
Accounting Information Systems 10th Edition

Gelinas Test Bank



Chapter 8—Controlling Information Systems: Introduction to Pervasive Controls

TRUE/FALSE

1. IT governance is a process that ensures that the organization's IT sustains and extends the
organization's strategies and objectives.

ANS: T PTS: 1

2. According to COBIT, IT resources include applications, information, infrastructure, and people.

ANS: T PTS: 1

3. According to COBIT, IT resources must be managed by IT control processes to ensure that an
organization has the information it needs to achieve its objectives.

ANS: T PTS: 1

4. The system of controls used in this text consists of the control environment, pervasive control plans, IT
general controls, and business process and application control plans.

ANS: T PTS: 1

5. The information systems function is synonymous with the accounting function.

ANS: F PTS: 1

6. The function composed of people, procedures, and equipment that is typically called the information
systems department, IS department, or IT department is the information systems organization.

ANS: T PTS: 1

7. The IS function with the responsibility of guiding the IT organization in establishing and meeting user
information requirements is the IT steering committee.

ANS: T PTS: 1

8. The IS function with the principal responsibilities of ensuring the security of all IT resources is data
control.

ANS: F PTS: 1

9. The IS function of quality assurance conducts reviews to ensure the attainment of IT objectives.

ANS: T PTS: 1

10. The chief information officer (CIO) prioritizes and selects IT projects and resources.

ANS: F PTS: 1

11. Within the data center, the data control group is responsible for routing all work into and out of the
data center, correcting errors, and monitoring error correction.

ANS: T PTS: 1

12. The systems development function provides efficient and effective operation of the computer
equipment.

ANS: F PTS: 1

13. Within the data center, the data librarian function grants access to programs, data, and documentation.

ANS: T PTS: 1

14. Combining the functions of authorizing and executing events is a violation of the organizational
control plan known as segregation of duties.

ANS: T PTS: 1

15. Segregation of duties consists of separating the four functions of authorizing events, executing events,
recording events, and safeguarding the resources resulting from consummating the events.

ANS: T PTS: 1

16. Embezzlement is a fraud committed by two or more individuals or departments.

ANS: F PTS: 1

17. A small organization that does not have enough personnel to adequately segregate duties must rely on
alternative controls, commonly called resource controls.

ANS: F PTS: 1

18. The functions of the security officer commonly include assigning passwords and working with human
resources to ensure proper interview practices are conducted during the hiring process.

ANS: T PTS: 1

19. Individual departments coordinate the organizational and IT strategic planning processes and review
and approve the strategic IT plan.

ANS: F PTS: 1

20. The policy of requiring an employee to alternate jobs periodically is known as forced vacations.

ANS: F PTS: 1

21. Forced vacations is a policy of requiring an employee to take leave from the job and substitute another
employee in his or her place.

ANS: T PTS: 1

22. A fidelity bond indemnifies a company in case it suffers losses from defalcations committed by its
employees.

ANS: T PTS: 1

23. The WebTrust family of services offers best practices and e-business solutions related exclusively to
B2B electronic commerce.

ANS: F PTS: 1

24. Data encryption is a process that codes data to make it readable to the human eye.

ANS: F PTS: 1

25. Systems documentation provides an overall description of the application, including the system's
purpose; an overview of system procedures; and sample source documents, outputs, and reports.

ANS: T PTS: 1

26. Program documentation provides a description of an application program and usually includes the
program's purpose, program flowcharts, and source code listings.

ANS: T PTS: 1

27. The user manual gives detailed instructions to computer operators and to data control about a
particular application.

ANS: F PTS: 1

28. The operations run manual describes user procedures for an application and assists the user in
preparing inputs and using outputs.

ANS: F PTS: 1

29. Training materials help users learn their jobs and perform consistently in those jobs.

ANS: T PTS: 1

30. Program change controls provide assurance that all modifications to programs are authorized and
documented, and that the changes are completed, tested, and properly implemented.

ANS: T PTS: 1

31. Business continuity planning is the process that identifies events that may threaten an organization and
provide a framework whereby the organization will continue to operate when the threatened event
occurs or resume operations with a minimum of disruption.

ANS: T PTS: 1

32. COBIT 5 is more procedure-based than COBIT 4.1.

ANS: F PTS: 1

33. With continuous data protection (CDP) all data changes are date stamped and saved to secondary
systems as the changes are happening.

ANS: T PTS: 1

34. The disaster backup and recovery technique known as electronic vaulting is a service whereby data
changes are automatically transmitted over the Internet on a continuous basis to an off-site server
maintained by a third party.

ANS: T PTS: 1

35. The disaster recovery strategy known as a cold site is a fully equipped data center that is made
available to client companies for a monthly subscriber fee.

ANS: F PTS: 1

36. A facility usually comprised of air-conditioned space with a raised floor, telephone connections, and
computer ports, into which a subscriber can move equipment, is called a hot site.

ANS: F PTS: 1

37. In a logic bomb attack, a Web site is overwhelmed by an intentional onslaught of thousands of
simultaneous messages, making it impossible for the attacked site to engage in its normal activities.

ANS: F PTS: 1

38. Biometric identification systems identify authorized personnel through some unique physical trait such
as fingers, hands, voice, eyes, face, or writing dynamics.

ANS: T PTS: 1

39. Antivirus is a technique to protect one network from another "untrusted" network.

ANS: F PTS: 1

40. The most common biometric devices perform retinal eye scans.

ANS: F PTS: 1

41. Access control software ensures that only authorized users gain access to a system through a process
of identification and authentication.

ANS: T PTS: 1

42. Threat monitoring is a technique to protect one network from another "untrusted" network.

ANS: F PTS: 1

43. Application controls restrict access to data, programs, and documentation.

ANS: F PTS: 1

44. An intrusion-detection system (IDS) logs and monitors who is on or trying to access the network.

ANS: T PTS: 1

45. Intrusion-prevention systems (IPS) actively block unauthorized traffic using rules specified by the
organization.

ANS: T PTS: 1

46. Periodic cleaning, testing, and adjusting of computer equipment is referred to as preventative
maintenance.

ANS: T PTS: 1

47. Computer hacking and cracking is the intentional, unauthorized access to an organization's computer
system, accomplished by bypassing the system's access security controls.

ANS: T PTS: 1

MULTIPLE CHOICE

1. The use of IT resources for enterprise systems and e-business:
a. magnifies the importance of protecting the resources both within and outside of the
organization from risks
b. magnifies the importance of protecting the resources within but not outside of the
organization from risks
c. makes it easier to provide internal control risk when IT resources are interlinked
d. none of the above
ANS: A PTS: 1

2. Top 10 management concerns about IT's capability to support an organization's vision and strategy
include all except the following:
a. decline in IT investments during recession
b. overall security of IT assets
c. the Internet
d. need for project management leadership
ANS: C PTS: 1

3. Top security concerns reported by IT security professionals include all the following except:
a. data breaches
b. cyber crimes and cyber attacks
c. data backup
d. workforce mobility
ANS: C PTS: 1

4. Pervasive control plans:
a. are unrelated to applications control plans
b. are a subset of applications control plans
c. influence the effectiveness of applications control plans
d. increase the efficiency of applications control plans
ANS: C PTS: 1

5. COBIT was developed to:
a. provide guidance to managers, users, and auditors on the best practices for the
management of information technology
b. identify specific control plans that should be implemented to reduce the occurrence of
fraud
c. specify the components of an information system that should be installed in an e-
commerce environment
d. suggest the type of information that should be made available for management decision
making
ANS: A PTS: 1

6. The department or function that develops and operates an organization's information systems is often
called the:
a. information systems organization
b. computer operations department
c. controller's office
d. computer technology branch
ANS: A PTS: 1

7. A policy:
a. is a plan or process put in place to guide actions and achieve goals.
b. can compel behavior and enforce penalties for failure to follow.
c. can be used to prevent fraud in an organization.
d. all of the above.
ANS: A PTS: 1

8. COBIT was developed by:
a. COSO
b. IT Governance Institute
c. PCAOB
d. AICPA
ANS: B PTS: 1

9. Quality assurance function:
a. modifies and adapts application software
b. conducts reviews to determine adherence to IT standards
c. analyzes existing applications and proposes solutions
d. supervises applications systems development
ANS: B PTS: 1

10. This IT function's key control concern is that organization and IT strategic objectives are misaligned:
a. CIO
b. quality assurance
c. IT steering committee
d. systems development manager
ANS: C PTS: 1

11. ____ can consist of many computers and related equipment connected together via a network.
a. PCs
b. Servers
c. LAN
d. Firewall
ANS: C PTS: 1

12. In an information systems organization, which of the following reporting relationships makes the least
sense?
a. The data center manager reports to the CIO.
b. The systems development manager reports to the data center manager.
c. Database administration reports to the technical services manager.
d. The data librarian reports to the data center manager.
ANS: B PTS: 1

13. In an information systems organization, all of the following functions might logically report to the data
center manager except:
a. data control
b. computer operations
c. data librarian
d. quality assurance
ANS: D PTS: 1

14. Managing functional units such as networks, CAD/CAM and systems programming typically is a
major duty of:
a. data center manager
b. systems development
c. technical services manager
d. database administrator
ANS: C PTS: 1

15. From the standpoint of achieving the operations system control goal of security of resources, which of
the following segregation of duties possibilities is least important?
a. between systems programming and computer operations
b. between data control and data preparation personnel
c. between systems development and computer operators
d. between technical services and data center
ANS: B PTS: 1

16. A key control concern is that certain people within an organization have easy access to applications
programs and data files. The people are:
a. data librarians
b. systems programmers
c. systems development
d. data center managers
ANS: B PTS: 1

17. Which of the following has the major duties of prioritizing and selecting IT projects and resources?
a. steering committee
b. security officer
c. CIO
d. systems development manager
ANS: A PTS: 1

18. Which of the following has the responsibility to ensure the security of all IT resources?
a. steering committee
b. security officer
c. CIO
d. systems development manager
ANS: B PTS: 1

19. Which of the following has the responsibility of efficient and effective operation of IT?
a. steering committee
b. security officer
c. CIO
d. systems development manager
ANS: C PTS: 1

20. In an information systems organizational structure, the function of ____ is the central point from
which to control data and is a central point of vulnerability.
a. data control
b. data entry
c. data librarian
d. database administration
ANS: D PTS: 1

21. The control concern that there will be a high risk of data conversion errors relates primarily to which
of the following information systems functions?
a. data control
b. data entry
c. data librarian
d. database administration
ANS: B PTS: 1

22. The controlled access to data, programs, and documentation is a principal responsibility of which of
the following functions?
a. data control
b. data preparation (data entry)
c. data librarian
d. computer operator
ANS: C PTS: 1

23. Which of the following is not one of COBIT's four broad IT control process domains?
a. plan and organize
b. acquire and implement
c. repair and replace
d. monitor and evaluate
ANS: C PTS: 1

24. Which of the following is not a strategic planning process?
a. IT-related requirements to comply with industry, regulatory, legal, and contractual
obligations, including privacy, transborder data flows, e-business, and insurance contracts.
b. Acquisition and development schedules for hardware, software, and application systems
and for personnel and financial requirements.
c. Systems development life cycle adoption to ensure that comprehensive documentation is
developed for each application.
d. An inventory of current IT capabilities.
ANS: C PTS: 1

25. Which one of the following personnel is not involved in safeguarding resources resulting from
consummating events?
a. security officer
b. technical service manager
c. database administrator
d. CIO
ANS: D PTS: 1

26. The segregation of duties control plan consists of separating all of the following event-processing
functions except:
a. planning events
b. authorizing events
c. executing events
d. recording events
ANS: A PTS: 1

27. A warehouse clerk manually completing an order document and forwarding it to purchasing for
approval is an example of:
a. authorizing events
b. executing events
c. recording events
d. safeguarding resources
ANS: B PTS: 1

28. Specifications for availability, reliability, performance, capacity for growth, levels of user support,
disaster recovery, security, minimal system functionality, and service charges are included in:
a. application documentation
b. service-level requirements
c. business continuity plan
d. security plan
ANS: B PTS: 1

29. Approving a customer credit purchase would be an example of which basic events processing
function?
a. authorizing events
b. executing events
c. recording events
d. safeguarding resources
ANS: A PTS: 1

30. Which of the following statements is true?
a. Management has a legal responsibility to protect an organization's informational assets.
b. Proper protection of organizational information from unauthorized use requires both
physical and logical controls.
c. The unauthorized disclosure of financial information is a violation of federal securities
laws.
d. All of the above.
ANS: D PTS: 1

31. An outside auditing firm annually supervises a physical count of the items in a retail store's shelf
inventory. This is an example of:
a. authorizing events
b. executing events
c. recording events
d. safeguarding resources
ANS: D PTS: 1

32. A warehouse supervisor prepares a sales order listing items to be shipped to a customer and then signs
it approving the removal of the items from the warehouse. The supervisor is performing which
functions?
a. authorizing events and safeguarding of resources
b. executing and recording events
c. authorizing and executing events
d. authorizing and recording events
ANS: C PTS: 1

33. A clerk receives checks and customer receipts in the mail. He endorses the checks, fills out the deposit
slip, and posts the checks to the cash receipts events data. The clerk is exercising which functions?
a. recording and executing events
b. authorizing and executing events
c. recording and authorizing events
d. safeguarding of resources and authorizing events
ANS: A PTS: 1

34. When segregation of duties cannot be effectively implemented because the organization is too small,
we may rely on a more intensive implementation of other control plans such as personnel control
plans. This is called:
a. collusion controls
b. compensatory controls
c. authorizing controls
d. inventory controls
ANS: B PTS: 1

35. COBIT 5:
a. shifts the center of attention from IT to governance.
b. can be implemented by updating from COBIT 4.1.
c. does not have the enablers used in COBIT 4.1.
d. all of the above.
ANS: A PTS: 1

36. Which of the following control plans is not a retention control plan?
a. creative and challenging work opportunities
b. occasional performance evaluations
c. competitive reward structure
d. viable career paths
ANS: B PTS: 1

37. Personnel development control plans consist of each of the following except:
a. checking employment references
b. providing sufficient and timely training
c. supporting employee educational interests and pursuits
d. performing scheduled evaluations
ANS: A PTS: 1

38. The primary reasons for performing regular employee performance reviews include all of the
following except:
a. determine whether an employee is satisfying the requirements indicated by a job
description
b. assess an employee's strengths and weaknesses
c. assist management in determining salary adjustments, promotions, or terminations
d. develop a strategy for filling necessary positions
ANS: D PTS: 1

39. A policy that requires employees to alternate jobs periodically is called:
a. segregation of duties
b. forced vacations
c. rotation of duties
d. personnel planning
ANS: C PTS: 1

40. A control plan that is designed to detect a fraud by having one employee periodically do the job of
another employee is called:
a. segregation of duties
b. forced vacations
c. periodic audits
d. management control
ANS: B PTS: 1

41. A mechanism by which a company is reimbursed for any loss that occurs when an employee commits
fraud is called a:
a. segregation of duties
b. fidelity bond
c. personnel planning control
d. termination control plan
ANS: B PTS: 1

42. Which of the following personnel security control plans is corrective in nature as opposed to being a
preventive or detective control plan?
a. rotation of duties
b. fidelity bonding
c. forced vacations
d. performing scheduled evaluations
ANS: B PTS: 1

43. Personnel termination control plans might include all of the following except:
a. require immediate separation
b. identify the employee's reasons for leaving
c. establish a policy of forced vacations
d. collect the employee's keys, badges, etc.
ANS: C PTS: 1

44. Instructions for computer setup, required data, restart procedures, and error messages are typically
contained in a(n):
a. systems development standards manual
b. program documentation manual
c. operations run manual
d. application documentation manual
ANS: C PTS: 1

45. Application documentation that describes the application and contains instructions for preparing inputs
and using outputs is a(n):
a. operations run manual
b. user manual
c. program documentation
d. systems documentation
ANS: B PTS: 1

46. Alternative names for contingency planning include all of the following except:
a. disaster recovery planning
b. business interruption planning
c. business disaster planning
d. business continuity planning
ANS: C PTS: 1

47. A data replication strategy where all data changes are date stamped and saved to secondary systems as
the changes are happening is called:
a. mirror site
b. electronic vaulting
c. continuous data protection (CDP)
d. dumping
ANS: C PTS: 1

48. All of the following are components of a backup and recovery strategy except:
a. echo checking
b. mirror site
c. electronic vaulting
d. hot site
ANS: A PTS: 1

49. Which of the following statements related to denial of service attacks is false?
a. Insurance is available to offset the losses suffered by denial of service attacks.
b. A denial of service attack is designed to overwhelm a Web site, making it incapable of
performing normal functions.
c. Web sites can employ filters to sense multiple messages from a single site.
d. The most effective attacks originate from a small cluster of computers in a remote
geographic region.
ANS: D PTS: 1

50. In an on-line computer system, restricting user access to programs and data files includes all of the
following except:
a. user identification
b. user authentication
c. determining user access rights
d. wearing identification badges
ANS: D PTS: 1

51. Sending out an e-mail pretending to be a legitimate business asking for information about a person's
account is called:
a. dumpster diving
b. phishing
c. smoozing
d. shoulder surfing
ANS: B PTS: 1

52. Which of the following controls restrict access to programs, data, and documentation?
a. library controls
b. password controls
c. authentication controls
d. program change controls
ANS: A PTS: 1

53. This logs and monitors who is on or trying to access an organization's network.
a. biometrics
b. electronic vaulting
c. intrusion detection systems (IDS)
d. firewall
ANS: C PTS: 1

54. Protecting resources against environmental hazards might include all of the following control plans
except:
a. fire alarms and smoke detectors
b. waterproof ceilings
c. voltage regulators
d. rotation of duties
ANS: D PTS: 1

55. Searching through rubbish for system information such as passwords is called:
a. scavenging
b. phishing
c. smoozing
d. shoulder surfing
ANS: A PTS: 1

COMPLETION

1. ______________________________ is a process that ensures that the enterprise's IT sustains and
extends the organization's strategies and objectives.

ANS: IT governance

PTS: 1

2. ______________________________ controls provide assurance that all modifications to programs are
authorized and documented, and that the changes are completed, tested, and properly implemented.

ANS: Program change

PTS: 1

3. ______________________________ is a process that employs mathematical algorithms and
encryption keys to encode data (i.e., change un-encoded data, called plaintext, to a coded text form,
called ciphertext) so that it is unintelligible.

ANS: Data encryption

PTS: 1

4. ______________________________ are particularly important because they operate across all
business processes and affect a company's capability to meet a multitude of control goals.

ANS: Pervasive controls

PTS: 1

5. ______________________________ in an internal control system means assessment by management
to determine whether the control plans in place are continuing to function appropriately over time.

ANS: Monitoring

PTS: 1

6. The function composed of people, procedures, and equipment that is typically called the information
systems department, IS department, or IT department is the ______________________________.

ANS:
information systems organization
IS organization

PTS: 1

7. The ______________________________ coordinates the organizational and IT strategic planning
processes and reviews and approves the strategic IT plan.

ANS: IT steering committee

PTS: 1

8. The ______________________________ is charged with safeguarding the IT organization.

ANS: security officer

PTS: 1

9. Management should establish a(n) ______________________________ plan and implement related
activities, including reviews, audits, and inspections, to ensure the attainment of IT customer
requirements.

ANS:
quality assurance
quality assurance (QA)
QA

PTS: 1

10. The ______________________________ group is responsible for routing all work in to and out of the
data center, correcting errors, and monitoring all error correction.

ANS: data control

PTS: 1

11. The ______________________________ function provides efficient and effective operation of the
computer equipment by performing tasks such as mounting tapes, disks, and other media and
monitoring equipment operation.

ANS: computer operations

PTS: 1

12. The ______________________________ maintains custody of and controls access to programs, files,
and documentation.

ANS: data librarian

PTS: 1

13. Combining the functions of authorizing and executing events is a violation of the organizational
control plan known as ______________________________.

ANS: segregation of duties

PTS: 1

14. Segregation of duties consists of separating the four functions of authorizing events,
______________________________ events, ______________________________ events, and
safeguarding the resources resulting from consummating the events.

ANS:
executing, recording
recording, executing

PTS: 1

15. One method for circumventing segregation of duties is ______________________________ between
one or more persons (or departments) to exploit a system and conceal an abuse such as fraud.

ANS: collusion

PTS: 1

16. A small organization that does not have enough personnel to adequately segregate duties must rely on
alternative controls, commonly called ______________________________.

ANS: compensatory controls

PTS: 1

17. The functions of the ______________________________ commonly include assigning passwords and
making sure the IT organization is secure from physical threats.

ANS: security officer

PTS: 1

18. The trust service principle of processing ______________________________ determines whether
processing is complete, accurate, timely and authorized.

ANS: integrity

PTS: 1

19. The policy of requiring an employee to alternate jobs periodically is known as
______________________________.

ANS: rotation of duties

PTS: 1

20. ______________________________ is a policy of requiring an employee to take leave from the job
and substituting another employee in his or her place.

ANS: Forced vacations

PTS: 1

21. A(n) ______________________________ indemnifies a company in case it suffers losses from
defalcations committed by its employees.

ANS: fidelity bond

PTS: 1

22. The ______________________________ covers the progression of information systems through the
systems development process, from birth, through implementation, to ongoing use and modification.

ANS:
system development life cycle (SDLC)
system development life cycle
SDLC

PTS: 1

23. Computer software that is used to facilitate the execution of a given business process is called
______________________________.

ANS: application software

PTS: 1

24. The ______________________________ documentation portion of application documentation
provides an overall description of the application, including the system's purpose; an overview of
system procedures; and sample source documents, outputs, and reports.

ANS:
systems
system

PTS: 1

25. ______________________________ documentation provides a description of an application computer
program and usually includes the program's purpose, program flowcharts, and source code listings.

ANS: Program

PTS: 1

26. The ______________________________ gives detailed instructions to computer operators and to data
control about a particular application.

ANS: operations run manual

PTS: 1

27. The ______________________________ describes user procedures for an application and assists the
user in preparing inputs and using outputs.

ANS: user manual

PTS: 1

28. ______________________________ are documents that help users learn their jobs and perform
consistently in those jobs.

ANS: Training materials

PTS: 1

29. ______________________________ controls restrict access to data, programs and documentation.

ANS: Library

PTS: 1

30. The terms ______________________________ planning, disaster recovery planning, business
interruption planning, and business continuity planning have all been used to describe the backup and
recovery control plans designed to ensure that an organization can recover from a major calamity.

ANS: contingency

PTS: 1

31. ______________________________ is a service whereby data changes are automatically transmitted
over the Internet on a continuous basis to an off-site server maintained by a third party.

ANS: Electronic vaulting

PTS: 1

32. With the data replication strategy known as ______________________________ all data changes are
date stamped and saved to secondary systems as the changes are happening.

ANS:
continuous data protection (CDP)
continuous data protection
CDP

PTS: 1

33. The disaster recovery strategy known as a(n) ______________________________ is a fully equipped
data center that is made available on a standby basis to client companies for a monthly subscriber's fee.

ANS: hot site

PTS: 1

34. A facility usually comprised of air-conditioned space with a raised floor, telephone connections, and
computer ports, into which a subscriber can move equipment, is called a(n)
______________________________.

ANS: cold site

PTS: 1

35. In a(n) ______________________________ a Web site is overwhelmed by an intentional onslaught of
thousands of simultaneous messages, making it impossible for the attacked site to engage in its normal
activities.

ANS: denial of service attack

PTS: 1

36. ______________________________ identification systems identify authorized personnel through
some unique physical trait such as fingers, hands, voice, eyes, face, and writing dynamics.

ANS: Biometric

PTS: 1

37. A(n) ______________________________ is a technique to protect one network from another
"untrusted" network.

ANS: firewall

PTS: 1

38. The most common biometric devices read ______________________________.

ANS: fingerprints

PTS: 1

39. In an online environment, ______________________________ ensures that only authorized users
gain access to a system through a process of identification (e.g., a unique account number for each
user) and authentication.

ANS: access control software

PTS: 1

40. COBIT 5 has two main components: five _____________ and seven ________________.

ANS:
GEIT principles, enablers
governance of enterprise IT principles, enablers

PTS: 1

41. Periodic cleaning, testing, and adjusting of computer equipment is referred to as
______________________________.

ANS: preventive maintenance

PTS: 1

42. ______________________________ is the intentional unauthorized access of an organization's
computer system, accomplished by bypassing the system's access security controls.

ANS:
Computer hacking and cracking
Computer hacking
Computer cracking

PTS: 1

43. Copies of important stored data, programs, and documentation made periodically are called
______________________________.

ANS: backups

PTS: 1

44. The process whereby lost data is restored and operations are continued is called
______________________________.

ANS: recovery

PTS: 1

45. The site that maintains copies of a primary computing site's programs and data is a(n)
______________________________ site.

ANS: mirror

PTS: 1

46. A(n) ______________________________ uses many computers, called zombies, that unwittingly
cooperate in a denial-of-service attack by sending messages to the target Web site.

ANS: distributed denial-of-service attack

PTS: 1

47. The ______________________________ logs and monitors who is on or is trying to access the
network.

ANS:
intrusion-detection system (IDS)
intrusion-detection system
IDS

PTS: 1

48. The ______________________________ actively blocks unauthorized traffic using rules specified by
an organization.

ANS:
intrusion-prevention system (IPS)
intrusion-prevention system
IPS

PTS: 1

49. Watching a user type in passwords or user IDs or listening as they give account information over the
phone is called ______________________________.

ANS: shoulder surfing

PTS: 1

50. ______________________________ is when a hacker calls and requests a password based on some
pretext.

ANS: Smoozing

PTS: 1

51. ______________________________ helps to solve the problem posed by single key cryptography by
employing a pair of matched keys for each system user, one private (i.e., known only to the party who
possesses it) and one public.

ANS: Public-key cryptography

PTS: 1

52. ______________________________ is when an e-mail is sent pretending to be a legitimate business
asking for information about your account.

ANS: Phishing

PTS: 1

PROBLEM

1. Below is a list of ten functional titles for the information systems organization structure shown in
Chapter 8. The second list contains descriptions (some partial) of the duties and responsibilities of ten
of the functions.

Required:
On the blank line to the left of each numbered description, place the capital letter of the functional title
that best matches the duties and responsibilities described. Do not use a letter more than once.

Functional Title
A. Quality assurance
B. Data control
C. Data librarian
D. Data entry
E. Systems development manager
F. Systems programming
G. Technical services manager
H. CIO
I. IT Steering committee
J. Security officer

Answers DUTIES AND RESPONSIBILITIES

1. Delivers cost-effective, bug-free applications.

2. Routes all work into and out of the data center, corrects errors, and monitors all
error correction.

3. Plans IT acquisition and development.

4. Conducts reviews to determine adherence to IT standards and procedures and
achievement of IT objectives.

5. Issues programs, data, and documentation to authorized users.

6. Manages functional units such as networks, CAD/CAM and systems
programming.

7. Modifies and adapts systems software including operating systems and
various utility routines.

8. Prepares input for computer processing.

9. Manages physical security and logical security.

10. Prioritizes and selects IT projects and resources.

ANS:

Duties and Responsibilities    Answer
1 E
2 B
3 H
4 A
5 C
6 G
7 F
8 D
9 J
10 I

PTS: 1

2. The four events-processing functions that constitute the segregation of duties control plan are:
A. Authorizing events
B. Executing events
C. Recording events
D. Safeguarding resources

Required:
Below is a list of twelve events-processing activities, five relating to the cycle of activities involved in
processing a sales event and seven relating to the cycle for a purchase event. Classify each of the
twelve activities into one of the four functional categories listed above by placing the letter A, B, C, or
D on the answer line to the left of each number. You should use only one letter for each of the
answers.

EVENT-PROCESSING ACTIVITIES

Answers (For a sales event)

1. The order entry department instructs the shipping department to ship goods to
a customer by sending an approved document to the shipping department.

2. The shipping department keeps inventory items in a locked storeroom.

3. The billing department prepares and mails a bill to the customer.

4. The invoice in item 3 is added to the customer balance in the accounts
receivable master data.

5. The general ledger bookkeeper enters a sales event in a data file.

(For a purchase event)

6. The purchasing department orders goods.

7. The inventory control department signs a document requesting that goods be
purchased.

8. The purchasing department manager reviews and signs all purchase order
documents in excess of $100.

9. The receiving department processes goods received from the vendor.

10. The receiving department completes the receiving report.

11. After being received, goods are placed into the locked inventory storeroom.

12. A payable is recognized by updating the accounts payable master data.

ANS:

Event-Processing Activity    Answer
1 A
2 D
3 B
4 C
5 C
6 B
7 A
8 A
9 B
10 B
11 D
12 C

PTS: 1

3. Listed below are several pervasive control plans discussed in Chapter 8. On the blank line to the left of
each control plan, insert a "P" (preventive), "D" (detective), or "C" (corrective) to best classify that
control. If applicable, more than one code may be inserted for each plan.

CODE CONTROL PLAN

1. Service level agreements

2. Program change controls

3. Fire and water alarms

4. Adequate fire and water insurance

5. Install batteries for temporary loss in power

6. Continuous-data protection (CDP)

7. Intrusion-detection system (IDS)

8. IT steering committee

9. Security officer

10. Operations run manuals

11. Rotation of duties and forced vacations

12. Fidelity bonding

13. Personnel performance evaluations

14. Personnel termination procedures

15. Segregation of duties

16. Strategic IT plan

17. Disaster recovery planning

18. Restrict entry to the computer facility through the use of security guards,
locks, badges, and identification cards

19. Personnel management (supervision)

20. Library controls


ANS:

CODE CONTROL PLAN

P&C 1. Service level agreements

P 2. Program change controls

D 3. Fire and water alarms

C 4. Adequate fire and water insurance

C 5. Install batteries for temporary loss in power

C 6. Continuous-data protection (CDP)

D 7. Intrusion-detection system (IDS)

P 8. IT steering committee

P&D 9. Security officer

P 10. Operations run manuals

P&D 11. Rotation of duties and forced vacations

C 12. Fidelity bonding

P&D 13. Personnel performance evaluations

P 14. Personnel termination procedures

P&D 15. Segregation of duties

P 16. Strategic IT plan

C 17. Disaster recovery planning

P 18. Restrict entry to the computer facility through the use of security guards,
locks, badges, and identification cards

P&D 19. Personnel management (supervision)

P&D 20. Library controls

PTS: 1

4. The first list below contains 10 control plans discussed in Chapter 8. The second list describes 10
system failures that have control implications.

Required:
On the answer line to the left of each system failure, insert the capital letter from the first list of the
best control plan to prevent the system failure from occurring. If you can't find a control that will
prevent the failure, then choose a detective or a corrective plan. A letter should be used only once.

Control Plans
A. Personnel development control plans
B. Operations run manuals
C. Disaster recovery plans
D. Program change controls
E. Librarian controls
F. Segregation of systems development and programming from computer operations
G. Retention control plans
H. Restriction of physical access to computer resources
I. Segregation of recording events from safeguarding resources
J. Biometric identification system

Answers SYSTEM FAILURES

1. The controller at Infotech, Inc. has just completed an analysis of personnel
costs and believes that the cost associated with training new personnel is too
high. She attributes this high cost to the increasing rate at which employees
are being hired to replace defections to Infotech's competitors.

2. Paul the programmer has modified the accounts receivable statement program
so that the receivables from his cousin Peter will be eliminated from the
accounts receivable master file upon printing of the monthly statements. Paul
made these changes to the program while he was operating the computer on a
Saturday morning.

3. When the hurricane hit the coast, Soggy Records Company lost the use of its
flooded computer room. In such cases, plans called for using an alternate
computer center 100 miles inland. However, Soggy was unable to operate in
the alternate facility because the company's programs and files were lost in
the flooded computer facility.

4. All the files were lost at the Stoughton Company when a visitor sat down at a
computer terminal, signed on using one of the passwords posted on the
computer terminals, and erased some of the data files.

5. Sally is the inventory control/warehouse clerk at Techtron Inc. She has been
stealing secret computer components from the warehouse, selling them to
foreign agents, and covering up her thefts by altering the inventory records.

6. At Maralee Company, there seems to be a lack of progression from lower to
middle management. Edward, the director of personnel, believes that the
people being hired have great potential, but they are just not realizing their
potential.

7. Roger, the night-shift computer operator, has had occasion several times in
the last month to call his supervisor to receive assistance, over the
telephone, to correct a problem that he was having in operating the
computer.

8. Mary had become quite unhappy with her job at Funk, Inc. She knew that she
was going to quit soon and decided to destroy some computer files. Using her
own username and password, she found several disk packs on a table outside
the computer room and proceeded to "erase" the data with a powerful magnet.
After Mary's departure, Funk spent several months reconstructing the data
that had been on the lost files.

9. One of the inventory control programs at Excess Company has been ordering
more inventory than is required, causing an overstock condition on many
items. During an investigation of the problem, it was discovered that the
inventory ordering program had recently been changed. The changes were
approved, but the new program was never tested.

10. Sydney, the computer operator, did not want to go to work one day because
he wanted to go sailing. He gave his ID card to his cousin Vinny who went to
work for him. Even though he was a computer operator, Vinny did not know
how to operate this computer. He made mistakes and destroyed some data.

ANS:

System Failure Number    Answer
1 G
2 F
3 C
4 H
5 I
6 A
7 B
8 E
9 D
10 J

PTS: 1

5. The first list below contains 10 control plans discussed in Chapter 8. The second list describes 10
system failures that have control implications.

Required:
On the answer line to the left of each system failure, insert the capital letter from the first list of the
best control plan to prevent the system failure from occurring. (If you can't find a control that will
prevent the failure, then choose a detective or corrective control plan). A letter should be used only
once.

Control Plans
A. Selection and hiring control plans
B. Documentation control plans
C. Personnel termination control plans
D. Segregation of duties
E. Biometric identification system
F. Fire-protection control plans
G. IT steering committee
H. Off-site storage of backup computer files
I. Program change controls
J. Continuous-data protection (CDP)

Answers SYSTEM FAILURES

1. Peter the programmer asked for a substantial increase in salary and benefits.
When turned down, he submitted his two-week notice. During those two
weeks he infected the program he was working on with a damaging computer
virus.

2. Cary enters cash receipts into the computer at Kiting Inc. For the past year she
has been pocketing customer payments. To keep herself from being
discovered, she enters credit memos into the computer, which records them as
reductions in the customers' accounts receivable records⎯as if the payment
had been made.

3. Procedures for the approval of orders have been put in place at Overstock
Company. Clyde, the new purchasing agent, was given a briefing on these
procedures when he was hired and has been applying those procedures as best
as he can remember them. Consequently, Clyde sometimes orders more
inventory than is required.

4. The new sales reporting system includes a computer printout that was
supposed to report daily sales to the V.P. of marketing. The report was never
tested and contains erroneous sales figures and is not presented in the format
required by the V.P.

5. There was a flood and all of the computers and all their data were destroyed.

6. Freida was just hired as a computer operator at Vertigo Inc. Just a few days
after being hired, she discovered that she would not be allowed to spend some
of her time writing computer programs. This was contrary to what she was
told initially, and she is now quite unhappy with her circumstances.

7. After careful screening and selection of employees, an organization issues its
employees name badges with magnetic strips that store the employees'
personal information. Employees in the IT function can scan the badges to
gain entry into various rooms within the IT center. Recently management
discovered that employees are sharing their badges to enable them to gain
access to every room in the facility.

8. A fire at the Mitre Corporation caused the release of a poisonous gas which
contaminated the entire building. While the computer files were not destroyed
during the fire, they were contaminated and cannot be removed from the
building and personnel cannot enter the building. It took several months to
recreate the computer files.

9. Sandisfield, Inc. has many IT projects under consideration for development.
The CFO has some political connections with the CIO and so financial
applications are given a green light for development while projects for
marketing and logistics are put on hold.

10. Jet Red Airlines, a new, low-cost start-up airline, has decided to operate its
own Web site and reservation system that is running on servers located at the
headquarters. One day, the server room was flooded, the reservation system
was not available for many hours, and many reservations were lost.

ANS:

System Failure Number    Answer
1 C
2 D
3 B
4 I
5 H
6 A
7 E
8 F
9 G
10 J

PTS: 1
