ACCOUNTING INFORMATION SYSTEMS
CONTROLS AND PROCESSES
TURNER / WEICKGENANNT
CHAPTER 4: Internal Controls and Risks in IT Systems
TEST BANK - CHAPTER 4 - TRUE / FALSE
1 If a company’s IT system fails, it would have little or no effect on the company’s operations.
2 It is necessary for students and accountants to understand the types of threats that may
affect an accounting system, so that the threats can be avoided.
3 It is important for accountants to consider possible threats to the IT system and to know how
to implement controls to try to prevent those threats from becoming reality.
9 Application controls are intended to ensure that inputs and processing are accurate and
complete and that outputs are properly distributed, controlled, and disposed of.
13 Biometric devices use unique physical characteristics to identify users. The most common
method used is retina scans.
14 There are a number of methods described that are intended to limit log-ins exclusively to
authorized users. The only method that is foolproof is the biometric devices.
15 The user ID and password for a particular user should not allow access to the configuration
tables unless that user is authorized to change the configuration settings.
16 It is necessary for an IT system to be networked to the external internet to be open to
opportunities for unauthorized access.
24 Using a unique service set identifier (SSID) makes it more difficult for an outsider to access
the wireless network.
25 The VPN, virtual private network, uses the internet and is therefore not truly private – but is
virtually private.
26 Once an organization has set up an effective system to prevent unauthorized access to the IT
system, it is not necessary to continually monitor the vulnerability of that system.
27 It is important to understand that the IT governance committee delegates many of its duties
by the policies that it develops.
28 The most important factor in controlling IT systems is the maintenance of the vulnerability
assessment activities.
29 In a properly segregated IT system, no single person or department should develop computer
programs and also have access to data that is commensurate with operations personnel.
30 It is proper that the database administrator develop and write programs.
31 To the extent possible, IT systems should be installed in locations away from any location
likely to be affected by natural disasters.
34 Each organization has to decide which combination of IT controls is most suitable for its IT
system, making sure that the benefits of each control outweigh its costs.
35 Controls will help to reduce risks, but it is impossible to completely eliminate risks.
38 Employees who hack into computer networks are often more dangerous because of their
knowledge of company operations.
41 Controlling access to the operating system is critical because that access opens access to any
data or program within the system.
42 A database is often less open to unauthorized access than the physical, paper records,
because the database has fewer access points.
43 The workstations and the network cabling and connections represent spots where an intruder
could tap into the network for unauthorized access.
44 In a wireless network, signals are transmitted through the air rather than over cables. Anyone
who wants to gain access to the network would need to know the password to access these
“air-borne” signals.
FALSE
45 The use of dual firewalls - one between the internet and the web server and one between the
web server and the organization’s network - can help prevent unauthorized users from accessing the organization’s internal network of computers.
46 Telecommuting workers cause two sources of risk exposures for their organizations - the
network equipment and cabling in addition to the teleworker’s computer - with the only point of exposure being the teleworker’s computer.
47 Many IT systems do not use source documents; the input is automatic.
48 If no source documents are used by the IT system, then the general controls, such as
computer logging of transactions, become less important.
49 The group of controls referred to as Source Document Controls does not include form design.
50 The closer the source document matches the input screen, the easier it will be for the data
entry employee to complete the input screen without errors.
51 Form authorization and control includes the requirement that source documents should be prenumbered and used in sequence.
52 Once the data from the source documents have been keyed into the computer, the source
documents can be destroyed.
53 With proper training of employees and adequate controls, it would be possible to
eliminate all errors.
54 To verify the accuracy of application software, an organization should be sure the software is
tested before it is implemented and must regularly test it after implementation.
55 An organization must maintain procedures to protect the output from unauthorized access in
the form of written guidelines and procedures for output distribution.
56 Management must discourage illegal behavior by employees, such as the misuse of computers
and theft through the computer systems.
TEST BANK - CHAPTER 4 - MULTIPLE CHOICE
57 Unchecked risks and threats to the IT system could result in:
A An interruption of the computer operations
B Damage to an organization
C Incorrect or incomplete accounting information
D All of the above
58 In order to master risks and controls and how they fit together, which of the following is NOT one of the areas to fully understand?
A The accounting information system
B The description of the general and application controls that should exist in an IT system
C The type and nature of risks in IT systems
D The recognition of how controls can be used to reduce risk
59 General controls in IT systems are divided into five broad categories. Which of the following is NOT one of those categories?
A Authentication of users and limiting unauthorized access
B Output controls
C Organization structure
D Physical environment and physical security of the system
60 A process or procedure in an IT system to ensure that the person accessing the IT system is valid and authorized is called:
A Hacking and other network break-ins
B Physical environment and physical security
C Authentication of users and limiting unauthorized access
62 Which of the following is NOT one of the rules for the effective use of passwords?
A Passwords should not be case sensitive
B Passwords should be at least 6 characters in length
C Passwords should contain at least one nonalphanumeric character
D Passwords should be changed every 90 days
63 Which of the following is not a good example of an effective password?
66 The use of smart cards or security tokens is referred to as two-factor authentication because:
because:
A It is based on something the user has, the token or card, and something the user knows,
the password
B It requires that the user is granted the card / token in a secure environment and that the
user actually uses the card / token
C It requires that the user has two different authorizations: (1) to receive the card / token,
and (2) to use the card / token
D It requires the use of the card / token to (1) login to the system and (2) access the
A Any login or use abnormalities can be examined in more detail to determine any
weaknesses in the login procedures
B A user cannot deny any particular act that he or she did on the system
C To establish nonrepudiation of sales transactions by a customer
D To establish a user profile
70 This should be established for every authorized user and determines each user’s access level to hardware, software, and data according to the individual’s job responsibilities
72 The IT system includes this type of table for software, hardware, and application programs; it contains the appropriate set-up and security settings:
A Configuration table
B Authentication table
C User table
D Authority table
73 Nonrepudiation means that:
A A user is not authorized to change configuration settings
B A user is not allowed access to the authority tables
C A user can prevent the unauthorized flow of data in both directions
D A user cannot deny any particular act that he or she did on the IT system
74 Hardware, software, or a combination of both that is designed to block unauthorized access to
76 This form of encryption uses a single encryption key that must be used to encrypt data and also
to decode the encrypted data
A Wired Equivalency Privacy (WEP)
B Wired Encryption Policy (WEP)
C Wireless Protection Access (WPA)
D Wired Privacy Authentication (WPA)
79 This encryption method requests connection to the network via an access point, and that point then requests the user identity and transmits that identity to an authentication server,
thereby authenticating both the computer and the user:
A Wired Equivalency Privacy (WEP)
B Wired Encryption Provider (WEP)
C Wireless Provider Authentication (WPA)
D Wireless Protection Access (WPA)
80 This security feature, used on wireless networks, is a password that is passed between the sending and receiving nodes of a wireless network
A Secure sockets layer
B Service set identifier
C Wired provided access
D Virtual private network
81 Authorized employees may need to access the company IT system from locations outside the organization. These employees should connect to the IT system using this type of network:
A Secure socket network
B Service set identifier
C Virtual private network
D Wireless encryption portal
82 This type of network uses tunnels, authentication, and encryption within the Internet network to isolate Internet communications so that unauthorized users cannot access or use certain data:
A Residential user network
B Service internet parameter network
C Virtual private network
D Virtual public network
83 This communication protocol is built into web server and browser software and encrypts data transferred on that website. You can determine if a website uses this technology by looking at the URL:
A Secure sockets layer
B Service security line
C Secure encryption network
D Secure service layer
84 Which of the following URL’s would indicate that the site is using browser software that encrypts data transferred to the website?
A shttp://misu
B https://misu
C http://smisus
D https://smisus
85 A self-replicating piece of program code that can attach itself to other programs and data and perform malicious actions is referred to as a(n):
91 The process of legitimately attempting to hack into an IT system to find whether weaknesses can be exploited by unauthorized hackers is referred to as:
93 Which of the following would normally not be found on the IT Governance Committee?
A Computer input operators
B Chief Executive Officer
C Chief Information Officer
D Heads of business units
94 The IT Governance Committee has several important responsibilities Which of the following is not normally one of those responsibilities?
A Align IT investments to business strategies
B Oversee and prioritize changes to IT systems
C Develop, monitor, and review security procedures
D Investing excess IT funds in long-term investments
95 The functional responsibilities within an IT system must include the proper segregation of duties Which of the following positions is not one of the duties that are to be segregated from the others?
97 General controls for an IT system include:
A Controls over the physical environment only
B Controls over the physical access only
C Controls over the physical environment and over the physical access
D None of the above
98 A battery that maintains power in the event of a power outage, meant to keep the computer
running for several minutes after the outage, is called:
A Uninterruptible power supply
B System power supply
C Emergency power supply
D Battery power supply
99 An alternative power supply that provides electrical power in the event that a main source is lost
is called:
A Uninterruptible power supply
B System power supply
C Emergency power supply
D Battery power supply
100 Large-scale IT systems should be protected by physical access controls Which of the following
is not listed as one of those controls?
A Limited access to computer rooms
B Video surveillance equipment
C Locked storage of backup data
D Encryption of passwords
101 A proactive program for considering risks to the business continuation and the development of plans and procedures to reduce those risks is referred to as:
A Redundant business planning
B Business continuity planning
C Unnecessary in the current safe environments
D Emergency backup power
102 Two or more computer networks or data servers that can run identical processes or maintain the same data are called:
A Emergency power supply
B Uninterruptible power source
C Redundant servers
D Business continuity planning
103 Many IT systems have redundant data storage such that two or more disks are exact mirror images. This is accomplished by the use of:
A Redundant arrays of independent disks
B Redundant mirror image disks
C Mirror image independent disks
D Redundant mirror image dependent disks
104 The AICPA Trust Principles categorizes IT controls and risks into categories Which of the
following is not one of those categories?
A Confidentiality
B Security
C Recovery
D Availability
105 The establishment of log-in procedures can help prevent or lessen security risks and is referred
106 Availability risks, related to the authentication of users would include:
A Shutting down the system and shutting down programs
B Altering data and repudiating transactions
C Stealing data and recording nonexistent transactions
D Sabotaging systems and destroying data
107 The accuracy, completeness, and timeliness of the process in IT systems are referred to as:
A Availability Risks
B Security Risks
C Confidentiality Risks
D Processing Integrity Risks
108 The software that controls the basic input and output activities of the computer is called:
A Operating System
B Application Software
C Data Base Management System
D Electronic Data Interchange
109 Unauthorized access to the operating system would allow the unauthorized user to:
A Browse disk files for sensitive data or passwords
B Alter data through the operating system
C Alter application programs
D All of the above
110 A software system that manages the interface between many users and the database is called:
A Database security system
B Database management system
C Database binary monetary system
D Database assessment
111 A computer network covering a small geographic area, which, in most cases, is within a single building or a local group of buildings, is called a:
A Land area network
B Local access network
C Local area network
D Locality arena network
112 A group of LANs connected to each other to cover a wider geographic area is called a:
A Connected local network
B Wide area network
C Connected wide area
D Wide geographic network
113 A popular activity is to find a company whose network signal bleeds outside the building to the sidewalk around it. Abusers of this network then make identifiable chalk marks on the sidewalks
so that others can find the network access. This process is referred to as:
A Chalkwalking
B Netwalking
C Network Warring
D Warchalking
114 The work arrangement where employees work from home using some type of network
connection to the office is referred to as:
118 This type of control is intended to ensure the accuracy and completeness of data input
procedures and the resulting data:
120 This type of control is intended to help ensure the accuracy, completeness, and security of outputs that result from application processing:
122 Which of the following is NOT one of the types of input controls?
A Source document controls
B Programmed edit checks
C Confidentiality check
D Control totals and reconciliation
123 The paper form used to capture and record the original data of an accounting transaction is called a(n):
C Form authorization and control
D Retention of source documents
125 The process where the details of individual transactions at each stage of the business process can be recreated in order to establish whether proper accounting procedures for the transaction were performed is called:
A Source document reconciliation
B Range check
C Validity verification
D Audit trail
126 The procedures to collect and prepare source documents are termed:
A Input validation procedures
B Form authorization procedures
C Data preparation procedures
D Document retention procedures
127 The data preparation procedures are to be well-defined so that employees will be sure of:
A Which forms to use
B When to use them
C Where to route them
D All of the above
128 Field check, limit check, range check and sequence check are all examples of:
A Input Validation Checks
B Source Document Controls
A Coded Digit Check
B Self-Checking Digit Check
C Sequence Check
D Run to Run Check
133 Which of the following is NOT one of the types of control totals?
A Digit Count
B Record Count
C Batch Totals
D Hash Totals
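Items 128 and 133 name the programmed edit checks (field, limit, range, sequence and self-checking digit) and the control totals (record count, batch total, hash total) without showing how they behave on real input. The Python below is an added worked example, not code from the textbook or the test bank: it runs those checks over a constructed batch of keyed sales lines, rejects the records that fail, and reconciles the control totals of the accepted records against an assumed batch header. The record layout, the quantity limit, the price range, the header values and the choice of the Luhn algorithm as the self-checking-digit scheme are all assumptions made for illustration.

```python
"""Programmed edit checks and control totals over a constructed batch of keyed sales lines.

Added example, not code from the textbook or the test bank. The record layout, the
quantity limit, the price range, the batch header values and the use of the Luhn
algorithm as the self-checking-digit scheme are assumptions made for illustration.
"""

# Constructed batch as keyed by a data-entry clerk: (seq_no, customer_id, qty, unit_price_cents).
# customer_id ends in a Luhn check digit (assumed scheme). Deliberate keying errors are noted.
BATCH = [
    ("0001", "79927398713", "5", "1999"),   # clean record
    ("0002", "79927398712", "2", "4500"),   # last digit of customer_id mistyped
    ("0003", "79927398713", "1O", "100"),   # letter O keyed instead of zero in qty
    ("0005", "79927398713", "900", "100"),  # document 0004 skipped; qty above limit
    ("0006", "79927398713", "3", "-5"),     # unit price outside the allowed range
]

# Batch header totals the data preparation clerk computed from the source documents (assumed).
HEADER = {"record_count": 5, "batch_total": 110010, "hash_total": 399636993564}

MAX_QTY = 500               # limit check: assumed policy ceiling for one line
PRICE_RANGE = (1, 100_000)  # range check: assumed lower and upper bounds in cents


def luhn_valid(digits: str) -> bool:
    """Self-checking digit: the final digit makes the Luhn sum divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_checks(rec: tuple) -> list[str]:
    """Field, self-checking-digit, limit and range checks on a single record."""
    seq_no, cust, qty, price = rec
    errors = []
    # Field check: each field must hold the type of data the layout expects.
    numeric = seq_no.isdigit() and cust.isdigit() and qty.isdigit()
    if not numeric or not price.lstrip("-").isdigit():
        errors.append("field")
        return errors       # the remaining checks need parsed numbers
    if not luhn_valid(cust):
        errors.append("check-digit")
    if int(qty) > MAX_QTY:  # limit check: value must not exceed a ceiling
        errors.append("limit")
    if not PRICE_RANGE[0] <= int(price) <= PRICE_RANGE[1]:  # range check: both bounds
        errors.append("range")
    return errors


def sequence_check(batch) -> list[str]:
    """Sequence check: prenumbered documents must arrive without gaps or duplicates."""
    seqs = [int(r[0]) for r in batch if r[0].isdigit()]
    if not seqs:
        return []
    missing = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs))
    dups = sorted({s for s in seqs if seqs.count(s) > 1})
    return [f"gap:{s:04d}" for s in missing] + [f"dup:{s:04d}" for s in dups]


def validate_batch(batch) -> dict[str, list[str]]:
    """Errors keyed by seq_no; batch-level sequence problems are keyed 'batch'."""
    result = {}
    for rec in batch:
        errs = edit_checks(rec)
        if errs:
            result[rec[0]] = errs
    seq_errors = sequence_check(batch)
    if seq_errors:
        result["batch"] = seq_errors
    return result


def control_totals(batch) -> dict[str, int]:
    """Record count, batch total (sum of line amounts) and hash total (sum of customer IDs)
    over the records that passed every edit check."""
    accepted = [r for r in batch if not edit_checks(r)]
    return {
        "record_count": len(accepted),
        "batch_total": sum(int(q) * int(p) for _, _, q, p in accepted),
        "hash_total": sum(int(c) for _, c, _, _ in accepted),
    }


def reconcile(header: dict, actual: dict) -> dict[str, int]:
    """Header minus actual for every control total that does not agree."""
    return {k: header[k] - actual[k] for k in header if header[k] != actual[k]}


if __name__ == "__main__":
    print(validate_batch(BATCH))
    print(reconcile(HEADER, control_totals(BATCH)))
```

The hash total adds up a field (customer ID) that has no accounting meaning; its only job is to change if any record is substituted or dropped, which a record count alone would miss. Every difference that `reconcile` reports must be explained by the records `validate_batch` rejected; once those are corrected and re-keyed, the totals agree and the reconciliation returns an empty dict.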