In the organization of the information systems function, the most important segregation of duties is
Answer (B) is correct. Segregation of duties is a general control that is vital in a computerized environment. Some segregation of duties common in noncomputerized environments may not be feasible in a computer environment. However, certain tasks should not be combined. Systems analysts, for example, should be separate from programmers and computer operators. Programmers design, write, test, and document the specific programs required by the system developed by the analysts. Both programmers and analysts may be able to modify programs, data files, and controls and should therefore have no access to computer equipment and files or to copies of programs used in production. Operators should not be assigned programming duties or responsibility for systems design and should have no opportunity to make changes in programs and systems.
To properly control access to accounting database files, the database administrator should ensure that database system features are in place to permit
Answer (C) is correct. A database management system’s software includes security features. Thus, a specified user’s access may be limited to certain data fields or logical views depending on the individual’s assigned duties. A logical view consists of the fields available to a given user, function, or application. It may include all or part of a physical data file or a combination of fields from multiple physical data files.
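The field-level restriction described above, worked through on a real DBMS. This is an added example, not part of the original question bank: it uses SQLite's authorizer callback (which the engine consults while compiling each statement) to confine a role to the fields listed in a hypothetical role-to-field policy, and defines a logical view that exposes only a subset of the physical payroll file. The table, view, role names and sample rows are all constructed for the example.

```python
import os
import sqlite3
import tempfile

# Constructed sample records for an HR/payroll master file (not from the page).
PAYROLL_ROWS = [
    (1001, "Ada Lovelace", "Engineering", 98000, "123-45-6789"),
    (1002, "Grace Hopper", "Engineering", 105000, "987-65-4321"),
    (1003, "Frank Abagnale", "Accounts Payable", 61000, "555-12-3456"),
]

# Hypothetical role-to-field policy: for each physical file (table) or logical
# view, the set of fields the role may read. Anything not listed is denied.
FIELD_POLICY = {
    "dept_clerk": {
        "payroll": {"emp_id", "name", "dept"},
        "v_staff_directory": {"emp_id", "name", "dept"},
    },
    "payroll_manager": {
        "payroll": {"emp_id", "name", "dept", "salary", "ssn"},
        "v_staff_directory": {"emp_id", "name", "dept"},
    },
}


def setup_database(path):
    """Create the physical file and a logical view over a subset of its fields."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE payroll ("
        "emp_id INTEGER PRIMARY KEY, name TEXT, dept TEXT, salary INTEGER, ssn TEXT)"
    )
    conn.executemany("INSERT INTO payroll VALUES (?, ?, ?, ?, ?)", PAYROLL_ROWS)
    conn.execute(
        "CREATE VIEW v_staff_directory AS SELECT emp_id, name, dept FROM payroll"
    )
    conn.commit()
    conn.close()


def open_as(path, role):
    """Open a connection whose reads are screened against the role's field policy."""
    allowed = FIELD_POLICY[role]

    def authorizer(action, table, column, db_name, source):
        # A SQLITE_READ event names the table or view and the field being read.
        if action != sqlite3.SQLITE_READ:
            return sqlite3.SQLITE_OK
        if table is None or table.startswith("sqlite_"):   # catalogue tables
            return sqlite3.SQLITE_OK
        if not column:                       # table referenced, no field read
            return sqlite3.SQLITE_OK
        if column in allowed.get(table, set()):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY           # default deny: field not in the policy

    conn = sqlite3.connect(path)
    conn.set_authorizer(authorizer)
    return conn


def query(path, role, sql):
    """Run sql as role. Returns the rows, or None when the DBMS refuses the statement."""
    conn = open_as(path, role)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError:            # SQLite reports "not authorized"
        return None
    finally:
        conn.close()


def demo():
    """Exercise the policy for both roles against the constructed file."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "hr.db")
        setup_database(path)
        return {
            "clerk_via_view": query(path, "dept_clerk",
                                    "SELECT name, dept FROM v_staff_directory ORDER BY emp_id"),
            "clerk_salary": query(path, "dept_clerk", "SELECT name, salary FROM payroll"),
            "clerk_star": query(path, "dept_clerk", "SELECT * FROM payroll"),
            "manager_salary": query(path, "payroll_manager",
                                    "SELECT name, salary FROM payroll ORDER BY emp_id"),
        }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {'DENIED' if rows is None else rows}")
```

The clerk can read through the staff-directory view and can name the permitted fields of the base file directly, but SELECT * or any reference to salary or ssn is rejected at compile time, so no partial result leaks. Each role gets its own connection so the policy stays bound to that session; the check is performed by the DBMS, not by the application that issues the query.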
Data input validation routines include
Answer (C) is correct. Application controls, including input controls, are designed to ensure the accuracy and completeness of data entered into the computer. Input controls provide assurance that data have not been lost, suppressed, added, duplicated, or otherwise improperly changed. A hash total is an example of a data input validation routine. A hash total is a control total without a defined meaning, such as the total of employee numbers or invoice numbers, that is used to verify the completeness of data. Thus, the hash total for the employee listing by the personnel department could be compared with the total generated during the processing run.
An accounting system identification code that uses a sum-of-digits check digit will detect all of the following errors except
Answer (C) is correct. Self-checking digits may be used to detect incorrect identification numbers. The digit is generated by applying an algorithm to the ID number. During the input process, the check digit is recomputed by applying the same algorithm to the code actually entered. If the check digit is merely a sum, transposition errors will not be detected because the sum will be unaffected.
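A worked comparison of the two kinds of check digit mentioned above. This is an added example rather than material from the question bank: it computes a plain sum-of-digits check digit and a weighted one (the Luhn algorithm, where every second digit from the right is doubled before summing), then corrupts a constructed seven-digit account code with the three classic keying errors and records which scheme rejects each. The sample code 4816302 and the error positions are chosen for the example.

```python
def sum_check_digit(payload: str) -> int:
    """Sum-of-digits check digit: digit sum modulo 10. Addition is commutative,
    so reordering the digits leaves the result unchanged."""
    return sum(int(d) for d in payload) % 10


def luhn_check_digit(payload: str) -> int:
    """Weighted check digit (Luhn): every second digit from the right is doubled
    (with 10..18 reduced by 9) before summing, so swapping two neighbours usually
    changes the sum. Catches all single substitutions and all adjacent
    transpositions except 09 <-> 90."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        n = int(ch)
        if i % 2 == 0:                 # rightmost payload digit and every second one leftwards
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return (10 - total % 10) % 10


def make_code(payload: str, scheme) -> str:
    """Identification code as issued: payload followed by its check digit."""
    return payload + str(scheme(payload))


def is_valid(code: str, scheme) -> bool:
    """Input-time check: recompute the digit from what was keyed and compare."""
    return code[-1] == str(scheme(code[:-1]))


def substitute(payload: str, pos: int, digit: str) -> str:
    """Single-digit keying error at position pos."""
    return payload[:pos] + digit + payload[pos + 1:]


def transpose(payload: str, i: int, j: int) -> str:
    """Two digits swapped (adjacent when j == i + 1)."""
    s = list(payload)
    s[i], s[j] = s[j], s[i]
    return "".join(s)


def is_detected(scheme, original: str, corrupted: str) -> bool:
    """True if the corrupted payload, keyed with the original's check digit, is rejected."""
    return not is_valid(corrupted + str(scheme(original)), scheme)


def error_detection_report(payload: str = "4816302") -> dict:
    """Which scheme catches which error on the constructed sample code."""
    cases = {
        "single digit substitution": substitute(payload, 4, "7"),   # 4816302 -> 4816702
        "adjacent transposition": transpose(payload, 1, 2),         # 4816302 -> 4186302
        "non-adjacent transposition": transpose(payload, 0, 6),     # 4816302 -> 2816304
    }
    return {
        name: {
            "sum": is_detected(sum_check_digit, payload, bad),
            "luhn": is_detected(luhn_check_digit, payload, bad),
        }
        for name, bad in cases.items()
    }


if __name__ == "__main__":
    print("sum scheme code :", make_code("4816302", sum_check_digit))
    print("luhn scheme code:", make_code("4816302", luhn_check_digit))
    for error, result in error_detection_report().items():
        print(f"{error:28s} sum={result['sum']!s:5s} luhn={result['luhn']}")
```

The sum scheme misses both transpositions, as the explanation above says. The weighted scheme catches the adjacent swap but not the swap of positions 0 and 6, because both digits sit in doubled positions and the weighted sum is unchanged; a check digit is a detective control against the common keying errors, not a guarantee.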
In order to prevent, detect and correct errors and unauthorized tampering, a payroll system should have adequate controls. The best set of controls for a payroll system includes
Answer (A) is correct. Controls in a payroll system should include a proper separation of the functions of authorization, record keeping, and custody of assets; batch totals for such items as hours worked and payroll amounts; hash totals (e.g., of employee identification numbers) to test for completeness of processing; record counts for each run; special control over unclaimed checks (the person who distributes checks must not retain unclaimed checks); and backup copies of files to allow for reconstruction if information is lost.
An employee in the receiving department keyed in a shipment from a remote terminal and inadvertently omitted the purchase order number. The best systems control to detect this error would be
Answer (B) is correct. A completeness test checks that all data elements are entered before processing. An interactive system can be programmed to notify the user to enter the number before accepting the receiving report.
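The input and batch controls named in the three preceding answers (a completeness test on each record, then a record count, a batch total and a hash total reconciled between the department's submission and the processing run), carried through on a constructed payroll time-card batch. This is an added example, not part of the question bank; the field names, employee numbers and hours are invented for it.

```python
# Constructed time-card batch as submitted by a department (not from the page).
SUBMITTED_BATCH = [
    {"emp_id": 1001, "hours": 40.0, "pay_period": "2024-03"},
    {"emp_id": 1002, "hours": 38.5, "pay_period": "2024-03"},
    {"emp_id": 1003, "hours": 40.0, "pay_period": "2024-03"},
    {"emp_id": 1004, "hours": 12.25, "pay_period": "2024-03"},
]

REQUIRED_FIELDS = ("emp_id", "hours", "pay_period")


def completeness_test(record):
    """Input edit: names of required fields that are missing or blank.
    An interactive front end prompts for each one before accepting the record."""
    return [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]


def control_totals(records):
    """Three batch controls: a record count, a batch (financial) total over a
    meaningful field, and a hash total over an identifier with no meaning of its own."""
    return {
        "record_count": len(records),
        "batch_total_hours": sum(r["hours"] for r in records),
        "hash_total_emp_id": sum(r["emp_id"] for r in records),
    }


def reconcile(submitted_totals, processed_totals):
    """Names of the controls that disagree (empty list means the batch balanced)."""
    return [name for name, value in submitted_totals.items()
            if processed_totals[name] != value]


def demo():
    """Reconcile the submitted totals against four processing-run outcomes."""
    expected = control_totals(SUBMITTED_BATCH)

    dropped = SUBMITTED_BATCH[:-1]                            # last record lost in transmission
    duplicated = SUBMITTED_BATCH + [SUBMITTED_BATCH[0]]       # first record keyed twice
    wrong_employee = [dict(r, emp_id=1030) if r["emp_id"] == 1003 else r   # 1003 keyed as 1030
                      for r in SUBMITTED_BATCH]

    return {
        "incomplete_record": completeness_test({"emp_id": 1005, "hours": 8.0, "pay_period": ""}),
        "clean_run": reconcile(expected, control_totals(SUBMITTED_BATCH)),
        "dropped_record": reconcile(expected, control_totals(dropped)),
        "duplicated_record": reconcile(expected, control_totals(duplicated)),
        "wrong_employee": reconcile(expected, control_totals(wrong_employee)),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:18s} -> {outcome or 'balanced'}")
```

The wrong-employee case is why a hash total is kept alongside the batch total: the record count and the hours still agree, and only the sum of employee numbers (which has no business meaning) exposes that 1003 was keyed as 1030. The incomplete record never reaches the totals because the completeness test rejects it at entry.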
Which one of the following statements concerning concurrent auditing techniques is false?
Answer (D) is correct. The primary use of generalized audit software (GAS) is to select and summarize a client’s records for additional testing. These packages permit the auditor to audit through the computer; to extract, compare, analyze, and summarize data; and to generate output for use in the audit. They allow the auditor to exploit the computer to examine many more records than otherwise possible with far greater speed and accuracy. Hence, GAS facilitates analysis of all sources of potential error. However, concurrent auditing techniques are not included because they must be incorporated into the client’s systems. For example, embedded audit data collection is a transaction selection approach incorporated within the regular production programs to routinely extract transactions meeting certain criteria for further testing. In effect, it provides a window through which the auditor can access the process.
In auditing computer-based systems, the integrated test facility (ITF)
Answer (C) is correct. An ITF involves the use of a fictitious entity, such as a dummy customer in accounts receivable, against which data transactions are processed. Results are compared with previously determined results. This procedure is used within the framework of regular production, frequently without computer operator knowledge. The use of an ITF enables testing of a system as it routinely operates. The cost of using an ITF is low. The disadvantages of the ITF include the need to later nullify the data put into the system and the possibility of contaminating a database.
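The two concurrent auditing techniques from the last two answers, embedded audit data collection and an integrated test facility, shown together on a small production-style posting routine. This is an added example, not code from the question bank: the ledger, the dummy customer identifier, the selection criteria (amount threshold, business hours) and the transactions are all constructed for it. It also shows the two ITF drawbacks named above, since the dummy entity inflates the receivables total until the test postings are reversed.

```python
from datetime import datetime

ITF_CUSTOMER = "CUST-ITF-9999"   # fictitious entity used only by the audit function (constructed)


class EmbeddedAuditModule:
    """Embedded audit data collection: hooked into the production posting routine,
    it copies transactions meeting the auditor's criteria to its own extract file.
    The criteria below are assumptions for the example."""

    def __init__(self, amount_threshold=10_000.0, business_hours=(8, 18)):
        self.amount_threshold = amount_threshold
        self.business_hours = business_hours
        self.selected = []                      # the auditor's extract file

    def __call__(self, entry):
        reasons = []
        if abs(entry["amount"]) >= self.amount_threshold:
            reasons.append("amount_over_threshold")
        start, end = self.business_hours
        if not start <= entry["posted_at"].hour < end:
            reasons.append("outside_business_hours")
        if reasons:
            self.selected.append(dict(entry, reasons=reasons))


class ReceivablesLedger:
    """Production accounts-receivable posting. Every posting passes through the hook."""

    def __init__(self, audit_hook=None):
        self.balances = {}
        self.journal = []
        self.audit_hook = audit_hook

    def post(self, customer, amount, posted_at, clerk):
        entry = {"customer": customer, "amount": amount, "posted_at": posted_at, "clerk": clerk}
        self.balances[customer] = self.balances.get(customer, 0.0) + amount
        self.journal.append(entry)
        if self.audit_hook is not None:
            self.audit_hook(entry)
        return self.balances[customer]

    def total_receivables(self):
        return sum(self.balances.values())


def run_itf(ledger, test_transactions, expected_balance):
    """Integrated test facility: post the auditor's transactions against the dummy
    customer in the live system, compare with the predetermined result, then
    nullify them with reversing entries (an audit trail is kept; nothing is deleted)."""
    for amount, when in test_transactions:
        ledger.post(ITF_CUSTOMER, amount, when, "auditor")
    observed = ledger.balances[ITF_CUSTOMER]
    total_during = ledger.total_receivables()   # contaminated by the dummy entity
    for amount, when in test_transactions:
        ledger.post(ITF_CUSTOMER, -amount, when, "itf-reversal")
    return {"passed": observed == expected_balance,
            "observed": observed, "total_during": total_during}


def demo():
    """Run constructed production traffic with the audit module installed, then an ITF."""
    eam = EmbeddedAuditModule()
    ledger = ReceivablesLedger(audit_hook=eam)
    ledger.post("CUST-0001", 1200.0, datetime(2024, 3, 4, 10, 15), "clerk-a")
    ledger.post("CUST-0002", 15000.0, datetime(2024, 3, 4, 11, 0), "clerk-b")   # over threshold
    ledger.post("CUST-0001", -300.0, datetime(2024, 3, 4, 23, 40), "clerk-a")   # after hours
    before = ledger.total_receivables()
    itf = run_itf(ledger,
                  [(500.0, datetime(2024, 3, 4, 14, 0)), (-125.0, datetime(2024, 3, 4, 14, 5))],
                  expected_balance=375.0)
    after = ledger.total_receivables()
    return {
        "selected": [(e["customer"], e["reasons"]) for e in eam.selected],
        "itf": itf,
        "totals": {"before": before, "during_itf": itf["total_during"], "after_reversal": after},
        "itf_balance_after": ledger.balances[ITF_CUSTOMER],
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

The audit module runs inside the production path, which is why these techniques must be built into the client's system rather than supplied by generalized audit software. The totals dictionary makes the contamination risk visible: receivables read 16275 while the dummy customer carries a balance, and only the reversing entries bring the figure back to 15900.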
A company makes snapshot copies of some often-used data files and makes them available on the server. Authorized users can then download data subsets into spreadsheet programs. A risk associated with this means of providing data access is that data
Answer (D) is correct. Snapshot files are created at a fixed time. Thus, by the time an employee downloads the data subset, it could be obsolete. Snapshot data available to download into spreadsheets may contain old or erroneous information that was later corrected on the main file system.
The most critical aspect of separation of duties within information systems is between
Answer (B) is correct. The computer operator should not be assigned programming responsibility and have the opportunity to make changes in programs as (s)he operates the equipment. In general, achieving control through separation of duties in the EDP department requires that EDP personnel have no access to assets and that access to computer operation, possession of files, and development of program logic be strictly