Chapter 8Controlling Information Systems: IT Processes

TRUE/FALSE 1. The Computer Crime and Security Survey works each year with Computer Intrusion Squad of the FBI. ANS: T 2. Data are objects in their widest sense. ANS: T 3. IT resources that are the sum of only programmed procedures reflecting business processes are called application systems. ANS: F 4. The system of controls used in this text consists of the control environment pervasive control plans, and business process control plans. ANS: T 5. As used in the text, the information systems function is synonymous with the accounting function. ANS: F 6. The function composed of people, procedures, and equipment that is typically called the information services department, IT department, or data processing department is the information systems function or ISF. ANS: T 7. The type of structure that places the information systems function under the line authority of the vice president of information systems is called a decentralized information systems structure. ANS: F 8. A functional organization assigns personnel to skills-based units, such as programming and systems analysis, and is used only centralized. ANS: F 9. A matrix organization assembles work groups or teams, comprised of members from different functional areas, under the authority of a team leader. ANS: T

153

154

Chapter 8

10. The functional title with the principal responsibilities of guiding and advising the information systems function is the steering committee. ANS: T 11. The functional title with the principal responsibilities of insuring the security of all information systems function resources is the systems analysis. ANS: F 12. The functional title with the principal responsibilities of studying information related problems and proposing solutions is security officer. ANS: F 13. The information systems function of quality assurance conducts reviews to determine adherence to ISF standards and procedures and achievement of ISF objectives. ANS: T 14. Within the data center, the data control group is responsible for logging input and output batches, checking batches for authorization and completeness, and distributing output. ANS: T 15. The information systems function of systems analysis provides efficient and effective operation of the computer equipment by performing tasks such as mounting tapes and disks, loading printer paper, and responding to computer messages. ANS: F 16. Within the data center, the data librarian function grants access to programs, data, and documentation to authorized personnel only. ANS: T 17. Combining the functions of authorizing and executing events related to that asset is a violation of the organizational control plan known as segregation of duties. ANS: T 18. Segregation of duties consists of separating the four functions of authorizing events, executing events, recording events, and safeguarding the resources resulting from consummating the events. ANS: T 19. Embezzlement is a fraud committed by two or more individuals or departments. ANS: F

Controlling Information Systems: IT Process

155

20. A small organization that does not have enough personnel to adequately segregate duties must rely on alternative controls, commonly called resource controls. ANS: F 21. The functions of the security officer commonly include assigning passwords and implementing and monitoring many of the pervasive resource security control plans. ANS: T 22. Individual departments coordinate the organizational and IT strategic planning processes and reviews and approves the strategic IT plan. ANS: F 23. The policy of requiring an employee to alternate jobs periodically is known as mandatory vacations. ANS: F 24. Forced vacations is a policy of requiring an employee to take leave from the job and substituting another employee in his or her place. ANS: T 25. A fidelity bond indemnifies a company in case it suffers losses from defalcations committed by its employees. ANS: T 26. The product life cycle is a formal set of activities, or a process, used to develop and implement a new or modified information system. ANS: F 27. Actual computer software that is used to facilitate the execution of a given business process is called database management software. ANS: F 28. The systems documentation provides an overall description of the application, including the system's purpose; an overview of system procedures; and sample source documents, outputs, and reports. ANS: T 29. Program documentation provides a description of an application computer program and usually includes the program's purpose, program flowcharts, and source code listings. ANS: T

156

Chapter 8

30. The user run manual gives detailed instructions to computer operators and to data control about a particular application. ANS: F 31. The operations run manual describes user procedures for an application and assists the user in preparing inputs and using outputs. ANS: F 32. Training materials are documentation that helps users learn their jobs and perform consistently in those jobs. ANS: T 33. Program change controls provide assurance that all program modifications are authorized and that the changes are completed, tested, and properly implemented. ANS: T 34. The terms contingency planning, disaster recovery planning, business interruption planning, and business continuity planning have all been used to describe the backup and recovery control plans designed to ensure that an organization can recover from a major calamity. ANS: T 35. Continuity is the process of using the backup measures to either reconstruct the lost data, programs, or documentation, or to continue operations in alternative facilities. ANS: F 36. Server clustering is now more cost effective and is used to disperse the processing load among servers so that if one server fails, another can continue process event data. ANS: T 37. The disaster backup and recovery technique known as electronic vaulting (shadowing or replication) uses a process that automatically transmits event-related data or actual master data changes on a continuous basis to an off-site electronic vault. ANS: T 38. The disaster recovery strategy known as a cold site is a fully equipped data center that is made available on a standby basis to client companies for a monthly subscriber's fee. ANS: F 39. A facility usually comprising air-conditioned space with a raised floor, telephone connections, and computer ports, into which a subscriber can move equipment, is called a hot site. ANS: F

Controlling Information Systems: IT Process

157

40. In the case of a computer virus, a web site is overwhelmed by an intentional onslaught of thousands of simultaneous messages, making it impossible for the attacked site to engage in its normal activities. ANS: F 41. Biometric security systems identify authorized personnel through some unique physical trait--a fingerprint, voiceprint, retina image, or the like. ANS: T 42. Antivirus is a technique to protect one network from another "untrusted" network. ANS: F 43. The most common biometric devices perform retinal eye scans.. ANS: F 44. In an online environment, the operating system software generally includes a(n) security module designed to restrict access to programs and data. ANS: T 45. In an online computer environment, the accumulation of access activity and its review by the security officer is also called threat monitoring. ANS: T 46. Application controls restrict access to data, programs, and documentation. ANS: F 47. Protection tabs, doors, and rings are used to prevent accidental erasures or overwriting of magnetic disk and tape files. ANS: T 48. An internal label is attached to the outside casings of a file to indicate the file's identification number, contents, and other information. ANS: F 49. External labels are read by application programs or systems software to ensure that the correct data source is being used for processing, that the data source is read in its entirety, and that no records are lost or inadvertently added. ANS: F 50. Periodic cleaning, testing, and adjusting of computer equipment is referred to as preventative maintenance. ANS: T

158

Chapter 8

51. Computer hacking is the intentional penetration of an organization's computer system, accomplished by bypassing the system's access security controls. ANS: T MULTIPLE CHOICE 1. The use of IT resources for enterprise systems and e-business a. magnifies the importance of protecting the resources both within and outside of the organization from risks b. magnifies the importance of protecting the resources both within but not outside the of the organization from risks c. makes it easier to provide internal control risk when IT resources are interlinked d. none of the above ANS: A 2. Most system security breaches arise from a. internal employees b. Management c. the Internet d. none of the above ANS: C 3. According to the Computer Crime and Security Survey for 2003, when asked if they had detected computer security breaches, approximately _____ reported that they detected computer security breaches in the last 12 months. a. 90% b. 75% c. 50% d. 25% ANS: A 4. Pervasive control plans: a. are unrelated to applications control plans b. are a subset of applications control plans c. influence the effectiveness of applications control plans d. increase the efficiency of applications control plans ANS: C 5. COBIT was developed to: a. provide guidance to managers, users, and authors on the best practices for the management of information technology b. identify specific control plans that should be implemented to reduce the occurrence of fraud c. specify the components of an information system that should be installed in an e-commerce environment d. suggest the type of information that should be made available for management decision making ANS: A

Controlling Information Systems: IT Process

159

6. The department within a company that develops and operates the computer information systems is often called the: a. information systems function b. computer operations department c. Controller d. computer technology branch ANS: A 7. In a centralized information services (IS) structure, the three functions that might logically report directly to the vice president of information services would be: a. systems development, technical services, and data center operations b. systems development, database administration, and data center operations c. systems development, technical services, and data librarian d. applications programming, technical services, and data center operations ANS: A 8. Objects in their widest sense are called a. Data b. application systems c. Technology d. Facilities ANS: A 9. The sum of manual and programmed procedures for business operations is (are) a. Data b. application systems c. Technology d. Facilities ANS: B 10. Which of the following includes hardware, DBM systems, operating systems, networking, multimedia, etc? a. Data b. application systems c. Technology d. Facilities ANS: C 11. ___________ can consist of many computers connected together via a network. a. PCs b. Servers c. An LAN d. A firewall ANS: C

160

Chapter 8

12. In a centralized information services (IS) structure, which of the following reporting relationships makes the least sense? a. The data center manager reports to the V.P. of information systems. b. Application programmers report to the data center manager. c. Database administration reports to the technical services manager. d. The data librarian reports to the data center manager. ANS: B 13. In a centralized information services (IS) structure, all of the following functions might logically report to the data center manager except: a. data control b. data preparation c. data librarian d. program maintenance ANS: D 14. Managing functional units such as telecommunications, systems programming, and database administration typically is a major duty of: a. systems analysts b. applications programmers c. the technical services manager d. the database administrator ANS: C 15. From the standpoint of achieving the operations system control goal of security of resources, which of the following segregation of duties possibilities is least important? a. between user departments and computer operations b. between data control and data preparation personnel c. between computer programmers and computer operators d. between systems analysts and application programmers ANS: B 16. The process of analyzing an existing information system and writing specification for a new system is the responsibility of personnel having this functional title. a. profile analysis b. systems analysis c. systems design d. application programming ANS: B 17. A key control concern is that certain people within an organization have easy access to applications programs and data files. The people are: a. Librarians b. systems programmers c. systems analysts d. data center managers ANS: B

Controlling Information Systems: IT Process

161

18. Which of the following has the major duties of prioritizing and selecting ISF projects and resources a. steering committee b. security officer c. VP of information systems d. systems development manager ANS: A 19. Which of the following has the responsibility to ensure security of all ISF resources? a. steering committee b. security officer c. VP of information systems d. systems development manager ANS: B 20. Which of the following has the responsibility of efficient and effective operation of the information systems functions? a. steering committee b. security officer c. VP of information systems d. systems development manager ANS: C 21. In a centralized information systems organizational structure, the function of ___________ is a central point from which to control data and is a central point of vulnerability. a. data control b. data preparation (data entry) c. data librarian d. database administration ANS: D 22. The control concern that there will be a high risk of data conversion errors relates primarily to which of the following information systems functions? a. data control b. data preparation (data entry) c. data librarian d. database administration ANS: B 23. The controlled access to files, programs, and documentation is a principal responsibility of which of the following functions? a. data control b. data preparation (data entry) c. data librarian d. Scheduler ANS: C

162

Chapter 8

24. Which of the following is not one of the four broad IT control process domains as discussed in the text? a. planning and organization b. acquisition and implementation c. development of IT solutions d. Monitoring ANS: C 25. Which of the following is not an important strategic planning process? a. The organizations IT related requirements must comply with industry, regulatory, legal, and contractual obligations, including privacy, trasborder data flows, e-Business, and insurance contracts. b. The organization should have an information architecture model encompassing the corporate data model and associated information systems c. The organization should adopt the systems development life cycle to ensure that comprehensive documentation is developed for each application. d. The organization should have an inventory of current information systems capabilities ANS: C 26. Which one of the following is one of the two organization control plans that the book concentrates on? a. segregation of duties control plan b. the information systems function c. selection and hiring control plans d. both a and b above ANS: D 27. The segregation of duties control plan consists of separating all of the following event-processing functions except: a. planning events b. authorizing events c. executing events d. recording events ANS: A 28. A warehouse clerk manually completing an order document and forwarding it to purchasing for approval is an example of: a. authorizing events b. executing events c. recording events d. safeguarding resources ANS: B

Controlling Information Systems: IT Process

163

29. The data entry clerk types data from an order form into an on-line computer through a pre-formatted screen, adding the data into a business event data. This is an example of: a. authorizing events b. executing events c. recording events d. safeguarding resources ANS: C 30. Approving a customer credit purchase would be an example of which basic events processing function? a. authorizing events b. executing events c. recording events d. safeguarding resources ANS: A 31. An employee of a warehouse is responsible for taking a computer-generated shipping list, pulling the items from the warehouse shelves and placing them in a bin which is transferred to shipping when the list is completely filled. This is an example of: a. authorizing events b. executing events c. recording events d. safeguarding resources ANS: B 32. An outside auditing firm annually supervises a physical count of the items in a retail store's shelf inventory. This is an example of: a. authorizing events b. executing events c. recording events d. safeguarding resources ANS: D 33. A warehouse supervisor prepares a sales order listing items to be shipped to a customer and then signs it authorizing the removal of the items from the warehouse. The supervisor is performing which functions? a. authorizing events and safeguarding of resources b. executing and recording events c. authorizing and executing events d. authorizing and recording events ANS: C 34. A clerk receives checks and customer receipts in the mail. He endorses the checks, fills out the deposit slip, and posts the checks to the cash receipts events data. The clerk is exercising which functions? a. recording and executing events b. authorizing and executing events c. recording and authorizing events d. safeguarding of resources and authorizing events ANS: A

164

Chapter 8

35. When segregation of duties cannot be effectively implemented because the organization is too small, we may rely on a more intensive implementation of other control plans such as personnel control plans. This is called: a. collusion controls b. compensatory controls c. authorizing controls d. inventory controls ANS: B 36. A method of separating systems development and operations is to prevent programmers from a. performing technical services b. performing database administration c. handling accounting operations d. operating the computer ANS: D 37. Which of the following control plans is not a retention control plan? a. creative and challenging work opportunities b. occasional performance evaluations c. competitive reward structure d. viable career paths ANS: B 38. Personnel development control plans consist of each of the following except: a. checking employment references b. providing sufficient and timely training c. supporting employee educational interests and pursuits d. performing scheduled evaluations ANS: A 39. The primary reasons for performing regular employee performance reviews include all of the following except: a. determine whether an employee is satisfying the requirements indicated by a job description b. assess an employee's strengths and weaknesses c. assist management in determining salary adjustments, promotions, or terminations d. develop a strategy for filling necessary positions ANS: D 40. A policy that requires employees to alternate jobs periodically is called: a. segregation of duties b. forced vacations c. rotation of duties d. personnel planning ANS: C

Controlling Information Systems: IT Process

165

41. A control plan that is designed to detect a fraud by having a second person do the job of the perpetrator of the fraud is called: a. segregation of duties b. forced vacations c. periodic audits d. management control ANS: B 42. A mechanism by which a company is reimbursed for any loss that occurs when an employee commits fraud is called a: a. segregation of duties b. fidelity bond c. personnel planning control d. termination control plan ANS: B 43. Which of the following personnel security control plans is corrective in nature as opposed to being a preventive or detective control plan? a. rotation of duties b. fidelity bonding c. forced vacations d. performing scheduled evaluations ANS: B 44. Personnel termination control plans might include all of the following except: a. require immediate separation b. identify the employee's reasons for leaving c. establish a policy of forced vacations d. collect the employee's keys, badges, etc. ANS: C 45. The term systems development life cycle can mean any of the following except: a. a formal set of activities or process used to develop and implement a new or modified information system b. the documentation that specifies the systems analysis process c. the documentation that specifies the systems development process d. the programming of information systems through the systems development process, from birth through ongoing use of the system ANS: B 46. Instructions for computer setup, required data, restart procedures, and error messages are typically contained in a(n): a. systems development standards manual b. program documentation manual c. operations run manual d. application documentation manual ANS: C

166

Chapter 8

47. Application documentation that describes the application and contains instructions for preparing inputs and using outputs is a(n): a. operations run manual b. user manual c. program documentation d. systems documentation ANS: B 48. The six stages reflected in a business continuity management life cycle are (in sequential order): a. understand your business, create business continuity strategies, develop and implement a business continuity management response, build and embed a business continuity management culture, maintain and audit the plan, establish a formal business continuity management program b. understand your business, develop and implement a business continuity management response, create business continuity strategies, build and embed a business continuity management culture, maintain and audit the plan, establish a formal business continuity management program c. understand your business, build and embed a business continuity management culture, create business continuity strategies, develop and implement a business continuity management response, maintain and audit the plan, establish a formal business continuity management program d. understand your business, establish a formal business continuity management program, create business continuity strategies, develop and implement a business continuity management response, build and embed a business continuity management culture, maintain and audit the plan, ANS: A 49. Alternative names for contingency planning include all of the following except: a. disaster recovery planning b. business interruption planning c. business disaster planning d. business continuity planning ANS: C 50. Which backup approach is the one that involves running two processing sites that contain the application programs and updated master data throughout normal processing activities? a. mirror site b. electronic vaulting c. server clustering d. Dumping ANS: A 51. All of the following are components of a backup and recovery strategy except: a. echo checking b. mirror site c. electronic vaulting d. Shadowing ANS: A

Controlling Information Systems: IT Process

167

52. The accounts receivable master data was inadvertently destroyed when it was mistakenly substituted for the accounts payable master data in a processing run. For this situation, which of the following control plans is a corrective rather than a preventive control? a. backup recovery achieved through shadowing b. adequate documentation in the form of an operations run manual c. segregation of duties achieved through a librarian function d. use of file protection rings ANS: A 53. Which of the following statements related to denial of service attacks is false? a. Insurance is available to offset the losses suffered by denial of service attacks. b. A denial of service attack is designed to overwhelm a web site, making it incapable of performing normal functions. c. Web sites can employ filters to detect multiple messages from a single site. d. The most effective attacks originate from a small cluster of computers in a remote geographic region. ANS: D 54. In an on-line computer system, restricting user access to programs and data files includes all of the following except: a. user identification b. user authentication c. determining user access rights d. wearing identification badges ANS: D 55. Security modules are examples of: a. department controls b. detective controls c. corrective controls d. management controls ANS: B 56. Which of the following controls restrict access to programs, data, and documentation that are stored off-line in a physically controlled area? a. library controls b. password controls c. authentication controls d. program change controls ANS: A 57. A portion of the threat monitoring portion of the security module that profiles the typical behavior of users and can detect exceptional activity is known as: a. Biometrics b. electronic vaulting c. intrusion detection software d. cost variance analysis ANS: C

168

Chapter 8

58. For which of the following controls does a storage medium such as a disk have to be read before the control can be used? a. program change controls b. internal labels c. read-only switches d. external labels ANS: B 59. Protecting resources against environmental hazards might include all of the following control plans except: a. fire alarms and smoke detectors b. automatic extinguisher systems c. voltage regulators d. security modules ANS: D 60. Which of the following statements regarding computer hacking is false? a. Some hackers use a sniffer programs that travel over telephone lines collecting passwords. b. Accountants can be engaged to test system security by attempting to hack into a system. c. Computer hacking is an intrusion into an information system from a person outside the organization. d. Hackers can obtain user names and passwords by posing as a legitimate employee and requesting sensitive information from another employee. ANS: C COMPLETION 1. The Computer Crime and Security Survey works with the Computer Intrusion Squad of the ___________. ANS: FBI 2. Objects in their widest sense are called __________. ANS: data 3. IT resources that are the sum of manual and programmed procedures reflecting business processes are called _________________________. ANS: applications systems 4. The system of controls used in this text consists of the ____________________, ____________________ control plans, and application control plans. ANS: control environment pervasive

Controlling Information Systems: IT Process

169

5. As used in the text, the information systems function is synonymous with the ____________________. ANS: IT function 6. The function composed of people, procedures, and equipment that is typically called the information services department, IT department, or data processing department is the _______________________________. ANS: information systems function (or ISF) 7. The type of structure that places the information systems function under the line authority of the vice president of information systems is called a(n) ____________________. ANS: centralized information systems structure 8. A _________________ organization assigns personnel to skills-based units, such as programming and systems analysis, and is used by both centralized and decentralized organizations. ANS: functional 9. A ______________ organization assembles work teams or project teams from different operating departments under the temporary authority of a team leader. ANS: matrix 10. The functional title with the principal responsibilities of guiding and advising the information systems function is the ____________________. ANS: steering committee 11. The functional title with the principal responsibilities of insuring the security of all information systems function resources is the ____________________. ANS: security officer 12. The functional title with the principal responsibilities of studying information related problems and proposing solutions is the ____________________. ANS: systems analyst or systems analysis 13. The information systems function ____________________ conducts reviews to determine adherence to ISF standards and procedures and achievement of ISF objectives. ANS: quality assurance 14. Within the data center, the ____________________ group is responsible for logging input and output batches, checking batches for authorization and completeness, and distributing output. ANS: data control

170

Chapter 8

15. The information systems function ____________________ provides efficient and effective operation of the computer equipment by performing tasks such as mounting tapes and disks, loading printer paper, and responding to computer messages. ANS: computer operations 16. Within the data center, the ____________________ function grants access to programs, data, and documentation to authorized personnel only. ANS: (data) librarian 17. Combining the functions of authorizing and executing events related to that asset is a violation of the organizational control plan known as ____________________. ANS: segregation of duties 18. Segregation of duties consists of separating the four functions of authorizing events, ____________________ events, ____________________ events, and safeguarding the resources resulting from consummating the events. ANS: executing recording 19. ________________ is any fraud committed by two or more individuals or departments. ANS: Collusion 20. A small organization that does not have enough personnel to adequately segregate duties must rely on alternative controls, commonly called _______________________. ANS: compensatory controls 21. The functions of the ____________________ commonly include assigning passwords and implementing and monitoring many of the pervasive resource security control plans. ANS: security officer 22. The ____________________ coordinates the organizational and IT strategic planning processes and reviews and approves the strategic IT plan. ANS: information technology (IT) steering committee 23. The policy of requiring an employee to alternate jobs periodically is known as ____________________. ANS: rotation of duties 24. ____________________ is a policy of requiring an employee to take leave from the job and substituting another employee in his or her place. ANS: Forced vacations

Controlling Information Systems: IT Process

25. A(n) ____________________ indemnifies a company in case it suffers losses from defalcations committed by its employees. ANS: fidelity bond

171

26. The ____________________ is a formal set of activities, or a process, used to develop and implement a new or modified information system. ANS: system development life cycle (SDLC) 27. Actual computer software that is used to facilitate the execution of a given business process is called _____________________________. ANS: application software 28. The ____________________ documentation provides an overall description of the application, including the system's purpose; an overview of system procedures; and sample source documents, outputs, and reports. ANS: systems 29. ____________________ documentation provides a description of an application computer program and usually includes the program's purpose, program flowcharts, and source code listings. ANS: Program 30. The ____________________ gives detailed instructions to computer operators and to data control about a particular application. ANS: operations run manual 31. The ____________________ describes user procedures for an application and assists the user in preparing inputs and using outputs. ANS: user manual 32. ____________________ are documentation that helps users learn their jobs and perform consistently in those jobs. ANS: Training materials 33. ____________________ provide assurance that all program modifications are authorized and that the changes are completed, tested, and properly implemented. ANS: Program change controls 34. The terms ____________________ planning, disaster recovery planning, business interruption planning, and business continuity planning have all been used to describe the backup and recovery control plans designed to ensure that an organization can recover from a major calamity. ANS: contingency

172

Chapter 8

35. _______________________ is now more cost effective and is used to disperse the processing load among servers so that if one server fails, another can continue process event data. ANS: Server clustering 36. The disaster backup and recovery technique known as ____________________ uses a process automatically transmits event-related data or actual master data changes on a continuous basis to an off-site electronic vault. ANS: electronic vaulting (shadowing or replication) 37. The disaster recovery strategy known as a(n) ____________________ is a fully equipped data center that is made available on a standby basis to client companies for a monthly subscriber's fee. ANS: hot site 38. A facility usually comprising air-conditioned space with a raised floor, telephone connections, and computer ports, into which a subscriber can move equipment, is called a(n) ____________________. ANS: cold site 39. In a ______________________________ a web site is overwhelmed by an intentional onslaught of thousands of simultaneous messages, making it impossible for the attacked site to engage in its normal activities. ANS: denial of service attack 40. ____________________ security systems identify authorized personnel through some unique physical trait--a fingerprint, voiceprint, retina image, or the like. ANS: Biometric 41. A(n) ____________________ is a technique to protect one network from another "untrusted" network. ANS: firewall 42. The most common biometric devices read _______________. ANS: fingerprints or thumbprints 43. In an online environment, the operating system software generally includes a(n) ____________________ designed to restrict access to programs and data. ANS: security module 44. In an online computer environment, the accumulation of access activity and its review by the security officer is also called ____________________. ANS: threat monitoring

Controlling Information Systems: IT Process

45. A(n) ____________________ is attached to the outside casings of a file to indicate the file's identification number, contents, and other information. ANS: external label

173

46. ____________________ are read by application programs or systems software to ensure that the correct data source is being used for processing, that the data source is read in its entirety, and that no records are lost or inadvertently added. ANS: Internal labels 47. Periodic cleaning, testing, and adjusting of computer equipment is referred to as ____________________. ANS: preventive maintenance 48. ____________________ is the intentional penetration of an organization's computer system, accomplished by bypassing the system's access security controls. ANS: Computer hacking (or computer cracking) PROBLEM 1. Below is an alphabetical list of ten functional titles for the centralized information systems organization structure shown in Chapter 8. The second list contains descriptions (some partial) of the major duties of eight of the functions. Required: On the blank line to the left of each numbered description, place the capital letter of the functional title that best matches the major duties described. Do not use a letter more than once. You should have two letters unused. A. B. C. D. E. Applications programming Data control Data librarian Data preparation Systems analysis Functional Title F. Systems design G. Systems programming H. Technical services manager I. Vice president of information services J. Steering committee K. Security officer MAJOR DUTIES 1. 2. 3. Analyze existing application systems and write new system specifications. Log batches of transactions; check input batches for authorization, completeness, and accuracy, etc. Plan resource acquisition and development.

Answers _____ _____ _____

174

Chapter 8

_____ _____ _____ _____ _____ _____ _____ ANS:

4. 5. 6. 7. 8. 9. 10.

Code, test, and debug applications programs. Issue programs, files, and documentation to authorized users. Manage functional units such as networks, CAD/CAM, systems programming, and program maintenance. Modify and adapt operating systems software and various utility routines. Enter (convert) data into machine-readable form. Physical security Prioritize and select ISF projects and resources

Major Duties Description 1 2 3 4 5 6 7 8 9 10

Answer E B I A C H G D K J

2. The four events-processing functions that constitute the segregation of duties control plan are: A. B. C. D. Authorizing events Executing events Recording events Safeguarding resources resulting from consummating events

Required: Below is a list of ten events-processing activities, five relating to the cycle of activities involved in processing a sale event and five relating to the cycle for a purchase event. Classify each of the ten activities into one of the four functional categories listed above by placing the letter A, B, C, or D on the answer line to the left of each number. You should use only one letter for each of the ten answers.

Controlling Information Systems: IT Process

175

EVENT-PROCESSING ACTIVITIES Answers _____ _____ _____ _____ _____ 1. 2. 3. 4. 5. (For a sale event) The order entry department instructs the shipping department to ship goods to a customer by sending an approved document to the shipping department. The shipping department keeps inventory items in a locked storeroom. The billing department prepares and mails a bill to the customer. The invoice in item 3 is added to the customer balance in the accounts receivable master data. The general ledger bookkeeper enters a sales event in a data file. (For a purchase event) _____ _____ _____ _____ _____ _____ _____ ANS: Transaction Activity 1 2 3 4 5 6 7 8 9 10 11 12 Answer A D B C C B A A B C D C 8. 9. 10. 11. 12. 6. 7. The purchasing department is requested to order goods The purchasing department receives a signed request document from the inventory control department. The purchasing department manager reviews and signs all order documents in excess of $100. The goods are received from the vendor The receiving department completes the receiving report The goods received in item 8 are placed into the locked inventory storeroom. A payable is recognized by updating the accounts payable master data.

176

Chapter 8

3. Listed below are several pervasive control plans discussed in Chapter 8. On the blank line to the left of each control plan, insert a "P" (preventive), "D" (detective), or "C" (corrective) to best classify that control. If you think that more than one code could apply to a particular plan, insert all appropriate codes and briefly explain your answer: CODE _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. CONTROL PLAN Internal and external labels Program change controls Fire and water alarms Adequate fire and water insurance Install batteries for temporary loss in power Mirror site Server clustering IT steering committee Security officer Operations run manuals Rotation of duties and forced vacations Fidelity bonding Personnel performance evaluations Personnel termination procedures Segregation of duties Threat monitoring Disaster recovery planning Restrict entry to the computer facility through the use of security guards, locks, badges, and identification cards Security module Library controls

Controlling Information Systems: IT Process

ANS: CODE
__P__ __P__ __P__ __C__ __C__ __C__ __C__ __P__ __P__ __P__ P or D __C__ P or D __P__ P or D __P__ __C__ __P__ P or D P or D 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20.

177

CONTROL PLAN
Internal and external labels Program change controls Fire and water alarms Adequate fire and water insurance Install batteries for temporary loss in power Mirror site Server clustering IT steering committee Security officer Operations run manuals Rotation of duties and forced vacations Fidelity bonding Personnel performance evaluations Personnel termination procedures Segregation of duties Threat monitoring Disaster recovery planning Restrict entry to the computer facility through the use of security guards, locks, badges, and identification cards Security module Library controls

4. The first list below contains 10 control plans discussed in Chapter 8. The second list describes 10 system failures that have control implications. Required: On the answer line to the left of each system failure, insert the capital letter from the first list of the best control plan to prevent the system failure from occurring. If you can't find a control that will prevent the failure, then choose a detective or a corrective plan. A letter should be used only once.

178

Chapter 8
Control Plans Personnel development control plans Operations run manuals Disaster recovery plans Program change controls Librarian controls Segregation of systems development and programming from computer operations Retention control plans Restriction of physical access to computer resources Segregation of recording events from safeguarding resources Internal labels SYSTEM FAILURES 1. The controller at Infotech, Inc., has just completed an analysis of personnel costs and believes that the costs associated with training new personnel is too high. She attributes this high cost to the increasing rate at which employees are being hired to replace defections to Infotech's competitors. Paul the programmer has modified the accounts receivable statement program so that the receivables from his cousin Peter will be eliminated from the accounts receivable master file upon printing of the monthly statements. Paul made these changes to the program while he was operating the computer on a Saturday morning. When the hurricane hit the coast, Soggy Records Company lost the use of its flooded computer room. In such cases, plans called for using an alternate computer center 100 miles inland. However, Soggy was unable to operate in the alternate facility because the company's programs and files were lost in the flooded computer facility. All the files were lost at the Stoughton Company when a visitor sat down at a computer terminal, signed on using one of the passwords posted on the computer terminals, and erased some of the data files. Sally is the inventory control/warehouse clerk at Techtron Inc. She has been stealing secret computer components from the warehouse, selling them to foreign agents, and covering up her thefts by altering the inventory records. At Maralee Company, there seems to be a lack of progression from lower to middle management. Edward, the director of personnel, believes that the people being hired have great potential, but they are just not realizing their potential. Roger, the night-shift computer operator, has had occasion several times in the last month to call his supervisor to receive assistance--over the telephone--to correct a problem that he was having in operating the computer. Mary had become quite unhappy with her job at Funk, Inc. She knew that she was going to quit soon and decided to destroy some computer files. Using her own username and password, she found several disk packs on a table outside

A. B. C. D. E. F. G. H. I. J.

Answers _____

_____

2.

_____

3.

_____

4.

_____

5.

_____

6.

_____

7.

_____

8.

Controlling Information Systems: IT Process

the computer room and proceeded to "erase" the data with a powerful magnet. After Mary's departure, Funk spent several months reconstructing the data that had been on the lost files. _____ 9. One of the inventory control programs at Excess Company has been ordering more inventory than is required, causing an overstock condition on many items. During an investigation of the problem, it was discovered that the inventory ordering program had recently been changed. The changes were approved, but the new program was never tested. Sydney, the new computer operator, mounted the accounts payable master file disk pack on the disk drive. The computer, which was running an accounts receivable application, did not recognize that this was the accounts payable master file and destroyed the data on the accounts payable master file.

179

_____

10.

ANS: System Failure Number 1 2 3 4 5 6 7 8 9 10

Answer G F C H I A B E D J

5. The first list below contains 9 control plans discussed in Chapter 8. The second list describes 9 system failures that have control implications. Required: On the answer line to the left of each system failure, insert the capital letter from the first list of the best control plan to prevent the system failure from occurring. (If you can't find a control that will prevent the failure, then choose a detective plan or, as a last resort, a corrective control plan). A letter should be used only once. A. B. C. D. E. F. G. H. I. Control Plans Selection and hiring control plans Documentation control plans Segregation of programmers from computer operations Forced vacations Biometric security system Fire-protection control plans Protection tabs, doors, and rings Off-site storage of back up computer files Program change controls

180

Chapter 8

Answers _____

SYSTEM FAILURES 1. While moving the new payroll program from testing status into production status, Peter the programmer made a change to the program and then go to computer operations so that each time payroll was run, his pay would be incremented by 10%. 2. Cary enters cash receipts into the computer at Kiting Inc. For the past year she has been pocketing customer payments. To keep herself from being discovered, she enters credit memos into the computer, which records them as reductions in the customers' accounts receivable records--as if the payment had been made. 3. Procedures for the approval of orders have been put in place at Overstock Company. Clyde, the new purchasing agent, was given a briefing on these procedures when he was hired and has been applying those procedures as best as he can remember them. Consequently, Clyde sometimes orders more inventory than is required. 4. The new sales reporting system includes a computer printout that was supposed to report daily sales to the V.P. of marketing. The report was never tested and contains erroneous sales figures and is not presented in the format required by the V.P. 5. There was a flood and all of the computers and all their data were destroyed. 6. Freida was just hired as a computer operator at Vertigo Inc. Just a few days after being hired, she discovered that she would not be allowed to spend some of her time writing computer programs. This was contrary to what she was told initially, and she is now quite unhappy with her circumstances. 7. After careful screening and selection of employees, an organization issues its employees name badges with magnetic strips that stores the employees' personal information. Employees in the IT function can scan the badges to gain entry into various rooms within the IT center. Recently management discovered that employees are sharing their badges to enable them to gain access to every room in the facility. 8. A fire at the Mitre Corporation caused the release of a poisonous gas which contaminated the entire building. While the computer files were not destroyed during the fire, they were contaminated and cannot be removed from the building and personnel cannot enter the building. It took several months to recreate the computer files. 9. The computer asked Herb, the computer operator, to load a scratch disk on drive 1 and copy the accounts receivable master file on drive 2. The accounts receivable master file on drive 2 was accidentally erased before the files could be copied to the scratch disk on drive 1.

_____

_____

_____

_____ _____

_____

_____

_____

ANS:

Controlling Information Systems: IT Process

181

System Failure Number 1 2 3 4 5 6 7 8 9

Answer C D B I H A E F G