Chapter 04 Internal Controls and Risks in IT Systems - Accounting Information System 1e by Turner PDF

Course: Accountancy
Institution: The National Teachers College

ACCOUNTING INFORMATION SYSTEMS CONTROLS AND PROCESSES TURNER / WEICKGENANNT

CHAPTER 4: Internal Controls and Risks in IT Systems

TEST BANK - CHAPTER 4 - TRUE / FALSE

1. If a company’s IT system fails, it would have little or no effect on the company’s operations.

2. It is necessary for students and accountants to understand the types of threats that may affect an accounting system, so that the threats can be avoided.

3. It is important for accountants to consider possible threats to the IT system and to know how to implement controls to try to prevent those threats from becoming reality.

4. General controls apply to the IT accounting system and are not restricted to any particular accounting application.

5. The use of passwords to allow only authorized users to log into an IT system is an example of an application control.

6. Application controls apply to the IT accounting system and are not restricted to any particular accounting application.

7. The use of passwords to allow only authorized users to log into an IT system is an example of a general control.

8. General controls are used specifically in accounting applications to control inputs, processing, and outputs.

9. Application controls are intended to ensure that inputs and processing are accurate and complete and that outputs are properly distributed, controlled, and disposed of.

10. A validity check is an example of an input application control.

11. To increase the effectiveness of login restrictions, user IDs must be unique for each user.

12. To increase the effectiveness of login restrictions, passwords must be unique for each user.

13. Biometric devices use unique physical characteristics to identify users. The most common method used is retina scans.

14. There are a number of methods described that are intended to limit log-ins exclusively to authorized users. The only method that is foolproof is the biometric devices.

15. The user ID and password for a particular user should not allow access to the configuration tables unless that user is authorized to change the configuration settings.

16. It is necessary for an IT system to be networked to an external internet to be open to opportunities for unauthorized access.

17. Unauthorized access is a concern when an IT system is networked to either internal networks or the Internet.

18. A firewall can prevent the unauthorized flow of data in both directions.

19. Deciphering renders data useless to those who do not have the correct encryption key.

20. Discussing the strength of encryption refers to how difficult it would be to break the code.

21. The longer the encryption key is in bits, the more difficult it will be to break the code.

22. The longest encryption keys are 128 bits.

23. Encryption is more important for dial-up networks than for wireless networks.

24. Using a unique service set identifier (SSID) makes it more difficult for an outsider to access the wireless network.

25. The VPN, virtual private network, uses the internet and is therefore not truly private – but is virtually private.

26. Once an organization has set up an effective system to prevent unauthorized access to the IT system, it is not necessary to continually monitor the vulnerability of that system.

27. It is important to understand that the IT governance committee delegates many of its duties by the policies that it develops.

28. The most important factor in controlling IT systems is the maintenance of the vulnerability assessment activities.

29. In a properly segregated IT system, no single person or department should develop computer programs and also have access to data that is commensurate with operations personnel.

30. It is proper that the database administrator develop and write programs.

31. To the extent possible, IT systems should be installed in locations away from any location likely to be affected by natural disasters.

32. It is not necessary to control the humidity and temperature in the location where the computer system is housed.

33. Disaster recovery planning is a proactive plan to protect IT systems and the related data.

34. Each organization has to decide which combination of IT controls is most suitable for its IT system, making sure that the benefits of each control outweigh its costs.

35. Controls will help to reduce risks, but it is impossible to completely eliminate risks.

36. It is possible to completely eliminate risks with the proper controls.

37. The most popular type of unauthorized access is probably by a person known to the organization.

38. Employees who hack into computer networks are often more dangerous because of their knowledge of company operations.

39. It is necessary to identify the “entry points” in the IT system that make an organization susceptible to IT risks.

40. Access to the operating system will not allow hackers access to the application software or the database.

41. Controlling access to the operating system is critical because that access opens access to any data or program within the system.

42. A database is often less open to unauthorized access than the physical, paper records, because the database has fewer access points.

43. The workstations and the network cabling and connections represent spots where an intruder could tap into the network for unauthorized access.

44. In a wireless network, signals are transmitted through the air rather than over cables. Anyone who wants to gain access to the network would need to know the password to access these “air-borne” signals. FALSE

45. The use of dual firewalls - one between the internet and the web server and one between the web server and the organization’s network - can help prevent unauthorized users from accessing the organization’s internal network of computers.

46. Telecommuting workers cause two sources of risk exposures for their organizations - the network equipment and cabling in addition to the teleworker’s computer - with the only “entry point” being the teleworker’s computer.

47. Many IT systems do not use source documents; the input is automatic.

48. If no source documents are used by the IT system, then the general controls, such as computer logging of transactions, become less important.

49. The group of controls referred to as Source Document Controls does not include form design.

50. The closer the source document matches the input screen, the easier it will be for the data entry employee to complete the input screen without errors.

51. Form authorization and control includes the requirement that source documents should be prenumbered and are to be used in sequence.

52. Once the data from the source documents have been keyed into the computer, the source document can be destroyed.

53. With the proper training of employees and adequate controls, it would be possible to eliminate all errors.

54. To verify the accuracy of application software, an organization should be sure the software is tested before it is implemented and must regularly test it after implementation.

55. An organization must maintain procedures to protect the output from unauthorized access in the form of written guidelines and procedures for output distribution.

56. Management must discourage illegal behavior by employees, such as the misuse of computers and theft through the computer systems.

ANSWERS TO TEST BANK – CHAPTER 4 – TRUE / FALSE:

1. F    2. F    3. T    4. T    5. F    6. F    7. T    8. F    9. T    10. T
11. T   12. F   13. F   14. F   15. T   16. F   17. T   18. T   19. F   20. T
21. T   22. F   23. F   24. T   25. T   26. F   27. T   28. F   29. T   30. F
31. T   32. F   33. F   34. T   35. T   36. F   37. F   38. T   39. T   40. F
41. T   42. F   43. T   44. F   45. T   46. F   47. T   48. F   49. F   50. T
51. T   52. F   53. F   54. T   55. T   56. F

TEST BANK - CHAPTER 4 - MULTIPLE CHOICE

57. Unchecked risks and threats to the IT could result in:
A. An interruption of the computer operations
B. Damage to an organization
C. Incorrect or incomplete accounting information
D. All of the above

58. In order to master risks and controls and how they fit together, which of the following is NOT one of the areas to fully understand?
A. The accounting information system.
B. The description of the general and application controls that should exist in IT systems.
C. The type and nature of risks in IT systems.
D. The recognition of how controls can be used to reduce risk.

59. General controls in IT systems are divided into five broad categories. Which of the following is NOT one of those categories?
A. Authentication of users and limiting unauthorized access
B. Output controls
C. Organization structure
D. Physical environment and physical security of the system.

60. A process or procedure in an IT system to ensure that the person accessing the IT system is valid and authorized is called:
A. Hacking and other network break-ins
B. Physical environment and physical security
C. Authentication of users and limiting unauthorized access
D. Organizational structure

61. This term relates to making the computer recognize a user in order to create a connection at the beginning of the computer session.
A. User ID
B. Password
C. Smart card
D. Login

62. Which of the following is NOT one of the rules for the effective use of passwords?
A. Passwords should not be case sensitive
B. Passwords should be at least 6 characters in length
C. Passwords should contain at least one nonalphanumeric character.
D. Passwords should be changed every 90 days.

63. Which of the following is not a good example of an effective password?
A. Abc*$123
B. a1b2c3
C. A*1b?2C$3
D. MSU#Rules$

64. This item, which strengthens the use of passwords, is plugged into the computer’s card reader and helps authenticate that the user is valid; it has an integrated circuit that displays a constantly changing ID code. These statements describe:
A. Security token
B. USB control key
C. Smart card
D. Biometrics

65. A new technology that is used to authenticate users is one that plugs into the USB port and eliminates the need for a card reader. This item is called a:
A. Biometric reader
B. Smart card
C. USB smart key
D. Security token

66. The use of the smart card or security tokens is referred to as a two factor authorization because:
A. It is based on something the user has, the token or card, and something the user knows, the password.
B. It requires that the user is granted the card / token in a secure environment and that the user actually uses the card / token.
C. It requires that the user has two different authorizations: (1) to receive the card / token, and (2) to use the card / token.
D. It requires the use of the card / token to (1) login to the system and (2) access the applications.

67. This type of authentication uses some unique physical characteristic of the user to identify the user and allow the appropriate access to the system.
A. Nonrepudiation card
B. Biometric device
C. Configuration table
D. Computer log

68. Which of the following is not an example of physical characteristics being used in biometric devices?
A. Retina scans
B. Fingerprint matching
C. Social security number
D. Voice verification

69. There are a number of reasons that all access to the IT system be logged - which includes a computer log of all dates, times, and uses for each user. Which of the following is not one of the reasons for the log to be maintained?
A. Any login or use abnormalities can be examined in more detail to determine any weaknesses in the login procedures.
B. A user cannot deny any particular act that he or she did on the system.
C. To establish nonrepudiation of sales transactions by a customer.
D. To establish a user profile.

70. This should be established for every authorized user and determines each user’s access level to hardware, software, and data according to the individual’s job responsibilities.
A. User profile
B. User password
C. User ID
D. User log

71. This table contains a list of valid, authorized users and the access level granted to each one.
A. User table
B. Authority table
C. Authentication table
D. Configuration table

72. The IT system includes this type of table for software, hardware, and application programs that contains the appropriate set-up and security settings.
A. Configuration table
B. Authentication table
C. User table
D. Authority table

73. Nonrepudiation means that:
A. A user is not authorized to change configuration settings.
B. A user is not allowed access to the authority tables.
C. A user can prevent the unauthorized flow of data in both directions.
D. A user cannot deny any particular act that he or she did on the IT system.

74. Hardware, software, or a combination of both that is designed to block unauthorized access to an IT system is called:
A. Computer log
B. Biometric device
C. Firewall
D. Security token

75. The process of converting data into secret codes referred to as cipher text is called:
A. Deciphering
B. Encryption
C. Nonrepudiation
D. Enciphering

76. This form of encryption uses a single encryption key that must be used to encrypt data and also to decode the encrypted data.
A. Multiple encryptions
B. Public key encryption
C. Wired encryption
D. Symmetric encryption

77. This form of encryption uses a public key, which is known by everyone, to encrypt data, and a private key to decode the data.
A. Multiple encryptions
B. Public key encryption
C. Wired encryption
D. Symmetric encryption

78. This encryption method, used with wireless network equipment, is symmetric in that both the sending and receiving network nodes must use the same encryption key. It has been proven to be susceptible to hacking.
A. Wired Equivalency Privacy (WEP)
B. Wired Encryption Policy (WEP)
C. Wireless Protection Access (WPA)
D. Wired Privacy Authentication (WPA)

79. This encryption method requests connection to the network via an access point, and that point then requests the user identity and transmits that identity to an authentication server, substantially authenticating the computer and the user.
A. Wired Equivalency Privacy (WEP)
B. Wired Encryption Provider (WEP)
C. Wireless Provider Authentication (WPA)
D. Wireless Protection Access (WPA)

80. This security feature, used on wireless networks, is a password that is passed between the sending and receiving nodes of a wireless network.
A. Secure sockets layer
B. Service set identifier
C. Wired provided access
D. Virtual private network

81. Authorized employees may need to access the company IT system from locations outside the organ...
