
To download more slides, ebook, solutions and test bank, visit http://downloadslide.blogspot.com

ACCOUNTING INFORMATION SYSTEMS
CONTROLS AND PROCESSES
TURNER / WEICKGENANNT

CHAPTER 4: Internal Controls and Risks in IT Systems

TEST BANK - CHAPTER 4 - TRUE / FALSE

1. If a company’s IT system fails, it would have little or no effect on the company’s operations.

2. It is necessary for students and accountants to understand the types of threats that may
affect an accounting system, so that the threats can be avoided.

3. It is important for accountants to consider possible threats to the IT system and to know how
to implement controls to try to prevent those threats from becoming reality.

4. General controls apply to the IT accounting system and are not restricted to any particular
accounting application.

5. The use of passwords to allow only authorized users to log into an IT system is an example of
an application control.

6. Application controls apply to the IT accounting system and are not restricted to any particular
accounting application.

7. The use of passwords to allow only authorized users to log into an IT system is an example of
a general control.

8. General controls are used specifically in accounting applications to control inputs, processing,
and outputs.

9. Application controls are intended to ensure that inputs and processing are accurate and
complete and that outputs are properly distributed, controlled, and disposed.

10. A validity check is an example of an input application control.

11. To increase the effectiveness of login restrictions, user IDs must be unique for each user.

12. To increase the effectiveness of login restrictions, passwords must be unique for each user.

13. Biometric devices use unique physical characteristics to identify users. The most common
method used is retina scans.

14. There are a number of methods described that are intended to limit log-ins exclusively to
authorized users. The only method that is foolproof is the biometric devices.

15. The user ID and password for a particular user should not allow access to the configuration
tables unless that user is authorized to change the configuration settings.

16. It is necessary for an IT system to be networked to an external internet to be open to
opportunities for unauthorized access.

17. Unauthorized access is a concern when an IT system is networked to either internal networks
or the Internet.

18. A firewall can prevent the unauthorized flow of data in both directions.

19. Deciphering renders data useless to those who do not have the correct encryption key.

20. Discussing the strength of encryption refers to how difficult it would be to break the code.

21. The longer the encryption key is in bits, the more difficult it will be to break the code.

22. The longest encryption keys are 128 bits.

23. Encryption is more important for dial-up networks than for wireless networks.

24. Using a unique service set identifier (SSID) makes it more difficult for an outsider to access
the wireless network.

25. The VPN, virtual private network, uses the internet and is therefore not truly private – but is
virtually private.

26. Once an organization has set up an effective system to prevent unauthorized access to the IT
system, it is not necessary to continually monitor the vulnerability of that system.

27. It is important to understand that the IT governance committee delegates many of its duties
by the policies that it develops.

28. The most important factor in controlling IT systems is the maintenance of the vulnerability
assessment activities.

29. In a properly segregated IT system, no single person or department should develop computer
programs and also have access to data that is commensurate with operations personnel.

30. It is proper that the database administrator develop and write programs.

31. To the extent possible, IT systems should be installed in locations away from any location
likely to be affected by natural disasters.

32. It is not necessary to control the humidity and temperature in the location where the computer
system is housed.

33. Disaster recovery planning is a proactive plan to protect IT systems and the related data.

34. Each organization has to decide which combination of IT controls is most suitable for its IT
system, making sure that the benefits of each control outweigh its costs.

35. Controls will help to reduce risks, but it is impossible to completely eliminate risks.

36. It is possible to completely eliminate risks with the proper controls.

37. The most popular type of unauthorized access is probably by a person known to the
organization.

38. Employees who hack into computer networks are often more dangerous because of their
knowledge of company operations.

39. It is necessary to identify the “entry points” in the IT system that make an organization
susceptible to IT risks.

40. Access to the operating system will not allow hackers access to the application software or the
database.

41. Controlling access to the operating system is critical because that access opens access to any
data or program within the system.

42. A database is often less open to unauthorized access than the physical, paper records,
because the database has fewer access points.

43. The workstations and the network cabling and connections represent spots where an intruder
could tap into the network for unauthorized access.

44. In a wireless network, signals are transmitted through the air rather than over cables. Anyone
who wants to gain access to the network would need to know the password to access these
“air-borne” signals.

45. The use of dual firewalls - one between the internet and the web server and one between the
web server and the organization’s network - can help prevent unauthorized users from accessing
the organization’s internal network of computers.

46. Telecommuting workers cause two sources of risk exposures for their organizations - the
network equipment and cabling in addition to the teleworker’s computer - with the only
“entry point” being the teleworker’s computer.

47. Many IT systems do not use source documents; the input is automatic.

48. If no source documents are used by the IT system, then the general controls, such as
computer logging of transactions, become less important.

49. The group of controls referred to as Source Document Controls does not include form design.

50. The closer the source document matches the input screen, the easier it will be for the data
entry employee to complete the input screen without errors.

51. The form authorization and control includes the requirement that source documents should be
prenumbered and are to be used in sequence.

52. Once the data from the source documents have been keyed into the computer, the source
document can be destroyed.

53. With the proper training of employees and the adequate controls, it would be possible to
eliminate all errors.

54. To verify the accuracy of application software, an organization should be sure the software is
tested before it is implemented and must regularly test it after implementation.

55. An organization must maintain procedures to protect the output from unauthorized access in
the form of written guidelines and procedures for output distribution.

56. Management must discourage illegal behavior by employees, such as the misuse of computers
and theft through the computer systems.

ANSWERS TO TEST BANK – CHAPTER 4 – TRUE / FALSE:


1. F 11. T 21. T 31. T 41. T 51. T
2. F 12. F 22. F 32. F 42. F 52. F
3. T 13. F 23. F 33. F 43. T 53. F
4. T 14. F 24. T 34. T 44. F 54. T
5. F 15. T 25. T 35. T 45. T 55. T
6. F 16. F 26. F 36. F 46. F 56. F
7. T 17. T 27. T 37. F 47. T
8. F 18. T 28. F 38. T 48. F
9. T 19. F 29. T 39. T 49. F
10. T 20. T 30. F 40. F 50. T

TEST BANK - CHAPTER 4 - MULTIPLE CHOICE

57. Unchecked risks and threats to the IT system could result in:
A. An interruption of the computer operations
B. Damage to an organization
C. Incorrect or incomplete accounting information
D. All of the above

58. In order to master risks and controls and how they fit together, which of the following is NOT
one of the areas to fully understand?
A. The accounting information system.
B. The description of the general and application controls that should exist in IT system.
C. The type and nature of risks in IT systems.
D. The recognition of how controls can be used to reduce risk.

59. General controls in IT systems are divided into five broad categories. Which of the following is
NOT one of those categories?
A. Authentication of users and limiting unauthorized access
B. Output controls
C. Organization structure
D. Physical environment and physical security of the system.

60. A process or procedure in an IT system to ensure that the person accessing the IT system is
valid and authorized is called:
A. Hacking and other network break-ins
B. Physical environment and physical security
C. Authentication of users and limiting unauthorized access
D. Organizational structure

61. This term relates to making the computer recognize a user in order to create a connection at the
beginning of the computer session.
A. User ID
B. Password
C. Smart card
D. Login

62. Which of the following is NOT one of the rules for the effective use of passwords?
A. Passwords should not be case sensitive
B. Passwords should be at least 6 characters in length
C. Passwords should contain at least one nonalphanumeric character.
D. Password should be changed every 90 days.

63. Which of the following is not a good example of an effective password?
A. Abc*$123
B. a1b2c3
C. A*1b?2C$3
D. MSU#Rules$

64. This item, which strengthens the use of passwords, is plugged into the computer’s card reader
and helps authenticate that the user is valid; it has an integrated circuit that displays a constantly
changing ID code. These statements describe:
A. Security token
B. USB control key
C. Smart card
D. Biometrics

65. A new technology that is used to authenticate users is one that plugs into the USB port and
eliminates the need for a card reader. This item is called a:
A. Biometric reader
B. Smart card
C. USB smart key
D. Security token

66. The use of the smart card or security tokens is referred to as a two factor authorization
because:
A. It is based on something the user has, the token or card, and something the user knows,
the password.
B. It requires that the user is granted the card / token in a secure environment and that the
user actually uses the card / token.
C. It requires that the user has two different authorizations: (1) to receive the card / token,
and (2) to use the card / token.
D. It requires the use the card / token to (1) login to the system and (2) access the
applications.

67. This type of authentication uses some unique physical characteristic of the user to identify the
user and allow the appropriate access to the system.
A. Nonrepudiation card
B. Biometric device
C. Configuration table
D. Computer log

68. Which of the following is not an example of physical characteristics being used in biometric
devices?
A. Retina scans
B. Fingerprint matching
C. Social security number
D. Voice verification

69. There are a number of reasons that all access to the IT system should be logged - which includes a
computer log of all dates, times, and uses for each user. Which of the following is not one of
the reasons for the log to be maintained?
A. Any login or use abnormalities can be examined in more detail to determine any
weaknesses in the login procedures.
B. A user cannot deny any particular act that he or she did on the system.
C. To establish nonrepudiation of sales transactions by a customer.
D. To establish a user profile.

70. This should be established for every authorized user and determines each user’s access level to
hardware, software, and data according to the individual’s job responsibilities.
A. User profile
B. User password
C. User ID
D. User log

71. This table contains a list of valid, authorized users and the access level granted to each one.
A. User table
B. Authority table
C. Authentication table
D. Configuration table

72. The IT system includes this type of table for software, hardware, and application programs that
contain the appropriate set-up and security settings.
A. Configuration table
B. Authentication table
C. User table
D. Authority table

73. Nonrepudiation means that:
A. A user is not authorized to change configuration settings.
B. A user is not allowed access to the authority tables.
C. A user can prevent the unauthorized flow of data in both directions.
D. A user cannot deny any particular act that he or she did on the IT system.

74. Hardware, software, or a combination of both that is designed to block unauthorized access to
an IT system is called:
A. Computer log
B. Biometric device
C. Firewall
D. Security token

75. The process of converting data into secret codes referred to as cipher text is called:
A. Deciphering
B. Encryption
C. Nonrepudiation
D. Enciphering

76. This form of encryption uses a single encryption key that must be used to encrypt data and also
to decode the encrypted data.
A. Multiple encryptions
B. Public key encryption
C. Wired encryption
D. Symmetric encryption

77. This form of encryption uses a public key, which is known by everyone, to encrypt data, and a
private key, to decode the data.
A. Multiple encryptions
B. Public key encryption
C. Wired encryption
D. Symmetric encryption

78. This encryption method, used with wireless network equipment, is symmetric in that both the
sending and receiving network nodes must use the same encryption key. It has been proven to
be susceptible to hacking.
A. Wired Equivalency Privacy (WEP)
B. Wired Encryption Policy (WEP)
C. Wireless Protection Access (WPA)
D. Wired Privacy Authentication (WPA)

79. This encryption method requests connection to the network via an access point and that point
then requests the user identity and transmits that identity to an authentication server,
substantially authenticating the computer and the user.
A. Wired Equivalency Privacy (WEP)
B. Wired Encryption Provider (WEP)
C. Wireless Provider Authentication (WPA)
D. Wireless Protection Access (WPA)

80. This security feature, used on wireless networks, is a password that is passed between the
sending and receiving nodes of a wireless network.
A. Secure sockets layer
B. Service set identifier
C. Wired provided access
D. Virtual private network

81. Authorized employees may need to access the company IT system from locations outside the
organization. These employees should connect to the IT system using this type of network.
A. Secure socket network
B. Service set identifier
C. Virtual private network
D. Wireless encryption portal

82. The type of network uses tunnels, authentication, and encryption within the Internet network to
isolate Internet communications so that unauthorized users cannot access or use certain data.
A. Residential user network
B. Service internet parameter network
C. Virtual private network
D. Virtual public network

83. This communication protocol is built into web server and browser software that encrypts data
transferred on that website. You can determine if a website uses this technology by looking at
the URL.
A. Secure sockets layer
B. Service security line
C. Secure encryption network
D. Secure service layer

84. Which of the following URLs would indicate that the site is using browser software that encrypts
data transferred to the website?
A. shttp://misu
B. https://misu
C. http://smisus
D. https://smisus

85. A self-replicating piece of program code that can attach itself to other programs and data and
perform malicious actions is referred to as a(n):
A. Worm
B. Encryption
C. Virus
D. Infection

86. A small piece of program code that attaches to the computer’s unused memory space and
replicates itself until the system becomes overloaded and shuts down is called:
A. Infections
B. Virus
C. Serum
D. Worm

87. This type of software should be used to avoid destruction of data and programs and to maintain
operation of the IT system. It continually scans the system for viruses and worms and either
deletes or quarantines them.
A. Penicillin Software
B. Antivirus Software
C. Infection Software
D. Internet Software

88. The process of proactively examining the IT system for weaknesses that can be exploited by
hackers, viruses, or malicious employees is called:
A. Intrusion detection
B. Virus management
C. Vulnerability assessment
D. Penetration testing

89. This method of monitoring exposure can involve either manual testing or automated software
tools. The method can identify weaknesses before they become network break-ins and attempt
to fix these weaknesses before they are exploited.
A. Vulnerability assessment
B. Intrusion detection
C. Encryption examination
D. Penetration testing

90. Specific software tools that monitor data flow within a network and alert the IT staff to hacking
attempts or other unauthorized access attempts are called:
A. Security detection
B. Vulnerability assessment
C. Penetration testing
D. Intrusion detection

91. The process of legitimately attempting to hack into an IT system to find whether weaknesses
can be exploited by unauthorized hackers is referred to as:
A. Vulnerability assessment
B. Intrusion detection
C. Penetration testing
D. Worm detection

92. The function of this committee is to govern the overall development and operation of IT
systems.
A. IT Budget Committee
B. IT Audit Committee
C. IT Governance Committee
D. IT Oversight Committee

93. Which of the following would normally not be found on the IT Governance Committee?
A. Computer input operators
B. Chief Executive Officer
C. Chief Information Officer
D. Heads of business units

94. The IT Governance Committee has several important responsibilities. Which of the following is
not normally one of those responsibilities?
A. Align IT investments to business strategies.
B. Oversee and prioritize changes to IT systems.
C. Develop, monitor, and review security procedures.
D. Investing excess IT funds in long-term investments.

95. The functional responsibilities within an IT system must include the proper segregation of
duties. Which of the following positions is not one of the duties that are to be segregated from
the others?
A. Systems analysts
B. Chief information officer
C. Database administrator
D. Operations personnel

96. The systematic steps undertaken to plan, prioritize, authorize, oversee, test, and implement
large-scale changes to the IT system are called:
A. IT Governance System
B. Operations Governance
C. System Development Life Cycle
D. Systems Analysis

97. General controls for an IT system include:
A. Controls over the physical environment only.
B. Controls over the physical access only.
C. Controls over the physical environment and over the physical access.
D. None of the above.

98. A battery to maintain power in the event of a power outage meant to keep the computer
running for several minutes after the power outage is called:
A. Uninterruptible power supply
B. System power supply
C. Emergency power supply
D. Battery power supply

99. An alternative power supply that provides electrical power in the event that a main source is lost
is called:
A. Uninterruptible power supply
B. System power supply
C. Emergency power supply
D. Battery power supply

100. Large-scale IT systems should be protected by physical access controls. Which of the following
is not listed as one of those controls?
A. Limited access to computer rooms.
B. Video surveillance equipment.
C. Locked storage of backup data.
D. Encryption of passwords.

101. A proactive program for considering risks to the business continuation and the development of
plans and procedures to reduce those risks is referred to as:
A. Redundant business planning
B. Business continuity planning
C. Unnecessary in the current safe environments
D. Emergency backup power

102. Two or more computer network or data servers that can run identical processes or maintain the
same data are called:
A. Emergency power supply
B. Uninterruptible power source
C. Redundant servers
D. Business continuity planning

103. Many IT systems have redundant data storage such that two or more disks are exact mirror
images. This is accomplished by the use of:
A. Redundant arrays of independent disks
B. Redundant mirror image disks
C. Mirror image independent disks
D. Redundant mirror image dependent disks

104. The AICPA Trust Principles categorizes IT controls and risks into categories. Which of the
following is not one of those categories?
A. Confidentiality
B. Security
C. Recovery
D. Availability

105. The establishment of log-in procedures can help prevent or lessen security risks and are referred
to as:
A. Reactive controls
B. Preventive controls
C. Availability controls
D. Confidentiality controls

106. Availability risks, related to the authentication of users, would include:
A. Shutting down the system and shutting down programs
B. Altering data and repudiating transactions
C. Stealing data and recording nonexistent transactions
D. Sabotaging systems and destroying data

107. The accuracy, completeness, and timeliness of the process in IT systems are referred to as:
A. Availability Risks
B. Security Risks
C. Confidentiality Risks
D. Processing Integrity Risks

108. The software that controls the basic input and output activities of the computer is called:
A. Operating System
B. Application Software
C. Data Base Management System
D. Electronic Data Interchange

109. Unauthorized access to the operating system would allow the unauthorized user to:
A. Browse disk files for sensitive data or passwords
B. Alter data through the operating system
C. Alter application programs
D. All of the above

110. A software system that manages the interface between many users and the database is called:
A. Database security system
B. Database management system
C. Database binary monetary system
D. Database assessment

111. A computer network covering a small geographic area, which, in most cases, is within a single
building or a local group of buildings is called a:
A. Land area network
B. Local access network
C. Local area network
D. Locality arena network

112. A group of LANs connected to each other to cover a wider geographic area is called a:
A. Connected local network
B. Wide area network
C. Connected wide area
D. Wide geographic network

113. A popular activity is to find a company whose network signal bleeds outside the building to the
sidewalk around it. Abusers of this network then make identifiable chalk marks on the sidewalks
so that others can find the network access. This process is referred to as:
A. Chalkwalking
B. Netwalking
C. Network Warring
D. Warchalking

114. The work arrangement where employees work from home using some type of network
connection to the office is referred to as:
A. Telecommuting
B. Telemarketing
C. Network Employment
D. Electronic working

115. The company-to-company transfer of standard business documents in electronic form is called:
A. Facsimile Transmission
B. PDF Interchange
C. Electronic Data Interchange
D. Tele-transmission

116. The software that accomplishes end user tasks such as word processing, spreadsheets, and
accounting functions is called:
A. Operating Software
B. Database Software
C. Application Software
D. Management Software

117. Internal controls over the input, processing, and output of accounting applications are called:
A. Accounting Controls
B. Application Controls
C. Network Controls
D. LAN Controls

118. This type of control is intended to ensure the accuracy and completeness of data input
procedures and the resulting data:
A. Input Controls
B. Internal Controls
C. Processing Controls
D. Output Controls

119. This type of control is intended to ensure the accuracy and completeness of processing that
occurs in accounting applications:
A. Input Controls
B. Internal Controls
C. Processing Controls
D. Output Controls

120. This type of control is intended to help ensure the accuracy, completeness, and security of
outputs that result from application processing:
A. Input Controls
B. Internal Controls
C. Processing Controls
D. Output Controls

121. The process of converting data from human readable form to computer readable form is
referred to as:
A. Transcription
B. Data Input
C. Keyboarding
D. Scanning

122. Which of the following is NOT one of the types of input controls?
A. Source document controls
B. Programmed edit checks
C. Confidentiality check
D. Control totals and reconciliation

123. The paper form used to capture and record the original data of an accounting transaction is
called a(n):
A. Input control
B. Source document
C. Sales invoice
D. General ledger

124. Which of the following items is not one of the source document controls?
A. Validity check
B. Form design
C. Form authorization and control
D. Retention of source documents

125. The process where the details of individual transactions at each stage of the business process
can be recreated in order to establish whether proper accounting procedures for the transaction
were performed is called:
A. Source document reconciliation
B. Range check
C. Validity verification
D. Audit trail

126. The procedures to collect and prepare source documents are termed:
A. Input validation procedures
B. Form authorization procedures
C. Data preparation procedures
D. Document retention procedures

127. The data preparation procedures are to be well-defined so that employees will be sure of:
A. Which forms to use
B. When to use them
C. Where to route them
D. All of the above

128. Field check, limit check, range check and sequence check are all examples of:
A. Input Validation Checks
B. Source Document Controls
C. Control Reconciliation
D. Application Controls

129. This type of input validation check examines a field to ensure that the data entry in the field is
valid compared with a preexisting list of acceptable values.
A. Field Check
B. Completeness Check
C. Validity Check
D. Range Check

130. This type of input validation check assesses the critical fields in an input screen to make sure
that a value is in those fields.
A. Field Check
B. Completeness Check
C. Range Check
D. Limit Check

131. This type of input check ensures that the batch of transactions is sorted in order, but does not
help to find the missing transactions.
A. Completeness Check
B. Range Check
C. Self-checking Digit Check
D. Sequence Check

132. An extra digit added to a coded identification number, determined by a mathematical algorithm
is called a:
A. Coded Digit Check
B. Self-Checking Digit Check
C. Sequence Check
D. Run to Run Check

133. Which of the following is NOT one of the types of control totals?
A. Digit Count
B. Record Count
C. Batch Totals
D. Hash Totals

134. The totals of fields that have no apparent logical reason to be added are called:
A. Record Totals
B. Digit Totals
C. Batch Totals
D. Hash Totals

135. These controls are intended to prevent, detect, or correct errors that occur during the
processing of an application.
A. Application Controls
B. Source Document Controls
C. Processing Controls
D. Input Controls

136. A primary objective of output controls would be:
A. Manage the safekeeping of source documents
B. Assure the accuracy and completeness of the output
C. Ensure that the input data is accurate
D. Prevention and detection of processing errors

137. The responsibility of management to safeguard assets and funds entrusted to them by the
owners of an organization is referred to as:
A. Stewardship Responsibility
B. IT System Controls
C. Application Controls
D. Internal Controls

ANSWERS TO TEST BANK – CHAPTER 4 – MULTIPLE CHOICE:


57. D 71. B 85. C 99. C 113. D 127. D
58. A 72. A 86. D 100. D 114. A 128. A
59. B 73. D 87. B 101. B 115. C 129. C
60. C 74. C 88. C 102. C 116. C 130. B
61. D 75. B 89. A 103. A 117. B 131. D
62. A 76. D 90. D 104. C 118. A 132. B
63. B 77. B 91. C 105. B 119. C 133. A
64. C 78. A 92. C 106. A 120. D 134. D
65. D 79. D 93. A 107. D 121. B 135. C
66. A 80. B 94. D 108. A 122. C 136. B
67. B 81. C 95. B 109. D 123. B 137. A
68. C 82. C 96. C 110. B 124. A
69. D 83. A 97. C 111. C 125. D
70. A 84. B 98. A 112. B 126. C

TEST BANK - CHAPTER 4 – END OF CHAPTER QUESTIONS:

138. Internal controls that apply overall to the IT system are called:
A. Overall Controls
B. Technology Controls
C. Application Controls
D. General Controls

139. In entering client contact information in the computerized database of a telemarketing business,
a clerk erroneously entered nonexistent area codes for a block of new clients. This error
rendered the block of contacts useless to the company. Which of the following would most likely
have led to discovery of this error in the company’s computerized system?
A. Limit check
B. Validity check
C. Sequence check
D. Record count

140. Which of the following is not a control intended to authenticate users?
A. User log-in
B. Security token
C. Encryption
D. Biometric devices

141. Management of an internet retail company is concerned about the possibility of computer data
eavesdropping and wiretapping, and wants to maintain the confidentiality of its information as it
is transmitted. The company should make use of:
A. Data encryption
B. Redundant servers
C. Input controls
D. Password codes

142. An IT governance committee has several responsibilities. Which of the following is least likely to
be a responsibility of the IT governance committee?
A. Develop and maintain the database and ensure adequate controls over the database.
B. Develop, monitor, and review security policies.
C. Oversee and prioritize changes to IT systems.
D. Align IT investments to business strategy.

143. AICPA Trust Principles describe five categories of IT risks and controls. Which of these five
categories would be described by the statement, “The system is protected against unauthorized
access”?
A. Security
B. Confidentiality
C. Processing integrity
D. Availability

144. The risk that an unauthorized user would shut down systems within the IT system is a(n):
A. Security risk
B. Availability risk
C. Processing integrity risk
D. Confidentiality risk

145. The risk of an unauthorized user gaining access is likely to be a risk for which of the following
areas?
A. Telecommuting workers
B. Internet
C. Wireless networks
D. All of the above

146. Which programmed input validation check compares the value in a field with related fields which
determine whether the value is appropriate?
A. Completeness check
B. Validity check
C. Reasonableness check
D. Completeness check

147. Which programmed input validation check determines whether the appropriate type of data,
either alphabetic or numeric, was entered?
A. Completeness check
B. Validity check
C. Reasonableness check
D. Field check

148. Which programmed input validation makes sure that a value was entered in all of the critical
fields?
A. Completeness check
B. Validity check
C. Reasonableness check
D. Field check

149. Which control total is the total of field values that are added for control purposes, but not added
for any other purpose?
A. Record count
B. Hash total
C. Batch total
D. Field total

150. A company has the following invoices in a batch:

Invoice No.   Product ID   Quantity   Unit Price
401           H42          150        $30.00
402           K56          200        $25.00
403           H42          250        $10.00
404           L27          300        $ 5.00

Which of the following numbers represents a valid record count?
A. 1
B. 4
C. 70
D. 900

ANSWERS TO TEST BANK - CHAPTER 4 – END OF CHAPTER QUESTIONS:

138. D 143. A 148. A
139. B 144. B 149. B
140. C 145. D 150. B
141. A 146. D
142. A 147. D

TEST BANK - CHAPTER 4 – SHORT ANSWER QUESTIONS

151. What is the difference between general controls and application controls?
Answer: General controls are internal controls that apply overall to the IT accounting systems;
they are not restricted to any particular accounting application. Application controls apply within
accounting applications to control inputs, processing, and outputs. They are intended to ensure
that inputs and processing are accurate and complete and that outputs are properly distributed,
controlled, and disposed.

152. Is it necessary to have both general controls and application controls to have a strong system of
internal controls?
Answer: Yes, it is necessary to have both types of controls in a strong system of internal controls.
Since they cover different aspects of the IT accounting systems and serve different purposes,
both are important and necessary. An IT system would not have good internal control if it lacked
either general or application controls.

153. What kinds of risks or problems can occur if an organization does not authenticate users of its
IT systems?
Answer: If an organization does not authenticate users of its IT systems, a security breach may
occur in which an unauthorized user may be able to gain access to the computer system. If
hackers or other unauthorized users gain access to information to which they are not entitled, the
organization may suffer losses due to exposure of confidential information. Unauthorized users
may gain access to the system for the purpose of browsing, altering, or stealing company data.
They could also record unauthorized transactions, shut down systems, alter programs, sabotage
systems, or repudiate existing transactions.

154. Explain the general controls that can be used to authenticate users.
Answer: In order to authenticate users, organizations must limit system log-ins exclusively to
authorized users. This can be accomplished by requiring login procedures, including user IDs and
passwords. Stronger systems use biometric identification or security tokens to authenticate users.
In addition, once a user is logged in, the system should have established access levels and
authority tables for each user. These determine which parts of the IT system each user can
access. The IT system should also maintain a computer log to monitor log-ins and follow up on
unusual patterns.

155. What is two-factor authentication with regard to smart cards or security tokens?
Answer: Two-factor authentication limits system log-ins to authorized users by requiring them to
have possession of a security device such as a smart card or token, and also have knowledge of a
user ID and/or password. Both are needed to gain access to the system.

156. Why should an organization be concerned about repudiation of sales transactions by the
customer?
Answer: Repudiation is the attempt to claim that the customer was not part of a sales transaction
that has taken place. Organizations may suffer losses if customers repudiate sales transactions. If
companies do not have adequate controls to prevent repudiation, they may not be able to collect
amounts due from customers. However, organizations may reduce the risk of such losses if they
require log-in of customers and if they maintain computer logs to establish undeniably which
users take particular actions. This can provide proof of online transactions.

157. A firewall should inspect incoming and outgoing data to limit the passage of unauthorized data
flow. Is it possible for a firewall to restrict too much data flow?
Answer: Yes, it is possible for a firewall to restrict legitimate data flow as well as unauthorized
data flow. This may occur if the firewall establishes limits on data flow that are too restrictive. In
order to prevent blocking legitimate network traffic, the firewall must examine data flow and
attempt to determine which data is authorized or unauthorized. The packets of information that
pass through the firewall must have a proper ID to allow it to pass through the firewall.

158. How does encryption assist in limiting unauthorized access to data?
Answer: Encryption is the process of converting data into secret codes referred to as cipher text.
Encrypted data can only be decoded by those who possess the encryption key or password. It
therefore renders the data useless to any unauthorized user who does not possess the encryption
key. Encryption alone does not prevent access to data, but it does prevent an unauthorized user
from reading or using the data.

159. What kinds of risk exist in wireless networks that can be limited by WEP, WPA, and proper use
of SSID?
Answer: WEP, WPA, and SSIDs can limit the risk of unauthorized access to wireless networks,
which transmit network data as high frequency radio signals through the air. Since anyone within
range of these radio signals can receive the data, protecting data is extremely important within a
wireless network. This can be accomplished through encryption via wired equivalency privacy
(WEP), through encryption and user authentication via wireless protected access (WPA), and
through password protection of the network sending and receiving nodes via service set
identifiers (SSIDs).

160. Describe some recent news stories you have seen or heard regarding computer viruses.
Answer: Student responses will vary greatly depending upon the date this is discussed, but should
describe situations of computer malfunctions caused by network break-ins in which damaging
actions were taken against an organization’s programs and data.

As of April 2008, a report by Symantec (www.symantec.com) included the following statistics:

The U.S. accounted for 31% of all malicious activity and was the origin of attack in 24% of cases.
Symantec observed an average of 61,940 infected computers per day. The US accounted for 56%
of all denial of service attacks. In the second half of 2007, Symantec reported that 499,811 new
malicious code threats were reported.

161. What is the difference between business continuity planning and disaster recovery planning?
How are these two concepts related?
Answer: Business continuity planning is a proactive
program for considering risks to the continuation of business and developing plans and
procedures to reduce those risks so that continuation of the IT system is always possible. On the
other hand, disaster recovery planning is a reactive program for restoring business operations,
including IT operations, to normal after a catastrophe occurs. These two concepts are related in
that they are both focused on maintaining IT operations at all times in order to minimize business
disruptions.

162. How can a redundant array of independent disks (RAID) help protect the data of an
organization?
Answer: RAID accomplishes redundant data storage by setting up two or more disks as exact
mirror images. This provides an automatic backup of all data. If one disk drive fails, the other
(maintained on another disk drive) can serve in its place.

163. What kinds of duties should be segregated in IT systems?
Answer: In an IT system, the duties to be segregated are those of systems analysts who analyze
and design the systems, programmers who write the software, operators who process data, and
database administrators who maintain and control the database. No single person should develop
computer programs and also have access to data.

164. Why do you think the uppermost managers should serve on the IT governance committee?
Answer: An IT governance committee should be comprised of top management in order to ensure
that appropriate priority is assigned to the function of governing the overall development and
operation of the organization’s IT systems. Since the committee’s functions include aligning IT
systems with business strategy and budgeting funds and personnel for the effective use of IT
systems, it is important that high-ranking company officials be aware of these priorities and
involved in their development. Only top management has the power to undertake these
responsibilities.

165. Why should accountants be concerned about risks inherent in a complex software system such
as the operating system?
Answer: Accountants need to be concerned about the risks inherent in the organization’s software
systems because all other software runs on top of the operating system. These systems may have
exposure areas that contain entry points for potential unauthorized access to software and/or
data. These entry points must be controlled by the proper combination of general controls and
application controls.

166. Why is it true that increasing the number of LANs or wireless networks within an organization
increases risks?
Answer: Increasing the number of LANs or wireless networks within an organization increases
exposure areas, or entry points through which a user can gain access to the network. Each LAN
or wireless access point is another potential entry point for an unauthorized user. The more entry
points, the more security risk the organization faces.

167. What kinds of risks are inherent when an organization stores its data in a database and
database management system?
Answer: Since a database management system involves multiple user groups accessing and
sharing a database, there are multiple risks of unauthorized access. Anyone who gains access to
the database may be able to retrieve data that they should not have. This multiplies the number of
people who potentially have access to the data. In addition, availability, processing integrity, and
business continuity risks are also important due to the fact that so many different users rely on
the system. Proper internal controls can help to reduce these inherent risks.

168. How do telecommuting workers pose IT system risk?
Answer: The network equipment and cabling that enables telecommuting can be an entry point
for hackers or other break-ins, and the teleworker’s computer is another potential access point
that is not under the company’s direct control. Therefore, it is difficult for the company to monitor
whether telecommuters’ computers are properly protected from viruses and other threats. These
entry points pose security, confidentiality, availability, and processing integrity risks.

169. What kinds of risks are inherent when an organization begins conducting business over the
Internet?
Answer: The Internet connection required to conduct web-based business can expose the
company network to unauthorized use. The sheer volume of users of the World Wide Web
dramatically increases the potential number of unauthorized users who may attempt to access an
organization’s network of computers. An unauthorized user can compromise security and
confidentiality, and affect availability and processing integrity by altering data or software or by
inserting virus or worm programs. In addition, the existence of e-commerce in an organization
poses online privacy risks.

170. Why is it true that the use of EDI means that trading partners may need to grant access to each
other’s files?
Answer: EDI involves transferring electronic business documents between companies. Because
EDI involves the use of a network or the Internet, risks of unauthorized access are prevalent. In
order to authenticate trading partner users to accomplish the transfer of business documents,
other company data files may be at risk of unauthorized use.

171. Why is it critical that source documents be easy to use and complete?
Answer: Source documents should be easy to use and complete in order to minimize the potential
that errors, incomplete data, or unauthorized transactions are entered from those source
documents into the company’s IT systems. Since source documents represent the method of
collecting data in a transaction, they need to be easy to use in order to reduce the risk of
incorrect or missing data in the accounting system.

172. Explain some examples of input validation checks that you have noticed when filling out forms
on websites you have visited.
Answer: Student responses are likely to vary, but may include field checks, validity checks, limit
checks, range checks, reasonableness checks, completeness checks, or sign checks. Although
sequence checks and self-checking digits are additional input validation checks, they are not likely
to be cited because they are applicable to transactions processed in batches, which is not likely to
apply to students’ web transactions.

173. How can control totals serve as input, processing, and output controls?
Answer: Control totals can be used as input controls when they are applied as record counts,
batch totals, or hash totals to verify the accuracy and completeness of data that is being entered
into the IT system. These same control totals can be used as processing controls when they are
reconciled during stages of processing to verify the accuracy and completeness of processing.
Finally, to ensure accuracy and completeness, the output from an IT system can be reconciled to
control totals, thus serving as an output control. Therefore, totals at any stage can be compared
against the initial control total to help ensure the accuracy of input, processing, or output.

174. What dangers exist related to computer output such as reports?
Answer: Output reports contain data that should not fall into the wrong hands, as the
information contained in reports is often confidential or proprietary and could help someone
commit fraud. Therefore, the risk of unauthorized access must be controlled through strict
policies and procedures regarding report distribution, retention, and disposal.

TEST BANK - CHAPTER 4 – SHORT ESSAY

175. Categorize each of the following as either a general control or an application control:
a. validity check
b. encryption
c. security token
d. batch total
e. output distribution
f. vulnerability assessment
g. firewall
h. antivirus software
Answer:
a. validity check – application control (input)
b. encryption – general control
c. security token – general control
d. batch total – application control (input, processing, and output)
e. output distribution – application control (output)
f. vulnerability assessment – general control
g. firewall – general control
h. antivirus software – general control

176. Each of the given situations is independent of the other. For each, list the programmed input
validation check that would prevent or detect the error.
a. The zip code field was left blank on an input screen requesting a mailing address.
b. A state abbreviation of “NX” was entered in the state field.
c. A number was accidentally entered in the last name field.
d. For a weekly payroll, the hours entry in the “hours worked” field was 400.
e. A pay rate of $50.00 per hour was entered for a new employee. The job code indicates an
entry-level receptionist.
Answer:
a. The zip code field was left blank on an input screen requesting a mailing address. –
Completeness check
b. A state abbreviation of “NX” was entered in the state field. – Validity check
c. A number was accidentally entered in the last name field. – Field check
d. For a weekly payroll, the hours entry in the “hours worked” field was 400. – Limit check or range check
e. A pay rate of $50.00 per hour was entered for a new employee. The job code indicates
an entry-level receptionist. – Reasonableness check

177. For each AICPA Trust Services Principles category shown, list a potential risk and a
corresponding control that would lessen the risk. An example is provided. In a similar manner,
list a risk and control in each of the following categories: Security, Availability, Processing
Integrity, and Confidentiality.
Answer:
a. Security. Risk: an unauthorized user could record an invalid transaction. Control: security
token to limit unauthorized users.
b. Availability. Risk: An unauthorized user may shut down a program. Control: intrusion
detection to find instances of unauthorized users.
c. Processing Integrity. Risk: environmental problems such as temperature can cause
glitches in the system. Control: temperature and humidity controls.
d. Confidentiality. Risk: an unauthorized user could browse data. Control: encryption.

178. For each of the following parts of an IT system of a company, write a one-sentence description
of how unauthorized users could use this as an “entry point”:
a. A local area network (LAN).
b. A wireless network.
c. A telecommuting worker.
d. A company website to sell products.
Answer:
a. A local area network (LAN). Each workstation and the network wiring on the LAN are
access points where someone could tap into the system.
b. A wireless network. The wireless signals broadcast into the air could be intercepted to
gain access to the system.
c. A telecommuting worker. The telecommuter’s computer may be infected with a virus that
allows a perpetrator to see the login ID and password.
d. A company website to sell products. A hacker may try to break through the web server
firewall to gain access to company data.

179. Application controls include input, processing, and output controls. One type of input control
is source document controls. Briefly explain the importance of each of the following source
document controls: Form design, Form authorization and control, and Retention of source
documents.
Answer:
a. Form design. A well-designed form will reduce the chance of erroneous or incomplete
data. It could also increase the speed at which the form is completed.
b. Form authorization and control. Forms should have a signature line to indicate that the
underlying transaction was approved by the correct person. Blank documents should be
properly controlled to limit access to them.
c. Retention of source documents. Source documents should be maintained as part of the
audit trail. They also serve as a way to look up data when queries are raised.

180. Explain how control totals such as record counts, batch totals, and hash totals serve as input
controls, processing controls, and output controls.
Answer: Control totals serve as expected results after input, processing, or output has occurred.
At each stage, the current totals can be compared against the initial control total to help ensure
the accuracy of input, processing, or output.

181. Briefly explain a situation at your home, university, or job in which you think somebody used
computers unethically. Be sure to include an explanation of why you think it was unethical.
Answer: Student responses will vary significantly. Some possibilities include copyrighted music or
video downloading from an unauthorized source, viewing pornography on computers at work,
shopping or other browsing while at work, using a work computer to store personal files or
process personal work, using company e-mail systems for personal e-mail (some companies may
not consider this as problematic as other potential unethical acts).

TEST BANK - CHAPTER 4 – PROBLEMS

182. Explain why an organization should establish and enforce policies for its IT systems in the
following areas regarding the use of passwords for log-in:
a. Length of password.
b. The use of numbers or symbols in passwords.
c. Using common words or names as passwords.
d. Rotation of passwords.
e. Writing passwords on paper or sticky notes.
Answer:
a. Length of password. Passwords should be at least eight characters in length. This would
make it difficult for a hacker to guess the password in order to gain unauthorized access
to the system.
b. The use of numbers or symbols in passwords. Passwords should contain a mix of
alphanumeric digits as well as other symbols. There may also be a mix of case sensitive
letters. This would make it difficult for a hacker to guess the password.
c. Using common words or names as passwords. Names, initials, and other common names
should be avoided as passwords, as they tend to be easy to guess.
d. Rotation of passwords. Passwords should be changed periodically, approximately every
90 days. This will limit the access of a hacker who has gained unauthorized access.
e. Writing passwords on paper or sticky notes. Passwords should be committed to the user’s
memory and should not be written down. If they are documented, this increases the
likelihood that an unauthorized user may find the password and use it to gain access to
the system.

183. The use of smart cards or tokens is called two-factor authentication. Answer the following
questions, assuming that the company you work for uses smart cards or tokens for two-factor
authentication.
a. What do you think the advantages and disadvantages would be for you as a user?
b. What do you think the advantages and disadvantages would be for the company?
Answer:
a. What do you think the advantages and disadvantages would be for you as a user? As a
user, the advantages of two-factor authentication would be the security of the information
in the system that I am using. I would know that it would be difficult for an unauthorized
user to alter a system that uses two-factor authentication, so I have more confidence in the
data within such a system. In addition, it is relatively easy to remember a password and to
transport a smart card or security token. On the other hand, I might consider the use of
two-factor authentication to be a disadvantage because it places more responsibility on me,
the user. For instance, in order to access the system, I have to remember my password
and maintain control of a security device. It might be considered an inconvenience to a user
to maintain a smart card or security token and remember to keep it accessible at all times
that I may need to access the system. It might also be susceptible to loss, similar to a set of
keys.
b. What do you think the advantages and disadvantages would be for the company? From
the company’s perspective, the advantage of two-factor authentication is the strength of the
extra level of security. The company has additional protection against unauthorized access,
which makes it difficult for a hacker to access the system. The disadvantage is the cost of
the additional authentication tools that comprise the dual layer of security.

184. Many IT professionals feel that wireless networks pose the highest risks in a company’s network
system.
1. Why do you think this is true?
2. Which general controls can help reduce these risks?
Answer:
1. Why do you think this is true? Wireless networks pose the highest risks in a company’s
network computer system because the network signals are transported through the air
(rather than over cables). Therefore, anyone who can receive radio signals could potentially
intercept the company’s information and gain access to its network. This exposure is
considered greater than in traditional WANs and LANs.
2. Which general controls can help reduce these risks? A company can avoid its exposure to
unauthorized wireless network traffic by implementing proper controls, such as wired
equivalency privacy (WEP) or wireless protected access (WPA), service set identifiers
(SSIDs), and encrypted data.

185. Control totals include batch totals, hash totals, and record counts. Which of these totals would
be useful in preventing or detecting IT system input and processing errors or fraud described as
follows?
a. A payroll clerk accidentally entered the same time card twice.
b. The accounts payable department overlooked an invoice and did not enter it into
the system because it was stuck to another invoice.
c. A systems analyst was conducting payroll fraud by electronically adding to his
“hours worked” field during the payroll computer run.
d. To create a fictitious employee, a payroll clerk removed a time card for a recently
terminated employee and inserted a new time card with the same hours worked.
Answer:
a. A payroll clerk accidentally entered the same time card twice. Any of the three control
totals could be used: A batch total could detect that too many hours were entered; A
hash total could detect that an employee number summation was overstated; A record
count could detect that too many time cards were entered.
b. The accounts payable department overlooked an invoice and did not enter it into the
system because it was stuck to another invoice. Any of the three control totals could be
used: A batch total could detect the missing amount; A hash total could detect that the
vendor number summation was misstated; A record count could detect that too few
invoices were entered.
c. A systems analyst was conducting payroll fraud by electronically adding to his “hours
worked” field during the payroll computer run. A batch total could detect this fraud by
revealing that the hours worked on the inputs did not agree with the hours worked on
the output reports.
d. To create a fictitious employee, a payroll clerk removed a time card for a recently
terminated employee and inserted a new time card with the same hours worked. A
record count could detect this fraud only if there was a control in place to compare the
number of records processed with the number of active employees and the number of
active employees had been updated to reflect a reduction for the recently terminated
employee.
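The three control totals of questions 150, 173, 180 and 185, computed and reconciled between stages, as an added example that is not part of the test bank. The invoice figures are those of question 150; the time cards, employee numbers and hours are constructed.

```python
"""Control totals (record count, batch total, hash total) as input and
processing controls, worked over the invoice batch of question 150 and the
payroll situations of question 185. Added example, not part of the test bank;
the time-card records are constructed."""

from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Record:
    ident: int        # identifier field: invoice number or employee number
    amount: Decimal   # financially meaningful field: quantity or hours


# The four invoices of question 150, with quantity as the amount field.
INVOICE_BATCH = [Record(401, Decimal(150)), Record(402, Decimal(200)),
                 Record(403, Decimal(250)), Record(404, Decimal(300))]


def control_totals(batch):
    """Record count, batch total and hash total of a batch.

    The batch total sums a field that is meaningful as a number (quantity,
    hours, amount). The hash total sums an identifier field that is
    meaningless as a number but still changes when a record is dropped,
    duplicated or substituted."""
    return {
        "record_count": len(batch),
        "batch_total": sum(r.amount for r in batch),
        "hash_total": sum(r.ident for r in batch),
    }


def reconcile(expected, actual):
    """Names of the control totals that disagree between two stages, e.g.
    source documents vs. keyed input (input control) or keyed input vs.
    the output report (processing / output control)."""
    return sorted(k for k in expected if expected[k] != actual[k])


def active_employee_check(batch, active_employee_count):
    """Question 185(d): the record count is compared with an independent
    count of active employees that has been updated for terminations."""
    return len(batch) == active_employee_count


# --- Constructed payroll time cards: (employee number, hours worked) ---
TIME_CARDS = [Record(1001, Decimal(40)), Record(1002, Decimal(38)),
              Record(1003, Decimal(42))]
SOURCE_TOTALS = control_totals(TIME_CARDS)   # totals taken from the documents

# (a) the same time card keyed twice: all three totals are overstated
keyed_twice = TIME_CARDS + [TIME_CARDS[1]]
DUPLICATE_FINDINGS = reconcile(SOURCE_TOTALS, control_totals(keyed_twice))

# (b) one document stuck to another and never keyed: all three understated
one_missing = TIME_CARDS[:2]
MISSING_FINDINGS = reconcile(SOURCE_TOTALS, control_totals(one_missing))

# (c) hours altered during the payroll run: record count and hash total
#     still agree with the input, only the batch total exposes the change
tampered_output = [Record(1001, Decimal(40)), Record(1002, Decimal(38)),
                   Record(1003, Decimal(52))]
TAMPER_FINDINGS = reconcile(SOURCE_TOTALS, control_totals(tampered_output))

# (d) a terminated employee's card replaced by a fictitious card with the
#     same hours: the batch slip was prepared from the substituted cards, so
#     every total agrees; only the updated active-employee count (2) reveals
#     the extra record
substituted = [Record(1001, Decimal(40)), Record(1002, Decimal(38)),
               Record(9999, Decimal(42))]
SUBSTITUTION_TOTAL_FINDINGS = reconcile(control_totals(substituted),
                                        control_totals(substituted))
SUBSTITUTION_CAUGHT = not active_employee_check(substituted, 2)

if __name__ == "__main__":
    print(control_totals(INVOICE_BATCH))
    print(DUPLICATE_FINDINGS, MISSING_FINDINGS, TAMPER_FINDINGS)
    print(SUBSTITUTION_TOTAL_FINDINGS, SUBSTITUTION_CAUGHT)
```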

186. Explain how each of the following input validation checks can prevent or detect errors: field,
validity, limit, range, reasonableness, completeness, sign, and a self-checking digit.
Answer:
a. A field check examines a field to determine whether the appropriate type of data was
entered. This will detect mistakes in input, such as erroneous input of numeric
information in an alpha field.
b. A validity check examines a field to ensure that the data entry in the field is valid
compared with a preexisting list of acceptable values. This will detect mistakes in input,
such as nonsense entries caused by the input personnel striking the wrong key.
c. A limit check verifies field inputs by making sure that they do not exceed a pre-
established limit. This prevents gross overstatements of the data beyond the acceptable
limit.
d. A range check verifies field inputs by making sure that they fall within a pre-established
range limit. This prevents gross overstatements and understatements of the data
beyond the acceptable limits.
e. A reasonableness check compares the value in a field with similar, related fields to
determine whether the value seems reasonable. This can detect possible errors by
identifying “outliers”.
f. A completeness check assesses the critical fields in an input screen to make sure that an
entry has been input in those fields. This detects possible omissions of critical
information.
g. A sign check examines a field to determine that it has the appropriate positive or
negative sign. This can prevent misstatements caused by misinterpretation of
information.
h. A sequence check ensures that a batch of transactions is sorted and processed in
sequential order. This ensures that a batch will be in the same order as the master file.
This may prevent errors in the master file by ensuring that the sequence is appropriate
to facilitate an accurate update of the master file.
i. A self-checking digit is an extra digit added to a coded identification number, determined
by a mathematical algorithm. This detects potential errors in input data.
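The programmed input validation checks of questions 176 and 186 applied to one weekly payroll input record, as an added example that is not part of the test bank. The state list, pay-rate limits, job-code pay bands and the mod-10 (Luhn) check-digit algorithm are assumptions; the text names the checks but not their parameters.

```python
"""Programmed input validation checks (field, validity, limit, range,
reasonableness, completeness, sign, sequence, self-checking digit) run over a
constructed payroll record. Added example, not part of the test bank; all
parameters below are assumed."""

from decimal import Decimal

VALID_STATES = {"NY", "NJ", "CA", "TX", "IL"}           # assumed validity list
MAX_WEEKLY_HOURS = Decimal(80)                           # assumed limit
PAY_RATE_RANGE = (Decimal("7.25"), Decimal("200.00"))    # assumed range
JOB_CODE_PAY_BANDS = {                                   # assumed pay bands
    "RECEPT1": (Decimal("12.00"), Decimal("22.00")),
    "ENGR3": (Decimal("40.00"), Decimal("90.00")),
}
CRITICAL_FIELDS = ("employee_no", "last_name", "zip", "state",
                   "hours", "pay_rate", "job_code")


def present(value):
    """A field counts as entered when it is neither missing nor blank."""
    return value is not None and value != ""


def luhn_valid(number):
    """Self-checking digit: the last digit of the id is a mod-10 (Luhn)
    check digit, so a single mistyped digit or an adjacent transposition
    fails. Assumed algorithm; the text does not name one."""
    total = 0
    for i, ch in enumerate(reversed(str(number))):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_payroll_record(rec):
    """Run every input validation check on one record and return the list of
    (check, field) findings; an empty list means the record passes."""
    findings = []
    # completeness check: every critical field must have an entry
    for f in CRITICAL_FIELDS:
        if not present(rec.get(f)):
            findings.append(("completeness", f))
    # field check: last name alphabetic, employee number numeric ...
    if present(rec.get("last_name")) and not rec["last_name"].isalpha():
        findings.append(("field", "last_name"))
    emp = rec.get("employee_no")
    if present(emp) and not str(emp).isdigit():
        findings.append(("field", "employee_no"))
    # ... and, once numeric, its self-checking digit must verify
    elif present(emp) and not luhn_valid(emp):
        findings.append(("self_checking_digit", "employee_no"))
    # validity check: the state code must be on the pre-existing list
    if present(rec.get("state")) and rec["state"] not in VALID_STATES:
        findings.append(("validity", "state"))
    hours = rec.get("hours")
    if present(hours):
        if hours < 0:                       # sign check
            findings.append(("sign", "hours"))
        elif hours > MAX_WEEKLY_HOURS:      # limit check
            findings.append(("limit", "hours"))
    rate = rec.get("pay_rate")
    if present(rate):
        lo, hi = PAY_RATE_RANGE
        if not lo <= rate <= hi:            # range check
            findings.append(("range", "pay_rate"))
        # reasonableness check: compare the rate with the related job code
        band = JOB_CODE_PAY_BANDS.get(rec.get("job_code"))
        if band and not band[0] <= rate <= band[1]:
            findings.append(("reasonableness", "pay_rate"))
    return findings


def sequence_check(batch, key="employee_no"):
    """Sequence check: a batch must be sorted on the master-file key before a
    sequential update; returns the positions where the order breaks."""
    return [i for i in range(1, len(batch)) if batch[i][key] < batch[i - 1][key]]


# Constructed records: "1008" and "2006" carry valid Luhn check digits.
GOOD_RECORD = {"employee_no": "1008", "last_name": "Rivera", "zip": "10001",
               "state": "NY", "hours": Decimal(40),
               "pay_rate": Decimal("18.00"), "job_code": "RECEPT1"}
# Question 176: blank zip, state "NX", digit in the last name, 400 hours,
# $50/hour for an entry-level receptionist; "1009" has a bad check digit.
BAD_RECORD = {"employee_no": "1009", "last_name": "R1vera", "zip": "",
              "state": "NX", "hours": Decimal(400),
              "pay_rate": Decimal("50.00"), "job_code": "RECEPT1"}

if __name__ == "__main__":
    print(validate_payroll_record(GOOD_RECORD))
    print(validate_payroll_record(BAD_RECORD))
    print(sequence_check([GOOD_RECORD, dict(GOOD_RECORD, employee_no="2006")]))
```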

187. The IT governance committee should comprise top level managers. Describe why you think that
is important. What problems are likely to arise with regard to IT systems if the top level
managers are not involved in IT governance committees?
Answer: It is important for an IT governance committee to be comprised of members of top
management so it can appropriately align IT investments with the company’s overall business
strategies. If top level managers were not involved in this committee, it is likely that IT changes
could be approved which do not enhance the company’s overall goals and strategies. In addition,
it is possible that IT changes could be discussed and developed without receiving proper approval
or funding.

188. Using a search engine, look up the term “penetration testing.” Describe the software tools you
find that are intended to achieve penetration testing. Describe the types of systems that
penetration testing is conducted upon.
Answer: Software tools that perform penetration tests must be able to replicate a successful
unauthorized access attempt or recreate an attack on a company’s security, but they must be able to
do so without altering or damaging the systems upon which these tests are conducted. This will
reveal weaknesses in the system so that the company can implement controls to strengthen the
security of its system. Penetration testing is typically conducted upon network systems.

189. Visit the AICPA website at www.aicpa.org. Search for the terms “WebTrust” and “SysTrust.”
Describe these services and the role of Trust Services Principles in these services.
Answer: WebTrust services are professional services that build trust and confidence among
customers and businesses which operate on the Internet. SysTrust services build trust and
confidence between business partners who use and rely upon each other’s computer systems.
These services are built upon the Trust Services Principles of Security, Privacy, Availability,
Confidentiality, and Processing Integrity to help companies create trustworthy systems. Both of
these services are represented by a seal on the company’s Web site.

190. Using a search site, look up the terms “disaster recovery,” along with “9/11.” The easiest way to
search for both items together is to type into the search box the following: “disaster recovery”
“9/11.” Find at least two examples of companies that have changed their disaster recovery
planning since the terrorist attacks on the World Trade Center on September 11, 2001. Describe
how these companies changed their disaster recovery plans after the terrorist attacks.
Answer: Students’ answers may vary greatly, as there are numerous examples of companies that
operated in or near the World Trade Center or were otherwise affected by the events of
September 11, 2001 and who have revised their business disaster recovery plans as a result. A
few examples are the financial services companies of Lehman Brothers, Merrill Lynch, and
American Express. An article at www.cio.com includes interviews with the IT executives at these
companies as they look back to the events of 9/11. In particular, Lehman Brothers has worked
hard to increase its redundant storage and real-time back-ups. It also updated its phone systems
so that all direct lines to customers would not terminate at the same place, as they did at the
World Financial Center. In addition, it has developed a new business continuity plan, with
variations that are now tied to the Homeland Security Advisory System’s color-coded warning
levels. At Merrill Lynch, disaster recovery efforts focused on diversification of vendors to relieve
the concentration from Lower Manhattan. In addition, it outfitted its buildings used for recovery
with wireless LANs; this allows for increased flexibility through the broadcast of signals to multiple
access points. For American Express, disaster recovery planning and business continuity planning
have changed to a geography-based approach, recognizing that disasters are likely to affect large
geographic areas. The events of 9/11 proved that Amex’s previous building-based program was
not effective.

191. Go to any website that sells goods. Examples would be BestBuy, Staples, and J.Crew. Pretend
that you wish to place an order on the site you choose and complete the order screens for your
pretend order. Do not finalize the order; otherwise, you will have to pay for the goods. As you
complete the order screens, attempt to enter incorrect data for fields or blanks that you
complete. Describe the programmed input validation checks that you find that prevent or detect
the incorrect data input.
Answer: Students’ responses are likely to vary significantly, as different Web
sites have different input validation checks. However, most Web sites have a warning message
that will appear if invalid information is entered. (For instance, the message “The billing city,
state, zip code, and country entered do not match up. Please revise your selections below” was
encountered on jcrew.com when bogus city and zip code information was entered.) The warning
message will typically prevent the user from proceeding to the next step in the transaction until
the error is corrected.
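The kind of programmed input validation described in the answer above can be shown in code. The following is an added example written for this page; it is not code from the textbook or from any retailer's site. It layers the input application controls the chapter discusses (completeness check, field/format check, validity check, and a reasonableness check that the city, state, ZIP code and country agree) and returns the warning messages that would block the order from proceeding. The ZIP directory and the list of state codes are small constructed samples, not real reference data, and the function name validate_billing_address is an assumption.

```python
import re

# Constructed sample of ZIP codes -> (city, state). A real site would query
# a postal reference database; this tiny table only serves the example.
ZIP_DIRECTORY = {
    "10001": ("NEW YORK", "NY"),
    "60601": ("CHICAGO", "IL"),
    "94105": ("SAN FRANCISCO", "CA"),
}

# Constructed subset of valid state codes used for the validity check.
VALID_STATES = {"NY", "IL", "CA", "TX", "FL"}

# Field/format check: five digits, optionally followed by a ZIP+4 suffix.
ZIP_RE = re.compile(r"\d{5}(-\d{4})?")

# Message modelled on the one the answer above reports seeing on a retail site.
MISMATCH_MSG = ("The billing city, state, zip code, and country entered do not "
                "match up. Please revise your selections below")


def validate_billing_address(city: str, state: str, zip_code: str,
                             country: str = "US") -> list[str]:
    """Return the list of warning messages for a billing address.

    An empty list means every programmed check passed and the order form
    may advance to the next step. Checks are applied in layers: cheaper
    completeness and format checks run first, the cross-field
    reasonableness check runs last on data that is already well formed.
    """
    city = city.strip().upper()
    state = state.strip().upper()
    zip_code = zip_code.strip()
    country = country.strip().upper()
    errors: list[str] = []

    # 1. Completeness check: every required field must be present.
    if not city:
        errors.append("Billing city is required.")
    if not state:
        errors.append("Billing state is required.")
    if not zip_code:
        errors.append("Billing ZIP code is required.")
    if errors:
        return errors

    # 2. Field/format check on the ZIP code.
    if not ZIP_RE.fullmatch(zip_code):
        errors.append("Billing ZIP code must be 5 digits or ZIP+4 (e.g. 12345-6789).")

    # 3. Validity check: the state must be a recognised code.
    if state not in VALID_STATES:
        errors.append(f"Billing state '{state}' is not a recognized state code.")

    # This example only holds US data, so a non-US country cannot be matched.
    if country != "US":
        errors.append("Only US billing addresses are supported in this example.")
    if errors:
        return errors

    # 4. Reasonableness check: city, state and ZIP must agree with the directory.
    expected = ZIP_DIRECTORY.get(zip_code[:5])
    if expected != (city, state):
        errors.append(MISMATCH_MSG)
    return errors


def order_may_proceed(city: str, state: str, zip_code: str,
                      country: str = "US") -> bool:
    """Gate used by the order screen: advance only when no warnings remain."""
    return not validate_billing_address(city, state, zip_code, country)


if __name__ == "__main__":
    # Constructed sample inputs: one valid address, one with bogus city/ZIP.
    for args in [("New York", "NY", "10001"), ("Springfield", "NY", "10001")]:
        print(args, "->", validate_billing_address(*args) or "OK")
```

The ordering matters for usability as much as for control: a user who typed a malformed ZIP code is told about the format problem rather than a confusing mismatch, and the cross-field check never runs on input that has not already passed the simpler checks.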