is typically called the information systems department, IS department, or the IT department is the information systems organization. ANS: T 7. The IS function with the principal responsibilities of guiding and advising the information systems organization is the IT steering committee. ANS: T
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Chapter 8—Controlling Information Systems: Introduction to Pervasive and General Controls
TRUE/FALSE
1. IT governance leads to better organizational performance such as profitability.
ANS: T
2. As an IT resource, information includes data in all their forms that are input, processed and output by information systems.
ANS: T
3. As an IT resource, applications are automated systems and manual procedures that process information.
ANS: T
4. The system of controls used in this text consists of the control environment, pervasive (and general controls, and IT general controls) control plans, and business process (and application) control plans.
ANS: T
5. As used in the text, the information systems organization (function) is synonymous with the accounting function.
ANS: F
6. The function composed of people, procedures, and equipment that is typically called the information systems department, IS department, or the IT department is the information systems organization.
ANS: T
7. The IS function with the principal responsibilities of guiding and advising the information systems organization is the IT steering committee.
ANS: T
8. The IS function with the principal responsibilities of insuring the security of all information systems function resources is data control.
ANS: F
9. The IS function of quality assurance conducts reviews to determine adherence to IT standards and procedures and achievement of IT objectives.
ANS: T
10. The chief information officer (CIO) prioritizes and selects IT projects and resources.
ANS: F
11. Within the data center, the data control group is responsible for routing all work into and out of the data center, correcting errors, and monitoring error correction.
ANS: T
12. The IS function of systems development provides efficient and effective operation of the computer equipment by performing tasks such as mounting tapes and disks, loading printer paper, and responding to computer messages.
ANS: F
13. Within the data center, the data librarian function grants access to programs, data, and documentation to authorized personnel only.
ANS: T
14. Combining the functions of authorizing and executing events is a violation of the organizational control plan known as segregation of duties.
ANS: T
15. Segregation of duties consists of separating the four functions of authorizing events, executing events, recording events, and safeguarding the resources resulting from consummating the events.
ANS: T
16. Embezzlement is a fraud committed by two or more individuals or departments.
ANS: F
17. A small organization that does not have enough personnel to adequately segregate duties must rely on alternative controls, commonly called resource controls.
ANS: F
18. The functions of the security officer commonly include assigning passwords and implementing and monitoring many of the pervasive resource security control plans.
ANS: T
19. Individual departments coordinate the organizational and IT strategic planning processes and reviews and approves the strategic IT plan.
ANS: F
20. The policy of requiring an employee to alternate jobs periodically is known as mandatory vacations.
ANS: F
21. Forced vacations is a policy of requiring an employee to take leave from the job and substituting another employee in his or her place.
ANS: T
22. A fidelity bond indemnifies a company in case it suffers losses from defalcations committed by its employees.
ANS: T
23. The product life cycle is a formal set of activities, or a process, used to develop and implement a new or modified information system.
ANS: F
24. Computer software that is used to facilitate the execution of a given business process is called database management software.
ANS: F
25. The systems documentation provides an overall description of the application, including the system's purpose; an overview of system procedures; and sample source documents, outputs, and reports.
ANS: T
26. Program documentation provides a description of an application computer program and usually includes the program's purpose, program flowcharts, and source code listings.
ANS: T
27. The user run manual gives detailed instructions to computer operators and to data control about a particular application.
ANS: F
28. The operations run manual describes user procedures for an application and assists the user in preparing inputs and using outputs.
ANS: F
29. Training materials are documentation that helps users learn their jobs and perform consistently in those jobs.
ANS: T
30. Program change controls provide assurance that all program modifications are authorized and that the changes are completed, tested, and properly implemented.
ANS: T
31. The terms contingency planning, disaster recovery planning, business interruption planning, and business continuity planning have all been used to describe the process that identifies events that may threaten an organization and provide a framework whereby the organization will continue to operate or resume operations with a minimum of disruption.
ANS: T
32. Continuity is the process of using backup measures to either reconstruct lost data, programs, or documentation, or to continue operations in alternative facilities.
ANS: F
33. With continuous data protection (CDP) all data changes are saved to secondary computer systems as changes are made on the primary system.
ANS: T
34. The disaster backup and recovery technique known as electronic vaulting is a service whereby changes being made on a computer are automatically transmitted over the Internet on a continuous basis to an off-site server maintained by a third party.
ANS: T
35. The disaster recovery strategy known as a cold site is a fully equipped data center that is made available on a standby basis to client companies for a monthly subscriber fee.
ANS: F
36. A facility usually comprising air-conditioned space with a raised floor, telephone connections, and computer ports, into which a subscriber can move equipment, is called a hot site.
ANS: F
37. In the case of a computer virus, a Web site is overwhelmed by an intentional onslaught of thousands of simultaneous messages, making it impossible for the attacked site to engage in its normal activities.
ANS: F
38. Biometric identification systems identify authorized personnel through some unique physical trait such as fingers, hands, voice, eyes, face, or writing dynamics.
ANS: T
39. Antivirus is a technique to protect one network from another "untrusted" network.
ANS: F
40. The most common biometric devices perform retinal eye scans.
ANS: F
41. In an online computing environment, the operating system software generally includes a(n) security module designed to restrict access to programs and data.
ANS: T
42. In an online computing environment, the accumulation of access activity and its review by the security officer is called threat monitoring.
ANS: T
43. Application controls restrict access to data, programs, and documentation.
ANS: F
44. Intrusion-detection systems (IDS) monitor system and network resources and activities and “learn” how users typically behave on the system.
ANS: T
45. Intrusion-prevention systems (IPS) protect one network from another “untrusted” network.
ANS: F
46. Periodic cleaning, testing, and adjusting of computer equipment is referred to as preventative maintenance.
ANS: T
47. Computer hacking and cracking is the intentional, unauthorized access to an organization's computer system, accomplished by bypassing the system's access security controls.
ANS: T
MULTIPLE CHOICE
1. The use of IT resources for enterprise systems and e-businessa. magnifies the importance of protecting the resources both within and outside of the
organization from risksb. magnifies the importance of protecting the resources both within but not outside the of the
organization from risksc. makes it easier to provide internal control risk when IT resources are interlinkedd. none of the above
ANS: A
2. Top 10 management concerns about IT’s capability to support an organization’s vision and strategy include all except the following:a. IT and business alignmentb. security and privacyc. the Internetd. retaining IT professionals
ANS: C
3. Top 10 security concerns reported in “The Global State of Information Security 2005” as reported in CIO magazine include all the following except:a. disaster recovery/business continuityb. the Internetc. data backupd. overall information security strategy
ANS: B
4. Pervasive control plans:a. are unrelated to applications control plansb. are a subset of applications control plansc. influence the effectiveness of applications control plansd. increase the efficiency of applications control plans
ANS: C
5. COBIT was developed to:a. provide guidance to managers, users, and authors on the best practices for the management
of information technologyb. identify specific control plans that should be implemented to reduce the occurrence of
fraudc. specify the components of an information system that should be installed in an e-
commerce environmentd. suggest the type of information that should be made available for management decision
making
ANS: A
6. The department within a company that develops and operates the computer information systems is often called the:a. information systems organizationb. computer operations departmentc. controllerd. computer technology branch
ANS: A
7. In an information systems organization structure, the three functions that might logically report directly to the CIO would be:a. systems development, technical services, and data centerb. systems development, database administration, and data centerc. systems development, technical services, and data librariand. applications programming, technical services, and data center
ANS: A
8. Data in all their forms that are input, processed, and output by information system are called this IT resource:a. informationb. applicationsc. infrastructured. people
ANS: A
9. Automated systems and manual procedures that process information are called this IT resource:a. informationb. applicationsc. infrastructured. people
ANS: B
10. Which of the following IT resources includes hardware, operating systems, DBMSs, and networking?a. informationb. applicationsc. infrastructured. people
ANS: C
11. ____ can consist of many computers and related equipment connected together via a network.a. PCsb. Serversc. LANd. firewall
ANS: C
12. In an information systems organization, which of the following reporting relationships makes the least sense?a. the data center manager reports to the CIO.b. systems development manager reports to the data center manager.c. database administration reports to the technical services manager.d. data librarian reports to the data center manager.
ANS: B
13. In an information systems organization, all of the following functions might logically report to the data center manager except:a. data controlb. data preparationc. data librariand. quality assurance
ANS: D
14. Managing functional units such as telecommunications, systems programming, and database administration typically is a major duty of:a. data center managerb. systems developmentc. technical services managerd. database administrator
ANS: C
15. From the standpoint of achieving the operations system control goal of security of resources, which of the following segregation of duties possibilities is least important?a. between user departments and computer operationsb. between data control and data preparation personnelc. between systems development and computer operatorsd. between technical services and data center
ANS: B
16. A key control concern is that certain people within an organization have easy access to applications programs and data files. The people are:a. data librariansb. systems programmers
c. systems developmentd. data center managers
ANS: B
17. Which of the following has the major duties of prioritizing and selecting IT projects and resourcesa. steering committeeb. security officerc. CIOd. systems development manager
ANS: A
18. Which of the following has the responsibility to ensure security of all IT resources?a. steering committeeb. security officerc. CIOd. systems development manager
ANS: B
19. Which of the following has the responsibility of efficient and effective operation of the information systems functions?a. steering committeeb. security officerc. CIOd. systems development manager
ANS: C
20. In an information systems organizational structure, the function of ____ is a central point from which to control data and is a central point of vulnerability.a. data controlb. data preparation (data entry)c. data librariand. database administration
ANS: D
21. The control concern that there will be a high risk of data conversion errors relates primarily to which of the following information systems functions?a. data controlb. data preparation (data entry)c. data librariand. database administration
ANS: B
22. The controlled access to files, programs, and documentation is a principal responsibility of which of the following functions?a. data controlb. data preparation (data entry)c. data librariand. computer operator
ANS: C
23. Which of the following is not one of COBIT’s four broad IT control process domains?a. plan and organizeb. acquire and implementc. development of IT solutionsd. monitor and evaluate
ANS: C
24. Which of the following is not an important strategic planning process?a. IT-related requirements to comply with industry, regulatory, legal, and contractual
obligations, including privacy, transborder data flows, e-business, and insurance contractsb. an information architecture model encompassing the corporate data model and associated
information systemsc. The organization should adopt the systems development life cycle to ensure that
comprehensive documentation is developed for each applicationd. an inventory of current IT capabilities
ANS: C
25. Which one of the following is one of the two organization control plans that the book concentrates on?a. segregation of duties control planb. the information systems organizationc. selection and hiring control plansd. both a and b above
ANS: D
26. The segregation of duties control plan consists of separating all of the following event-processing functions except:a. planning eventsb. authorizing eventsc. executing eventsd. recording events
ANS: A
27. A warehouse clerk manually completing an order document and forwarding it to purchasing for approval is an example of:a. authorizing eventsb. executing eventsc. recording eventsd. safeguarding resources
ANS: B
28. The data entry clerk types data from an order form into an on-line computer through a pre-formatted screen. This is an example of:a. authorizing eventsb. executing eventsc. recording eventsd. safeguarding resources
ANS: B
29. Approving a customer credit purchase would be an example of which basic events processing function?a. authorizing eventsb. executing eventsc. recording eventsd. safeguarding resources
ANS: A
30. An employee of a warehouse is responsible for taking a computer-generated shipping list, pulling the items from the warehouse shelves and placing them in a bin which is transferred to shipping when the list is completely filled. This is an example of:a. authorizing eventsb. executing eventsc. recording eventsd. safeguarding resources
ANS: B
31. An outside auditing firm annually supervises a physical count of the items in a retail store's shelf inventory. This is an example of:a. authorizing eventsb. executing eventsc. recording eventsd. safeguarding resources
ANS: D
32. A warehouse supervisor prepares a sales order listing items to be shipped to a customer and then signs it authorizing the removal of the items from the warehouse. The supervisor is performing which functions?a. authorizing events and safeguarding of resourcesb. executing and recording eventsc. authorizing and executing eventsd. authorizing and recording events
ANS: C
33. A clerk receives checks and customer receipts in the mail. He endorses the checks, fills out the deposit slip, and posts the checks to the cash receipts events data. The clerk is exercising which functions?a. recording and executing eventsb. authorizing and executing eventsc. recording and authorizing eventsd. safeguarding of resources and authorizing events
ANS: A
34. When segregation of duties cannot be effectively implemented because the organization is too small, we may rely on a more intensive implementation of other control plans such as personnel control plans. This is called:a. collusion controlsb. compensatory controlsc. authorizing controlsd. inventory controls
ANS: B
35. A method of separating systems development and operations is to prevent programmers from a. performing technical servicesb. performing database administrationc. handling accounting operationsd. operating the computer
ANS: D
36. Which of the following control plans is not a retention control plan?a. creative and challenging work opportunitiesb. occasional performance evaluationsc. competitive reward structured. viable career paths
ANS: B
37. Personnel development control plans consist of each of the following except:a. checking employment referencesb. providing sufficient and timely trainingc. supporting employee educational interests and pursuitsd. performing scheduled evaluations
ANS: A
38. The primary reasons for performing regular employee performance reviews include all of the following except:a. determine whether an employee is satisfying the requirements indicated by a job
descriptionb. assess an employee's strengths and weaknessesc. assist management in determining salary adjustments, promotions, or terminationsd. develop a strategy for filling necessary positions
ANS: D
39. A policy that requires employees to alternate jobs periodically is called:a. segregation of dutiesb. forced vacationsc. rotation of dutiesd. personnel planning
ANS: C
40. A control plan that is designed to detect a fraud by having a second person periodically do the job of the perpetrator of the fraud is called:a. segregation of dutiesb. forced vacationsc. periodic auditsd. management control
ANS: B
41. A mechanism by which a company is reimbursed for any loss that occurs when an employee commits fraud is called a:a. segregation of dutiesb. fidelity bond
c. personnel planning controld. termination control plan
ANS: B
42. Which of the following personnel security control plans is corrective in nature as opposed to being a preventive or detective control plan?a. rotation of dutiesb. fidelity bondingc. forced vacationsd. performing scheduled evaluations
ANS: B
43. Personnel termination control plans might include all of the following except:a. require immediate separationb. identify the employee's reasons for leavingc. establish a policy of forced vacationsd. collect the employee's keys, badges, etc.
ANS: C
44. The term systems development life cycle (SDLC) can mean any of the following except:a. a formal set of activities or process used to develop and implement a new or modified
information systemb. the documentation that specifies the systems analysis processc. the documentation that specifies the systems development processd. the progressing of information systems through the systems development process, from
birth through ongoing use of the system
ANS: B
45. Instructions for computer setup, required data, restart procedures, and error messages are typically contained in a(n):a. systems development standards manualb. program documentation manualc. operations run manuald. application documentation manual
ANS: C
46. Application documentation that describes the application and contains instructions for preparing inputs and using outputs is a(n):a. operations run manualb. user manualc. program documentationd. systems documentation
ANS: B
47. The six stages reflected in a business continuity management life cycle are (in sequential order):a. establish a formal business continuity management program, understand your business,
create business continuity strategies, develop and implement a business continuity management response, build and embed a business continuity management culture, maintain and audit the plan
b. understand your business, develop and implement a business continuity management
response, create business continuity strategies, build and embed a business continuity management culture, maintain and audit the plan, establish a formal business continuity management program
c. understand your business, build and embed a business continuity management culture, create business continuity strategies, develop and implement a business continuity management response, maintain and audit the plan, establish a formal business continuity management program
d. understand your business, establish a formal business continuity management program, create business continuity strategies, develop and implement a business continuity management response, build and embed a business continuity management culture, maintain and audit the plan,
ANS: A
48. Alternative names for contingency planning include all of the following except:a. disaster recovery planningb. business interruption planningc. business disaster planningd. business continuity planning
ANS: C
49. Which backup approach is the one that involves running two processing sites that contain the application programs and updated master data throughout normal processing activities?a. mirror siteb. electronic vaultingc. continuous data protection (CDP)d. dumping
ANS: C
50. All of the following are components of a backup and recovery strategy except:a. echo checkingb. mirror sitec. electronic vaultingd. hot site
ANS: A
51. Which of the following statements related to denial of service attacks is false?a. Insurance is available to offset the losses suffered by denial of service attacks.b. A denial of service attack is designed to overwhelm a web site, making it incapable of
performing normal functions.c. Web sites can employ filters to detect multiple messages from a single site.d. The most effective attacks originate from a small cluster of computers in a remote
geographic region.
ANS: D
52. In an on-line computer system, restricting user access to programs and data files includes all of the following except:a. user identificationb. user authenticationc. determining user access rightsd. wearing identification badges
ANS: D
53. Security modules are examples of:a. department controlsb. preventive controlsc. corrective controlsd. management controls
ANS: B
54. Which of the following controls restrict access to programs, data, and documentation that are stored off-line in a physically controlled area?a. library controlsb. password controlsc. authentication controlsd. program change controls
ANS: A
55. A portion of the threat monitoring portion of the security module that profiles the typical behavior of users and can detect exceptional activity is known as:a. biometricsb. electronic vaultingc. intrusion detection systems (IDS)d. cost variance analysis
ANS: C
56. Protecting resources against environmental hazards might include all of the following control plans except:a. fire alarms and smoke detectorsb. automatic extinguisher systemsc. voltage regulatorsd. security modules
ANS: D
57. Which of the following statements regarding computer hacking is false?a. Some hackers use a sniffer programs that travel over telephone lines collecting passwords.b. Accountants can be engaged to test system security by attempting to hack into a system.c. Computer hacking is an intrusion into an information system from a person outside the
organization.d. Hackers can obtain user names and passwords by posing as a legitimate employee and
requesting sensitive information from another employee.
ANS: C
COMPLETION
1. ______________________________ consists of the leadership, organizational structures, and processes that ensure that the enterprises’s IT sustains and extends the organization’s strategies and objectives.
ANS: IT governance
2. Data in all their forms that are input, processed, and output by information systems is the IT resource ____________________.
ANS: information
3. IT resource that are automated systems and manual procedures that process information _________________________.
ANS: applications
4. The system of controls used in this text consists of the ______________________________, ____________________ control plans, and business process (and application) control plans.
ANS:control environmentpervasive (and general and IT general)
5. As used in the text, the information systems organization is synonymous with the ______________________________.
ANS: IT department
6. The function composed of people, procedures, and equipment that is typically called the information systems department, IS department, or IT department is the _____________________________________________.
ANS: information systems organization
7. The function with the principal responsibilities of guiding and advising the information systems function is the ______________________________.
ANS: IT steering committee
8. The function with the principal responsibilities of insuring the security of all information systems function resources is the ______________________________.
ANS: security officer
9. The information systems function ______________________________ conducts reviews to determine adherence to IT standards and procedures and achievement of IT objectives.
ANS: quality assurance
10. Within the data center, the ______________________________ group is responsible for routing all work in to and out of the data center, correcting errors, and monitoring all error correction.
ANS: data control
11. The information systems function ______________________________ provides efficient and effective operation of the computer equipment by performing tasks such as mounting tapes, disks, and other media and monitoring equipment operation.
ANS: computer operations
12. Within the data center, the ______________________________ function grants access to programs, data, and documentation to authorized personnel only.
ANS: data librarian
13. Combining the functions of authorizing and executing events is a violation of the organizational control plan known as ______________________________.
ANS: segregation of duties
14. Segregation of duties consists of separating the four functions of authorizing events, ____________________ events, ____________________ events, and safeguarding the resources resulting from consummating the events.
ANS: executing, recording
15. ____________________ is any fraud committed by two or more individuals or departments.
ANS: Collusion
16. A small organization that does not have enough personnel to adequately segregate duties must rely on alternative controls, commonly called ___________________________________.
ANS: compensatory controls
17. The functions of the ______________________________ commonly include assigning passwords and implementing and monitoring many of the pervasive resource security control plans.
ANS: security officer
18. The ___________________________________ coordinates the organizational and IT strategic planning processes and reviews and approves the strategic IT plan.
ANS:information technology steering committeeIT steering committee
19. The policy of requiring an employee to alternate jobs periodically is known as ______________________________.
ANS: rotation of duties
20. ______________________________ is a policy of requiring an employee to take leave from the job and substituting another employee in his or her place.
ANS: Forced vacations
21. A(n) ______________________________ indemnifies a company in case it suffers losses from defalcations committed by its employees.
ANS: fidelity bond
22. The ______________________________ is a formal set of activities, or a process, used to develop and implement a new or modified information system.
ANS:system development life cycleSDLC
23. Computer software that is used to facilitate the execution of a given business process is called ___________________________________.
ANS: application software
24. The ____________________ documentation provides an overall description of the application, including the system's purpose; an overview of system procedures; and sample source documents, outputs, and reports.
ANS: systems
25. ____________________ documentation provides a description of an application computer program and usually includes the program's purpose, program flowcharts, and source code listings.
ANS: Program
26. The ______________________________ gives detailed instructions to computer operators and to data control about a particular application.
ANS: operations run manual
27. The _________________________ describes user procedures for an application and assists the user in preparing inputs and using outputs.
ANS: user manual
28. ______________________________ are documentation that helps users learn their jobs and perform consistently in those jobs.
ANS: Training materials
29. ________________________________________ provide assurance that all program modifications are authorized and that the changes are completed, tested, and properly implemented.
ANS: Program change controls
30. The terms ____________________ planning, disaster recovery planning, business interruption planning, and business continuity planning have all been used to describe the backup and recovery control plans designed to ensure that an organization can recover from a major calamity.
ANS: contingency
31. A technique known as ___________________________________ uses a service whereby data changes made on a computer are automatically transmitted over the Internet on a continuous basis to an off-site server maintained by a third party.
ANS: electronic vaulting
32. The data replication strategy known as ________________________________________ whereby all data changes are saved to secondary systems as the changes are happening on the primary system.
ANS:continuous data protectionCDP
33. The disaster recovery strategy known as a(n) ____________________ is a fully equipped data center that is made available on a standby basis to client companies for a monthly subscriber's fee.
ANS: hot site
34. A facility usually comprising air-conditioned space with a raised floor, telephone connections, and computer ports, into which a subscriber can move equipment, is called a(n) ____________________.
ANS: cold site
35. In a ___________________________________ a web site is overwhelmed by an intentional onslaught of thousands of simultaneous messages, making it impossible for the attacked site to engage in its normal activities.
ANS: denial of service attack
36. ____________________ identification systems identify authorized personnel through some unique physical trait such as fingers, hands, voice, eyes, face, and writing dynamics.
ANS: Biometric
37. A(n) ____________________ is a technique to protect one network from another "untrusted" network.
ANS: firewall
38. The most common biometric devices read ____________________.
ANS:fingerprintsthumbprints
39. In an online environment, the operating system software generally includes a(n) ______________________________ designed to restrict access to programs and data.
ANS: security module
40. In an online computer environment, the accumulation of access activity and its review by the security officer is also called ______________________________.
ANS: threat monitoring
41. Periodic cleaning, testing, and adjusting of computer equipment is referred to as ______________________________.
ANS: preventive maintenance
42. ______________________________ is the intentional penetration of an organization's computer system, accomplished by bypassing the system's access security controls.
ANS:Computer hackingComputer cracking
43. We periodically make copies of important stored data, programs, and documentation. These copies are called ____________________.
ANS: backups
44. The process whereby we restore lost data and continue operations is called ____________________.
ANS: recovery
45. The computing site that maintains copies of a primary computing site’s programs and data is a ____________________ site.
ANS: mirror
46. In a ___________________________________ a Web site is overwhelmed by an intentional onslaught of thousands of simultaneous messages making it impossible for the attached site to engage in its normal activities.
ANS: denial-of-service attack
47. A _____________________________________________ uses many computers, called zombies, that unwittingly cooperate in a denial-of-service attack by sending messages to the target Web site.
ANS: distributed denial-of-service attack
48. A ____________________ is a technique to protect one network from another “untrusted” network by blocking certain kinds of traffic.
ANS: firewall
49. The ___________________________________ is the threat monitoring portion of the security module that monitors system and network resources and activities and “learns” how users typically behave on the system.
ANS:intrusion-detection systemIDS
50. The ___________________________________ actively blocks unauthorized traffic using rules specified by the organization.
ANS:intrusion-prevention systemIPS
PROBLEM
1. Below is an alphabetical list of ten functional titles for the information systems organization structure shown in Chapter 8. The second list contains descriptions (some partial) of the duties and responsibilities of ten of the functions.
Required:
On the blank line to the left of each numbered description, place the capital letter of the functional title that best matches the duties and responsibilities described. Do not use a letter more than once.
Functional TitleA. Quality assurance F. Systems programmingB. Data control G. Technical services managerC. Data librarian H. CIOD. Data preparation I. Steering committeeE. Systems development J. Security officer
Answers DUTIES AND RESPONSIBILITIES
_____ 1. Deliver cost-effective, bug-free applications.
_____ 2. Route work into and out of the data center, correct errors, monitor all error correction.
_____ 3. Plan IT acquisition and development.
_____ 4. Conduct reviews to determine adherence to IT standards and procedures and achievement of IT objectives.
_____ 5. Issue programs, files, and documentation to authorized users.
_____ 6. Manage functional units such as networks, CAD/CAM, systems programming, and program maintenance.
_____ 7. Modify and adapt operating systems software and various utility routines.
_____ 8. Enter (convert) data into machine-readable form.
_____ 9. Physical security
_____ 10. Prioritize and select IT projects and resources
ANS:
Duties andresponsibilities
Description Answer1 E2 B
3 H4 A5 C6 G7 F8 D9 J10 I
2. The four events-processing functions that constitute the segregation of duties control plan are:
A. Authorizing eventsB. Executing eventsC. Recording eventsD. Safeguarding resources resulting from consummating events
Required:
Below is a list of ten events-processing activities, five relating to the cycle of activities involved in processing a sales event and five relating to the cycle for a purchase event. Classify each of the ten activities into one of the four functional categories listed above by placing the letter A, B, C, or D on the answer line to the left of each number. You should use only one letter for each of the ten answers.
EVENT-PROCESSING ACTIVITIES
Answers (For a sales event)
_____ 1. The order entry department instructs the shipping department to ship goods to a customer by sending an approved document to the shipping department.
_____ 2. The shipping department keeps inventory items in a locked storeroom.
_____ 3. The billing department prepares and mails a bill to the customer.
_____ 4. The invoice in item 3 is added to the customer balance in the accounts receivable master data.
_____ 5. The general ledger bookkeeper enters a sales event in a data file.
(For a purchase event)
_____ 6. The purchasing department is requested to order goods
_____ 7. The purchasing department receives a signed request document from the
inventory control department.
_____ 8. The purchasing department manager reviews and signs all order documents in excess of $100.
_____ 9. The goods are received from the vendor
_____ 10. The receiving department completes the receiving report
_____ 11. The goods received in item 8 are placed into the locked inventory storeroom.
_____ 12. A payable is recognized by updating the accounts payable master data.
ANS:
TransactionActivity Answer
1 A2 D3 B4 C5 C6 B7 A8 A9 B10 C11 D12 C
3. Listed below are several pervasive control plans discussed in Chapter 8. On the blank line to the left of each control plan, insert a "P" (preventive), "D" (detective), or "C" (corrective) to best classify that control. If you think that more than one code could apply to a particular plan, insert all appropriate codes and briefly explain your answer:
CODE CONTROL PLAN
_____ 1. Hot site
_____ 2. Program change controls
_____ 3. Fire and water alarms
_____ 4. Adequate fire and water insurance
_____ 5. Install batteries for temporary loss in power
_____ 6. Continuous-data protection (CDP)
_____ 7. Intrusion-detection system (IDS)
_____ 8. IT steering committee
_____ 9. Security officer
_____ 10. Operations run manuals
_____ 11. Rotation of duties and forced vacations
_____ 12. Fidelity bonding
_____ 13. Personnel performance evaluations
_____ 14. Personnel termination procedures
_____ 15. Segregation of duties
_____ 16. Threat monitoring
_____ 17. Disaster recovery planning
_____ 18. Restrict entry to the computer facility through the use of security guards, locks, badges, and identification cards
_____ 19. Security module
_____ 20. Library controls
ANS:
CODE CONTROL PLAN
__P__ 1. Hot site
__P__ 2. Program change controls
__P__ 3. Fire and water alarms
__C__ 4. Adequate fire and water insurance
__C__ 5. Install batteries for temporary loss in power
__C__ 6. Continuous-data protection (CDP)
__D__ 7. Intrusion-detection system (IDS)
__P__ 8. IT steering committee
__P__ 9. Security officer
__P__ 10. Operations run manuals
P or D 11. Rotation of duties and forced vacations
__C__ 12. Fidelity bonding
P or D 13. Personnel performance evaluations
__P__ 14. Personnel termination procedures
P or D 15. Segregation of duties
__P__ 16. Threat monitoring
__C__ 17. Disaster recovery planning
__P__ 18. Restrict entry to the computer facility through the use of security guards, locks, badges, and identification cards
P or D 19. Security module
P or D 20. Library controls
4. The first list below contains 10 control plans discussed in Chapter 8. The second list describes 10 system failures that have control implications.
Required:
On the answer line to the left of each system failure, insert the capital letter from the first list of the best control plan to prevent the system failure from occurring. If you can't find a control that will prevent the failure, then choose a detective or a corrective plan. A letter should be used only once.
Control PlansA. Personnel development control plansB. Operations run manualsC. Disaster recovery plansD. Program change controlsE. Librarian controlsF. Segregation of systems development and programming from computer operationsG. Retention control plansH. Restriction of physical access to computer resourcesI. Segregation of recording events from safeguarding resourcesJ. Biometric identification system
Answers SYSTEM FAILURES
_____ 1. The controller at Infotech, Inc., has just completed an analysis of personnel costs and believes that the costs associated with training new personnel is too high. She attributes this high cost to the increasing rate at which employees are being hired to replace defections to Infotech's competitors.
_____ 2. Paul the programmer has modified the accounts receivable statement program so that the receivables from his cousin Peter will be eliminated from the accounts receivable master file upon printing of the monthly statements. Paul made these changes to the program while he was operating the computer on a Saturday morning.
_____ 3. When the hurricane hit the coast, Soggy Records Company lost the use of its flooded computer room. In such cases, plans called for using an alternate computer center 100 miles inland. However, Soggy was unable to operate in the alternate facility because the company's programs and files were lost in the flooded computer facility.
_____ 4. All the files were lost at the Stoughton Company when a visitor sat down at a computer terminal, signed on using one of the passwords posted on the computer terminals, and erased some of the data files.
_____ 5. Sally is the inventory control/warehouse clerk at Techtron Inc. She has been
stealing secret computer components from the warehouse, selling them to foreign agents, and covering up her thefts by altering the inventory records.
_____ 6. At Maralee Company, there seems to be a lack of progression from lower to middle management. Edward, the director of personnel, believes that the people being hired have great potential, but they are just not realizing their potential.
_____ 7. Roger, the night-shift computer operator, has had occasion several times in the last month to call his supervisor to receive assistance--over the telephone--to correct a problem that he was having in operating the computer.
_____ 8. Mary had become quite unhappy with her job at Funk, Inc. She knew that she was going to quit soon and decided to destroy some computer files. Using her own username and password, she found several disk packs on a table outside the computer room and proceeded to "erase" the data with a powerful magnet. After Mary's departure, Funk spent several months reconstructing the data that had been on the lost files.
_____ 9. One of the inventory control programs at Excess Company has been ordering more inventory than is required, causing an overstock condition on many items. During an investigation of the problem, it was discovered that the inventory ordering program had recently been changed. The changes were approved, but the new program was never tested.
_____ 10. Sydney, the computer operator, did not want to go to work one day because he wanted to go sailing. He gave his ID card to his cousin Vinny who went to work for him. Even though he was a computer operator, Vinny did not know how to operate this computer. He made mistakes and destroyed some data.
ANS:
SystemFailureNumber Answer
1 G2 F3 C4 H5 I6 A7 B8 E9 D10 J
5. The first list below contains 10 control plans discussed in Chapter 8. The second list describes 10 system failures that have control implications.
Required:
On the answer line to the left of each system failure, insert the capital letter from the first list of the best control plan to prevent the system failure from occurring. (If you can't find a control that will prevent the failure, then choose a detective plan or, as a last resort, a corrective control plan). A letter should be used only once.
Control PlansA. Selection and hiring control plansB. Documentation control plansC. Segregation of programmers from computer operationsD. Forced vacationsE. Biometric identification systemF. Fire-protection control plansG. IT steering committeeH. Off-site storage of back up computer filesI. Program change controlsJ. Continuous-data protection (CDP)
Answers SYSTEM FAILURES
_____ 1. While moving the new payroll program from testing status into production status, Peter the programmer made a change to the program and then go to computer operations so that each time payroll was run, his pay would be incremented by 10%.
_____ 2. Cary enters cash receipts into the computer at Kiting Inc. For the past year she has been pocketing customer payments. To keep herself from being discovered, she enters credit memos into the computer, which records them as reductions in the customers' accounts receivable records--as if the payment had been made.
_____ 3. Procedures for the approval of orders have been put in place at Overstock Company. Clyde, the new purchasing agent, was given a briefing on these procedures when he was hired and has been applying those procedures as best as he can remember them. Consequently, Clyde sometimes orders more inventory than is required.
_____ 4. The new sales reporting system includes a computer printout that was supposed to report daily sales to the V.P. of marketing. The report was never tested and contains erroneous sales figures and is not presented in the format required by the V.P.
_____ 5. There was a flood and all of the computers and all their data were destroyed.
_____ 6. Freida was just hired as a computer operator at Vertigo Inc. Just a few days after being hired, she discovered that she would not be allowed to spend some of her time writing computer programs. This was contrary to what she was told initially, and she is now quite unhappy with her circumstances.
_____ 7. After careful screening and selection of employees, an organization issues its employees name badges with magnetic strips that stores the employees' personal information. Employees in the IT function can scan the badges to gain entry into various rooms within the IT center. Recently management discovered that employees are sharing their badges to enable them to gain access to every room in the facility.
_____ 8. A fire at the Mitre Corporation caused the release of a poisonous gas which contaminated the entire building. While the computer files were not destroyed during the fire, they were contaminated and cannot be removed from the building and personnel cannot enter the building. It took several months to recreate the computer files.
_____ 9. Sandisfield, Inc. has many IT projects under consideration for development. The CFO has some political connections with the CIO and so financial applications are given a green light for development while projects for marketing and logistics are put on hold.
______ 10. Jet Red Airlines, a new, low-cost start-up airline, has decided to operate its own Web site and reservation system that is running on servers located at the headquarters. One day, the server room was flooded, the reservation system was not available for many hours, and many reservations were lost.
ANS:
SystemFailureNumber Answer
1 C2 D3 B4 I5 H6 A7 E8 F9 G10 J