SOLUTIONS MANUAL
ACCOUNTING INFORMATION SYSTEMS 10TH EDITION BY JAMES A HALL TEST BANK
Chapter 1
1. Information is a business resource. *a. True b. False
2. IT outsourcing is location-independent computing. a. True *b. False
3. Transaction processing systems convert non-financial transactions into financial transactions. a. True *b. False
4. Information lacking reliability may still have value. a. True *b. False
5. A balance sheet prepared in conformity with GAAP is an example of discretionary reporting. a. True *b. False
6. The management reporting system provides the internal financial information needed to manage a business. *a. True b. False
7. Most of the inputs to the general ledger system come from the financial reporting system. a. True *b. False
8. When preparing discretionary reports, organizations can choose what information to report and how to present it. *a. True b. False
9. Retrieval is the task of permanently removing obsolete or redundant records from the database. a. True *b. False
10. Systems development represents 80 to 90 percent of the total cost of a computer system. a. True *b. False
11. The database administrator is responsible for the security and integrity of the database. *a. True b. False
12. Custom software is developed and maintained by enterprise resource planners. a. True *b. False
13. The internal auditor represents the interests of third-party outsiders. a. True *b. False
14. Information technology (IT) audits can be performed by both internal and external auditors. *a. True b. False
15. Custom software is the most affordable systems development option. a. True *b. False
16. A database is a collection of interconnected computers and communications devices that allows users to communicate, access data and applications, and share information and resources. a. True *b. False
17. Systems maintenance consumes the majority of a system’s total costs. *a. True b. False
18. Cloud computing is a practice in which the organization sells its IT resources to a third-party outsourcing vendor then leases back IT services from the vendor for a contract period. a. True *b. False
19. A potential benefit of cloud computing is that the client firm does not need to know where its data are being processed. a. True *b. False
20. One of the greatest disadvantages of database systems is that all data is always available to all users. a. True *b. False
21. Under SOX legislation public accounting firms are no longer allowed to provide consulting services to audit clients. *a. True b. False
22. One member of a company’s audit committee must be an independent CPA. a. True *b. False
23. Which of the following is not a business resource? a. raw material b. labor c. information *d. all are business resources
24. Which level of management is responsible for short-term planning and coordination of activities necessary to accomplish organizational objectives? a. operations management *b. middle management c. top management d. line management
25. Which level of management is responsible for controlling day-to-day operations? a. top management b. middle management *c. operations management d. executive management
26. Location-independent computing in which shared data centers deliver hosted IT services over the Internet is called a. IT outsourcing b. network administration *c. cloud computing d. custom software
27. The value of information for users is determined by all of the following except a. reliability b. relevance *c. convenience d. completeness
28. An example of a nonfinancial transaction is a. sale of products b. cash disbursement *c. log of customer calls d. purchase of inventory
29. An example of a financial transaction is *a. the purchase of a computer b. a supplier’s price list c. a delivery schedule d. an employee benefit brochure
30. Which subsystem is not part of the accounting information system? a. transaction processing system *b. expert system c. general ledger/financial reporting system d. management reporting system
31. The major difference between the financial reporting system (FRS) and the management reporting system (MRS) is the *a. FRS provides information to internal and external users; the MRS provides information to internal users b. FRS provides discretionary information; the MRS provides nondiscretionary information c. FRS reports are prepared using information provided by the general ledger system; the MRS provides information to the general ledger system d. FRS reports are prepared in flexible, nonstandard formats; the MRS reports are prepared in standardized, formal formats
32. The purpose of the transaction processing system includes all of the following except a. converting economic events into financial transactions b. recording financial transactions in the accounting records c. distributing essential information to operations personnel to support their daily operations *d. measuring and reporting the status of financial resources and the changes in those resources
33. The transaction processing system includes all of the following cycles except a. the revenue cycle *b. the administrative cycle c. the expenditure cycle d. the conversion cycle
34. The primary input to the transaction processing system is *a. a financial transaction b. an accounting record c. an accounting report d. a nonfinancial transaction
35. When designing the data collection activity, which type of data should be avoided? a. data that is relevant b. data that is efficient *c. data that is redundant d. data that is accurate
36. The most basic element of useful data in the database is the a. record b. key c. file *d. attribute
37. In a database, a complete set of attributes for a single occurrence of an entity class is called a a. key b. file *c. record d. character
38. Effective information has all of the following characteristics except a. relevance b. completeness c. summarization *d. structure
39. Database management tasks do not include *a. summarization b. storage c. retrieval d. deletion
40. The author distinguishes between the accounting information system and the management information system based on *a. whether the transactions are financial or nonfinancial b. whether discretionary or nondiscretionary reports are prepared c. the end users of the reports d. the organizational structure of the business
41. Which activity is not part of the finance function? a. cash receipts b. portfolio management c. credit *d. general ledger
42. Market research and advertising are part of which business function? a. materials management b. finance *c. marketing d. production
43. Which function manages the financial resources of the firm through portfolio management, banking, credit evaluation, and cash receipts and disbursements? a. accounting *b. finance c. materials management d. distribution
44. Which of the following is not part of the accounting function? a. managing the financial information resource of the firm b. capturing and recording transactions in the database c. distributing transaction information to operations personnel *d. managing the physical information system of the firm
45. The term “accounting independence” refers to a. data integrity *b. separation of duties, such as record keeping and custody of physical resources c. generation of accurate and timely information d. business segmentation by function
46. In the distributed data processing approach a. computer services are consolidated and managed as a shared organization resource b. the computer service function is a cost center c. the end users are billed using a charge-back system *d. computer services are organized into small information processing units under the control of end users
47. Which of the following is not a cloud computing service? a. software as a service b. infrastructure as a service *c. network as a service d. platform as a service
48. The goal of data processing is a. the verification of the algorithms used b. to collect only relevant data *c. the production of useful information d. to develop a hierarchy of outputs
49. Attestation services are performed by *a. external auditors b. internal accountants c. internal auditors d. third-party accountants
50. IT professionals create custom software using a. distributed data processing b. turnkey systems c. enterprise resource planning *d. the system development life cycle
51. The objectives of all information systems include all of the following except a. support for the stewardship function of management *b. evaluating transaction data c. support for the day-to-day operations of the firm d. support for management decision making
52. Which individuals may be involved in the systems development life cycle? a. accountants b. systems professionals c. end users *d. all of the above
53. An appraisal function housed within the organization that performs a wide range of services for management is *a. internal auditing b. data control group c. external auditing d. database administration
54. Which of the following is not a production support activity? a. maintenance *b. marketing c. production planning d. quality control
55. Advantages of cloud computing include all of the following except a. access to whatever computing power is needed b. paying only for what is used *c. unknown data processing location d. flexible, short term contracts
56. Motivations for IT outsourcing include each of the following except a. IT’s highly technical nature *b. long term contracts in IT outsourcing c. expense of IT d. dynamically changing nature of IT
57. An internal audit department’s independence is compromised when the department reports to: *a. the company controller b. the audit committee of the board of directors c. Both a. and b. d. Neither a. nor b.
58. What factor conceptually distinguishes external auditing and internal auditing? a. tests of controls b. substantive tests c. education *d. constituencies
59. All of the following are external end users except *a. cost accountants b. creditors c. stockholders d. tax authorities
60. Useful information must possess all of the following characteristics except a. relevance *b. precision c. accuracy d. completeness
61. The objectives of an information system include each of the following except a. support for the stewardship responsibilities of management *b. furthering the financial interests of shareholders c. support for management decision making d. support for the firm’s day-to-day operations
62. Accountants play many roles relating to the accounting information system, including all of the following except a. system users b. system designers c. system auditors *d. system converters
63. Entities outside the organization with a direct or indirect interest in the firm, such as stockholders, financial institutions, and government agencies, are called ____. Correct Answer(s): a. stakeholders
64. Location-independent sharing of data centers hosting IT servers over the Internet is called ____. Correct Answer(s): a. cloud computing
65. Transactions with trading partners include ____ and ____. Correct Answer(s): a. sales, purchases
66. A practice in which an organization sells its IT resources and leases them back is called ____. Correct Answer(s): a. IT outsourcing
67. The task of locating and transferring an existing record from the database for processing is called data ____. Correct Answer(s): a. retrieval
68. These tests focus on data rather than process: ____. Correct Answer(s): a. substantive tests
69. Three activities that are part of the finance function are ____, ____, and ____. Correct Answer(s): a. portfolio management, treasury, credit evaluation, cash disbursements, cash receipts, banking
70. Two distinct ways to structure the data processing function are ____ and ____. Correct Answer(s): a. centralized, distributed
71. Two methods to acquire information systems are to ____ and to ____. Correct Answer(s): a. develop custom systems, purchase commercial systems
72. The most common audit types are ____, ____, and ____ auditors. Correct Answer(s): a. internal (operational), external (attestation), fraud
73. Sales of products to customers, purchases of inventory from vendors, and cash disbursements are all examples of ____. Correct Answer(s): a. financial transactions
74. The three major subsystems of the accounting information system are ____, ____, and ____. Correct Answer(s): a. the transaction processing system (TPS), the general ledger/financial reporting system (GL/FRS), the management reporting system (MRS)
75. The ____ and ____ standards that characterize the accounting information system clearly distinguish it from the management information system. Correct Answer(s): a. legal, professional
76. The transaction processing system is comprised of three cycles: ____, ____, and ____. Correct Answer(s): a. revenue, expenditure, conversion
77. The tests that focus on the system itself and how it is designed to reduce risk are called ____. Correct Answer(s): a. tests of controls
78. Sarbanes-Oxley legislation requires that management designs and implements controls over the entire financial reporting process. What systems does this include? Correct Answer(s): a. This includes the financial reporting system, the general ledger system, and the transaction processing systems that supply the data for financial reporting.
79. Why is it necessary to distinguish between accounting information systems (AIS) and management information systems (MIS)? Correct Answer(s): a. Because of the highly integrative nature of modern information systems, management and auditors need a conceptual view of the information system that distinguishes key processes and areas of risk and legal responsibility from the other (non-legally binding) aspects of the system. Without such a model, critical management and audit responsibilities under SOX may not be met.
80. How has SOX legislation impacted the consulting practices of public accounting firms? Correct Answer(s): a. Prior to SOX, a gray area of overlap existed between assurance and consulting services. Auditors were once allowed to provide consulting services to their audit clients. They are now prohibited from doing so under SOX legislation.
81. What is discretionary reporting? Correct Answer(s): a. Reports used by management that the company is not obligated by law, regulation, or contract to provide. These are often used for internal problem-solving issues rather than by external constituents.
82. Name the five characteristics of information. Correct Answer(s): a. Relevance, accuracy, completeness, summarization, and timeliness.
83. Contrast the responsibilities of operations management, middle management, and top management. Explain the different information needs for each level of management. Correct Answer:
Operations management is directly responsible for controlling day-to-day operations. Operations managers require detailed information on individual transactions such as sales, shipment of goods, usage of labor and materials in the production process, and internal transfers of resources from one department to another. Budgeting information and instructions flow downward from top and middle management to operations management. Middle managers perform short-term planning and coordination of activities necessary to accomplish organizational objectives. Middle management requires information that is more summarized and oriented toward reporting on overall performance and problems, rather than routine operations.
Top management is responsible for longer-term planning and setting organizational objectives. Information provided to top management is highly summarized.
84. Explain the difference between data and information. Correct Answer:
Data are facts which may or may not be processed; data have no particular impact on the user. Information is processed data that causes the user to take action.
85. Why do auditors need to understand the organizational structure of the business? Correct Answer:
The structure of an organization reflects the distribution of responsibility, authority, and accountability throughout the organization. Auditors need to know how the organization functions to properly audit it.
86. Several advantages of cloud computing have been discussed. Discuss at least three. Correct Answer:
The advantages of cloud computing include access to whatever computing power it needs, paying only for what is used, and flexible and relatively short-term computing contracts.
87. Name and explain the purpose of the three major subsystems of the accounting information system (AIS): Correct Answer:
TPS: records the financial transactions of the firm
GL/FRS: produces the financial statements, etc. required by law
MRS: provides information to internal management for decision making
88. What are the three primary functions performed by the transaction processing system? Correct Answer:
The primary functions are converting economic events into financial transactions, recording financial transactions in the accounting records (journals and ledgers), and distributing essential financial information to operations personnel to support daily operations.
89. What factors motivate management to outsource IT? Correct Answer:
Management may be motivated to outsource IT because the IT segment of an organization comprises highly technical, dynamically changing, and expensive activities. The administrative burden and high costs associated with managing and maintaining IT functions are also motivations.
90. Describe the problem of data redundancy. Correct Answer:
Information systems have limited collection, processing, and data storage capacity. Data redundancy overloads facilities and reduces the overall efficiency of the system. Inconsistency among redundant data elements can result in inappropriate actions and bad decisions.
91. Compare and contrast IT outsourcing and cloud computing. Correct Answer:
IT outsourcing involves an organization selling its IT resources (hardware, software, and facilities) to a third-party outsourcing vendor and then leasing back IT services from the vendor for a contract period of typically between five and ten years. A variant of IT outsourcing, called cloud computing, is location-independent computing whereby shared data centers deliver hosted IT services over the Internet. An organization pursuing cloud computing signs a contract with an IT service provider to provide computing resources. When demand exceeds the provider’s IT capacity, it acquires additional capacity from data centers in the “cloud” that are connected via the Internet. The advantage to the client organization is access to whatever computing power it needs, while it pays only for what it uses. Also, cloud computing contracts are flexible and relatively short term. In contrast, traditional outsourcing contracts tend to be fixed price, inflexible, and much longer term.
92. Distinguish between the accounting information system and the management information system. Correct Answer:
The accounting information system processes financial (e.g., cash receipts) and nonfinancial (e.g., addition to the approved vendor list) transactions that directly affect the processing of financial transactions. These are handled by the three major subsystems: transaction processing, general ledger/financial reporting, and management reporting. The management information system processes additional nonfinancial transactions that contribute to the decision making of managers.
93. Describe the attest function and its objectives. Correct Answer:
The attest function—the task of an external audit—is an independent attestation performed by an expert—the auditor—who expresses an opinion regarding the presentation of financial statements. The attest function is performed by certified public accountants (CPAs) who work for public accounting firms that are independent of the client organization being audited. The audit objective is always associated with assuring the fair presentation of financial statements. These audits are, therefore, often referred to as financial audits. The Securities and Exchange Commission (SEC) requires all publicly traded companies to undergo a financial audit annually. CPAs conducting such audits represent the interests of outsiders: stockholders, creditors, government agencies, and the general public.
94. Why is it important to organizationally separate the accounting function from other functions of the organization? Correct Answer:
The accounting function provides record-keeping services for all of the operations and day-to-day activities of other departments, which affect the financial position of the organization. Record keeping tasks must be kept separate from any area that has custody over assets. Thus, the accounting function must remain independent so that the protection of the firm’s assets is carried out in an environment with minimum possibilities for theft.
95. How does SOX affect the provision of attest and advisory services? Correct Answer:
Prior to the passage of SOX, accounting firms could provide advisory services concurrently to audit (attest function) clients. SOX legislation, however, greatly restricts the types of non-audit services that auditors may render audit clients. It is now unlawful for a registered public accounting firm that is currently providing attest services for a client to provide the following services: bookkeeping or other services related to the accounting records or financial statements of the audit client, financial information systems design and implementation, appraisal or valuation services, fairness opinions, or contribution-in-kind reports, actuarial services, internal audit outsourcing services, management functions or human resources, broker or dealer, investment adviser, or investment banking services, legal services and expert services unrelated to the audit, or any other service that the board of directors determines, by regulation, is impermissible.
96. What are the similarities and differences between external auditors and internal auditors? Correct Answer:
The characteristic that conceptually distinguishes external auditors from internal auditors is their respective constituencies: while external auditors represent outsiders, internal auditors represent the interests of the organization. Nevertheless, in this capacity, internal auditors often cooperate with and assist external auditors in performing aspects of financial audits. This cooperation is done to achieve audit efficiency and reduce audit fees. For example, a team of internal auditors can perform tests of computer controls under the supervision of a single external auditor. The independence and competence of the internal audit staff determine the extent to which external auditors may cooperate with and rely on work performed by internal auditors. External auditors can rely in part on evidence gathered by internal audit departments that are organizationally independent and report to the board of directors’ audit committee. A truly independent internal audit staff adds value to the external audit process.
97. What are fraud audits and why have they become more common? Correct Answer:
The objective of a fraud audit is to investigate anomalies and gather evidence of fraud that may lead to criminal conviction. Sometimes fraud audits are initiated when corporate management suspects employee fraud. Alternatively, boards of directors may hire fraud auditors to investigate their own executives if theft of assets or financial fraud is suspected. Organizations victimized by fraud usually contract with specialized fraud units of public accounting firms or with companies that specialize in forensic accounting. In recent years, fraud audits have increased in popularity as a corporate governance tool. They have been thrust into prominence due to a corporate environment in which both employee theft of assets and major financial frauds by management (e.g., Enron and WorldCom) have become rampant.
Chapter 2
1. Processing more transactions at a lower unit cost makes batch processing more efficient than real-time systems. *a. True b. False
2. The process of acquiring raw materials is part of the conversion cycle. a. True *b. False
3. Directing work-in-process through its various stages of manufacturing is part of the conversion cycle. *a. True b. False
4. The portion of the monthly bill that the customer returns to the credit card company with the payment is an example of a turnaround document. *a. True b. False
5. The general journal is used to record recurring transactions that are similar in nature. a. True *b. False
6. Document flowcharts are used to represent systems at different levels of detail. a. True *b. False
7. Data flow diagrams represent the physical system. a. True *b. False
8. System flowcharts are often used to depict processes that are handled in batches. *a. True b. False
9. Program flowcharts depict the type of media being used (paper, magnetic tape, or disks) and terminals. a. True *b. False
10. System flowcharts represent the input sources, programs, and output products of a computer system. *a. True b. False
11. Program flowcharts are used to describe the logic represented in system flowcharts. *a. True b. False
12. Batch processing systems can store data on direct access storage devices. *a. True b. False
13. Selecting a specific record from a master file containing millions of records requires a direct access file environment. *a. True b. False
14. The box symbol represents a temporary file. a. True *b. False
15. Auditors may prepare program flowcharts to verify the correctness of program logic. *a. True b. False
16. A control account is a general ledger account which is supported by a subsidiary ledger. *a. True b. False
17. The most significant characteristic of direct access files is access speed. *a. True b. False
18. Real-time processing is used for routine transactions in large numbers. a. True *b. False
19. Batch processing is best used when timely information is needed because this method processes data efficiently. a. True *b. False
20. An inverted triangle with the letter “N” represents a file in “name” order. a. True *b. False
21. Real-time processing in systems that handle large volumes of transactions each day can create operational inefficiencies. *a. True b. False
22. Operational inefficiencies occur because accounts unique to many concurrent transactions need to be updated in real time. a. True *b. False
23. Operational inefficiencies occur because accounts common to many concurrent transactions need to be updated in real time. *a. True b. False
24. Batch processing of non-critical accounts improves operational efficiency. *a. True b. False
25. Batch processing of accounts common to many concurrent transactions reduces operational efficiency. a. True *b. False
26. The block code is the coding scheme most appropriate for a chart of accounts. *a. True b. False
27. Sequential codes may be used to represent complex items or events involving two or more pieces of related data. a. True *b. False
28. Block codes restrict each class to a pre-specified range. *a. True b. False
29. For a given field size, a system that uses alphabetic codes can represent far more situations than a system that uses numeric codes. *a. True b. False
30. Mnemonic codes are appropriate for items in either an ascending or descending sequence, such as the numbering of checks or source documents. a. True *b. False
31. The flat-file approach is most often associated with so-called legacy systems. *a. True b. False
32. In a flat-file system, files are easily shared by users. a. True *b. False
33. To avoid deadlocks, batch processing is recommended for general ledger accounts. *a. True b. False
34. A key feature of a database management system is that users are given access only to the information they need to perform their jobs. *a. True b. False
35. Which system is not part of the expenditure cycle? a. cash disbursements b. payroll *c. production planning/control d. purchases/accounts payable
36. Which system produces information used for inventory valuation, budgeting, cost control, performance reporting, and make-buy decisions? a. sales order processing b. purchases/accounts payable c. cash disbursements *d. cost accounting
37. Which of the following is a turnaround document? *a. remittance advice b. sales order c. purchase order d. payroll check
38. A ledger is organized by a. transaction number *b. account number c. date d. user
39. The order of the entries made in the general journal is by *a. date b. account number c. user d. customer number
40. In general, a special journal would not be used to record a. sales b. cash disbursements *c. depreciation d. purchases
41. Which account is least likely to have a subsidiary ledger? *a. sales b. accounts receivable c. fixed assets d. inventory
42. Subsidiary ledgers are used in manual accounting environments. What file is comparable to a subsidiary ledger in a computerized environment? a. archive file b. reference file c. transaction file *d. master file
43. A journal is used in manual accounting environments. What file is comparable to a journal in a computerized environment? *a. archive file b. reference file c. transaction file d. master file
44. In a computerized environment, a list of authorized suppliers would be found in the a. master file b. transaction file *c. reference file d. archive file
45. Which of the following is an archive file? a. an accounts payable subsidiary ledger b. a cash receipts file c. a list of approved suppliers *d. a file of accounts receivable that have been written off
46. Which document is not a type of source document? a. a sales order b. an employee time card *c. a paycheck d. a sales return receipt
47. The most important purpose of a turnaround document is to *a. serve as a source document b. inform a customer of the outstanding amount payable c. provide an audit trail for the external auditor d. inform the bank of electronic funds deposits
48. Which type of graphical documentation represents systems at different levels of detail? *a. data flow diagram b. document flowchart c. system flowchart d. program flowchart
49. Data flow diagrams *a. depict logical tasks that are being performed, but not who is performing them b. illustrate the relationship between processes, and the documents that flow between them and trigger activities c. represent relationships between key elements of the computer system d. describe in detail the logic of the process
50. System flowcharts a. depict logical tasks that are being performed, but not who is performing them b. illustrate the relationship between database entities in systems *c. represent relationships between key elements of both manual and computer systems d. describe the internal logic of computer applications in systems
51. When determining the batch size, which consideration is the least important? a. achieving economies by grouping together large numbers of transactions *b. complying with legal mandates c. providing control over the transaction process d. balancing the trade-off between batch size and error detection
52. In contrast to a real-time system, in a batch processing system *a. there is a lag between the time when the economic event occurs and the financial records are updated b. relatively more resources are required c. a greater resource commitment per unit of output is required d. processing takes place when the economic event occurs
53. In contrast to a batch processing system, in a real-time system a. a lag occurs between the time of the economic event and when the transaction is recorded b. relatively fewer hardware, programming, and training resources are required c. a lesser resource commitment per unit of output is required *d. processing takes place when the economic event occurs
54. The type of transaction most suitable for batch processing is a. airline reservations b. credit authorization *c. payroll processing d. adjustments to perpetual inventory
55. The type of transaction most suitable for real-time processing is a. recording fixed asset purchases b. recording interest earned on long-term bonds c. adjusting prepaid insurance *d. recording a sale on account
56. A(n) ________ structure employs an algorithm that converts the primary key of a record directly into a storage address. *a. hashing b. indexed c. pointer d. sequential
57. Both the revenue and the expenditure cycle can be viewed as having two key parts. These are a. manual and computerized *b. physical and financial c. input and output d. batch and real-time
58. All of the following can provide evidence of an economic event except a. source document b. turnaround document *c. master document d. product document
59. An entity is a. a physical resource b. an event c. an agent *d. all of the above are entities
60. Which symbol represents an on-page connector?
a.
b.
*c.
d.
61. Which symbol represents a manual operation?
a.
b.
c.
*d.
62. Which symbol represents accounting records?
*a.
b.
c.
d.
63. Which symbol represents a document?
a.
*b.
c.
d.
64. Which symbol represents a magnetic tape (sequential storage device)?
a.
b.
c.
*d.
65. Which symbol represents a decision?
*a.
b.
c.
d.
66. The characteristics that distinguish between batch and real-time systems include all of the following except a. time frame b. resources used *c. file format d. efficiency of processing
67. A file that stores data used as a standard when processing transactions is *a. a reference file b. a master file c. a transaction file d. an archive file
68. Sequential storage means a. data is stored on tape b. access is achieved through an index c. access is direct *d. reading record 100 requires first reading records 1 to 99
69. Real-time processing would be most beneficial in handling a firm’s a. fixed asset records b. retained earnings information *c. merchandise inventory d. depreciation records
70. Which accounting application is least suited to batch processing? a. general ledger b. vendor payments *c. sales order processing d. payroll
71. Which accounting application is best suited to batch processing? a. general ledger b. updating inventory reductions to the subsidiary ledger c. sales order processing *d. payroll processing
72. Operational inefficiencies occur because a. accounts both common and unique to many concurrent transactions need to be updated in real time *b. accounts common to many concurrent transactions need to be updated in real time c. accounts unique to many concurrent transactions need to be updated in real time d. none of the above
73. Operational efficiencies can be improved by a. updating accounts both common and unique to many concurrent transactions in real time b. updating accounts both common and unique to many concurrent transactions in batch mode *c. updating accounts unique to many concurrent transactions in real time and updating common accounts in batch mode d. none of the above
74. The coding scheme most appropriate for a chart of accounts is a. sequential code *b. block code c. group code d. mnemonic code
75. A common use for sequential coding is a. creating the chart of accounts b. identifying inventory items *c. identifying documents d. identifying fixed assets
76. The most important advantage of sequential coding is that *a. missing or unrecorded documents can be identified b. the code itself lacks informational content c. items cannot be inserted d. deletions affect the sequence
77. When a firm wants its coding system to convey meaning without reference to any other document, it would choose a. an alphabetic code *b. a mnemonic code c. a group code d. a block code
78. The most important advantage of an alphabetic code is that a. meaning is readily conveyed to users b. sorting is simplified *c. the capacity to represent items is increased d. missing documents can be identified
79. A cardinality of 1:M indicates a a. many to one connection b. one to one connection *c. one to many connection d. any of the above
80. What is a disadvantage of the virtual storage access method? *a. It cannot insert new records efficiently. b. Its indexes do not provide an exact physical address for a specific record. c. It is too costly for a small set of records. d. It favors access speed over efficient processing.
81. List two of the three transaction cycles. Correct Answer:
expenditure cycle, conversion cycle, revenue cycle
82. Documents that are created at the beginning of the transaction are called ________. Correct Answer:
source documents
83. ________ are the two data processing approaches used in modern systems. Correct Answer:
Batch processing and real-time processing
84. Give a specific example of a turnaround document. Correct Answer:
credit card, electricity, water, or telephone bill, etc.
85. Explain when it is appropriate to use special journals. Correct Answer:
Special journals are used to record large volumes of recurring transactions that are similar in nature.
86. What are the subsystems of the revenue cycle? Correct Answer:
sales order processing, cash receipts
87. What are the subsystems of the expenditure cycle? Correct Answer:
purchasing, cash disbursements, payroll, fixed asset system
88. Most organizations have replaced the general journal with a ________. Correct Answer:
journal voucher system
89. Provide a specific example of a general ledger account and a corresponding subsidiary ledger. Correct Answer:
accounts receivable control account and accounts receivable subsidiary, accounts payable control account and accounts payable subsidiary, inventory control and a subsidiary of specific inventory items, fixed asset control account and a subsidiary of specific fixed assets, notes receivable/payable and individual notes receivable and payable
90. Name four documentation techniques. Correct Answer:
entity relationship diagrams, data flow diagrams, system flowcharts, program flowcharts
91. Why is the audit trail important? Correct Answer:
The audit trail is used to track transactions from the source document to the financial statements and vice versa. Accountants use the audit trail to correct errors, answer queries, and perform audits.
92. What is a ledger? Correct Answer:
A ledger is a book of accounts that reflects the financial effects of the firm’s transactions after they are posted from the journals. Ledgers show activity by account type.
93. Only four symbols are used in data flow diagrams. What are they? Correct Answer:
process, data store, data flow, entity
94. Which documentation technique depicts the relationship between business entities in databases? Correct Answer:
entity relationship diagram
95. What are the three characteristics that are used to distinguish between batch and real-time systems? Correct Answer:
time frame, resources, operational efficiency
96. Give one advantage of real-time data collection. Correct Answer:
Certain transaction errors can be prevented or detected and corrected at their source.
97. In one sentence, what does updating a master file record involve? Correct Answer:
Updating a master file record involves changing the value of one or more of its variable fields to reflect the effects of a transaction.
98. What are the two broad classes of file technologies? Correct Answer:
Flat files and databases
99. Explain two types of coding schemes and give examples of their use. Correct Answer:
Sequential codes represent items in some sequential order. Pre-numbered checks are one example. Block codes use sequential numbering in specific parts of the total code—all current assets begin with ‘11,’ fixed assets ‘12,’ etc. Traditional charts of accounts use block codes and start assets with 1, liabilities with 2, etc.
Alphabetic codes are similar to numeric codes with increased options. A two-character code AA has potential for 676 items (26²) whereas a two-digit code can accommodate only 100 (10²).
Mnemonic codes use letters with meaning. The postal state abbreviations are mnemonic.
100. Describe the key activities in the revenue, conversion, and expenditure cycles. Correct Answer:
Revenue cycle: Sales order processing involves preparation of sales orders, credit granting, shipment, and billing. Cash receipts collects cash and makes bank deposits. Conversion cycle: Production system involves planning, scheduling, and control of the manufacturing process. Cost accounting system monitors the flow of cost information related to production.
Expenditure cycle: Purchases/accounts payable involves the acquisition of physical inventory. Cash disbursements authorizes payment and disburses funds. Payroll monitors labor usage and disburses paychecks to employees.
101. Categorize each of the following activities into the expenditure, conversion, or revenue cycles and identify the applicable subsystem. a. Preparing the weekly payroll for manufacturing personnel. b. Releasing raw materials for use in the manufacturing cycle. c. Recording the receipt of payment for goods sold. d. Recording the order placed by a customer. e. Ordering raw materials. f. Determining the amount of raw materials to order. Correct Answer:
a. Expenditure cycle-payroll subsystem b. Conversion cycle-production system subsystem c. Revenue cycle-cash receipts subsystem d. Revenue cycle-sales order processing subsystem e. Expenditure cycle-purchases subsystem f. Conversion cycle-production subsystem
102. What does an entity relationship diagram represent? Why do accountants need to understand them? Correct Answer:
Entity relationship diagrams represent the relationship between entities in a system. An entity is either 1) a resource (such as cash or inventory), 2) an event (such as a sale or a receipt of cash), or 3) an agent (such as a customer or vendor). ERDs represent the relationship between entities graphically. ERDs are used in the design of databases.
103. Time lag is one characteristic used to distinguish between batch and real-time systems. Explain. Give an example of when each is a realistic choice. Correct Answer:
Batch processing collects similar transactions into groups (batches) and processes them all at once. Hence, affected files are up to date immediately after the update, but can be expected to be out of date until the next run. Hence, there is a time lag between the event and its recording in the system. A payroll system is often handled with batch processing since it must be up to date on pay days, but does not need to be modified between pay dates. Real-time systems process each transaction as it occurs, and files are always up to date—there is no time lag. This is preferred when there may be a need to query the system for the status of transactions. A sales order processing system would benefit from real-time processing. Hence, customer questions could be answered easily, without waiting for the next update (as would be required if the system was batch).
104. The revenue cycle has two subsystems. What are they and what occurs within each? Correct Answer:
The two subsystems of the revenue cycle are sales order processing and cash receipts. In the sales order processing subsystem, the sales order is processed, credit granted, goods are shipped, customer is billed, and related files updated (sales, accounts receivable, inventory, etc.). In the cash receipts subsystem, cash is collected and deposited in the bank and files updated (cash, accounts receivable, etc.).
105. Resource use is one characteristic used to distinguish between batch and real-time systems. Explain. Correct Answer:
Batch processing typically requires the use of fewer resources including programmer time and effort, computer time, hardware, and user training. Real-time systems require significantly more programming time, especially in the development of the user interface. They often require much more computer time, and more expensive hardware— even a dedicated processor.
106. Give a brief description of each of the following documentation techniques: systems flowchart and program flowchart. Correct Answer:
System flowcharts portray the relationships between source data, transaction files, computer programs, master files, and output, including the form or type of media of each. Program flowcharts represent the logic of a particular program. Each step is represented by a separate symbol, each of which represents one or more lines of computer instructions. The order of the steps is represented by the flow lines.
107. Give an example of how cardinality relates to business policy. Correct Answer:
Cardinality reflects normal business rules as well as organizational policy. For instance, the 1:1 cardinality between the entities “Salesperson” and “Company Car” suggests that each salesperson in the organization is assigned one company car. If instead the organization’s policy were to assign a single automobile to one or more salespersons who share it, this policy would be reflected by a 1:M relationship.
108. For what purpose are ER diagrams used? Correct Answer:
An entity relationship (ER) diagram is a documentation technique used to represent the relationship between entities. One common use for ER diagrams is to model an organization’s database.
109. With regard to an entity relationship diagram, what is an entity? Correct Answer:
Entities are physical resources (automobiles, cash, or inventory), events (ordering inventory, receiving cash, shipping goods) and agents (salesperson, customer, or vendor) about which the organization wishes to capture data.
110. Is a DFD an effective documentation technique for identifying who or what performs a particular task? Explain. Correct Answer:
No. A DFD shows which tasks are being performed, but not who performs them. It depicts the logical system.
111. Is a flowchart an effective documentation technique for identifying who or what performs a particular task? Explain. Correct Answer:
Yes. A flowchart depicts the physical system and illustrates who, what, and where a task is performed.
112. How may batch processing be used to improve operational efficiency? Correct Answer:
A single transaction may affect several different accounts. Some of these accounts, however, may not need to be updated in real time. In fact, the task of doing so takes time which, when multiplied by hundreds or thousands of transactions, can cause significant processing delays. Batch processing of non-critical accounts, however, improves operational efficiency by eliminating unnecessary activities at critical points in the process.
113. If an organization processes large numbers of transactions that use common data records, what type of system would work best (all else being equal)? Correct Answer:
Large-scale systems that process high volumes of transactions often use real-time data collection and batch updating. Master file records that are unique to a transaction, such as customer accounts and individual inventory records, can be updated in real time without causing operational delays. Common accounts should be updated in batch mode. Real-time processing is better suited to systems that process lower transaction volumes and those that do not share common records.
114. Why might an auditor use a program flowchart? Correct Answer:
When testing an application program, the auditor needs details about its internal logic provided by the program flowchart to design the audit tests.
115. How are computer system flowcharts and program flowcharts related? Correct Answer:
The system flowchart shows the relationship between two computer programs, the files that they use, and the outputs that they produce. However, this level of documentation does not provide the operational details that are sometimes needed. An auditor wishing to assess the correctness of a program’s logic cannot do so from the system flowchart. A program flowchart provides this detail. Every program represented in a system flowchart should have a supporting program flowchart that describes its logic.
116. What are the key distinguishing features of legacy systems? Correct Answer:
Legacy systems tend to have the following distinguishing features: they are mainframe-based applications; they tend to be batch oriented; early legacy systems use flat files for data storage, however, hierarchical and network databases are often associated with later legacy systems. These highly structured and inflexible storage systems promote a single-user environment that discourages information integration within business organizations.
117. What information is provided by a record layout diagram? Correct Answer:
Record layout diagrams are used to reveal the internal structure of the records that constitute a file or database table. The layout diagram usually shows the name, data type, and length of each attribute (or field) in the record.
118. Comment on the following statement: “Legacy systems use flat file structures.” Correct Answer:
A flat-file model is a single-view model that characterizes many legacy systems in which data files are structured, formatted, and arranged to suit the specific needs of the owner or primary user of the system. However, there are legacy systems that use early database technologies.
119. What factor influences the decision to employ real-time data collection with batch updating rather than purely real-time processing? Explain. Correct Answer:
Transaction volume is the key factor. Large scale systems that process high volumes of transactions often use real-time data collection and batch updating. Master file records that are unique to a transaction, such as customer accounts and individual inventory records, can be updated in real time without causing operational delays. Common accounts should be updated in batch mode. Real-time processing is better suited to systems that process lower transaction volumes and those that do not share common records.
120. Why is the master file backup procedure important? Correct Answer:
Master file backup is a standard procedure in transaction processing systems to maintain master file integrity in the event that any of the following problems should occur: 1) An update program error corrupts the master files being updated. 2) Undetected errors in the transaction data result in corrupted master file balances. 3) A disaster such as a fire or flood physically destroys current master files.
If the current master file becomes corrupted or is destroyed, corporate IT professionals can retrieve the most current backed-up file from the archives and use it to reconstruct the current version of the master file.
121. What are the reasons companies use coding schemes in their accounting information systems? Correct Answer:
Companies use coding schemes in their AISs because codes concisely represent large amounts of complex information that would otherwise be unmanageable. They also provide a means of accountability over the completeness of the transactions processed and identify unique transactions and accounts within a file. In addition, coding supports the audit function by providing an effective audit trail.
122. Compare and contrast the relative advantages and disadvantages of sequential, block, group, alphabetic, and mnemonic codes. Correct Answer:
Sequential codes are appropriate for items in either an ascending or descending sequence, such as the numbering of checks or source documents. An advantage is that during batch processing, any gap detected in the sequence is a signal that a transaction may be missing. A disadvantage is that the codes carry little, if any, information other than the sequence order. Another disadvantage is that sequential codes are difficult to manage when items need to be added; the sequence needs either to be reordered or the items must be added to the end of the list. Block codes provide some remedies to sequential codes by restricting each class to a prespecified range. The first digit typically represents a class, whereas the following digits are sequential items which may be spaced in intervals in case of future additions. An example of block coding is a chart of accounts. A disadvantage of block coding is that the information content does not provide much meaning. For example, an account number only means something if the chart of accounts is known.
Group codes may be used to represent complex items or events involving two or more pieces of related data. The code is comprised of fields which possess specific meaning. The advantages of group codes over sequential and block codes are 1) they facilitate the representation of large amounts of diverse data, 2) they allow complex data structures to be represented in a hierarchical form that is logical and thus more easily remembered by humans, and 3) they permit detailed analysis and reporting both within an item class and across different classes of items. A disadvantage is that the codes may be overused to link classes which do not need to be linked, thus creating a more complex coding system than is necessary.
Alphabetic codes may be used sequentially or in block or group codes. An advantage is that a system which uses alphabetic codes can represent far more situations than a system with numeric codes, given a specific field size. Some disadvantages are that sequentially assigned codes mostly have little meaning. Also, humans typically find alphabetic codes more difficult to sort than numeric data.
Lastly, mnemonic codes are alphabetic characters in the form of acronyms, abbreviations or other combinations that convey meaning. The meaning aspect is its advantage. A disadvantage of mnemonic codes is that they are limited in their ability to represent items within a class, i.e., names of all of American Express’s customers.
123. APPENDIX QUESTION Explain how a hashing structure works and why it is quicker than using an index. Give an example. If it is so much faster, why isn’t it used exclusively? Correct Answer:
A hashing structure typically works by taking a key value and using it to divide a prime number. The result is a unique number almost all of the time if enough decimal places are used. The resulting numbers are used to find the unique location of the record. Calculating a record’s address is faster than searching for it through an index, therefore the principal advantage of hashing is access speed. It is not used exclusively because it does not use the storage disk efficiently. Some disk locations will never be selected because they do not correspond to legitimate key values. Also, different record keys may sometimes translate to the same address and data collision could occur. A way around this exists using pointers, but the additional pointers slow down the system.
124. APPENDIX QUESTION Explain the following three types of pointers: physical address pointer, relative address pointer, and logical key pointer. Correct Answer:
A physical address pointer contains the actual disk storage location (cylinder, surface, and record number) needed by the disk controller. This approach allows the system to access the record directly without obtaining further information. A relative address pointer contains the relative position of a record in the file. This address (i.e., the 200th record on the file) must be further manipulated to convert it to the actual physical address. The conversion software determines this by using the physical address of the beginning of the file, the length of each record in the file, and the relative address of the record being sought.
A logical key pointer contains the primary key of the related record. This key value is then converted into the record’s physical address by a hashing algorithm.
Chapter 3
1. The ethical principle of justice asserts that the benefits of the decision should be distributed fairly to those who share the risks. *a. True b. False
2. The ethical principle of informed consent suggests that the decision should be implemented so as to minimize all of the necessary risks and to avoid any unnecessary risks. a. True *b. False
3. Employees should be made aware of the firm’s commitment to ethics. *a. True b. False
4. Business ethics is the analysis of the nature and social impact of computer technology, and the corresponding formulation and justification of policies for the ethical use of such technology. a. True *b. False
5. Para computer ethics is the exposure to stories and reports found in the popular media regarding the good or bad ramifications of computer technology. a. True *b. False
6. Computer programs are intellectual property. *a. True b. False
7. Copyright laws and computer industry standards have been developed jointly and rarely conflict. a. True *b. False
8. Business bankruptcy cases always involve fraudulent behavior. a. True *b. False
9. Defalcation is another word for financial fraud. *a. True b. False
10. According to an Association of Certified Fraud Examiners (ACFE) study, most frauds are committed by employees in management positions. a. True *b. False
11. The external auditor is responsible for establishing and maintaining the internal control system. a. True *b. False
12. Segregation of duties is an example of an internal control procedure. *a. True b. False
13. Of the three fraud factors (situational pressure, ethics, and opportunity), situational pressure is the factor that actually facilitates the act. a. True *b. False
14. Preventive controls are passive techniques designed to reduce fraud. *a. True b. False
15. Ethical issues and legal issues are essentially the same. a. True *b. False
16. Internal control systems are recommended but not required of firms subject to the Sarbanes-Oxley Act. a. True *b. False
17. Collusion among employees in the commission of a fraud is difficult to prevent but easy to detect. a. True *b. False
18. The Sarbanes-Oxley Act requires only that a firm keep good records. a. True *b. False
19. A key modifying assumption in internal control is that the internal control system is the responsibility of management. *a. True b. False
20. Database management fraud includes altering, updating, and deleting an organization’s data. a. True *b. False
21. While the Sarbanes-Oxley Act prohibits auditors from providing nonaccounting services to their audit clients, they are not prohibited from performing such services for non-audit clients or privately held companies. *a. True b. False
22. The Sarbanes-Oxley Act requires the audit committee to hire and oversee the external auditors. *a. True b. False
23. Section 404 requires that corporate management (including the CEO) certify their organization’s internal controls on a quarterly and annual basis. a. True *b. False
24. Section 302 requires the management of public companies to assess and formally report on the effectiveness of their organization’s internal controls. a. True *b. False
25. The objective of SAS 99 is to seamlessly blend the auditor’s consideration of fraud into all phases of the audit process. *a. True b. False
26. The fraud triangle represents a geographic area in Southeast Asia where international fraud is prevalent. a. True *b. False
27. Situational pressure includes personal or job-related stresses that could coerce an individual to act dishonestly. *a. True b. False
28. Opportunity involves direct access to assets and/or access to information that controls assets. *a. True b. False
29. Cash larceny involves stealing cash from an organization before it is recorded on the organization’s books and records. a. True *b. False
30. Skimming involves stealing cash from an organization after it is recorded on the organization’s books and records. a. True *b. False
31. A check digit is a method of detecting data coding errors. *a. True b. False
32. Input controls are intended to detect errors in transaction data after processing. a. True *b. False
33. A run-to-run control is an example of an output control. a. True *b. False
34. Shredding computer printouts is an example of an output control. *a. True b. False
35. In a computerized environment, all input controls are implemented after data is input. a. True *b. False
36. Spooling is a form of processing control. a. True *b. False
37. An input control that tests time card records to verify that no employee has worked more than 50 hours in a pay period is an example of a range test. a. True *b. False
38. Systems that use sequential master files employ a backup technique called destructive update. a. True *b. False
39. Which ethical principle states that the benefit from a decision must outweigh the risks, and that there is no alternative decision that provides the same or greater benefit with less risk? a. minimize risk b. justice c. informed consent *d. proportionality
40. Individuals who acquire some level of skill and knowledge in the field of computer ethics are involved in which level of computer ethics? *a. para computer ethics b. pop computer ethics c. theoretical computer ethics d. practical computer ethics
41. All of the following are factors in the fraud triangle except a. ethical behavior of an individual b. pressure exerted on an individual at home and job related *c. materiality of the assets d. opportunity to gain access to assets
42. Which characteristic is not associated with software as intellectual property? a. uniqueness of the product b. possibility of exact replication *c. automated monitoring to detect intruders d. ease of dissemination
43. For an action to be called fraudulent, all of the following conditions are required except *a. poor judgment b. false representation c. intent to deceive d. injury or loss
44. One characteristic of employee fraud is that the fraud a. is perpetrated at a level to which internal controls do not apply b. involves misstating financial statements *c. involves the direct conversion of cash or other assets to the employee’s personal benefit d. involves misappropriating assets in a series of complex transactions involving third parties
45. Forces which may permit fraud to occur do not include a. a gambling addiction b. lack of segregation of duties *c. centralized decision-making environment d. questionable integrity of employees
46. Which of the following best describes lapping? *a. applying cash receipts to a different customer’s account in an attempt to conceal previous thefts of funds b. inflating bank balances by transferring money among different bank accounts c. expensing an asset that has been stolen d. creating a false transaction
47. Skimming involves *a. stealing cash from an organization before it is recorded b. stealing cash from an organization after it has been recorded c. manufacturing false purchase orders, receiving reports, and invoices d. paying a vendor twice for the same products and cashing the reimbursement check issued by the vendor
48. Who is responsible for establishing and maintaining the internal control system? a. the internal auditor b. the accountant *c. management d. the external auditor
49. The concept of reasonable assurance suggests that *a. the cost of an internal control should be less than the benefit it provides b. a well-designed system of internal controls will detect all fraudulent activity c. the objectives achieved by an internal control system vary depending on the data processing method d. the effectiveness of internal controls is a function of the industry environment
50. Which of the following is not a limitation of the internal control system? a. errors are made due to employee fatigue b. fraud occurs because of collusion between two employees *c. the industry is inherently risky d. management instructs the bookkeeper to make fraudulent journal entries
51. The most cost-effective type of internal control is *a. preventive control b. accounting control c. detective control d. corrective control
52. Which of the following is a preventive control? *a. credit check before approving a sale on account b. bank reconciliation c. physical inventory count d. comparing the accounts receivable subsidiary ledger to the control account
53. A well-designed purchase order is an example of a *a. preventive control b. detective control c. corrective control d. none of the above
54. A physical inventory count is an example of a a. preventive control *b. detective control c. corrective control d. feedforward control
55. The bank reconciliation uncovered a transposition error in the books. This is an example of a a. preventive control *b. detective control c. corrective control d. none of the above
56. In balancing the risks and benefits that are part of every ethical decision, managers receive guidance from each of the following except a. justice *b. self interest c. risk minimization d. proportionality
57. Which of the following is not an element of the control environment? a. management philosophy and operating style b. organizational structure of the firm *c. well-designed documents and records d. the participation of the board of directors and the audit committee
58. According to an ACFE study, when it comes to fraud losses *a. the median fraud loss caused by males is more than double that caused by females b. most frauds are committed by individuals acting alone c. managers commit more frauds than employees d. all of the above
59. Giving, receiving, offering, or soliciting something of value because of an official act that has been taken is a. bribery b. a conflict of interest *c. an illegal gratuity d. economic extortion
60. SOX requires: a. public companies to report all off-balance sheet transactions b. management to accept responsibility for maintaining adequate internal controls c. officers to certify that company accounts fairly present the results of operations *d. all of the above
61. Economic extortion a. involves giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties b. occurs when an employee acts on behalf of a third party during the discharge of his or her duties *c. is the use of threat of force by an individual or organization to obtain something of value d. all of the above
62. Cash larceny involves a. stealing cash from an organization before it is recorded *b. stealing cash from an organization after it has been recorded c. manufacturing false purchase orders, receiving reports, and invoices d. paying a vendor twice for the same products and cashing the reimbursement check issued by the vendor
63. Which of the following is not an internal control procedure? a. authorization *b. management’s operating style c. independent verification d. accounting records
64. The decision to extend credit beyond the normal credit limit is an example of a. independent verification *b. authorization c. segregation of functions d. supervision
65. When duties cannot be segregated, the most important internal control procedure is *a. supervision b. independent verification c. access controls d. accounting records
66. An accounting system that maintains an adequate audit trail is implementing which internal control procedure? a. access controls b. segregation of functions c. independent verification *d. accounting records
67. Employee fraud involves three steps. Of the following, which is not involved? a. concealing the crime to avoid detection b. stealing something of value *c. misstating financial statements d. converting the asset to a usable form
68. Which of the following is not an example of independent verification? a. comparing fixed assets on hand to the accounting records b. performing a bank reconciliation c. comparing the accounts payable subsidiary ledger to the control account *d. permitting only authorized users to access the accounting system
69. The importance to the accounting profession of the Sarbanes-Oxley Act is that a. bribery will be eliminated b. management will not override the company’s internal controls *c. management is required to certify the internal control system d. firms will not be exposed to lawsuits
70. The board of directors consists entirely of personal friends of the chief executive officer. This indicates a weakness in a. the accounting system *b. the control environment c. control procedures d. This is not a weakness.
71. A shell company fraud involves a. stealing cash from an organization before it is recorded b. stealing cash from an organization after it has been recorded *c. manufacturing false purchase orders, receiving reports, and invoices d. paying a vendor twice for the same products and cashing the reimbursement check issued by the vendor
72. When certain customers made cash payments to reduce their accounts receivable, the bookkeeper embezzled the cash and wrote off the accounts as uncollectible. Which control procedure would most likely prevent this irregularity? *a. segregation of duties b. accounting records c. accounting system d. access controls
73. The office manager forgot to record in the accounting records the daily bank deposit. Which control procedure would most likely prevent or detect this error? a. segregation of duties *b. independent verification c. accounting records d. supervision
74. Business ethics involves a. how managers decide on what is right in conducting business b. how managers achieve what they decide is right for the business *c. both a and b d. none of the above
75. All of the following are conditions for fraud except a. false representation b. injury or loss c. intent *d. material reliance
76. Which of the following is not a principal type of corruption? a. bribery *b. skimming c. conflict of interest d. economic extortion
77. Which of the following is not part of the COSO framework? a. monitoring b. risk assessment *c. certification by management d. control activities
78. Internal control systems have limitations. These include all of the following except a. possibility of honest error b. circumvention c. management override *d. stability of systems
79. Management can expect various benefits to follow from implementing a system of strong internal control. Which of the following benefits is least likely to occur? a. reduced cost of an external audit *b. preventing employee collusion to commit fraud c. availability of reliable data for decision-making purposes d. some assurance that important documents and records are protected
80. Which of the following situations is not a segregation of duties violation? a. The purchasing department initiates purchases when the purchasing supervisor determines inventory levels are too low. b. The warehouse clerk, who has the custodial responsibility over inventory in the warehouse, keeps the official inventory records. c. The sales manager has the responsibility to approve credit and the authority to write off accounts. *d. All of these are segregation of duty violations.
81. Which of the following is not an issue to be addressed in a business code of ethics required by the SEC? a. conflicts of interest b. full and fair disclosures *c. equitable access to records by all classes of employees d. internal reporting of code violations
82. According to common law, a fraudulent act must a. intend to cause injury or loss regardless of whether or not such loss occurred *b. include a false statement or nondisclosure c. both a. and b. d. neither a. nor b.
83. The correct purchase order number is 123456. Which of the following is an example of a transcription error? a. 1234567 b. 12345 *c. 124356 d. 123454
84. Which of the following is a correct statement about check digits? a. Check digits should be used for all data codes. b. Check digits must be placed at the end of a data code. c. Check digits do not affect processing efficiency. *d. Check digits are designed to detect transcription and transposition errors.
85. Which statement is not correct? a. The goal of batch controls is to ensure that during processing transactions are not omitted. b. The goal of batch controls is to ensure that during processing transactions are not added. *c. The goal of batch controls is to ensure that during processing transactions are free from clerical errors. d. The goal of batch controls is to ensure that during processing an audit trail is created.
86. An example of a hash total is a. total payroll checks–$12,315 b. total number of employees–10 *c. sum of the social security numbers–12,555,437,251 d. all of the above
87. Which of the following is an objective of batch controls? a. to ensure that all transactions include transaction codes b. to locate any fraudulent data in the batch c. to coordinate run-to-run controls with batch controls *d. to reconcile system output with the data originally input into the system
88. Which of the following is not an example of a processing control? a. a hash total b. a record count c. a batch total *d. a check digit
89. Which of the following is an example of an input control test? a. sequence check b. zero value check c. spooling check *d. range check
90. Which input control check would detect a payment made to a nonexistent vendor? a. missing data check b. numeric/alphabetic check c. range check *d. validity check
91. Which input control check would detect a posting to the wrong customer account? a. missing data check *b. check digit c. reasonableness check d. validity check
92. The employee entered "40" in the "hours worked per day" field. Which check would detect this unintentional error? a. numeric/alphabetic data check b. sign check *c. limit check d. missing data check
93. An inventory record indicates that 12 items of a specific product are on hand. A customer purchased two of the items, but when recording the order, the data entry clerk mistakenly entered 20 items sold. Which check could detect this error? a. numeric/alphabetic data checks *b. limit check c. range check d. reasonableness check
94. Which check is not an input control? a. reasonableness check b. validity check *c. spooling check d. missing data check
95. A computer operator was in a hurry and accidentally used the wrong master file to process a transaction file. As a result, the accounts receivable master file was erased. Which control would prevent this from happening? *a. header label check b. expiration date check c. version check d. validity check
96. Run-to-run control totals can be used for all of the following except *a. to ensure that all data input is validated b. to ensure that only transactions of a similar type are being processed c. to ensure the records are in sequence and are not missing d. to ensure that no transaction is omitted
97. Methods used to maintain an audit trail in a computerized environment include all of the following except a. transaction logs b. transaction listings *c. data encryption d. log of automatic transactions
98. Control weaknesses associated with creating an output file as an intermediate step in the printing process (spooling) include all of the following actions by a computer criminal except a. gaining access to the output file and changing critical data values *b. using a remote printer and incurring operating inefficiencies c. making a copy of the output file and using the copy to produce illegal output reports d. printing an extra hardcopy of the output file
99. Which statement is not correct? a. Only successful transactions are recorded on a transaction log. b. Unsuccessful transactions are recorded in an error file. *c. A transaction log is a temporary file. d. The transaction log and transactions in error files should account for all transactions in the batch.
100. Supervision is often called a(n) _____ control. a. access b. verification *c. compensating d. input
101. Which of the following is an example of an input error correction technique? a. immediate correction b. rejection of batch c. creation of error file *d. All are examples of input error correction techniques.
102. Which of the following is not an input control? a. range check b. limit check *c. spooling check d. validity check
103. Which of the following is an input control? *a. reasonableness check b. run-to-run check c. spooling check d. batch check
104. Systems that use sequential master files employ a backup technique called a. batch check b. destructive update *c. grandfather-father-son d. master file backup
105. What are the main issues to be addressed in a business code of ethics required by the SEC? Correct Answer:
conflicts of interest, full and fair disclosures, legal compliance, internal reporting of code violations, and accountability
106. List the four broad objectives of the internal control system. Correct Answer:
safeguard assets, ensure the accuracy and reliability of accounting records, promote organizational efficiency, comply with management’s policies and procedures
107. Explain the purpose of the PCAOB. Correct Answer:
The PCAOB is empowered to set auditing, quality control, and ethics standards; to inspect registered accounting firms; to conduct investigations; and to take disciplinary actions.
108. What are the five internal control components described in the COSO framework? Correct Answer:
the control environment, risk assessment, information and communication, monitoring, and control activities
109. What are management responsibilities under Sections 302 and 404 of SOX? Correct Answer:
Section 302 requires that corporate management (including the CEO) certify their organization’s internal controls on a quarterly and annual basis. Section 404 requires the management of public companies to assess and formally report on the effectiveness of their organization’s internal controls.
110. Indicate whether each procedure is a preventive or detective control.
a. authorizing a credit sale
b. preparing a bank reconciliation
c. locking the warehouse
d. preparing a trial balance
e. counting inventory
Correct Answer:
A. preventive; B. detective; C. preventive; D. detective; E. detective
111. Use the internal control procedures listed below to complete the statements.
segregation of duties
specific authorization
general authorization
accounting records
access controls
independent verification
supervision
A clerk reorders 250 items when the inventory falls below 25 items. This is an example of _____. Correct Answer:
general authorization
112. Use the internal control procedures listed below to complete the statements.
segregation of duties
specific authorization
general authorization
accounting records
access controls
independent verification
supervision
The internal audit department recalculates payroll for several employees each pay period. This is an example of _____. Correct Answer:
independent verification
113. Use the internal control procedures listed below to complete the statements.
segregation of duties
specific authorization
general authorization
accounting records
access controls
independent verification
supervision
Locking petty cash in a safe is an example of _____. Correct Answer:
access controls
114. Use the internal control procedures listed below to complete the statements.
segregation of duties
specific authorization
general authorization
accounting records
access controls
independent verification
supervision
Approving a price reduction because goods are damaged is an example of _____. Correct Answer:
specific authorization
115. Use the internal control procedures listed below to complete the statements.
segregation of duties
specific authorization
general authorization
accounting records
access controls
independent verification
supervision
Using cameras to monitor the activities of cashiers is an example of _____. Correct Answer:
supervision
116. Use the internal control procedures listed below to complete the statements.
segregation of duties
specific authorization
general authorization
accounting records
access controls
independent verification
supervision
Not permitting the computer programmer to enter the computer room is an example of _____. Correct Answer:
segregation of duties
117. Use the internal control procedures listed below to complete the statements.
segregation of duties
specific authorization
general authorization
accounting records
access controls
independent verification
supervision
Sequentially numbering all sales invoices is an example of _____. Correct Answer:
accounting records
118. What are the five conditions necessary for an act to be considered fraudulent? Correct Answer:
false representation, material fact, intent, justifiable reliance, and injury or loss
119. What is the objective of SAS 99? Correct Answer:
The objective of SAS 99 is to seamlessly blend the auditor’s consideration of fraud into all phases of the audit process.
120. Distinguish between control weaknesses and risk. Correct Answer:
Control weaknesses increase the firm’s risk of financial loss or injury. Risk is the probability of incurring such a loss or injury.
121. Explain the characteristics of management fraud. Correct Answer:
Management fraud typically occurs at levels above where the internal control system is effective. Financial statements are frequently modified to make the firm appear healthier than it actually is. If any misappropriation of assets occurs, it is usually well hidden.
122. The text discusses a red-flag checklist of questions regarding personal traits of executives which might help uncover fraudulent activity. List three of these questions. Correct Answer:
Questions relate to any of the following three areas in executives’ lives: high personal debt, living beyond their means, engaged in habitual gambling, appearing to abuse alcohol or drugs, appearing to lack personal codes of ethics, appearing to be unstable, having close associations with suppliers
123. Give two examples of employee fraud and explain how the theft might occur. Correct Answer:
Answers will vary but should involve (1) stealing something of value, (2) converting the asset to cash, and (3) concealing the act. Examples could include—Charges to expense accounts: Cash could be stolen and charged to a miscellaneous expense account. Once the account is closed, detection would be more difficult. Lapping: This involves converting cash receipts to personal use. If a customer’s check is taken, his/her balance will not reflect a payment and will be detected when a statement is sent. In order to conceal this fraud, a later payment is used to cover the stolen check. This is in effect a small-scale Ponzi scheme.
124. What are the six categories of physical control activities discussed in the text? Correct Answer:
Transaction authorization, segregation of duties, supervision, access controls, accounting records, and independent verification
125. Explain the shell company fraud. Correct Answer:
A shell company fraud first requires that the perpetrator establish a false supplier on the books of the victim company. The fraudster then manufactures false purchase orders, receiving reports, and invoices in the name of the vendor and submits them to the accounting system, which creates the illusion of a legitimate transaction. Based on these documents, the system will set up an account payable and ultimately issue a check to the false supplier (the fraudster).
126. Explain the pass-through fraud. Correct Answer:
The perpetrator creates a false vendor and issues purchase orders to it for inventory or supplies. The false vendor then purchases the needed inventory from a legitimate vendor. The false vendor charges the victim company much more than market price for the items, but pays only the market price to the legitimate vendor. The difference is the profit that the perpetrator pockets.
127. Explain the pay-and-return scheme. Correct Answer:
A pay-and-return scheme involves a clerk with check-writing authority who pays a vendor twice for the same products (inventory or supplies) received. The vendor, recognizing that its customer made a double payment, issues a reimbursement to the victim company. The clerk intercepts and cashes the reimbursement check.
128. What is check tampering? Correct Answer:
Check tampering involves forging or changing in some material way a check that the organization has written to a legitimate payee. One example of this is an employee who steals an outgoing check to a vendor, forges the payee’s signature, and cashes the check. A variation on this is an employee who steals blank checks from the victim company and makes them out to himself or an accomplice.
129. What are the three broad categories of application controls? Correct Answer:
input, processing, and output controls
130. How does privacy relate to output control? Correct Answer:
If the privacy of certain types of output (e.g., sensitive information about clients or customers) is violated, a firm could be legally exposed.
131. What are the three categories of processing control? Correct Answer:
Batch controls, run-to-run controls, and audit trail controls
132. What control issue is related to reentering corrected error records into a batch processing system? What are the two methods for doing this? Correct Answer:
Errors detected during processing require careful handling, since these records may already be partially processed. Simply resubmitting the corrected records at the data input stage may result in processing portions of these transactions twice. One method to solve the problem is to reverse the effects of the partially processed transactions and resubmit the corrected records to the data input stage. The second method is to reinsert corrected records into the processing stage at which the error was detected.
133. Output controls ensure that output is not lost, misdirected, or corrupted and that privacy is not violated. What are some output exposures or situations where output is at risk? Correct Answer:
output spooling, print programs, waste, report distribution
134. Name four input controls and describe what they test. Correct Answer:
1. Numeric-alphabetic checks look for the correct type of character content in a field, either numbers or letters. 2. Limit checks verify that values are within preset limits. 3. Range checks verify that values fall within an acceptable range. 4. Reasonableness check determines if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with data in other fields of the record.
135. Explain input controls. Correct Answer:
Input controls are programmed procedures (routines) that perform tests on transaction data to ensure they are free from errors.
136. Name three types of transcription errors. Correct Answer:
1. Addition errors occur when an extra digit or character is added to the code. For example, inventory item number 83276 is recorded as 832766. 2. Truncation errors occur when a digit or character is removed from the end of a code. In this type of error, the inventory item above would be recorded as 8327.
3. Substitution errors are the replacement of one digit in a code with another. For example, code number 83276 is recorded as 83266.
137. Describe two types of transposition errors. Correct Answer:
1. Single transposition errors occur when two adjacent digits are reversed. For instance, 83276 is recorded as 38276. 2. Multiple transposition errors occur when nonadjacent digits are transposed. For example, 83276 is recorded as 87236.
138. Describe factors that influence the number of backup files needed for each application. Correct Answer:
The systems designer determines the number of backup master files needed for each application. Two factors influence this decision: (1) the financial significance of the system and (2) the degree of file activity. For example, a master file that is updated several times a day may require 30 or 40 generations of backup, whereas a file that is updated only once each month may need only four or five backup versions. This decision is important because certain types of system failures can result in the destruction of large numbers of backup versions within the same family of files.
139. The text describes six internal control activities. List four of them and provide a specific example of each one. Correct Answer:
Control Activity: Example
Authorization: general (purchase of inventory when level drops) or specific (credit approval beyond normal limit)
Segregation of functions: separate authorization from processing, and separate custody of assets from record keeping
Supervision: required when separation of duties is not possible, such as opening the mail (cash receipts)
Accounting records: maintain an adequate audit trail
Access controls: maintain physical security
Independent verification: bank reconciliation, physical inventory count
140. Contrast management fraud with employee fraud. Correct Answer:
Employee fraud is usually designed to directly convert cash or other assets to the employee’s personal benefit. Management fraud involves less of a direct benefit to the perpetrator. Management fraud may involve an attempt to misstate financial performance in order to gain additional compensation or to earn a promotion. Management fraud may also involve an attempt to misstate financial performance in order to increase the price of the company’s stock or to reduce the cost of debt. Management fraud is more insidious than employee fraud because it often escapes detection until the organization has suffered irreparable damage or loss. Management fraud usually does not involve the direct theft of assets.
141. Four underlying problems that called pre-SOX federal security law adequacy into question were addressed in the text. Discuss two of these problems. Correct Answer:
Lack of auditor independence—Auditing firms that provide other services to audit clients lack independence. They are, in effect, auditing their own work. Lack of director independence—Many boards of directors have members that serve on boards of other directors’ companies, or have a business trading, financial, or operational relationship with the company. The majority of directors should be independent outsiders.
Questionable executive compensation schemes—There is a strong belief that executives have abused stock-based compensation. The consensus is that fewer stock options should be offered than is typical under current practice. In extreme cases, financial statement misrepresentation has been used to achieve stock prices needed to exercise options.
Inappropriate accounting practices—The use of inappropriate accounting techniques is a common characteristic in many financial statement fraud schemes.
142. Why are the computer ethics issues of privacy, security, and property ownership of interest to accountants? Correct Answer:
Privacy is a concern because the nature of computer data files makes it possible for unauthorized individuals to obtain information without it being recognized as “missing” from its original location. Security is a concern because its absence makes control from a privacy viewpoint questionable. In addition, lack of security may permit unauthorized changes to data, therefore distorting information that is reported.
Property ownership raises issues of legitimacy of organizational software, valuation of assets, and questions of lost revenues.
143. According to common law, there are five conditions that must be present for an act to be deemed fraudulent. Name and explain each. Correct Answer:
false representation: meaning some misrepresentation or omission must have occurred, material facts: meaning that the facts must influence someone’s actions, intent: meaning there must have been the intention to deceive others, justifiable reliance: meaning it did affect someone’s decision, and injury or loss must have occurred.
144. Management fraud is regarded as more serious than employee fraud. Three special characteristics have been discussed for management fraud. What are they? Explain. Correct Answer:
Management fraud is more insidious than employee fraud because it often escapes detection until the organization has suffered irreparable damage or loss. It usually occurs at levels above the normal internal control system. There is typically an intent to present a better picture of the business than is valid, often to deceive creditors and/or shareholders. If assets are misappropriated, the route is quite devious, involving a maze of business transactions.
145. Four principal types of corruption are discussed. Name all four and explain at least two. Correct Answer:
Corruption involves an executive, manager, or employee of a business working in collusion with an outsider. The four principal types of corruption are bribery, illegal gratuity, conflict of interest, and economic extortion. Bribery involves giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties.
An illegal gratuity involves giving, receiving, offering, or soliciting something of value because of an official act that has been taken.
A conflict of interest occurs when an employee acts on behalf of a third party during the discharge of his or her duties or has self-interest in the activity being performed.
Economic extortion is the use (or threat) of force (including economic sanctions) by an individual or organization to obtain something of value.
146. Misappropriation of assets can involve various schemes: expense reimbursement fraud, lapping, and payroll fraud. Explain each and give an example. Correct Answer:
Expense reimbursement fraud involves fictitious or inflated claims for reimbursement of business expenses such as travel that never occurred. Lapping is a technique whereby an early theft is covered up by a later one, i.e., with the moves “lapping” over each other. The simplest example involves taking a customer’s payment. A later payment is then credited to the first customer’s account, not the second. And on it goes.
Payroll fraud is the distribution of fraudulent paychecks to existent and/or nonexistent employees.
147. Distinguish between skimming and cash larceny. Give an example of each. Correct Answer:
Skimming involves stealing cash from an organization before it is recorded on the organization’s books and records. One example of skimming is an employee who accepts payment from a customer but does not record the sale. Another example is mail room fraud, in which an employee opening the mail steals a customer’s check and destroys the associated remittance advice.
Cash larceny involves schemes in which cash receipts are stolen from an organization after they have been recorded in the organization’s books and records. An example of this is lapping, in which the cash receipts clerk first steals and cashes a check from Customer A. To conceal the accounting imbalance caused by the loss of the asset, Customer A’s account is not credited. Later (the next billing period), the employee uses a check received from Customer B and applies it to Customer A’s account. Funds received in the next period from Customer C are then applied to the account of Customer B, and so on.
148. Explain why collusion between employees and management in the commission of a fraud is difficult to both prevent and detect. Correct Answer:
Collusion among employees in the commission of a fraud is difficult to both prevent and detect. This is particularly true when the collusion is between managers and their subordinate employees. Management plays a key role in the internal control structure of an organization. They are relied upon to prevent and detect fraud among their subordinates. When they participate in fraud with the employees over whom they are supposed to provide oversight, the organization’s control structure is weakened, or completely circumvented, and the company becomes more vulnerable to losses.
149. Since all fraud involves some form of financial misstatement, how is fraudulent statement fraud different? Correct Answer:
Fraudulent statements are associated with management fraud. While all fraud involves some form of financial misstatement, to meet the definition under this class of fraud scheme, the statement itself must bring direct or indirect financial benefit to the perpetrator. In other words, the statement is not simply a vehicle for obscuring or covering a fraudulent act. For example, misstating the cash account balance to cover the theft of cash does not fall under this class of fraud scheme. On the other hand, understating liabilities to present a more favorable financial picture of the organization to drive up stock prices does qualify.
150. SAS 109 requires auditors to obtain an understanding of an organization’s control environment. Discuss two techniques that may be used to obtain such understanding. Correct Answer:
Auditors should assess the integrity of management and may use investigative agencies to report on the background of key managers. Auditors should be aware of conditions that would predispose management fraud, such as lack of sufficient working capital, adverse industry conditions, bad credit ratings, or restrictive bank or indenture agreements.
Auditors should understand a client’s business and industry and be aware of conditions peculiar to the industry that may affect the audit.
151. A company’s board of directors should, at a minimum, adopt the provisions of SOX. Discuss three of the six established best practices that a board should also follow. Correct Answer:
The roles of CEO and board chairman should be separate to facilitate discussions without management being present. The board should establish a code of ethical standards from which management and staff will take direction. Minimally, it should address outside employment conflicts, gifts that could be considered bribery, falsification of data, conflicts of interest, political contributions, confidentiality, honesty, and membership on external boards.
Establishment of an independent audit committee that selects the independent auditor.
Compensation committees that evaluate management compensation schemes to ensure they create the desired incentives.
Nominating committees with a plan to maintain a fully staffed, capable board of directors. Committees must recognize the need for independent directors and have criteria for determining independence.
All committees of the board should have access to attorneys and consultants other than the corporation’s normal counsel and consultants.
152. SAS 109 requires auditors to obtain sufficient knowledge of the organization’s risk assessment procedures to understand how management identifies, prioritizes, and manages financial reporting risk. List five circumstances that can cause risks to arise or change. Correct Answer:
Changes in the operating environment that impose new or changed competitive pressures on the firm. New personnel who have a different or inadequate understanding of internal control. New or reengineered information systems that affect transaction processing. Significant and rapid growth that strains existing internal controls.
The implementation of new technology into the production process or information system that impacts transaction processing. The introduction of new product lines or activities with which the organization has little experience. Organizational restructuring resulting in the reduction and/or reallocation of personnel such that business operations and transaction processing are affected. Entering into foreign markets that may impact operations (risk associated with foreign currency transactions). Adoption of a new accounting principle that impacts financial statement preparation.
153. Explain the problems associated with inappropriate accounting practices. Correct Answer:
The use of inappropriate accounting techniques is a characteristic common to many financial statement fraud schemes. Enron made elaborate use of Special Purpose Entities (SPE) to hide liabilities through off-balance sheet accounting. WorldCom management transferred transmission line costs from current expense accounts to capital accounts. This allowed them to defer some operating expenses and report higher earnings. Also, they reduced the book value of hard assets of MCI by $3.4 billion and increased goodwill by the same amount. Had the assets been left at book value, they would have been charged against earnings over four years. Goodwill, on the other hand, was amortized over a much longer period.
154. Explain the purpose of the PCAOB. Correct Answer:
The Sarbanes-Oxley Act creates a Public Company Accounting Oversight Board (PCAOB). The PCAOB is empowered to set auditing, quality control, and ethics standards, to inspect registered accounting firms, to conduct investigations, and to take disciplinary actions.
155. Auditor independence under SOX includes categories of services that a public accounting firm cannot perform for a client. List five prohibited functions. Correct Answer:
Bookkeeping or other services related to the accounting records or financial statements
Financial information systems design and implementation
Appraisal or valuation services, fairness opinions, or contribution-in-kind reports
Actuarial services
Internal audit outsourcing services
Management functions or human resources
Broker or dealer, investment adviser, or investment banking services
Legal services and expert services unrelated to the audit
Any other service that the PCAOB determines is impermissible
156. What are the key points of the “Issuer and Management Disclosure” of the Sarbanes-Oxley Act? Correct Answer:
1. Public companies must report all off-balance-sheet transactions. 2. Annual reports filed with the SEC must include a statement by management asserting that it is responsible for creating and maintaining adequate internal controls and asserting to the effectiveness of those controls. 3. Officers must certify that the company’s accounts ‘fairly present’ the firm’s financial condition and results of operations. 4. Knowingly filing a false certification is a criminal offense.
157. Define and describe the importance of physical controls. Correct Answer:
Virtually all systems, regardless of their sophistication, employ human activities that need to be controlled. This class of controls relates primarily to the human activities employed in accounting systems. These activities may be purely manual, such as the physical custody of assets, or they may involve the use of computers to record transactions or update accounts. Physical controls do not relate to the computer logic that actually performs these accounting tasks. Rather, they relate to the human activities that initiate such computer logic. In other words, physical controls do not suggest an environment in which clerks update paper accounts with pen and ink.
158. How has the Sarbanes-Oxley Act had a significant impact on corporate governance? Correct Answer:
The Sarbanes-Oxley Act requires all audit committee members to be independent and requires the audit committee to hire and oversee the external auditors. This provision is consistent with the position of many investors who consider board composition to be a critical investment factor. For example, a Thomson Financial survey revealed that most institutional investors want corporate boards to be comprised of at least 75 percent independent directors. Two other significant provisions of the act relating to corporate governance are (1) public companies are prohibited from making loans to executive officers and directors, and (2) the act requires attorneys to report evidence of a material violation of securities laws or breaches of fiduciary duty to the CEO, CFO, or the PCAOB.
159. Define and describe a conflict of interest. Correct Answer:
A conflict of interest occurs when an employee acts on behalf of a third party during the discharge of his or her duties or has self-interest in the activity being performed. When such a conflict is unknown to the employer and results in financial loss, fraud has occurred. Bribery and illegal gratuities are examples of conflicts of interest. Conflicts can also occur when an employee has an interest in the outcome of an economic event. An example would include an employee who directs a disproportionate number of overpriced purchase orders to a company in which the employee is a part-owner.
160. What are the key points of the section 404 of the Sarbanes-Oxley Act? Correct Answer:
Section 404 requires the management of public companies to assess the effectiveness of their organization’s internal controls. This entails providing an annual report addressing the following points: (1) a statement of management’s responsibility for establishing and maintaining adequate internal control; (2) an assessment of the effectiveness of the company’s internal controls over financial reporting; (3) a statement that the organization’s external auditors have issued an attestation report on management’s assessment of the company’s internal controls; (4) an explicit written conclusion as to the effectiveness of internal control over financial reporting; and (5) a statement identifying the framework used in the assessment of internal controls.
161. Describe the factors that constitute the fraud triangle. Why is it important to auditors? Correct Answer:
The fraud triangle consists of three factors that contribute to or are associated with management and employee fraud. These are: (1) situational pressure, which includes personal or job-related stresses that could coerce an individual to act dishonestly; (2) opportunity, which involves direct access to assets and/or access to information that controls assets; and (3) ethics, which pertains to one’s character and degree of moral opposition to acts of dishonesty.
An individual with a high level of personal ethics, who is confronted by low pressure and limited opportunity to commit fraud, is more likely to behave honestly than one with weaker personal ethics, who is under high pressure and exposed to greater fraud opportunities.
Research by forensic experts and academics has shown that the auditor’s evaluation of fraud is enhanced when the fraud triangle factors are considered.
162. Define each of the following input controls and give an example of how they may be used: a. Missing data check b. Numeric/alphabetic data check c. Limit check d. Range check e. Reasonableness check f. Validity check Correct Answer:
Missing data check is useful because some programming languages are restrictive as to the justification (right or left) of data within the field. If data are not properly justified or if a character is missing (has been replaced with a blank), the value in the field will be improperly processed. For example, the presence of blanks in a numeric data field may cause a system failure. When the control routine detects a blank where it expects to see a data value, the error is flagged.
A numeric-alphabetic check control identifies when data in a particular field are in the wrong form. For example, a customer’s account balance should not contain alphabetic data and the presence of it will cause a data processing error. Therefore, if alphabetic data are detected, the error record flag is set.
Limit checks are used to identify field values that exceed an authorized limit. For example, assume the firm’s policy is that no employee works more than 44 hours per week. The payroll system input control program can test the hours-worked field in the weekly payroll records for values greater than 44.
Range checks exist when data have upper and lower limits to their acceptable values. For example, if the range of pay rates for hourly employees in a firm is between 8 and 20 dollars, this control can examine the pay rate field of all payroll records to ensure that they fall within this range.
A reasonableness check determines if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with data in other fields of the record. For example, assume that an employee’s pay rate of 18 dollars per hour falls within an acceptable range. This rate is excessive, however, when compared to the employee’s job skill code of 693; employees in this skill class should not earn more than 12 dollars per hour.
A validity check compares actual field values against known acceptable values. For example, this control may be used to verify such things as valid vendor codes, state abbreviations, or employee job skill codes. If the value in the field does not match one of the acceptable values, the record is flagged as an error.
163. After data is entered into the system, it is processed. Processing control exists to make sure that the correct things happen during processing. Discuss processing controls. Correct Answer:
Processing controls take three forms—batch controls, run-to-run controls, and audit trail controls.
Batch controls are used to manage the flow of high volumes of transactions through batch processing systems. The objective of batch control is to reconcile output produced by the system with the input originally entered into the system. This provides assurance that:
All records in the batch are processed.
No records are processed more than once.
An audit trail of transactions is created from input through processing to the output stage of the system.
Run-to-run controls use batch figures and new balances to monitor the batch as it goes through the system—i.e. from run to run. These are to assure that no transactions are lost and that all are processed completely.
Audit trail controls are designed to document the movement of transactions through the system. The most common techniques include the use of transaction logs and transaction listings, unique transaction identifiers, logs and listings of automatic transactions, and error listings.
164. If input and processing controls are adequate, why are output controls needed? Correct Answer:
Output controls are designed to ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated. Great risk exists if checks are misdirected, lost, or stolen. Certain types of data must be kept private—trade secrets, patents pending, customer records, etc.
165. Explain the grandfather-father-son backup technique. Correct Answer:
The GFS backup technique begins when the current master file (the father) is processed against the transaction file to produce a new updated master file (the son). Note that the son is a physically different file from the father. With the next batch of transactions, the son becomes the current master file (the new father), and the original father becomes the backup file (grandfather). This procedure is continued with each new batch of transactions, creating several generations of backup files. When the desired number of backup copies is reached, the oldest backup file is erased (scratched). If the current master file is destroyed or corrupted, it is reconstructed by processing the most current backup file against the corresponding transaction file.
Chapter 4
1. The packing slip is also known as the shipping notice. a. True *b. False
2. The bill of lading is a legal contract between the buyer and the seller. a. True *b. False
3. Another name for the stock release form is the picking ticket. *a. True b. False
4. Warehouse stock records are the formal accounting records for inventory. a. True *b. False
5. The purpose of the invoice is to bill the customer. *a. True b. False
6. In most large organizations, the journal voucher file has replaced the formal general journal. *a. True b. False
7. The cash receipts journal is a special journal. *a. True b. False
8. In the revenue cycle, the internal control “limit access” applies to physical assets only. a. True *b. False
9. In real-time processing systems, routine credit authorizations are automated. *a. True b. False
10. In a computerized accounting system, segregation of functions refers to inventory control, accounts receivable, billing, and general ledger tasks. a. True *b. False
11. A written customer purchase order is required to trigger the sales order system. a. True *b. False
12. Inventory control has physical custody of inventory. a. True *b. False
13. The principal source document in the sales order system is the sales order. *a. True b. False
14. Sales orders should be prenumbered documents. *a. True b. False
15. Integrated accounting systems automatically transfer data between modules. *a. True b. False
16. If a customer submits a written purchase order, there is no need to prepare a sales order. a. True *b. False
17. Sales return involves receiving, sales, credit, and billing departments, but not accounts receivable. a. True *b. False
18. A remittance advice is a form of turnaround document. *a. True b. False
19. A bill of lading is a request for payment for shipping charges. a. True *b. False
20. In point-of-sale systems, authorization takes the form of validation of credit card charges. *a. True b. False
21. The warehouse is responsible for updating the inventory subsidiary ledger. a. True *b. False
22. In a manual system, the billing department is responsible for recording the sale in the sales journal. *a. True b. False
23. The stock release document is prepared by the shipping department to provide evidence that the goods have been released to the customer. a. True *b. False
24. The accounts receivable clerk is responsible for updating the AR control accounts to reflect each customer sale. a. True *b. False
25. When customer payments are received, the mail room clerk sends the checks to the cash receipts clerk and the remittance advices to the AR clerk. *a. True b. False
26. Physical controls are embedded in computer systems to control access to data. a. True *b. False
27. Process controls are controls over the logic of the application. *a. True b. False
28. In a basic technology revenue cycle system, a robust password control policy should be implemented. *a. True b. False
29. In an integrated cash receipts system, the cash receipts clerk reconciles the checks and the remittance advices and prepares deposit slips. *a. True b. False
30. Multilevel security employs programmed techniques that permit simultaneous access to a central system by many users with different access privileges but allows them to obtain information for which they lack authorization. a. True *b. False
31. The POS environment places both cash and inventory at risk. *a. True b. False
32. The revenue cycle consists of a. one subsystem—order entry *b. two subsystems—sales order processing and cash receipts c. two subsystems—order entry and inventory control d. three subsystems—sales order processing, credit authorization, and cash receipts
33. The reconciliation that occurs in the shipping department is intended to ensure that a. credit has been approved b. the customer is billed for the exact quantity shipped *c. the goods shipped match the goods ordered d. inventory records are reduced for the goods shipped
34. The adjustment to accounting records to reflect the decrease in inventory due to a sale occurs in the a. warehouse b. shipping department c. billing department *d. inventory control department
35. Which document triggers the revenue cycle? a. the sales order *b. the customer purchase order c. the sales invoice d. the journal voucher
36. Copies of the sales order can be used for all of the following except *a. purchase order b. credit authorization c. shipping notice d. packing slip
37. The purpose of the sales invoice is to a. record reduction of inventory b. transfer goods from seller to shipper *c. bill the customer d. select items from inventory for shipment
38. The customer open order file is used to *a. respond to customer queries b. fill the customer order c. ship the customer order d. authorize customer credit
39. The stock release copy of the sales order is not used to a. locate and pick the items from the warehouse shelves b. record any out-of-stock items c. authorize the warehouse clerk to release custody of the inventory to shipping *d. record the reduction of inventory
40. The shipping notice a. is mailed to the customer b. is a formal contract between the seller and the shipping company c. is always prepared by the shipping clerk *d. informs the billing department of the quantities shipped
41. The billing department is not responsible for *a. updating the inventory subsidiary records b. recording the sale in the sales journal c. notifying accounts receivable of the sale d. sending the invoice to the customer
42. Customers should be billed for back-orders when a. the customer purchase order is received *b. the back-ordered goods are shipped c. the original goods are shipped d. customers are not billed for back-orders because a back-order is a lost sale
43. Usually, specific authorization is required for all of the following except a. sales on account which exceed the credit limit *b. sales of goods at the list price c. a cash refund for goods returned without a receipt d. write-off of an uncollectible account receivable
44. Which of the following functions should be segregated? *a. opening the mail and making the journal entry to record cash receipts b. authorizing credit and determining reorder quantities c. maintaining the subsidiary ledgers and handling customer queries d. providing information on inventory levels and reconciling the bank statement
45. Which situation indicates a weak internal control structure? *a. the mail room clerk authorizes credit memos b. the record keeping clerk maintains both accounts receivable and accounts payable subsidiary ledgers c. the warehouse clerk obtains a signature before releasing goods for shipment d. the accounts receivable clerk prepares customer statements every month
46. The most effective internal control procedure to prevent or detect the creation of fictitious credit memoranda for sales returns is to a. supervise the accounts receivable department b. limit access to credit memoranda c. prenumber and sequence check all credit memoranda *d. require management approval for all credit memoranda
47. The accounts receivable clerk destroys all invoices for sales made to members of her family and does not record the sale in the accounts receivable subsidiary ledger. Which procedure will not detect this fraud? a. prenumber and sequence check all invoices b. reconcile the accounts receivable control to the accounts receivable subsidiary ledger *c. prepare monthly customer statements d. reconcile total sales on account to the debits in the accounts receivable subsidiary ledger
48. Which department is least likely to be involved in the revenue cycle? a. credit *b. accounts payable c. billing d. shipping
49. Which document is included with a shipment sent to a customer? a. sales invoice b. stock release form *c. packing slip d. shipping notice
50. Good internal controls in the revenue cycle should ensure all of the following except *a. all sales are profitable b. all sales are recorded c. credit is authorized d. inventory to be shipped is not stolen
51. Which control does not help to ensure that accurate records are kept of customer accounts and inventory? a. reconcile accounts receivable control to accounts receivable subsidiary *b. authorize credit c. segregate custody of inventory from record keeping d. segregate record keeping duties of general ledger from accounts receivable
52. Internal controls for handling sales returns and allowances do not include *a. computing bad debt expense using the percentage of credit sales b. verifying that the goods have been returned c. authorizing the credit memo by management d. using the original sales invoice to prepare the sales returns slip
53. The printer ran out of preprinted sales invoice forms and several sales invoices were not printed. The best internal control to detect this error is *a. a batch total of sales invoices to be prepared compared to the actual number of sales invoices prepared b. sequentially numbered sales invoices c. visual verification that all sales invoices were prepared d. none of the above will detect this error
54. Which department prepares the bill of lading? a. sales b. warehouse *c. shipping d. credit
55. A remittance advice is a. used to increase (debit) an account receivable by the cash received *b. is a turnaround document c. is retained by the customer to show proof of payment d. none of the above
56. A weekly reconciliation of cash receipts would include comparing *a. the cash prelist with bank deposit slips b. the cash prelist with remittance advices c. bank deposit slips with remittance advices d. journal vouchers from accounts receivable and general ledger
57. At which point is supervision most critical in the cash receipts system? a. accounts receivable b. general ledger *c. mail room d. cash receipts
58. EDI trading partner agreements specify all of the following except a. selling price b. quantities to be sold c. payment terms *d. person to authorize transactions
59. A cash prelist is a. a document that records sales returns and allowances b. a document returned by customers with their payments c. the source of information used to prepare monthly statements *d. none of the above
60. An advantage of real-time processing of sales is a. the cash cycle is lengthened *b. current inventory information is available c. hardcopy documents provide a permanent record of the transaction d. data entry errors are corrected at the end of each batch
61. Commercial accounting systems have fully integrated modules. The word “integrated” means that a. segregation of duties is not possible *b. transfer of information among modules occurs automatically c. batch processing is not an option d. separate entries are made in the general ledger accounts and the subsidiary ledgers
62. The data processing method that can shorten the cash cycle is a. batch, sequential file processing b. batch, direct access file processing *c. real-time file processing d. none of the above
63. Which of the following is not a risk exposure in a PC accounting system? *a. reliance on paper documentation is increased b. functions that are segregated in a manual environment may be combined in a computer accounting system c. backup procedures require human intervention d. data are easily accessible
64. Which journal is not used in the revenue cycle? a. cash receipts journal b. sales journal *c. purchases journal d. general journal
65. Periodically, the general ledger department receives all of the following except a. total increases to accounts receivable *b. total of all sales backorders c. total of all sales d. total decreases in inventory
66. The credit department a. prepares credit memos when goods are returned b. approves credits to accounts receivable when payments are received *c. authorizes the granting of credit to customers d. none of the above
67. Adjustments to accounts receivable for payments received from customers are based upon a. the customer’s check b. the cash prelist *c. the remittance advice that accompanies payment d. a memo prepared in the mail room
68. The revenue cycle utilizes all of the following files except a. credit memo file b. sales history file c. shipping report file *d. cost data reference file
69. All of the following are advantages of real-time processing of sales except a. The cash cycle is shortened b. Paperwork is reduced *c. Incorrect data entry is difficult to detect d. Up-to-date information can provide a competitive advantage in the marketplace
70. Which document is not prepared by the sales department? a. packing slip b. shipping notice *c. bill of lading d. stock release
71. Which type of control is considered a compensating control? a. segregation of duties b. access control *c. supervision d. accounting records
72. Which of the following is not a common method for achieving multilevel security? a. access control list *b. application integrity c. role-based access control d. all of the above
73. In an integrated cash receipts system, which of the following is not a task of the mail room clerk? a. reconciles checks and remittance advices b. open envelopes c. prepare remittance list *d. make bank deposit
74. Distinguish between a packing slip, shipping notice, and a bill of lading. Correct Answer:
The packing slip travels with the goods to the customer, and it describes the contents on the order. Upon filling the order, the shipping department sends the shipping notice to the billing department to notify them that the order has been filled and shipped. The shipping notice contains additional information that the packing slip may not contain, such as shipment date, carrier and freight charges. The bill of lading is a formal contract between the seller and the transportation carrier; it shows legal ownership and responsibility for assets in transit.
75. State two specific functions or jobs that should be segregated in the sales processing system. Correct Answer:
sales order processing and credit approval; inventory control (record keeping) from warehouse (custody); and general ledger from accounts receivable subsidiary ledger
76. State two specific functions or jobs that should be segregated in the cash receipts system. Correct Answer:
cash receipts (custody) from accounts receivable (record keeping); and general ledger from accounts receivable subsidiary ledger; mail room (receiving cash) and accounts receivable subsidiary ledger
77. List two points in the sales processing system when authorization is required. Correct Answer:
credit check, sales returns policy, preparation of cash prelist
78. For the revenue cycle, state two specific independent verifications that should be performed. Correct Answer:
Shipping verifies that the goods sent from the warehouse are correct in type and quantity.
Billing reconciles the shipping notice with the sales order to ensure that customers are billed only for the quantities shipped.
General ledger reconciles journal vouchers submitted by the billing department (sales journal), inventory control (inventory subsidiary ledger), and cash receipts (cash receipts journal).
Treasurer determines that all cash received got to the bank.
79. What task can the accounts receivable department engage in to verify that all checks sent by customers have been appropriately deposited and recorded? Correct Answer:
The company should periodically, perhaps monthly, send an account summary to each customer listing invoices and amounts paid by check number and date. This form allows the customer to verify the accuracy of the records. If any payments are not recorded, they will notify the company of the discrepancy. These reports should not be handled by the accounts receivable clerk or the cashier.
80. What specific internal control procedure would prevent the sale of goods on account to a fictitious customer? Correct Answer:
credit check
81. The clerk who opens the mail routinely steals remittances and checks. Describe a specific internal control procedure that would prevent or detect this fraud. Correct Answer:
supervision (two people) when opening the mail; customer complaints when monthly statements are mailed
82. A customer payment of $247 was correctly posted in the general ledger but was recorded as $274 in the customer’s account receivable. Describe a specific internal control procedure that would detect this error. Correct Answer:
Reconcile the accounts receivable control account to the accounts receivable subsidiary ledger; compare control totals of cash received with total credits to AR subsidiary ledger.
83. Goods are shipped to a customer, but the shipping department does not notify billing and the customer never receives an invoice. Describe a specific internal control procedure that would detect this error. Correct Answer:
Billing department matches the stock release copy of the sales order (from shipping) to the invoice, ledger, and file copies of the sales order (sent directly to billing), and then mails the invoice to the customer. After a certain amount of time has passed, the billing department should investigate any unmatched invoice, ledger, and file copies of the sales order.
84. A clerk embezzles customer payments on account and covers up the theft by making an adjustment to the accounts receivable ledger. Describe a specific internal control procedure that would prevent this fraud. Correct Answer:
Segregation of duties would prevent this fraud. One person shouldn’t have custody of payments and the ability to make adjustments to the records. All adjustments to accounts receivable records must be authorized.
85. A credit sale is made to a customer, even though the customer’s account is four months overdue. Describe a specific internal control procedure that would prevent this from happening. Correct Answer:
Perform a credit check and require management approval for all sales to accounts that are overdue.
86. What specific internal control procedure would prevent a customer from being billed for all 50 items ordered although only 40 items were shipped? Correct Answer:
Billing should reconcile the shipping report with the sales order.
87. What specific internal control procedure would prevent the shipping clerk from taking goods from the storeroom and sending them to someone who had not placed an order? Correct Answer:
Shipping clerk should not have access to the storeroom.
88. What specific internal control procedure would prevent an accounts receivable clerk from issuing a fictitious credit memo to a customer (who is also a relative) for goods that were “supposedly” returned from previous sales? Correct Answer:
Credit memo should be authorized after verifying the return of goods based on evidence from the person who received the goods.
89. What specific internal control procedure would prevent an increase in sales returns since salespeople were placed on commission? Correct Answer:
Customer credit should be verified by the credit department. 90. What specific internal control procedure would detect the misplacement of a prepared sales invoice that was not mailed to the customer? The invoice was never found. Correct Answer:
All documents should be prenumbered. Any gap should be investigated. 91. What function does the receiving department serve in the revenue cycle? Correct Answer:
The receiving department counts and inspects items which are returned by customers. The receiving department prepares a return slip; a copy of which goes to the warehouse for restocking. Another copy of the return slip goes to the sales order department so that a credit memo can be issued to the customer. 92. What are the three rules that ensure that no single employee or department processes a transaction in its entirety? Correct Answer:
1. Transaction authorization should be separate from transaction processing. 2. Asset custody should be separate from asset record keeping. 3. The organization structure should be such that the perpetration of a fraud requires collusion between two or more individuals.
93. What is automation and why is it used? Correct Answer:
Automation involves using technology to improve the efficiency and effectiveness of a task. Automation of the revenue cycle is typically used to reduce overhead costs, make better credit granting decisions, and better collect outstanding accounts receivable. 94. What are the benefits and risks of making Internet sales? Correct Answer:
Internet sales opens an organization’s doors to thousands of potential business partners with whom it has no formal agreement. Connecting to the Internet exposes the organization to threats from computer hackers, viruses, and transaction fraud. 95. What are the key segregation of duties related to computer programs that process accounting transactions? Correct Answer:
The tasks of design, maintenance, and operation of computer programs need to be segregated. The programmers who write the original computer programs should not be responsible for making program changes. Both of these functions must also be separate from the daily task of operating the system. 96. How is EDI more than technology? What unique control problems may it pose? Correct Answer:
EDI represents a unique business arrangement between the buyer and seller in which they agree, in advance, to the terms of their relationship on such items as selling price, quantities, delivery times, payment terms and methods of handling disputes. The terms of agreement are binding. One problem is ensuring that only valid transactions are processed. Another risk is that a non-trading partner will masquerade as a trading partner and access the firm's processing systems. 97. What makes point-of-sale systems different from revenue cycles of manufacturing firms? Correct Answer:
In point-of-sale systems, the customer literally has possession of the items purchased, thus the inventory is in hand. Typically, for manufacturing firms, the order is placed and the good is shipped to the customer at some later time period. Thus, updating inventory at the time of sale is necessary in point-of-sale systems since the inventory is changing hands, while it is not necessary in manufacturing firms until the goods are actually shipped to the customer. Also, POS systems are used extensively in grocery stores, department stores, and other types of retail organizations. Generally, only cash, checks, and bank credit card sales are valid. Unlike manufacturing firms, the organization maintains no customer accounts receivable. Unlike some manufacturing firms, inventory is kept on the store’s shelves, not in a separate warehouse. The customers personally pick the items they wish to buy and carry them to the checkout location, where the transaction begins. Shipping, packing, bills of lading, etc. are not relevant to POS systems.
98. Give three examples of access control in a point-of-sale (POS) system.
Correct Answer:
• Lock on the cash drawer
• Internal cash register tape that can be accessed only by the manager
• Physical security over the inventory, for example: steel cables to secure expensive leather coats to the clothing rack; locked showcases to display jewelry and costly electronic equipment; magnetic tags attached to merchandise that will sound an alarm when removed from the store.
Note to instructor: Some physical security devices could also be classified as supervision.
99. Describe the key tasks in the sales order process. Correct Answer:
Sales order procedures include the tasks involved in receiving and processing a customer order, filling the order and shipping products to the customer, billing the customer at the proper time, and correctly accounting for the transaction. 100. What is the purpose(s) of the stock release document? Correct Answer:
The stock release document (also called the picking ticket) is sent to the warehouse to identify the items of inventory that have been sold and must be located and picked from the warehouse shelves. It also provides formal authorization for warehouse personnel to release the specified items. 101. What is the role of the shipping notice? Correct Answer:
The shipping notice triggers the billing process. When the goods are shipped, the shipping notice is forwarded to the billing function as evidence that the customer’s order was filled and shipped. This document conveys pertinent new facts such as the date of shipment, the items and quantities actually shipped, the name of the carrier, and freight charges. 102. What is a bill of lading? Correct Answer:
The bill of lading is a formal contract between the seller and the shipping company (carrier) to transport the goods to the customer. This document establishes legal ownership and responsibility for assets in transit.
103. What is the purpose of the credit memo? Correct Answer:
This document is the authorization for the customer to receive credit for the merchandise returned. A credit memo may be similar in appearance to a sales order. Some systems may actually use a copy of the sales order marked credit memo. 104. Explain the steps needed to process a credit memo in the sales return system. Correct Answer:
The objective is to reverse the effects of the original sales transaction. The billing department records an entry into the sales returns and allowance or sales journal and inventory control debits the inventory records to reflect the return of goods. The AR clerk credits the customer account in the AR subsidiary ledger. 105. What is multilevel security? Correct Answer:
Multilevel security employs programmed techniques that permit simultaneous access to a central system by many users with different access privileges but prevents them from obtaining information for which they lack authorization. 106. What does EDI technology do? Correct Answer:
EDI technology was devised to expedite routine transactions between manufacturers and wholesalers, and between wholesalers and retailers.
107. When Clipper Mail Order Co. receives telephone and fax orders, the billing department prepares an invoice. The invoice is mailed immediately. A copy of the invoice serves as a shipping notice. The shipping department removes inventory from the warehouse and prepares the shipment. When the order is complete, the goods are shipped. The clerk checks the customer’s credit before recording the sale in the general journal and the account receivable subsidiary ledger. The receptionist opens the mail and lists all payments. The receptionist also handles all customer complaints and prepares sales return forms for defective merchandise. The cashier records all cash receipts in the general journal and makes the appropriate entry in the accounts receivable subsidiary ledger. The cashier prepares the daily bank deposit.
Describe at least five internal control weaknesses at Clipper Mail Order Co.
Correct Answer:
no sales order is prepared; credit should be checked before shipping the items; invoices are mailed before the goods are shipped; shipping has access to the warehouse; record keeping duties are not segregated (general ledger from subsidiary ledger); only one person opens the mail; sales return forms are not authorized by management; custody and record keeping duties are not separated; the cashier has custody of cash, makes journal entries, and maintains AR ledger; cashier has custody of cash and handles customer complaints (e.g., about unrecorded payments).
108. How may an employee embezzle funds by issuing an unauthorized sales credit memo if the appropriate segregation of functions and authorization controls were not in place? Correct Answer:
An employee who has access to incoming payments, either cash or check, as well as the authorization to issue credit memos may pocket the cash or check of a payment for goods received. This employee could then issue a credit memo to this person’s account so that the customer does not show a balance due. 109. For each of the following documents, describe its purpose, the functional area preparing it, and the key data included: sales order, bill of lading, credit memo. Correct Answer:
A sales order is used to collect information needed to initiate the sales process. It can be a copy of the customer’s purchase order prepared by the customer or a document prepared by a member of the sales staff in response to mail, phone or personal contact with the customer. It contains information about the customer, the type and quantity of merchandise being requested, price information, shipping information, etc. The bill of lading is prepared by the shipping clerk. It is a formal contract between the seller and the carrier who will transport the goods to the customer. It contains information about the carrier, the customer, descriptions of the package(s) being shipped, declared value of the goods, and information on freight charges, including how much and who will pay.
A credit memo is a document authorizing issuance of credit to a customer for returned goods. It is prepared in the sales department after receipt of a return slip from receiving. It shows the customer’s name, reason for the return, a list of items and prices, and the total amount of credit. Many credit memos require additional authorization.
110. Discuss two IT controls or edits that can be programmed into a system to minimize the risk from data input errors. Correct Answer:
1. Checks for missing data, alpha-numeric data, and valid data values reduce the risk of undetected data entry errors in accounts receivable, inventory control, billing, and cash receipts. 2. Check digit edits provide control over accessing the wrong accounts when posting customer sales and cash receipts transactions. Long customer account numbers are susceptible to transcription and transposition errors during data entry. Check digit controls reduce the risk of such errors.
111. What role does each of the following departments play in the sales order processing subsystem: sales, credit, and shipping? Be complete. Correct Answer:
The sales department receives the order information from the customer, either by mail, phone, or in person. Information is captured on a sales order form which includes customer name; account number; name, number, and description of items ordered; quantities and unit prices plus taxes; shipping information, discounts, and freight terms. This form is usually prepared in multiple copies that are used for credit approval; packing; stock release; shipping; and billing. The credit department provides transaction authorization by approving the customer for a credit sale and returns and allowances.
The shipping department receives information from the sales department in the form of packing slip and shipping notice. When the goods arrive from the warehouse, the documents are reconciled with the stock release papers. The goods are packed and labeled. The packing slip is included. The shipping notice is sent to billing. A bill of lading is prepared to accompany the shipment.
112. With regard to segregation of duties, rule one is that transaction authorization and transaction processing should be separated. What does this require in the revenue cycle? Correct Answer:
Within the revenue cycle, the credit department is separate from the rest of the process. Hence, the authorization of the transaction (granting of credit) is independent. If other people, e.g., sales staff, were able to authorize credit sales, there would be the temptation to approve sales to any customer, even those known to not be creditworthy.
113. With regard to segregation of duties, rule two is that asset custody and record keeping should be separated. What does this require in the revenue cycle? Correct Answer:
In the revenue cycle, the warehouse has custody of physical assets while accounting (especially general ledger and inventory control) maintains the records. Also, in the cash receipts subsystem, cash receipts has custody of the asset (cash) while general ledger and accounts receivable keep the records. 114. What role does each of the following departments play in the cash receipts subsystem: mail room, cash receipts, accounts receivable, and general ledger? Be complete. Correct Answer:
The mail room receives the customer’s payment—usually a check accompanied by a document called a remittance advice (which may be a copy of the invoice sent to the customer). Mail clerks separate the two, prepare a cash prelist or remittance list which lists all the payments received, and send the checks to the cashier and remittance advices to accounts receivable. In cash receipts someone (e.g., cashier) restrictively endorses the checks and records the payments in the cash receipts journal. A deposit slip is prepared which accompanies the checks to the bank.
The accounts receivable department posts from the remittance advices to the customer accounts in the AR subsidiary ledger.
The general ledger department records cash receipts to the cash and AR control accounts based on the list from the mail room and the summary report of posting from AR.
115. For each of the following documents, describe its purpose, the functional area preparing it, and the key data included: remittance advice, remittance list, deposit slip. Correct Answer:
A remittance advice is sent by the customer to accompany payment. However, it is often part of or a copy of the invoice previously sent by the billing department after the goods were shipped. A remittance list is often called a cash prelist and is prepared by the mail room clerk to record all cash received. It accompanies the checks to the cashier.
A deposit slip is prepared by the cashier to accompany the checks to the bank. This is usually a preprinted bank form.
116. How is independent verification carried out in a manual revenue system? Correct Answer:
Independent verification occurs in several departments as part of the sales order processing system. The shipping department verifies that the goods released by the warehouse for shipment, as shown on the stock release document, match the packing slip. Billing compares the shipping notice with the invoice to be sure customers are billed only for goods shipped. And general ledger reconciles the journal vouchers prepared by billing, inventory control, cash receipts, and accounts receivable. This reconciliation focuses on a match between what was ordered, what was removed from the stockroom, what was shipped, what was billed, cash received, and credit to the customer account. 117. Describe two common methods for achieving multilevel security. Correct Answer:
Two common methods for achieving multilevel security are the access control list (ACL) and role-based access control (RBAC). The ACL method assigns privileges, such as the right to perform computer program procedures and access data files, directly to the individual. In large organizations with thousands of employees, this can become a considerable administrative burden as access needs constantly change with changes in job responsibilities. RBAC involves creating standard tasks (e.g., cash receipts processing) called roles. Each role is assigned access privileges to specific data and procedures, such as the right to add a record to the cash receipts journal. Once a role is created, individuals are assigned to it. Using this technique, individuals may be easily added or deleted from roles as their job responsibilities change. Individuals assigned to a particular role may not access program procedures and data that are not specified by that role. 118. What unique control problems does EDI pose? Correct Answer:
EDI poses unique control problems for organizations. One problem is ensuring that, in the absence of explicit authorization, only valid transactions are processed. Another risk is that a trading partner, or someone masquerading as a trading partner, will access the firm’s accounting records in a way that is unauthorized by the trading partner agreement. 119. Describe a credit check in an advanced technology system. Correct Answer:
In an advanced technology system, the system logic, not a human being, makes the decision to grant or deny credit based on the customer’s credit history contained in the credit history file. If credit is denied, the sales clerk should not be able to force the transaction to continue. However, to allow for operational flexibility in unusual circumstances, the system provides a management override option that may only be performed by a supervisor. Any such overrides should be fully documented in the credit history record and in management reports.
Chapter 5
1. In merchandising firms, purchasing decisions are authorized by inventory control. *a. True b. False
2. The blind copy of the purchase order that goes to the receiving department contains no item descriptions. a. True *b. False
3. Firms that wish to improve control over cash disbursements use a voucher system. *a. True b. False
4. In a voucher system, the sum of all unpaid vouchers in the voucher register equals the firm’s total voucher payable balance. *a. True b. False
5. The accounts payable department reconciles the accounts payable subsidiary ledger to the control account. a. True *b. False
6. The use of inventory reorder points suggests the need to obtain proper authorization. a. True *b. False
7. Proper segregation of duties requires that the responsibility for approving a payment be separated from posting to the cash disbursements journal. *a. True b. False
8. A major risk exposure in the expenditure cycle is that accounts payable may be overstated at the end of the accounting year. a. True *b. False
9. When a trading partner agreement is in place, the traditional three-way match may be eliminated. *a. True b. False
10. Authorization of purchases in a merchandising firm occurs in the production planning and control department. a. True *b. False
11. A three-way match involves a purchase order, a purchase requisition, and an invoice. a. True *b. False
12. Authorization for a cash disbursement occurs in the cash disbursement department upon receipt of the supplier’s invoice. a. True *b. False
13. An automated cash disbursements system can yield better cash management since payments are made on time. *a. True b. False
14. Permitting warehouse staff to maintain the only inventory records violates separation of duties. *a. True b. False
15. A purchasing system that employs electronic data interchange does not use a purchase order. a. True *b. False
16. Inventory control should be located in the warehouse. a. True *b. False
17. Inspection of shipments in the receiving department would be improved if the documentation showed the value of the inventory. a. True *b. False
18. One reason for authorizing purchases is to enable efficient inventory management. *a. True b. False
19. If accounts payable receives an invoice directly from the supplier, it needs to be reconciled with the purchase order and receiving report. *a. True b. False
20. Supervision in receiving is intended to reduce the theft of assets. *a. True b. False
21. The general ledger function receives the AP account summary from cash disbursements. a. True *b. False
22. The warehouse is responsible for updating the inventory subsidiary ledger. a. True *b. False
23. The receiving report is prepared by the vendor to provide evidence that the purchase order was received. a. True *b. False
24. The accounts payable clerk is responsible for updating the AP control accounts to reflect each vendor liability. a. True *b. False
25. When goods are received, the receiving clerk sends copies of the receiving report to the inventory control clerk and the AP clerk. *a. True b. False
26. The check digit control will provide control over accessing the wrong accounts. *a. True b. False
27. The level of departmental activity is higher with an integrated purchases processing system than it is with a basic technology system. a. True *b. False
28. The purpose of the purchase requisition is to a. order goods from vendors b. record receipt of goods from vendors *c. authorize the purchasing department to order goods d. bill for goods delivered
29. The purpose of the receiving report is to a. order goods from vendors *b. record receipt of goods from vendors c. authorize the purchasing department to order goods d. bill for goods delivered
30. All of the following departments have a copy of the purchase order except a. the purchasing department b. the receiving department c. accounts payable *d. general ledger
31. The purpose of the purchase order is to *a. order goods from vendors b. record receipt of goods from vendors c. authorize the purchasing department to order goods d. approve payment for goods received
32. The open purchase order file in the purchasing department is used to determine a. the quality of items a vendor ships b. the best vendor for a specific item *c. the orders that have not been received d. the quantity of items received
33. The purchase order a. is the source document to make an entry into the accounting records *b. indicates item description, quantity, and price c. is prepared by the inventory control department d. is approved by the end-user department
34. The reason that a blind copy of the purchase order is sent to receiving is to a. inform receiving when a shipment is due *b. force a count of the items delivered c. inform receiving of the type, quantity, and price of items to be delivered d. require that the goods delivered are inspected
35. The receiving report is used to *a. accompany physical inventories to the storeroom or warehouse b. advise the purchasing department of the dollar value of the goods delivered c. advise general ledger of the accounting entry to be made d. advise the vendor that the goods arrived safely
36. When a copy of the receiving report arrives in the purchasing department, it is used to a. adjust perpetual inventory records b. record the physical transfer of inventory from receiving to the warehouse c. analyze the receiving department’s process *d. recognize the purchase order as closed
37. The financial value of a purchase is determined by reviewing the a. packing slip b. purchase requisition c. receiving report *d. supplier’s invoice
38. Which document is least important in determining the financial value of a purchase? *a. purchase requisition b. purchase order c. receiving report d. supplier’s invoice
39. In a merchandising firm, authorization for the payment of inventory is the responsibility of a. inventory control b. purchasing *c. accounts payable d. cash disbursements
40. In a merchandising firm, authorization for the purchase of inventory is the responsibility of *a. inventory control b. purchasing c. accounts payable d. cash disbursements
41. When purchasing inventory, which document usually triggers the recording of a liability? a. purchase requisition b. purchase order c. receiving report *d. supplier’s invoice
42. Because of time delays between receiving inventory and making the journal entry *a. liabilities are usually understated b. liabilities are usually overstated c. liabilities are usually correctly stated d. liabilities are not affected
43. Usually the open voucher payable file is organized by a. vendor *b. payment due date c. purchase order number d. transaction date
44. Which of the following statements is not correct? a. The voucher system is used to improve control over cash disbursements. *b. The sum of the paid vouchers represents the voucher payable liability of the firm. c. The voucher system permits the firm to consolidate payments of several invoices on one voucher. d. Many firms replace accounts payable with a voucher payable system.
45. In the expenditure cycle, general ledger does not a. post the journal voucher from the accounts payable department b. post the account summary from inventory control *c. post the journal voucher from the purchasing department d. reconcile the inventory control account with the inventory subsidiary summary
46. The documents in a voucher packet include all of the following except *a. a check b. a purchase order c. a receiving report d. a supplier’s invoice
47. To maintain a good credit rating and to optimize cash management, cash disbursements should arrive at the vendor’s place of business a. as soon as possible b. on the due date *c. before the discount date d. by the end of the month
48. Which of the following tasks is not performed by the cash disbursement clerk? a. Review the supporting documents for completeness and accuracy. b. Prepare checks. *c. Sign checks. d. Mark the supporting documents paid.
49. When a cash disbursement in payment of an accounts payable is recorded a. the liability account is increased b. the income statement is changed c. the cash account is unchanged *d. the liability account is decreased
50. Authorization for payment of an accounts payable liability is the responsibility of a. inventory control b. purchasing *c. accounts payable d. cash disbursements
51. Of the following duties, it is most important to separate a. warehouse from stores *b. warehouse from inventory control c. accounts payable and accounts receivable d. purchasing and accounts receivable
52. In a firm with proper segregation of duties, adequate supervision is most critical in a. purchasing *b. receiving c. accounts payable d. general ledger
53. The receiving department is not responsible to a. inspect shipments received b. count items received from vendors *c. order goods from vendors d. safeguard goods until they are transferred to the warehouse
54. The major risk exposures associated with the receiving department include all of the following except a. goods are accepted without a physical count b. there is no inspection for goods damaged in shipment c. inventories are not secured on the receiving dock *d. the audit trail is destroyed
55. When searching for unrecorded liabilities at the end of an accounting period, the accountant would search all of the files except a. the purchase requisition file *b. the cash receipts file c. the purchase order file d. the receiving report file
56. In regards to the accounts payable department, which statement is not true? a. The purchase requisition shows that the transaction was authorized. *b. The purchase order proves that the purchase was required. c. The receiving report provides evidence of the physical receipt of the goods. d. The supplier’s invoice indicates the financial value of the transaction.
57. Which of the following is not a control over the risk of unauthorized inventory purchases? a. transaction authorization b. automated purchase approval *c. scanner technology d. All of the above are controls over the risk of unauthorized inventory purchases.
58. Firms can expect that proper use of a valid vendor file will result in all of the following benefits except a. Purchases from unapproved vendors will be prevented. b. Purchases from fictitious vendors will be detected. *c. The most competitive price will be obtained. d. The risk of purchasing agents receiving kickbacks and bribes will be reduced.
59. The greatest risk of theft occurs a. in the receiving department b. in the warehouse c. in the mailroom *d. both a. and b.
60. The document which will close the open purchase requisition file is the a. purchase order b. vendor invoice *c. receiving report d. payment voucher
61. Goods received are inspected and counted to a. determine that the goods are in good condition b. determine the quantity of goods received c. preclude payment for goods not received or received in poor condition *d. all of the above
62. If a company uses a standard cost system, inventory records can be updated from the a. vendor invoice b. purchase order *c. receiving report d. purchase requisition
63. If a company uses an actual cost system, inventory records can first be updated from the *a. vendor invoice b. purchase order c. receiving report d. purchase requisition
64. Copies of a purchase order are sent to all of the following except a. inventory control b. receiving *c. general ledger d. accounts payable
65. The receiving report a. is used to update the actual cost inventory ledger *b. accompanies the goods to the storeroom c. is sent to general ledger d. is returned to the vendor to acknowledge receipt of the goods
66. A copy of the purchase order (PO) is sent to the a. vendor b. accounts payable function c. receive goods function *d. all of the above
67. The cash disbursement function is a. part of accounts payable b. an independent accounting function *c. a treasury function d. none of the above
68. Which internally generated document should be compared to the supplier’s invoice to verify the price of an item? Correct Answer:
purchase order 69. Which internally generated document should be compared to the supplier’s invoice to verify the quantity being billed for? Correct Answer:
receiving report 70. Discuss three specific physical controls to mitigate the risk of inaccurate record keeping. Correct Answer:
transaction authorization – AP authorizes cash disbursements to make payment; accounting records – audit trail documents, journals, accounts, and files; independent verification – inventory control, AP, cash disbursements, and GL
71. List specific jobs that should be segregated to prevent misappropriation of cash and inventory. Correct Answer:
cash disbursements, general ledger, AP function, warehouse, inventory records 72. To provide proper authorization control for inventory, what two departments should be segregated? Correct Answer:
The inventory control department should be segregated from the purchasing department, which executes the purchase transaction.
73. Describe an internal control procedure that would prevent payment of an invoice for goods that were never delivered. Correct Answer:
Accounts payable clerk should do a three-way match, reconciling the invoice, purchase order, and receiving report before preparing an AP packet. 74. What documents are involved in a three-way match and what role does each play in this control? Correct Answer:
1. The PO, which shows that the purchasing agent ordered needed items from a valid vendor. 2. The receiving report, which is evidence of the physical receipt of goods and their condition. The reconciliation of this document with the PO signifies the obligation to pay. 3. The supplier’s invoice, which provides the financial information needed to record the AP. The AP clerk verifies the prices are reasonable based on the information on the PO.
75. Explain why supervision is so important in the receiving department. Correct Answer:
Receiving departments are sometimes hectic and cluttered, exposing incoming inventories to theft until they are secured in the warehouse. Inadequate supervision can create an environment conducive to the theft of inventories in transit.
76. Explain the role that the GL plays in reducing the risk of inaccurately recording transactions in journals and ledgers. Correct Answer:
The GL function provides an important independent verification in the system by verifying that the total obligations recorded equal the total inventories received and that the total reductions in AP equals the total disbursements of cash.
77. What are some of the risks of placing the decision of what, when, and where to buy solely at the discretion of the purchasing agent? Correct Answer:
The result can be excessive inventory for some items, which ties up cash reserves, and stock-outs for other items, which leads to lost sales and manufacturing delays. Such discretion can also lead to frauds such as kickbacks to purchasing agents from unapproved suppliers who overcharge for their inventory.
78. What are the major differences between a basic technology purchasing system and an integrated purchases processing system? Correct Answer:
The level of departmental activity is significantly lower in an integrated system. Computer programs perform many clerical tasks. This arrangement is cheaper and less prone to error. Personnel responsibilities are refocused on financial analysis and exception-based problem solving, resulting in smaller and more efficient departments.
79. Why should the copy of a purchase order, which is sent to receiving, be a “blind” copy? Correct Answer:
The blind copy forces workers in receiving to count and inspect the goods received.
80. What is the purpose of maintaining a valid vendor file? Correct Answer:
Inventories should only be acquired from valid vendors. This control procedure helps to deter the purchasing agent from buying inventories at excessive costs and receiving kickbacks or from buying from an entity with which the purchasing agent has a relationship, such as a relative or a friend.
81. An objective of segregation of duties is to structure the organization so that the perpetration of a fraud requires collusion between two or more individuals. What must a company do to achieve this objective? Why? Correct Answer:
Certain record-keeping tasks—subsidiary ledgers (AP and inventory), journals (purchases and cash disbursements), and the GL—should be separately maintained. An individual with total record-keeping responsibility, in collusion with someone with asset custody, is in a position to perpetrate a fraud.
82. What function or department typically initiates a purchase in a merchandising business? Correct Answer:
The inventory control function provides purchase authorization for merchandising firms.
83. Where is access control exercised in the purchasing/cash disbursement functions? Correct Answer:
A firm must limit access to documents that control physical assets—purchase requisitions, purchase orders and receiving reports—to help prevent fraudulent transactions and payments.
84. Explain why a three-way match may not be required for transactions covered by a trading partner agreement. Correct Answer:
Under a trading partner agreement, the parties contractually agree to terms of trade such as price, quantities to be shipped, discounts, and lead times. With these sources of potential discrepancy eliminated, financial information about purchases is known in advance and the vendor’s invoice provides no critical information that cannot be derived from the receiving report. Thus, a three-way match is unnecessary.
85. Name the key tasks associated with purchases procedures. Correct Answer:
Purchases procedures include the tasks of identifying inventory needs, placing the order, receiving the inventory, and recognizing the liability.
86. What is the purpose of the purchase requisition? Correct Answer:
When inventories drop to a predetermined reorder point, a purchase requisition is prepared and sent to the purchasing function to initiate the purchase process. While procedures will vary from firm to firm, typically a separate purchase requisition will be prepared for each inventory item as the need is recognized.
87. What is the purpose of the purchase order? Correct Answer:
The purchasing function receives the purchase requisitions and sorts them by vendor. Next, a purchase order (PO), comprising one or many purchase requisitions, is prepared for each vendor. These documents are then sent to their respective vendors to initiate the order process with the vendor.
88. What is a blind copy of a purchase order and what is its purpose? Correct Answer:
A blind copy of the PO contains no quantity or price information about the products being received. The purpose of the blind copy is to force the receiving clerk to count and inspect inventories prior to completing the receiving report.
89. What is the purpose of a receiving report? How are copies of the report distributed? Correct Answer:
Upon completion of the physical count and inspection of the items received, the receiving clerk prepares a receiving report stating the quantity and condition of the inventories. One copy of the receiving report accompanies the physical inventories to either the raw materials storeroom or finished goods warehouse for safekeeping. Another copy is filed in the open/closed PO file to close out the PO. A third copy is sent to the AP department, where it is filed in the AP pending file. A fourth copy is sent to inventory control for updating the inventory records. Finally, a copy of the receiving report is placed in the receiving report file.
90. What is the purpose of the supplier’s invoice? Correct Answer:
The supplier’s invoice triggers the three-way match and the AP recognition process. During the course of the transaction, the AP department has received and temporarily filed copies of the PO and receiving report. The organization has received inventories from the vendor and has realized an obligation to pay for them. The firm has not, however, received the supplier’s invoice which contains financial information needed to record the transaction. The firm will thus defer recording (recognizing) the liability until the invoice arrives.
91. What is the principal objective of the cash disbursement system? Correct Answer:
The principal objective of this system is to ensure that timely and accurate payments are made to only valid creditors. If the system makes payments early, the firm forgoes interest income that it could have earned on the funds. If obligations are paid late, however, the firm will lose purchase discounts or may damage its credit standing.
92. What are the six classes of physical internal controls? What is the purpose of these controls? Correct Answer:
The six classes of physical internal controls are: transaction authorization, segregation of duties, supervision, accounting records, access controls, and independent verification. Their purpose is to control the actions of people.
93. What is an AP packet? Correct Answer:
The AP packet consists of the supporting documents (PO, receiving report, and invoice). Once reconciled, the AP packet is the formal authority to record the liability and subsequently make payment.
94. Identify three IT controls in the expenditure cycle. Correct Answer:
Error messages, passwords, file backup.
95. What is the objective of automated purchase approval? Correct Answer:
The objective is to prevent unauthorized purchases from unapproved vendors. Computer logic, not a human being, decides what to buy, when to buy it, and where it is bought from.
96. Differentiate between a purchase requisition and a purchase order. Correct Answer:
A purchase requisition is completed by the inventory control department when a need for inventory items is detected. Purchase requisitions for office supplies and other materials may also be completed by staff departments such as marketing, finance, accounting, and personnel. The purchasing department receives the purchase requisitions, and if necessary, determines the appropriate vendor. If various departments have requisitioned the same items, the purchasing department may consolidate all requests into one order so that any quantity discounts and lower freight charges may be utilized. In any case, the purchasing department prepares the purchase order, which is sent to the vendor, accounts payable department, and the receiving department (blind copy). The vendor uses the PO to fulfill the order request.
97. Assuming the organization uses the perpetual inventory method, what general ledger journal entries are triggered by the purchases system? From which departments do these journal entries arise? Correct Answer:
(Accounts Payable)
Inventory Control    Debit
Accounts Payable     Credit
(Cash Disbursements)
Accounts Payable     Debit
Cash                 Credit
98. The Soap Manufacturing Company has three employees who work in the warehouse. All of the warehouse workers are authorized to order inventory when it falls below the reorder level. The workers complete a purchase order and mail it to the supplier of their choice. The inventory is delivered directly to the warehouse. The workers send a memo to accounts payable reporting the receipt of inventory. Accounts payable compares the warehouse memo to the supplier’s invoice. Accounts payable prepares a check which the treasurer signs.
Discuss potential internal control risks inherent in this system. Correct Answer:
Placing this much authority in the hands of the warehouse workers can result in inappropriate inventory levels—too much inventory ties up cash reserves, too little can lead to manufacturing delays or lost sales. Such worker empowerment facilitates frauds (such as kickbacks from unapproved suppliers) or fraudulent transactions (because workers both perform record-keeping and have physical custody of the assets). Warehouse workers should prepare a purchase requisition and send it to purchasing to prepare the PO.
Inventory should be delivered to the receiving department where a receiving report is prepared using a blind copy of the original PO.
Accounts payable should receive a copy of the purchase requisition, PO, and receiving report and compare them to the supplier invoice. Cash disbursements, not AP, should prepare the check.
99. Explain how a voucher payable system works. How is the balance of AP determined? Correct Answer:
In place of a standard accounts payable system, many firms use a voucher payable system. The AP department prepares cash disbursement vouchers which are recorded in a voucher register. After a clerk performs the three-way match, a cash disbursement voucher is prepared to approve payment. Vouchers provide improved control over cash disbursements and allow firms to consolidate several payments to the same supplier on a single invoice, reducing the number of checks written. The sum of all unpaid vouchers is the AP balance.
100. Discuss the steps taken in the purchasing department in a basic technology expenditure cycle. Correct Answer:
The purchasing department receives purchase requisitions, sorts them by vendor, and adds a record to the digital open purchase order file. The clerk prints a multipart PO for each vendor. Copies are sent to the vendor, inventory control, and AP. A blind copy is sent to the receiving department. The clerk files the last copy along with the purchase requisition in the department.
101. What are the steps taken in the basic technology cash disbursement system? Correct Answer:
Each day the AP clerk reviews the AP packets in the open AP file for items due and sends the supporting documents to the cash disbursements department. Cash disbursements reviews the documents for completeness and accuracy and prepares a three-part check, recording the check number, dollar amount and other pertinent data in the check register.
The check and supporting documents go to the cash disbursements manager or treasurer for signature. The negotiable portion of the check is mailed to the supplier. The clerk returns the AP packet and check copy to AP and files the other copy of the check. Entries made to the check register are summarized and sent to the GL department as a journal voucher.
The AP clerk removes the liability by debiting the vendor’s digital AP subsidiary record, files the AP packet, and sends an AP summary to GL.
Based on documents received from cash disbursements and AP, the GL clerk posts to the control account and files the documents.
102. What are steps taken in the receiving department under a basic technology expenditure cycle? Correct Answer:
The receiving department clerk receives the goods and packing slip from the vendor and reconciles the goods with the blind copy of the PO. Upon completion, the clerk adds a digital record to the receiving report file and prints a multipart hard copy report stating the quantity and condition of the inventories. One copy of the receiving report accompanies the goods to the storeroom. The blind copy and packing slip are filed in the receiving department. The other copies of the receiving report are sent to the purchasing department, inventory control, and the AP department.
103. Discuss the input data edits that are programmed into a system to minimize the risk of errors. Correct Answer:
Controls—including checks for missing data, numeric-alphabetic data, and invalid data values—will reduce the risk of undetected data entry errors by AP, inventory control, receiving, and cash disbursement clerks. Check digit control will provide control over accessing the wrong accounts.
104. Why do companies devote resources to a purchasing department? Could not individual departments make their own purchases more efficiently? Correct Answer:
The purchasing function is extremely important to a business. The members of the department work closely with suppliers to assure that the goods ordered are appropriately selected, priced, and delivered. One of the tasks of purchasing is to monitor the performance of vendors and maintain an approved vendor list. After a requesting department submits a purchase requisition, purchasing prepares a purchase order. Hence the authorization occurs outside of purchasing and separate from the processing of the purchase. Significant separation of duties is built into this system: the same party cannot authorize and initiate the transaction. Purchasing employees cannot initiate a purchase, thus reducing the possibility of vendors trying to influence the purchasing staff for favorable treatment.
105. What are the key authorization issues in purchasing and cash disbursements? Correct Answer:
Inventory control monitors inventory and authorizes restocking with a purchase requisition. Purchasing acts on the purchase requisition; it does not initiate the process. Accounts payable authorizes the cash disbursement. The cash disbursement function cannot produce checks on its own without authorization from accounts payable.
106. Identify six classes of physical controls employed in the expenditure cycle and give one example of each. Correct Answer:
1. Transaction Authorization
   a. When inventory levels drop to their predetermined reorder points, inventory control formally authorizes replenishment with a purchase requisition.
   b. The AP function authorizes cash disbursements via the AP packet. To provide effective control over the flow of cash from the firm, the cash disbursement function should not write checks without this explicit authorization.
2. Segregation of Duties
   a. Segregation of inventory control from the warehouse. Inventory control keeps the detailed records of the asset, while the warehouse (stores) has asset custody.
   b. Segregation of accounts payable from cash disbursements. An individual with responsibilities for establishing accounts payable and writing checks in payment of accounts payable could perpetrate a fraud.
3. Supervision
   a. Critical in the receiving department to ensure that receiving reports are completed correctly and that goods are physically counted and inspected.
   b. Supervision is also important to prevent theft from the time goods are received until they are secured in the warehouse.
4. Accounting Records
   a. The control objective of accounting records is to maintain an audit trail adequate for tracing a transaction from its source document to the financial statements. The expenditure cycle employs the following accounting records: AP subsidiary ledger, check register, and general ledger.
5. Access Controls
   a. A firm must limit access to documents that control its physical assets.
6. Independent Verification
   a. The receiving department verifies that goods received are correct in type and quantity and inspects them for condition. A blind PO forces clerks to physically count and inspect the goods.
   b. The general ledger function provides an important independent verification in the system. It receives journal vouchers and summary reports from inventory control, AP, and cash disbursements. From these sources, the general ledger function verifies that the total obligations recorded equal the total inventories received and that the total reductions in AP equal the total disbursements of cash.
107. Describe two areas where segregation of duties is important in the expenditure cycle. Correct Answer:
1. Segregation of inventory control from the warehouse. Inventory control keeps the detailed records of the asset, while the warehouse (stores) has asset custody. At any point, an auditor should be able to reconcile inventory records to the physical inventory.
2. Segregation of accounts payable from cash disbursements. An individual with responsibilities for establishing accounts payable and writing checks in payment of accounts payable could perpetrate a fraud.
108. Describe how the IT controls of automated purchase approval and automated postings to subsidiary and general ledger accounts help reduce risk. What is necessary to ensure these controls function properly? Correct Answer:
The objective of automated purchase approval is to prevent unauthorized purchases from unapproved vendors. Computer logic, not humans, makes the purchase decisions based on purchase requisitions and the valid vendor file. Proper functioning of this control depends on adequate procedures for identifying vendors and placing them on the valid vendor list. Automated postings eliminate the human element, reducing the possibility of errors and fraud. A computer application, which is not subject to situational pressures or ethical standards, decides which accounts to update and by how much. Since these are labor-intensive activities, automation greatly improves efficiency. These benefits depend upon the proper functioning of the computer application performing the tasks. The system development and program change process is critical to ensuring proper operation of the system.
109. Describe four tasks the purchases computer application performs automatically in the integrated purchases processing system. Correct Answer:
1. The system reads the purchases requisition file for items that need to be replenished. The requisitions are then sorted by the vendor and matched against the valid vendor file for vendor address and contact information. 2. Hardcopy purchase orders are prepared and sent to the vendor. 3. A record is added to the open PO file. 4. A digital transaction listing of POs is created, which is downloaded by the purchasing agent, reviewed, and filed in the department.
110. Describe four tasks the receiving computer application performs automatically in the integrated purchases processing system. Correct Answer:
1. A record is added to the receiving report file. 2. Quantities of items received are matched against the open PO record, and the PO is closed by placing the receiving report number in the PO closed flag. 3. The inventory subsidiary records are updated to reflect the receipt of the inventory items. 4. The general ledger inventory control account is updated.
111. Describe four tasks the accounts payable department computer application performs automatically in the integrated purchases processing system. Correct Answer:
1. Using the PO number as a common attribute, the system links the vendor invoice to the associated purchase order and receiving report records. 2. The system reconciles the supporting documents and creates a virtual AP packet to authorize payment. 3. The system displays the virtual AP packet on the AP clerk’s computer screen for review. 4. Assuming no discrepancies that demand the AP clerk’s intervention, the system automatically approves payment and sets a payment due date.
112. Describe the five procedures that are performed on items that are due in the integrated cash disbursements system. Correct Answer:
1. Checks are automatically printed, signed, and distributed to the mail room for mailing to vendors. Checks above a preset materiality threshold will receive additional signatures prior to being mailed. 2. The payments are automatically recorded in the check register file. 3. Vendor invoices are closed by placing the check number in the closed flag field. 4. The general ledger AP control and cash accounts are updated. 5. Reports detailing these transactions are transmitted via a terminal to the AP and cash disbursements departments for management review and filing.
Chapter 6
1. Time cards are used by cost accounting to allocate direct labor charges to work in process. a. True *b. False
2. The personnel department authorizes changes in employee pay rates. *a. True b. False
3. Most small organizations integrate payroll processing with the human resource management (HRM) system. a. True *b. False
4. To improve internal control, paychecks should be distributed by the employee’s supervisor. a. True *b. False
5. Employee paychecks should be drawn against a special checking account. *a. True b. False
6. Because a time clock is used, no supervision is required when employees enter and leave the work place. a. True *b. False
7. Inventory control performs the formal record keeping function for fixed assets. a. True *b. False
8. The depreciation schedule shows when assets are fully depreciated. *a. True b. False
9. Authorization to dispose of fixed assets should be issued by the user of the asset. a. True *b. False
10. Work-in-process records are updated by payroll personnel. a. True *b. False
11. Ideally, payroll checks are written on a special bank account used only for payroll. *a. True b. False
12. The supervisor is the best person to determine the existence of a “phantom employee” and should distribute paychecks. a. True *b. False
13. Payroll processing can be automated easily because accounting for payroll is very simple. a. True *b. False
14. Timekeeping is part of the personnel function. a. True *b. False
15. Fixed asset accounting systems include cost allocation and matching procedures that are not part of routine expenditure systems. *a. True b. False
16. Asset maintenance involves only the recording of depreciation charges. Physical improvements are always expensed. a. True *b. False
17. Fixed asset systems must keep track of the physical location of each asset to promote accountability. *a. True b. False
18. Time cards capture the total time an individual worker spends on each production job. a. True *b. False
19. Accounting conventions and IRS rules sometimes specify the depreciation parameters to be used. *a. True b. False
20. The fixed asset disposal report authorizes the user department to dispose of a fixed asset. a. True *b. False
21. Work centers provide the personnel action form, which triggers the payroll process. a. True *b. False
22. The payroll department is responsible for both updating the employee records and writing paychecks. *a. True b. False
23. The paymaster distributes paychecks to work center supervisors. a. True *b. False
24. Inventory control authorizes fixed asset purchases with a purchase requisition. a. True *b. False
25. When fixed assets are received, the receiving clerk sends copies of the receiving report to the inventory control clerk and the AP clerk. a. True *b. False
26. The document that captures the total amount of time that individual workers spend on each production job is called a a. time card *b. job ticket c. personnel action form d. labor distribution form
27. An important reconciliation in the payroll system is *a. general ledger compares the labor distribution summary from cost accounting to the disbursement voucher from accounts payable b. personnel compare the number of employees authorized to receive a paycheck to the number of paychecks prepared c. production compares the number of hours reported on job tickets to the number of hours reported on time cards d. payroll compares the labor distribution summary to the hours reported on time cards
28. Which internal control is not an important part of the payroll system? a. Supervisors verify the accuracy of employee time cards. b. Paychecks are distributed by an independent paymaster. *c. Accounts payable verifies the accuracy of the payroll register before transferring payroll funds to the general checking account. d. General ledger reconciles the labor distribution summary and the payroll disbursement voucher.
29. Which transaction is not processed in the fixed asset system? a. purchase of building b. improvement of equipment *c. purchase of raw materials d. sale of company van
30. Depreciation a. is calculated by the department that uses the fixed asset *b. allocates the cost of the asset over its useful life c. is recorded weekly d. results in book value approximating fair market value
31. Depreciation records include all of the following information about fixed assets except *a. the economic benefit of purchasing the asset b. the cost of the asset c. the depreciation method being used d. the location of the asset
32. Which control is not a part of the fixed asset system? a. formal analysis of the purchase request b. review of the assumptions used in the capital budgeting model *c. development of an economic order quantity model d. estimates of anticipated cost savings
33. Objectives of the fixed asset system do not include a. authorizing the acquisition of fixed assets b. recording depreciation expense c. computing gain and/or loss on disposal of fixed assets *d. maintaining a record of the fair market value of all fixed assets
34. Which of the following is not a characteristic of the fixed asset system? *a. Acquisitions are routine transactions requiring general authorization. b. Retirements are reported on an authorized disposal report form. c. Acquisition cost is allocated over the expected life of the asset. d. Transfer of fixed assets among departments is recorded in the fixed asset subsidiary ledger.
35. In the payroll subsystem, which function should distribute paychecks? a. personnel b. timekeeping *c. paymaster d. payroll
36. Where does the responsibility lie for reconciling the labor distribution summary and the payroll disbursement voucher? a. cash disbursements b. cost accounting c. personnel *d. general ledger
37. Which of the following statements is not true? a. Routine payroll processing begins with the submission of time cards. *b. Payroll clerks must verify the hours reported on the time cards. c. Payroll reconciles personnel action forms with time cards and prepares paychecks. d. Cash disbursements signs paychecks and forwards them to the paymaster for distribution.
38. In a manufacturing firm, employees use time cards and job tickets. Which of the following statements is not correct? a. Job tickets are prepared by employees for each job worked on, so an employee may have more than one job ticket on a given day. b. An individual employee will have only one time card. c. The time reported on job tickets should reconcile with the time reported on time cards. *d. Paychecks should be prepared from the job tickets.
39. Which department is responsible for approving changes in pay rates for employees? a. payroll b. treasurer *c. personnel d. cash disbursements
40. Which of the following situations represents an internal control weakness? a. Timekeeping is independent of the payroll department. *b. Paychecks are distributed by the employees’ immediate supervisor. c. Time cards are reconciled with job tickets. d. Personnel is responsible for updating employee records, including creation of records for new hires.
41. Why would an organization require the paymaster to deliver all unclaimed paychecks to the internal audit department? *a. to detect a “phantom employee” for whom a check was produced b. to prevent an absent employee’s check from being lost c. to avoid paying absent employees for payday d. to prevent the paymaster from cashing unclaimed checks
42. Which of the following is not a reasonable control for fixed assets? a. Proper authorization is required for acquisition and disposal of fixed assets. b. Fixed asset records show the location of each asset. *c. Fully depreciated assets are immediately disposed of. d. Depreciation policies are in writing.
43. Cost accounting updates work-in-process accounts from a. time cards b. the labor distribution summary *c. job tickets d. personnel action forms
44. Payroll uses time card data to do all of the following except a. prepare the payroll register b. update employee payroll records *c. prepare the labor distribution summary d. prepare paychecks
45. Payroll checks are typically drawn on a. the regular checking account *b. a payroll imprest account c. a wages payable account d. petty cash
46. The personnel action form provides authorization control by a. preventing paychecks for terminated employees b. verifying pay rates for employees c. informing payroll of new hires *d. all of the above
47. Accounting records that provide the audit trail for payroll include all of the following except a. time cards b. job tickets c. payroll register *d. accounts payable register
48. Personnel action forms are used to do all of the following except a. activate new employees b. terminate employees *c. record hours worked d. change pay rates
49. The payroll department performs all of the following except a. prepares the payroll register *b. distributes paychecks c. updates employee payroll records d. prepares paychecks
50. The document that records the total amount of time spent on a production job is the a. time card b. job ticket *c. labor distribution summary d. personnel action form
51. A control technique that can reduce the risk of a terminated employee being paid is a. a security camera viewing the time clock b. the supervisor taking attendance during the shift *c. paychecks being distributed by an independent paymaster d. reconciliation of time cards and job tickets
52. Accounts payable a. signs paychecks *b. prepares the payroll voucher c. reconciles time cards and employee records d. distributes paychecks to employees
53. All of the following are processed by the fixed asset system except a. sale of unneeded equipment *b. purchase of raw materials c. repair of production equipment d. purchase of a new plant
54. The fixed asset system performs all of the following except *a. determines the need for new assets b. maintains depreciation records c. records retirement and disposal of assets d. tracks the physical location of fixed assets
55. The payroll department performs all of the following except a. prepares paychecks *b. transfers adequate funds to the payroll imprest account c. updates employee payroll records d. prepares the payroll register
56. Depreciation a. assures that assets are reported at fair market value b. is discretionary for many firms *c. allocates the cost of an asset over its useful life d. is the responsibility of the department using the asset
57. The fixed asset system is similar to the expenditure cycle except a. fixed asset transactions are non-routine and require special authorization and controls b. fixed assets are capitalized, not expensed *c. both a and b d. none of the above
58. Asset maintenance involves a. the recording of periodic depreciation b. adjusting the asset records to reflect the cost of physical improvements c. keeping track of the physical location of the assets *d. all of the above
59. The fixed asset system does all of the following except a. records acquisition of assets b. records improvements to assets *c. estimates the fair market value of assets in service d. records the disposal of assets
60. Asset disposal a. occurs as soon as an asset is fully depreciated b. requires no special authorization c. automatically initiates the purchase of a replacement asset *d. must follow formal authorization procedures
61. Which of the following uses fingerprint or hand-vein scan technology to produce the time and attendance file? *a. Biometric time clocks b. Magnetic swipe ID cards c. Mobile remote devices d. Proximity cards
62. Which of the following works like a credit card with the time clock? a. Biometric time clocks *b. Magnetic swipe ID cards c. Mobile remote devices d. Proximity cards
63. Which of the following works through wallets, purses and card holders? a. Biometric time clocks b. Magnetic swipe ID cards c. Mobile remote devices *d. Proximity cards
64. Which of the following is popular among businesses with employees in the field who travel between clients and companies with foreign-based employees? a. Biometric time clocks b. Magnetic swipe ID cards *c. Mobile remote devices d. Proximity cards
65. Which of the following is not an input control to reduce the risks of data entry errors and payroll fraud for a company with a mobile or distributed work force? a. limit tests that detect excessive hours b. check digits that detect transcription errors in employee identification c. biometric scanners, swipe cards, and PINs *d. multilevel security that achieves segregation of duties
66. Describe an internal control procedure that would prevent an employee from punching the time clock for another, absent employee. Correct Answer:
supervision of the time clock at the start of the shift
67. Why should the employee’s supervisor not distribute paychecks? Correct Answer:
A form of payroll fraud involves a supervisor submitting fraudulent time cards for nonexistent employees. The resulting paychecks, when returned to the supervisor, are then cashed by the supervisor.
68. Describe an internal control procedure that would prevent a supervisor from stealing the unclaimed paychecks of employees who have been terminated. Correct Answer:
This type of fraud can be reduced or eliminated by using a paymaster to distribute paychecks to employees in person. Any uncollected paychecks are then returned to payroll. Also, mail final paychecks to terminated employees.
69. Why should employee paychecks be drawn against a special checking account? Correct Answer:
A separate imprest account is established for the exact amount of the payroll based on the payroll summary. When the paychecks are cashed, this account should clear, leaving a zero balance. Any errors in checks (additional checks or abnormal amounts) would result in a non-zero balance in the imprest account and/or some paycheck would not clear. This will alert management to the problem so corrective action can be taken.
70. Why should employees clocking on and off the job be supervised? Correct Answer:
A form of payroll fraud involves employees clocking the time cards of absent employees. By supervising the clocking in and out process, this fraud can be reduced or eliminated.
71. What is a personnel action form? Correct Answer:
The personnel action form provides the payroll department with a list of currently active employees, so that any submission of time cards by supervisors for fictitious or ex-employees will not be processed.
72. In a manufacturing firm, employees typically fill out two different documents regarding their time worked. What are they? Why are there two? Correct Answer:
The two documents are the time card and the job ticket. Two are required because the time card records all the time worked by an employee during the period while the job ticket details the time by project or job.
73. List two types of authorization required in the fixed asset system. Correct Answer:
authorization to purchase the asset and to dispose of the asset
74. List four types of data that appear on a depreciation schedule. Correct Answer:
item description, depreciation method, useful life, date acquired, cost, salvage value, accumulated depreciation, depreciation expense per period, book value
75. Which documents prompt the fixed asset department to create a fixed asset record? Correct Answer:
the receiving report and the cash disbursement voucher
76. Describe an internal control that would prevent an employee from stealing a computer and then reporting it as scrapped. Correct Answer:
Supervisors must authorize the disposal of the computer. Unless so authorized, the record will continue to show that the employee is responsible for the computer.
77. Describe an internal control that would prevent the payment of insurance premiums on an automobile that is no longer owned by the company. Correct Answer:
Perform an annual physical inventory of fixed assets and adjust the records to reflect assets no longer on hand. Prepare reports about the disposal of assets.
78. Describe an internal control that would prevent the charging of depreciation expense to the maintenance department for a sweeper that is now located in and used by the engineering department. Correct Answer:
Prepare reports about the transfer of fixed assets. Perform an annual physical inventory and note the location of assets. Budget and then hold each department accountable for depreciation expense for assets located in each department.
79. Describe an internal control that would prevent the acquisition of office equipment which is not needed by the firm. Correct Answer:
A higher organizational level or other appropriate person authorizes fixed asset acquisitions; part of the authorization is showing that a need for the asset exists.
80. What negative consequences can result from miscalculated depreciation? Correct Answer:
Miscalculated depreciation can result in the material misstatement of operating expenses, reported earnings, and asset values. It may result in premature disposal of otherwise serviceable assets.
81. Explain the purpose of each of the following documents used in the payroll system: the personnel action form, the job ticket, the time card. Correct Answer:
The personnel action form is a document that identifies employees who should receive a paycheck; reflects changes in pay rates, payroll deductions, and job classifications. The job ticket collects information on the time individual workers spend on each production job. The time card captures the total time that an employee is at work.
82. How do fixed asset systems differ from the expenditure cycle? Correct Answer:
The fixed asset system processes non-routine transactions for a wider group of users in the organization than the expenditure cycle. Further, the expenditure cycle processes routine acquisitions of raw materials inventories for the production function and finished goods inventories for the sales function. The expenditure cycle transactions are often automatically approved by the system, while fixed asset transaction approvals typically demand individual attention due to the uniqueness of the transactions.
83. What is recorded by the asset maintenance part of the fixed asset system? Correct Answer:
periodic depreciation following an approved depreciation schedule and physical improvements to the asset to increase the subsidiary account and to adjust the depreciation schedule
84. How are the following carried out in the fixed asset system: authorization, supervision, independent verification? Correct Answer:
Independent authorization is required to acquire an asset and to formalize the depreciation schedule. Supervision must be exercised over the physical assets. Independent verification must confirm the location, existence, and condition of the assets.
85. Which department authorizes changes to employee pay rates? Correct Answer:
The personnel department via the personnel action form
86. Erroneous data in the payroll system can corrupt WIP, employee records, and the payroll register. What edit controls will minimize this risk? Correct Answer:
1. Controls including checks for missing data, numeric-alphabetic data, and invalid data values will reduce the risk of undetected data entry errors by clerks in the cost accounting, personnel, payroll, accounts payable, and cash disbursements departments.
2. Check digit control will provide control over accessing the wrong employee records by payroll and personnel clerks.
87. Describe three process controls that pertain to payroll application logic. Correct Answer:
1. Error messages. Any mismatch when posting time card or personnel action data to employee records should produce an error message to the computer operator.
2. Passwords. Password control should be implemented on department computers to reduce the risk of unauthorized access to payroll files. The system logic should require, and prompt, users to change passwords periodically. Only strong passwords consisting of six to eight alphabetic and numeric characters should be accepted.
3. File Backup. Backup procedures need to be in place to reduce the risk of data loss due to file destruction and/or corruption.
88. The Golf Club Company makes custom golf clubs. The manufacturing supervisor interviews people who have specialized manufacturing skills, and then informs payroll when an employee is hired. The employees use a time clock to record the hours they work. The employees are also required to keep a record of the time they spend working on each order. The supervisor approves all time cards. The accountant analyzes the job tickets and prepares a labor distribution summary. Payroll prepares the payroll register and paychecks. The supervisor distributes the paychecks to the employees. Payroll informs cash disbursement of the funds required to cover the entire payroll amount. The cash disbursements clerk ensures that there are adequate funds in the company’s regular checking account to cover the payroll.
Describe at least three internal control weaknesses; for each weakness suggest an improvement to internal control. Correct Answer:
Weakness: The supervisor could be creating fictitious employees. The supervisor has too many incompatible duties; he/she hires workers, approves the time cards, and distributes the paychecks. Improvement: Segregate duties. Personnel should hire employees and a paymaster should distribute paychecks.
Weakness: Employees could be paid for time they do not work; a co-worker could record an absent worker as present (punch the time clock). Improvement: Supervise the time clock. Reconcile time cards and job time tickets.
Weakness: Payroll has authorization and transaction processing responsibilities. Payroll is authorizing the disbursement to fund the entire payroll. Accounts payable is not part of the system. Improvement: Segregate duties; accounts payable should verify the accuracy of the payroll register and create a disbursement voucher.
Weakness: Payroll is funded through the general checking account. Improvement: Paychecks should be written on a separate payroll account.
89. Explain the integration of payroll with the human resource management (HRM) system that often happens in moderate- and large-sized organizations. Correct Answer:
The HRM system captures and processes a wide range of personnel-related data, including employee benefits, labor resource planning, employee relations, employee skills, internal training, personnel actions (pay rates, deductions and so on), and payroll processing. HRM systems provide real-time access to personnel files for purposes of direct inquiries and making changes in employee status as they occur. Human resources clerks enter data into the employee record file in real time from terminals.
90. Three major tasks are handled by the fixed asset system. What is the purpose of each? What special control issues affect each? Correct Answer:
Asset acquisition handles the steps leading to the acquisition of new fixed assets: recognition of need, authorization and approval, possible capital investment analysis, and selection of supplier. Because of the value of fixed assets, special approvals are needed.
Asset maintenance involves adjusting the subsidiary account balances for depreciation, improvements, and tracking location. Control involves accountability by keeping track of the physical location of each asset.
Asset disposal handles the removal of assets from the subsidiary ledger when the asset is taken out of service. This requires special approval and preparation of a disposal report.
91. The Baccus Corp. manufactures medical equipment. This is a capital-intensive industry and investments in fixed assets exceed $5 million a year. The minimum cost for production equipment is $75,000. When supervisors want new production machinery, they contact the plant manager. The plant manager approves or denies the request based on discussions with the production supervisor, the repair and maintenance supervisor, and the quality control supervisor. A purchase order is prepared by the purchasing department and sent to one of the three major suppliers of production machinery for medical equipment. The equipment is delivered immediately to the production floor and put into service. At the end of the month, the production supervisor informs the general ledger clerk about the receipt of the machinery. The general ledger clerk establishes an asset record for the machine. At the end of the year, the general ledger clerk computes straight-line depreciation based on a 10-year life with a 10 percent salvage value. Depreciation expense is recorded as a direct reduction of the asset cost.
The repair department performs routine maintenance on all of the production equipment. Occasionally the repair department rebuilds a machine to extend its useful life. All of the costs associated with the repair department are charged to manufacturing overhead. When a machine becomes obsolete, production employees move it to a corner of the factory floor and break it down so that parts can be used in other machines. Production employees routinely remove parts for personal use. Some smaller machines have disappeared completely from the factory floor.
The general ledger clerk takes a physical inventory every three years. About 75 percent of the fixed assets can be located and identified. Other assets have serial numbers that are inaccessible, so the item cannot be matched to a fixed asset record. Some fixed asset records cannot be traced to an actual item. Several machines that have been scrapped and are being used for spare parts were matched to fixed asset records. At the last inventory, the general ledger clerk did not make any adjustments to the fixed asset records, explaining that 75 percent accuracy in the fixed asset physical inventory was excellent.
Describe five internal control weaknesses and explain how to correct them. Correct Answer:
Weakness: There is no written documentation of the approval for purchase. Improvement: Fixed asset acquisitions should be formal and explicitly authorized. Each transaction should be initiated by a written request from the user or department. For high-value items, the authorization process should include a formal cost-benefit analysis and the solicitation of bids from suppliers.
Weakness: Fixed assets are delivered directly to the factory floor. Improvement: All purchases should go through the receiving department before delivery.
Weakness: The production supervisor notifies the general ledger clerk about the receipt of fixed assets. Improvement: The receiving department should send a copy of the receiving report to the fixed asset department.
Weakness: The general ledger clerk is maintaining fixed asset records. Improvement: The fixed asset department should maintain fixed asset records.
Weakness: Depreciation is computed using a standard method, asset life, and salvage value. Improvement: The method of depreciation used should reflect, as closely as possible, the asset’s actual decline in utility. The internal auditor should also review and verify the depreciation periodically.
Weakness: Depreciation is recorded as a direct reduction of the asset cost. Improvement: Depreciation should be recorded in an accumulated depreciation account for each asset.
Weakness: Costs to rebuild a machine are charged to manufacturing overhead. Improvement: Physical improvements that increase an asset’s value or extend its useful life should be treated as new asset acquisitions (an adjustment to the asset account).
Weakness: There is no authorization to scrap an obsolete machine. Improvement: Obtain written authorization from management before a machine is scrapped.
Weakness: Employees remove equipment and equipment parts from the premises without authorization. Improvement: Employees should receive explicit approval from a supervisor before removing parts or equipment from the factory.
Weakness: The general ledger clerk is conducting the physical inventory and maintaining the record keeping. Improvement: The internal auditor, not the general ledger clerk, should be taking the physical inventory count. Also, the physical count should occur more frequently.
Weakness: Fixed assets cannot be matched with records. Improvement: Apply easily accessible labels to identify fixed assets.
Weakness: Fixed assets cannot be located and are not removed from the books. Improvement: Fixed assets that cannot be located must be removed from the fixed asset records.
Weakness: Fixed assets that are scrapped remain on the books. Improvement: Assets that are scrapped should be removed from the fixed asset records.
Weakness: The clerk regards 75% accuracy as excellent. Improvement: Acceptance of 75% accuracy is poor. Any variation should be investigated and records updated. This should be done by the internal auditor.
92. Discuss outsourcing the payroll function. What are the advantages and risks? Correct Answer:
Many organizations outsource their payroll function by transferring all payroll processing tasks to a third-party provider. The service provider performs all the payroll functions and may receive data either from the firm or directly from the workers. The service provider must have access to sensitive internal information such as Social Security numbers and bank account information. The primary advantage of outsourcing is cost savings. The client organization avoids the salaries and benefit cost of an in-house payroll department, as well as continuing education required to keep up with ever-changing payroll laws.
The risks are significant. An outside organization will have access to confidential employee data and the client firm’s financial resources. The service provider may have poor internal controls or act incompetently, which could result in material errors or fraud. Outsourcing payroll does not relieve the client organization of its responsibility for implementing adequate internal controls.
93. Discuss the fundamental risk and control issues associated with fixed assets that are different from raw materials and finished goods. Correct Answer:
Authorization Controls. Because fixed assets are requested and employed by end-users, asset acquisitions should be formal and explicitly authorized. Each transaction should be initiated by a written request from the user or department. In the case of high-value items, there should be an independent approval process that evaluates the merits of the request.
Supervision Controls. Because capital assets are widely distributed around the organization, they are more susceptible to theft and misappropriation than inventories that are secured in a warehouse. Therefore, management supervision is an important element in the physical security of fixed assets. Supervisors must ensure that fixed assets are being used in accordance with the organization’s policies and business practices. Assets should not be removed from company premises without explicit approval.
Independent Verification Controls.
1. Periodically, the internal auditor should review the asset acquisition and approval procedures to determine the reasonableness of factors including: the useful life of the asset, the original financial cost, proposed cost savings as a result of acquiring the asset, the discount rate used, and the capital budgeting method used in the analysis.
2. The internal auditor should verify the location, condition, and fair value of the organization’s fixed assets against the fixed asset records in the subsidiary ledger.
3. The depreciation charges calculated by the fixed asset system should be reviewed and verified for accuracy and completeness. Miscalculated depreciation can result in the material misstatement of operating expenses, reported earnings, and asset values, and may result in the premature disposal of otherwise serviceable assets.
94. Outline the key steps taken in a basic technology payroll system when preparing the weekly payroll for a manufacturing firm. Correct Answer:
Personnel action and time and attendance information from the personnel and production departments, respectively, initiate the payroll process. The payroll department reconciles this information, calculates the payroll, and sends the paychecks to the paymaster for distribution to employees.
Cost accounting receives information regarding the time spent on each job from production. This is used for posting to accounts in the WIP subsidiary ledger.
AP receives payroll summary information (payroll register) from the payroll department and authorizes the cash disbursements department to deposit a single check, in the amount of the total payroll, in a bank imprest account on which the payroll is drawn.
The general ledger department reconciles summary information from cost accounting and AP. GL accounts are updated to reflect these transactions.
95. Describe several technologies developed for producing the time and attendance file in a modern business with telecommuting employees working from multiple locations. Correct Answer:
Biometric time clocks verify employees’ identities by using fingerprint or hand-vein scan technology. To protect employee privacy, these devices use a mathematical algorithm for verification rather than storing actual fingerprints in a database.
Magnetic swipe ID cards work like a credit card. Each employee is issued an ID card that has a magnetic strip containing employee information. The employee swipes the card through the time clock to record start and end time on the job. For additional verification, the employee may be asked to enter a password or PIN.
Proximity cards are similar to swipe cards but don’t require the user to slide the card through a reader. Instead, the employee places the card in front of the reader to record attendance time. The advantage is that these cards can be read through wallets, purses, and card holders.
Mobile remote devices allow employees to clock in using handheld devices (PDA or cell phone) or web browsers from laptop computers. This option is popular among businesses with employees in the field who travel between clients and with companies engaged in global business with foreign-based employees.
Chapter 7
1. The philosophy of customer satisfaction permeates the world-class firm. *a. True b. False
2. Reports generated by the cost accounting system include performance reports and budget reports. *a. True b. False
3. The cost accounting system authorizes the release of raw materials into production. a. True *b. False
4. Batch processing creates a homogeneous product through a continuous series of standard procedures. a. True *b. False
5. The bill of materials specifies the types and quantities of the raw materials and subassemblies used in producing a single unit of finished product. *a. True b. False
6. A purchase requisition authorizes the storekeeper to release materials to individuals or work centers in the production process. a. True *b. False
7. Cement and petrochemicals are produced by the batch manufacturing method. a. True *b. False
8. The objective of the economic order quantity model is to reduce total inventory costs by minimizing carrying costs and ordering costs. *a. True b. False
9. The work-in-process file is the subsidiary ledger for the work-in-process control account. *a. True b. False
10. Move tickets authorize the storekeeper to release materials to work centers. a. True *b. False
11. Typically the only allocated cost in the value stream is a charge per square foot for the value stream production facility. *a. True b. False
12. Computer-integrated manufacturing (CIM) focuses on reducing the complexity of the physical manufacturing layout of the shop floor. a. True *b. False
13. The only objective of the just-in-time philosophy is to reduce inventory levels. a. True *b. False
14. Accounting in a world-class manufacturing environment emphasizes standard cost and variance analysis. a. True *b. False
15. ABC assigns cost to cost objects based on their use of activities. *a. True b. False
16. The complexities of ABC have caused many firms to abandon this method in favor of value stream accounting. *a. True b. False
17. A company’s value stream includes all steps in a process, both essential and non-essential, for which the customer is willing to pay. a. True *b. False
18. Lean manufacturing evolved from the Toyota Production System (TPS), which is based on the just-in-time (JIT) production model. *a. True b. False
19. The two subsystems of a traditional conversion cycle are the production system and the delivery system. a. True *b. False
20. Manufacturing resources planning (MRP II) has evolved into enterprise resource planning (ERP). *a. True b. False
21. Pull processing involves pulling products from the consumer end (demand), rather than pushing them from the production end (supply). *a. True b. False
22. The inventory control function updates and maintains both raw materials and finished goods inventory subsidiary ledgers. *a. True b. False
23. An excess materials requisition is a control that signals that a greater than standard quantity of materials is being ordered from the vendor. a. True *b. False
24. Cost accounting initiates a WIP account upon receiving the first move ticket of a batch. a. True *b. False
25. A company’s value stream map depicts only the value-added activities needed to complete a process or product. *a. True b. False
26. Which statement is not true? a. World-class companies must maintain strategic agility and be able to turn on a dime. b. World-class companies motivate and treat employees like appreciating assets. c. Manufacturing firms that achieve world-class status do so by following a philosophy of lean manufacturing. *d. All world-class companies use ERP to integrate all company functions.
27. Which function is not a part of the batch production process? a. plan and control production *b. prepare purchase orders c. maintain inventory control d. perform cost accounting
28. Lead time times daily demand is a. the economic order quantity b. safety stock *c. the reorder point d. total inventory
29. Which process creates a homogeneous product through a continuous series of standard procedures? a. batch process b. make-to-order process *c. continuous process d. none of the above
30. An example of a continuous process is the production of a. wedding invitations *b. milk products c. jet aircraft d. all of the above
31. All of the following are characteristics of batch processing except a. each item in the batch is similar *b. batches are produced in accordance with detailed customer specifications c. batches are produced to replenish depleted inventory levels d. setting up and retooling is required for different batches
32. Which one of the following statements is true? a. ERP evolved directly from MRP. b. ERP evolved into MRP and MRP evolved into MRP II. *c. MRP II evolved from MRP and MRP II evolved into ERP. d. None of the above is true.
33. The production schedule is a. the expected demand for the firm’s finished goods for a given year *b. the formal plan and authority to begin production c. a description of the type and quantity of raw materials and subassemblies used to produce a single unit of finished product d. the sequence of operations during manufacturing
34. A move ticket a. is the formal plan and authority to begin production b. specifies the materials and production required for each batch *c. records the work done in each work center d. authorizes the storekeeper to release materials to work centers
35. The internal control significance of the excess materials requisition is that it a. indicates the amount of material released to work centers *b. identifies materials used in production that exceed the standard amount allowed c. indicates the standard quantities required for production d. documents the return to raw materials inventory of unused production materials
36. Inventory control performs all of the following tasks except it a. provides production planning and control with the inventory status report of finished goods b. updates the raw material inventory records *c. prepares a materials requisition for each production batch d. records the completed production as an increase to finished goods inventory
37. The storekeeper releases raw materials based on the a. production schedule *b. materials requisition c. work order d. bill of materials
38. Which of the following is not an assumption of the economic order quantity model? a. demand for the product is known with certainty *b. total cost per year of placing orders is fixed c. lead time is known and is constant d. there are no quantity discounts
39. Firms hold safety stock to compensate for a. mathematical weaknesses of the economic order quantity model *b. variations in lead time or daily demand c. fluctuations in carrying costs d. uncertainty in the estimation of ordering costs
40. What is the economic order quantity if the annual demand is 10,000 units, set up cost of placing each order is $3 and the holding cost per unit per year is $2? *a. 174 b. 123 c. 245 d. 116
41. If the daily demand is 40 units and the lead time is 12 days, the reorder point is a. 40 units b. 48 units *c. 480 units d. none of the above
42. Which statement is not correct? *a. General ledger creates a new cost record upon receipt of a work order from production planning and control. b. Cost accounting updates the cost record with data gathered from the materials requisition. c. General ledger posts summary information about the manufacturing process based on a journal voucher prepared by cost accounting. d. Cost accounting computes variances and applies overhead to individual cost records.
43. Which of the following is not a problem associated with standard cost accounting? *a. Standard costing discourages management from producing large batches of products and building inventory. b. Applying standard costing leads to product cost distortions in a lean environment. c. Standard cost data are associated with excessive time lags that reduce its usefulness. d. The financial orientation of standard costing may promote bad decisions.
44. Computer integrated manufacturing includes all of the following technologies except a. robotics *b. materials requirements planning c. automated storage and retrieval systems d. computer-aided design
45. Which of the following would not be included as a value stream cost? a. Labor costs of employees who simply transport the product from cell to cell. b. Labor costs of employees who design the product. c. A charge per square foot for the value stream production facility including cost of rent and building maintenance. *d. All of the above are value stream costs.
46. Which situation violates the segregation of functions control procedure? a. production planning and control is located apart from the work centers *b. inventory control maintains custody of inventory items c. cost accounting has custody of and makes entries on cost records d. work centers record direct labor on job tickets
47. All of the following are internal control procedures that should be in place in the conversion cycle except a. calculation and analysis of direct material and direct labor variances *b. retention of excess materials by work centers c. physical count of inventory items on hand d. limited access to raw material and finished goods inventories
48. Which of the following is not true regarding ABC? a. ABC is too time-consuming and complicated for practical applications over a sustained period. b. ABC identifies the most and least profitable products and customers. *c. ABC promotes the lean manufacturing philosophies of process simplification and waste elimination. d. All of the statements are true.
49. A manufacturing process that is organized into group technology cells utilizing no human labor is called a. islands of technology b. process simplification *c. computer-integrated manufacturing d. traditional manufacturing
50. An example of automation of manufacturing design is *a. computer-aided engineering b. automated storage and retrieval systems c. computer numerical control d. robotics
51. An example of automation of manufacturing planning is a. computer-aided engineering b. automated storage and retrieval systems *c. materials requirements planning d. computer numerical control
52. Which of the following is not true? a. The complexities of ABC have caused many firms to pursue value stream accounting. *b. Value stream accounting captures costs related to value-added activities within a specified department or activity. c. An essential aspect in implementing value stream accounting is defining the product family. d. Value stream accounting makes no distinction between direct costs and indirect costs.
53. Characteristics of lean manufacturing include all of the following except *a. push manufacturing b. zero defects c. reduced setup time and small lot sizes d. reliable vendors
54. The cost of poor quality includes all of the following except a. cost of rework b. warranty claims c. scheduling delays *d. proceeds from the sale of scrap
55. A flexible manufacturing system a. creates bottlenecks in the process b. leads to an “us” versus “them” attitude among workers *c. shortens the physical distance between activities d. is organized along functional lines
56. Deficiencies of the traditional cost accounting information system include all of the following except a. an emphasis on financial performance b. inaccurate cost allocations c. an emphasis on standard costs *d. immediate feedback about deviations from the norm
57. Which statement is not correct? a. cost objects are the reasons for performing activities *b. cost object describes the work performed in a firm c. activities cause costs d. cost objects create a demand for activities
58. Firms are abandoning activity-based costing (ABC) because a. it does not facilitate the analysis of variances *b. it is complex and time consuming c. it does not recognize the importance of direct labor as a component of total manufacturing cost d. the financial nature of the reports does not permit comparisons to be made among different types of products
59. Which of the following is not an example of waste? a. overproduction of products b. safety hazards that cause injury c. stand-alone processes that are not linked to upstream or downstream processes *d. All of the above are examples of waste.
60. Which of the following statements about the EOQ inventory model assumptions is incorrect? a. Demand for the product is constant and known with certainty. *b. The lead time is a variable. c. All inventories in the order arrive at the same time. d. Total ordering cost is a variable.
61. Which statement is not correct? *a. Inventories provide a competitive advantage. b. Inventories can invite overproduction. c. Inventories are expensive to maintain. d. Inventories may conceal problems.
62. All of the following are documents in batch process production systems except a. production schedule b. route sheet c. materials requisition *d. bill of manufacturing
63. Transaction authorization occurs in a traditional manufacturing environment in all of the following ways except a. production planning and control initiates production with a work order b. movement of the work through the production process follows the move ticket *c. the sales department modifies work orders to match changes in demand d. the materials requisition authorizes the storekeeper to release materials to the work centers
64. Which of the following is not a principle of lean manufacturing? *a. Products are pushed from the production end to the customer. b. All activities that do not add value and maximize the use of scarce resources must be eliminated. c. A goal is the achievement of a high inventory turnover rate. d. A lean manufacturing firm must have established and cooperative relationships with vendors.
65. Which of the following is not a problem with traditional accounting information? a. Managers in a lean setting require immediate information. b. The measurement principle tends to ignore standards other than money. c. Standard costing motivates nonlean behavior in operations. *d. All of the above are problems associated with traditional accounting information.
66. Which type of manufacturing creates a homogeneous product through a continuous series of standard procedures? Correct Answer:
continuous process manufacturing
67. What information is contained in the bill of materials (BOM)? Correct Answer:
The BOM specifies the types and quantities of raw materials and subassemblies used in producing a single unit of finished product.
68. What is the difference between a materials requisition and a purchase requisition? Correct Answer:
A materials requisition authorizes the storekeeper to release materials and subassemblies to the production process. A purchase requisition authorizes the purchasing department to place an order with an external vendor to acquire goods or services.
69. List one authorization control in the traditional manufacturing environment. Correct Answer:
work orders prepared by production planning and control; move tickets signed by the supervisor; materials requisitions and excess materials requisitions
70. Explain the conversion cycle. Correct Answer:
A company’s conversion cycle transforms (converts) input resources, such as raw materials, labor, and overhead, into finished products or services for sale.
71. What is one benefit of the flexible production system? Correct Answer:
A flexible production system shortens the physical distance between activities, reducing setup time, processing time, handling costs, and inventories.
72. List two disadvantages of using a traditional cost accounting system. Correct Answer:
Cost allocations may be inaccurate; there is a time lag in reporting; information is reported in financial terms; there is an emphasis on standard cost.
73. In activity-based costing, distinguish between activities and cost objects. Correct Answer:
Activities describe the work performed in a firm, while cost objects are the reasons for performing activities. For example, operating a lathe is an activity, while customers are cost objects.
74. Discuss inventory control objectives. Correct Answer:
Inventory control minimizes total inventory cost while ensuring that adequate inventories exist to meet current demand. Various inventory models are used to help answer two fundamental questions: 1. When should inventory be purchased? 2. How much inventory should be purchased?
75. Describe the primary goal of lean manufacturing. Correct Answer:
The goal of lean manufacturing is improved efficiency and effectiveness in every area, including product design, supplier interaction, factory operations, employee management, and customer relations.
76. What is meant by the term “islands of technology”? Correct Answer:
Islands of technology describes an environment where modern automation exists in the form of islands that stand alone within the traditional setting.
77. In a traditional manufacturing environment, cost accounting provides independent verification of what information? What are the benefits? Correct Answer:
Cost accounting reconciles materials and labor usage, from the materials requisitions and job tickets, with prescribed standards and identifies significant departures. Such variance analysis is important for control of the manufacturing process.
78. How are cost structures fundamentally different between the traditional and CIM environments? Correct Answer:
In the traditional manufacturing environment, direct labor is a much larger component of total manufacturing costs than in the CIM environment. Overhead, on the other hand, is a far more significant element of cost in advanced technology manufacturing.
79. What are the key segregation of duties issues in the conversion cycle? Correct Answer:
Production planning and control department is organizationally segregated from the work centers. Inventory control must be separated from materials storeroom and FG warehouse. Cost accounting must be separate from the work centers. GL must be separate from departments keeping subsidiary accounts. GL is organizationally segregated from inventory control and cost accounting.
80. Traditional accounting assumes that ________ cause costs. ABC assumes that ________ cause costs. Correct Answer:
products, activities
81. Differentiate between essential and non-essential activities. Correct Answer:
Essential activities add value to the organization either through adding value to the customer or to the organization. Non-essential activities do not add value.
82. What is a company’s value stream? Correct Answer:
A company’s value stream includes all the steps in the process that are essential to producing a product. These are the steps for which the customer is willing to pay.
83. What document signals the completion of the production process? Correct Answer:
The receipt by cost accounting of the last move ticket for a batch from the work center signals the completion of the production process.
84. What document triggers the beginning of the cost accounting process for a given production run? Correct Answer:
The work order from the production planning and control department triggers the cost accounting process.
85. Name five documents associated with batch production systems. Correct Answer:
Sales forecast, production schedule, bill of materials, route sheet, work order, move ticket, and materials requisition.
86. How do lean manufacturing companies use electronic data interchange (EDI)? Correct Answer:
It allows firms to electronically receive customer’s sales orders and cash receipts, to send invoices to customers, to send purchase orders to vendors, to send and receive shipping documents and to receive invoices from vendors and pay them.
87. Itemize the disadvantages of ABC that have caused some firms to abandon this technique. Correct Answer:
1. ABC has been criticized for being too time consuming and complicated for practical applications over a sustained period. 2. Critics charge that rather than promoting continuous improvement, ABC creates complex bureaucracies within organizations that are in conflict with the lean manufacturing philosophies of process simplification and waste elimination. 3. The task of identifying activity costs and cost drivers can be a significant and ongoing undertaking. As products and processes change so do the associated activity costs and drivers.
4. Unless significant resources are committed to maintaining the accuracy of activity costs and the appropriateness of drivers, cost assignments become inaccurate.
88. Discuss the documents used in a batch processing system. Correct Answer:
The production schedule is the formal plan and authorization to begin production. It describes the specific products to be made, quantities per batch, and manufacturing timetable.
The bill of materials (BOM) specifies the types and quantities of the RM and subassemblies used to produce one unit of finished product.
A route sheet shows the production path that a particular batch of product follows during manufacturing (sequence of operations and standard time of each task).
The work order draws from BOMs and route sheets to specify the materials and production for each batch. These, together with move tickets, initiate the manufacturing process.
A move ticket records work done in each work center and authorizes the movement of the job or batch from one work center to the next.
A materials requisition authorizes the storekeeper to release materials to individuals or work centers in the production process, usually at standard quantities.
89. Discuss the assumptions of the economic order quantity (EOQ) model and its objective. Correct Answer:
1. Demand for the product is constant and known with certainty. 2. The lead time is known and constant. 3. All inventories in the order arrive at the same time. 4. The total cost per year of placing orders is a variable that decreases as quantities ordered increases. 5. The total cost per year of holding inventories (carrying costs) is a variable that increases as the quantities ordered increase. 6. There are no quantity discounts.
The objective of the EOQ model is to reduce total inventory costs.
90. Outline the characteristics of a world-class company. Correct Answer:
1. World-class companies must maintain strategic agility and be able to turn on a dime. Top management must be intimately aware of customer needs and not become rigid and resistant to paradigm change. 2. World-class companies motivate and treat employees like appreciating assets. To activate the talents of everyone, decisions are pushed to the lowest level in the organization. The result is a flat and responsive organizational structure. 3. A world-class company profitably meets the needs of its customers. Its goal is not simply to satisfy customers, but to positively delight them. This is not something that can be done once and then forgotten. With competitors aggressively seeking new ways to increase market share, a world-class firm must continue to delight its customers. 4. The philosophy of customer satisfaction permeates the world-class firm. All of its activities, from the acquisition of raw materials to selling the finished product, form a “chain of customers.” Each activity is dedicated to serving its customer, which is the next activity in the process. The final paying customer is the last in the chain. 5. Finally, manufacturing firms that achieve world-class status do so by following a philosophy of lean manufacturing. This involves doing more with less, eliminating waste, and reducing production cycle time.
91. How does automation assist with the lean manufacturing philosophy? Correct Answer:
Automation is at the heart of the lean manufacturing philosophy. By replacing labor with automation, a firm can reduce waste, improve efficiency, increase quality, and improve manufacturing flexibility.
92. How does MRP II (manufacturing resource planning) expand on MRP (materials requirements planning)? Correct Answer:
MRP is an automated production planning and control system used to support inventory management. It is a calculation method geared towards determining how much of which raw materials are required and when they should be ordered. MRP II is an extension of MRP that has evolved beyond inventory management. It is both a system and a philosophy for coordinating a wide range of manufacturing activities. MRP II integrates product manufacturing, product engineering, sales order processing, customer billing, human resources, and related accounting functions.
93. Discuss the importance of the move ticket to the cost accounting department. Correct Answer:
The various work centers send cost accounting completed move tickets. The move ticket, along with job tickets and standards provided by the standard cost file, enable cost accounting to update the affected WIP accounts with the standard charges for manufacturing overhead. The receipt of the last move ticket for a particular batch signals the completion of the production process and the transfer of products from WIP to the finished goods inventory. At that point cost accounting closes the WIP account.
94. Discuss the purpose and key features of a value stream map (VSM). Correct Answer:
The value stream map (VSM) graphically represents a business process to identify aspects of it that are wasteful and should be removed. A VSM identifies all of the actions required to complete processing on a product, along with key information about each action item. Specific information may include total hours worked, overtime hours, cycle time to complete a task, and error rates.
The VSM shows the total time required for each processing step, shows the time required between steps, and identifies the types of time spent between steps such as the outbound batching time, transit time, and inbound queue time.
95. Discuss the principles underlying the lean manufacturing approach. Correct Answer:
Pull Processing. Products are pulled from the consumer end (demand), not pushed from the production end (supply).
Perfect Quality. Success of the pull processing model requires zero defects in raw material, work in process, and finished goods inventory.
Waste Minimization. All activities that do not add value and maximize the use of scarce resources must be eliminated. Waste involves financial, human, inventory, and fixed assets.
Inventory Reduction. The hallmark of lean manufacturing firms is their success in inventory reduction. Such firms often experience annual inventory turnovers of 100 times per year.
Production Flexibility. Long machine setup procedures cause delays in production and encourage overproduction. Lean companies strive to reduce setup time to a minimum, which allows them to produce a greater diversity of products quickly, without sacrificing efficiency at lower volumes of production.
Established Supplier Relations. A lean manufacturing firm must have established and cooperative relationships with vendors. Late deliveries, defective raw materials, or incorrect orders will shut down production immediately since this production model allows no inventory reserves to draw upon.
Team Attitude. Lean manufacturing relies heavily on the team attitude of all employees involved in the process. Each employee must be vigilant of problems that threaten the continuous flow operation of the production line.
96. Discuss three common problems associated with inventories. Correct Answer:
1. Inventories cost money. They are an investment in materials, labor, and overhead that cannot be realized until sold. Inventories also contain hidden costs. They must be transported throughout the factory. They must be handled, stored, and counted. In addition, inventories lose value through obsolescence. 2. Inventories camouflage production problems. Bottlenecks and capacity imbalances in the manufacturing process cause WIP inventory to build up at the choke points. Inventories also build up when customer orders and production are out of sync.
3. Willingness to maintain inventories can precipitate overproduction. Because of setup cost constraints, firms tend to overproduce inventories in large batches to absorb the allocated costs and create the image of improved efficiency. The true cost of this dysfunctional activity is hidden in the excess inventories.
97. Automation is at the heart of the lean manufacturing philosophy. Discuss its stages and its distinguishing features. Correct Answer:
Automation of the manufacturing process can be viewed as a gradual progression. The stages are: Traditional manufacturing, which consists of many different types of machines that require a lot of setup time, each controlled by a single operator. The WIP follows a circuitous route through the different operations.
Islands of technology, in which stand-alone islands employ computer numerical controlled (CNC) machines that can perform multiple operations with less human involvement and less set up time.
Computer integrated manufacturing (CIM), a completely automated environment which employs automated storage and retrieval systems (AS/RS) and robotics.
98. How can a firm control against excessive quantities of raw materials being used in the manufacturing process? Correct Answer:
The use of standard quantities provides a type of access control. If the materials requisition document specifies standard quantities, excess materials require separate requisitions that may be identified explicitly as excess materials requisitions.
99. Explain the relationship between MRP, MRP II, and ERP. Correct Answer:
Manufacturing resources planning (MRP II) is an extension of a simpler concept still in use called materials requirements planning (MRP). MRP is an automated version of a traditional production planning and control process. On the other hand, MRP II is a reengineering technique that integrates several business processes. MRP II is not confined to the management of inventory. It is both a system and a philosophy for coordinating the activities of the entire firm. As such, MRP II has evolved into the large suites of software called enterprise resource planning (ERP) systems. These huge commercial packages support the information needs of the entire organization, not just the manufacturing functions. Similarities in functionality between ERP and MRP II systems are quite apparent. Some argue that very little real functional difference exists between the two concepts. Indeed, the similarities are most noticeable when comparing top-end MRP II systems with low-end ERP packages.
100. Explain how CAD can contribute to a firm’s move toward world-class status. Correct Answer:
Engineers use computer-aided design (CAD) to design better products faster. CAD systems increase productivity, improve accuracy, and allow firms to be more responsive to market demands. Product design has been revolutionized through CAD technology. Advanced CAD systems can design both product and process simultaneously. Thus, aided by CAD, management can evaluate the technical feasibility of the product and determine its “manufacturability.” CAD technology greatly shortens the time frame between initial and final design. This allows firms to adjust their production quickly to changes in market demand. It also allows them to respond to customer requests for unique products. The CAD system’s external communication link permits the world-class manufacturer to share its product design specifications with its vendors and customers. This communications link also allows the world-class manufacturer to receive product design specifications electronically from its customers and suppliers for its review.
101. Explain how CAM can contribute to a firm’s move toward world-class status. Correct Answer:
Computer-aided manufacturing (CAM) is the use of computers to assist the manufacturing process. CAM focuses on the shop floor and the control of the physical manufacturing process. The output of the CAD system is fed to the CAM system. Thus, the CAD design is converted by CAM into a sequence of processes. CAM systems monitor and control the production process and routing of products through cells. Benefits from deploying a CAM system include improved process productivity, improved cost and time estimates, improved process monitoring, improved process quality, decreased setup times, and reduced labor costs.
102. Explain why traditional cost allocation methods do not work well in a CIM environment. Correct Answer:
Traditional accounting systems do not accurately trace costs to products and processes. An assumption of standard costing is that all overhead needs to be allocated to products and that overhead directly relates to the amount of labor required to make the product. In the traditional environment, direct labor is a much larger component of total manufacturing costs than in the CIM environment. With automated manufacturing, overhead is a far more significant cost component. Applying standard costing leads to product cost distortions and poor decisions regarding pricing, valuation, and profitability.
103. What is meant by the term “product family” and what is its relationship to value stream accounting? Correct Answer:
Most organizations produce more than one product, which fall into natural lines or families. Product families share common processes from the point of placing the order to shipping the finished goods to the customer. Value stream accounting cuts across functional and departmental lines to include costs related to the product family such as marketing, selling expenses, product design, engineering, materials purchasing, distribution, and more, but makes no distinction between direct costs and indirect costs.
Chapter 8
1. The most common means of making entries in the general ledger is via the journal voucher. *a. True b. False
2. Individuals with access authority to general ledger accounts should not prepare journal vouchers. *a. True b. False
3. The journal voucher is the document that authorizes entries to be made to the general ledger. *a. True b. False
4. Each account in the chart of accounts has a separate record in the general ledger master file. *a. True b. False
5. The responsibility center file is primarily used by the financial reporting system. a. True *b. False
6. Management reporting is often called discretionary reporting because, unlike financial reporting, it is not mandated. *a. True b. False
7. Primary recipients of financial statement information are internal management. a. True *b. False
8. The management reporting system is a nondiscretionary system. a. True *b. False
9. When evaluating decision alternatives, one option is to take no action. *a. True b. False
10. In most cases intangible decision criteria can be quantified. a. True *b. False
11. Strategic decisions are subordinate to tactical planning decisions. a. True *b. False
12. Responsibility refers to an individual’s obligation to achieve desired results. *a. True b. False
13. A firm using a wide span of control tends to have relatively more layers of management. a. True *b. False
14. The control function entails evaluating a process against a standard and, if necessary, taking corrective action. *a. True b. False
15. Standards are the basis for evaluating actual performance. *a. True b. False
16. A report is said to have information content if it eliminates uncertainty associated with a problem facing the decision maker. a. True *b. False
17. An inventory out-of-stock report is an example of a programmed, on-demand report. *a. True b. False
18. A principle of responsibility accounting is that managers are responsible for controllable and uncontrollable costs. a. True *b. False
19. The manager of a cost center is responsible for cost control and revenue generation. a. True *b. False
20. Designing an effective management reporting system does not require an understanding of the information managers need to deal with the problems they face. a. True *b. False
21. The formalization of tasks principle suggests that management should structure the firm around the unique skills sets of key individuals. a. True *b. False
22. If a manager delegates responsibility to a subordinate, he or she must also grant the subordinate authority to make decisions. *a. True b. False
23. Operational control involves motivating managers at all levels to use resources, including materials, personnel, and financial assets, as productively as possible. a. True *b. False
24. XBRL taxonomies are classification schemes that are compliant with the XBRL specifications to accomplish a specific information exchange. *a. True b. False
25. An income statement is an example of an XBRL instance document. *a. True b. False
26. The verification model uses data mining to discover previously unknown information that is hidden in the data. a. True *b. False
27. Firms use prescriptive analytics to recommend the best action to take in response to a specific question. *a. True b. False
28. Which statement is not true? a. The journal voucher is the only source of input into the general ledger. b. A journal voucher can be used to represent summaries of similar transactions or a single unique transaction. *c. Journal vouchers are not used to make adjusting entries and closing entries in the general ledger. d. Journal vouchers offer a degree of control against unauthorized general ledger entries.
29. Entries into the general ledger system (GLS) can be made using information from a. the general journal b. a journal voucher which represents a summary of similar transactions c. a journal voucher which represents a single, unusual transaction *d. all of the above
30. Which statement is not correct? The general ledger master file a. is based on the firm’s chart of accounts b. contains a record for control accounts *c. is an output of the financial reporting system (FRS) d. supplies information for management decision making
31. What type of data is found in the general ledger master file? a. a chronological record of all transactions *b. the balance of each account in the chart of accounts c. budget records for each account in the chart of accounts d. subsidiary details supporting a control account
32. Which report is not an output of the financial reporting system (FRS)? *a. variance analysis report b. statement of cash flows c. tax return d. comparative balance sheet
33. Which steps in the financial accounting process are in the correct sequence? a. record the transaction, post to the ledger, prepare the adjusted trial balance, enter adjusting entries, prepare financial statements b. record the transaction, prepare the unadjusted trial balance, record adjusting journal entries, record closing entries, prepare financial statements c. record the transaction, post to the ledger, record adjusting entries, prepare the unadjusted trial balance, prepare financial statements *d. record the transaction, post to the ledger, prepare the adjusted trial balance, prepare financial statements, record closing entries
34. Which statement is not correct? a. the post-closing trial balance reports the ending balance of each account in the general ledger b. one purpose of preparing the unadjusted trial balance is to ensure that debits equal credits *c. financial statements are prepared based on the unadjusted trial balance d. the unadjusted trial balance reports control account balances but omits subsidiary ledger detail
35. What account appears on the post-closing trial balance? a. income summary *b. machinery c. rent expense d. interest income
36. Financial statements are prepared from the a. trial balance *b. adjusted trial balance c. general ledger d. general journal
37. Risk exposures in the general ledger and financial reporting systems include all of the following except a. defective audit trail b. unauthorized access to the general ledger *c. loss of physical assets d. general ledger account is out of balance with the subsidiary account
38. Which situation indicates an internal control risk in the general ledger/financial reporting systems (GL/FRS)? a. the employee who maintains the cash journal computes depreciation expense b. the cash receipts journal voucher is approved by the Treasurer c. the cash receipts journal vouchers are prenumbered and stored in a locked safe *d. the employee who maintains the cash receipts journal records transactions in the accounts receivable subsidiary ledger
39. With a limited work force and a desire to maintain strong internal control, which
combination of duties performed by a single individual presents the least risk exposure? a. maintaining the inventory ledger and recording the inventory journal voucher in the general ledger b. recording the inventory journal voucher in the general ledger and maintaining custody of inventory *c. maintaining the cash disbursements journal and recording direct labor costs applied to specific jobs d. preparing the accounts payable journal voucher and recording it in the general ledger
40. Operational control decisions a. set the goals and objectives for the firm
b. involve motivating managers to use resources as productively as possible *c. are more focused than tactical decisions d. have a fairly high degree of uncertainty
41. Which of the following is not a report attribute needed to make a report
effective? a. relevance b. accuracy *c. detailed d. exception orientation
42. XBRL a. is the basic protocol that permits communication between Internet sites b. controls web browsers that access the web c. is the document format used to produce web pages *d. was designed to provide the financial community with a standardized method for preparing reports
43. An XBRL taxonomy a. is the document format used to produce web pages b. is the final product (report) *c. is a classification scheme d. is a tag stored in each database record
44. A characteristic of the management reporting system (MRS) is a. that it operates in conformity with generally accepted accounting principles b. it is a legal requirement that the MRS be installed and functioning properly c. that it implements SEC requirements *d. that it focuses on internal decision-making information
45. Which statement is not true? *a. Authority refers to an individual’s obligation to achieve desired results. b. If an employee is given the responsibility for a task, that employee should be given authority to make decisions within the limits of that task. c. The level of detail provided to an employee is a function of the employee’s position with the firm. d. All of the above are true.
46. Which statement is not true? The manager’s span of control *a. is narrow for routine and repetitive tasks b. is related to the number of layers of management c. affects the amount of detail provided to a manager d. can affect employee morale and motivation
47. Short-range planning involves a. setting goals and objectives of the firm *b. planning the production schedule for the next quarter c. planning the growth of the firm d. deciding on the degree of diversification among the firm’s products
48. Long-range planning involves a. planning the marketing and promotion for a product b. presenting department heads with budgetary goals for the next year c. preparing a work force utilization budget for the next quarter *d. deciding the optimum size of the firm
49. The level of management that makes tactical planning decisions is a. top management *b. middle management c. operations management d. front-line management
50. The decision to enter a new market is an example of *a. strategic planning b. tactical planning c. management control d. operational control
51. All of the following are elements of operational control decisions except *a. determining the scope of the activity b. setting operating standards c. evaluating performance d. taking corrective action when necessary
52. In contrast to tactical planning decisions, management control decisions, and operational control decisions, strategic planning decisions usually a. are more focused b. have a shorter time frame *c. are unstructured d. have a high degree of certainty
53. Which of the following management principles affects the management reporting system? a. formalization of tasks b. authorization c. span of control *d. all of the above
54. All of the following are elements of problem structure except *a. certainty b. data c. procedures d. objectives
55. All of the following are examples of programmed reports except a. cash flow reports for Division B *b. year-to-date local income tax payments made by all employees living in City X and working in City Y c. inventory exception reports for Division G d. equipment utilization reports for Plant M
56. A fundamental principle of responsibility accounting is that *a. managers are accountable only for items they control b. a manager’s span of control should not exceed eight people c. structured reports should be prepared weekly d. the information flow is in one direction, top-down
57. Which statement is not true? Responsibility accounting a. involves both a top-down and bottom-up flow of information *b. acknowledges that some economic events cannot be traced to any manager c. creates a budget d. compares actual performance with budget
58. What mechanism is used to convey to managers the standards by which their performance will be measured? a. the responsibility report b. the scheduled report *c. the budget d. all of the above
59. All of the following concepts encourage goal congruence except *a. detailed information reporting b. authority c. formalization of tasks d. responsibility
60. Which of the following statements is not true? *a. XML stands for eXperimental Markup Language. b. XML is a meta-language for describing markup languages. c. Unlike HTML, XML is capable of storing data in relational form. d. Any markup language can be created using XML.
61. Which file has as its primary purpose to present comparative financial reports on a historic basis? a. journal voucher history file b. budget master file c. responsibility file *d. general ledger history file
62. All of the following are characteristics of the strategic planning process except *a. the emphasis on both the short and long run b. the review of the attributes and behavior of the organization’s competition c. the analysis of external economic factors d. the analysis of consumer demand
63. Using ROI as a performance measure is most appropriate for the manager of a a. profit center b. cost center *c. investment center d. merchandise control center
64. Which of the following best describes a profit center? *a. authority to make decisions affecting the major determinants of profit, including the power to choose its markets and sources of supply b. authority to make decisions affecting the major determinants of profit, including the power to choose its markets and sources of supply, and significant control over the amount of invested capital c. authority to make decisions over the most significant costs of operations, including the power to choose the sources of supply d. authority to provide specialized support to other units within the organization
65. XBRL reporting: a. must be used by banks to file required quarterly “call reports” b. is used substantially both in the US and internationally c. facilitates the fulfillment of legal requirements stipulated in SOX *d. all of the above
66. Which of the following is not an example of data security? a. firewalls b. password control c. system audit trails *d. volume controls
67. Big data analytics are characterized by *a. volume, velocity, and variety of data b. volume, variance, and velocity of data c. verification, variance, and variety of data d. velocity, volume, and verification of data
68. List, in order, the steps in the financial reporting process.
Correct Answer:
1. Capture the transaction. 2. Record in special journals. 3. Post to subsidiary ledger. 4. Post to general ledger (using journal vouchers). 5. Prepare unadjusted trial balance. 6. Make adjusting entries. 7. Journalize and post adjusting entries. 8. Prepare adjusted trial balance. 9. Prepare financial statements. 10. Journalize and post the closing entries. 11. Prepare the post-closing trial balance.
69. List two duties that individuals with access authority of GL accounts should not have. Correct Answer:
record-keeping responsibility for special journals or subsidiary ledgers; preparation of journal vouchers; custody of physical assets
70. Explain the purpose and contents of the general ledger master file. Correct Answer:
The general ledger master file is the main file on the general ledger database. It is based on the firm’s chart of accounts. Each record is either a general ledger account (e.g., sales) or a control account (e.g., the accounts payable control) for one of the subsidiary ledgers. The general ledger master file contains the following for each account: the account number, description, account class (e.g., asset), the normal balance (debit or credit), beginning balance, total debits for period, total credits for period, and current balance.
71. What is XML? Correct Answer:
XML (eXtensible Markup Language) is a meta-language for describing markup languages. The term extensible means that any markup language can be created using XML. This includes the creation of markup languages capable of storing data in relational form, where tags (formatting commands) are mapped to data values.
72. Define and discuss the journal voucher. Correct Answer:
The source of input to the general ledger is the journal voucher. A journal voucher, which can be used to represent summaries of similar transactions or a single unique transaction, identifies the financial amounts and affected GL accounts. Routine transactions, adjusting entries, and closing entries are all entered into the GL via journal vouchers. Because a responsible manager must approve journal vouchers, the manager offers a degree of control against unauthorized GL entries.
73. What are the major exposures in the general ledger/financial reporting system? Correct Answer:
The primary exposures are: a defective or lost audit trail, unauthorized access, GL accounts out of balance with subsidiary ledger accounts, and incorrect account balances due to unauthorized or incorrect entries.
74. Why is the audit trail necessary? Correct Answer:
The audit trail is needed for several reasons: to provide the ability to answer inquiries from customers and suppliers, to reconstruct files if lost, to provide historical data to auditors, to satisfy government regulations, and for error control.
75. The ________ principle suggests that management should structure the firm around the work it performs rather than around individuals with unique skills. Correct Answer:
formalization of tasks
76. Employees who are responsible for a task must have the ________ to make decisions within the limits of the responsibility delegated. Correct Answer:
authority
77. ________ refers to the number of subordinates directly under a manager’s control. Correct Answer:
Span of control
78. The difference between the actual performance and the standard is called the ________. Correct Answer:
variance
79. How does the management by exception principle affect the management reporting system? Correct Answer:
Reports should focus on differences between actual and expected numbers in key factors that are symptomatic of potential problems. Reports that provide unnecessary details about routine in-control items should be avoided.
80. For reports to be useful they must have information content. Describe a reporting objective which gives reports information content. Correct Answer:
Reports must reduce the level of uncertainty associated with a problem facing the decision maker, and must influence the behavior of the decision maker in a positive way.
81. What is information overload? How does it affect decision-making? Correct Answer:
Information overload refers to a situation in which a manager receives more information than can be assimilated. A natural response to this is to ignore information or select only some. In addition, intuition can displace logic.
82. Explain the phrase “span of control.” What are the implications for the management reporting system of this principle? Correct Answer:
A manager’s span of control is the number of subordinates he/she supervises directly. The broader a manager’s span of control, the more autonomy his/her subordinates enjoy—the less involved the manager is in their specific tasks. This impacts the MRS in terms of the level of detail a manager requires. If the span is wide, less detail; if narrow, more.
83. Explain the three types of responsibility centers. Correct Answer:
Cost centers are organizational units with responsibility for cost management. Profit centers have responsibility for both cost management and revenue generation. Investment centers have responsibility for cost management, revenue generation, and also the investment and use of assets.
84. Describe at least three characteristics of strategic planning decisions and their information requirements. Correct Answer:
have long time frames—create a need for information that supports forecasting
require summarized information—not encumbered by detail
tend to be nonrecurring—thus having little historical data in support
involve a lot of uncertainty—i.e., are unstructured decisions
are broad in scope—thus requiring broad based information
often require significant external information—generated beyond the information system itself
85. What three elements must be present for a problem to be “structured?” Correct Answer:
data, procedures, objectives
86. How does management by exception help to alleviate information overload by a manager? Correct Answer:
The principle of management by exception is that managers should limit their attention to potential problem areas rather than being involved with every activity or decision. Thus, only situations which are not proceeding as scheduled are highlighted by the reports and analyzed by the manager. Thus, the manager does not have to weed through multiple reports to find the situations which need attention.
87. What is a data warehouse? Correct Answer:
A data warehouse is a relational database management system that has been designed specifically to meet the needs of data mining. The warehouse contains operational data about current events as well as events that have transpired over many years.
88. What is XBRL? Correct Answer:
XBRL (Extensible Business Reporting Language) is an XML-based language that was designed to provide the financial community with a standardized method for preparing, publishing, and automatically exchanging financial information, including financial statements of publicly held companies.
89. What is the XBRL taxonomy? Correct Answer:
XBRL taxonomies are classification schemes that are compliant with the XBRL specifications, to accomplish a specific information exchange or reporting objectives.
90. What distinguishes big data analytics from small data analytics? Correct Answer:
Big data analytics is characterized by the extremely high volumes of data that must be processed very quickly and has great variety of unstructured data. Given these characteristics, the data cannot be easily processed using the traditional technologies used in small data analytics.
91. Give an example of a management question that would require a verification model of data mining. Correct Answer:
Any example that shows that the manager’s hypothesis is confirmed or denied by the results of data mining is acceptable. Examples include: the best target market for a direct ad campaign, the best delivery method for rural customers, and the best supplier based on price, quality, and on-time delivery.
92. List and explain the six basic files in the general ledger database. Correct Answer:
The general ledger master file is the main file on the general ledger database. It is based on the firm’s chart of accounts. Each record is either a separate general ledger account (e.g., sales) or a control account (e.g., the accounts payable control) for one of the subsidiary ledgers.
The general ledger history file contains the same information for prior periods.
The journal voucher file contains all of the journal vouchers processed in the current period.
The journal voucher history file contains journal vouchers for past periods.
The responsibility center file contains the revenues, expenses, and other data for individual responsibility centers.
The budget master file contains budgeted amounts for responsibility centers.
93. Describe the three elements of problem structure. Contrast a structured problem to an unstructured problem. Describe which levels of management typically deal with structured problems and with unstructured problems. Correct Answer:
Problem structure has three elements: (1) Data—the values used to represent factors that are relevant to the problem; (2) Procedures—the sequence of steps or decision rules used in solving the problem; and (3) Objectives—the results the decision maker desires to attain by solving the problem. When all three elements of problem structure are known with certainty, the problem is structured. In unstructured problems the data requirements are uncertain, and/or the procedures are not specified, and/or the solution objectives have not been fully developed.
In general, structured problems are handled at the operations level and partially structured problems are handled by operations, tactical, and strategic management. Usually, strategic management handles unstructured problems.
94. Many financial reports produced by organizations are nondiscretionary—publicly traded firms have no choice but to prepare income statements, tax returns, etc. Management reporting is often called discretionary reporting because it is not mandated, as is financial reporting. Is this a valid statement? Why or why not? Correct Answer:
It can be argued that an effective MRS is mandated by SOX legislation which requires that all public companies monitor and report on the effectiveness of internal controls over financial reporting. Management reporting has long been recognized as a critical element of an organization’s internal control structure. An MRS that directs management’s attention to problems on a timely basis promotes effective management and thus supports the organization’s business objectives.
95. Describe at least three attributes of an effective report. Correct Answer:
Effective reports tend to share several attributes: Relevance – Relevant data supports the manager’s decision needs. Summarization – Data should be at the appropriate level of summarization for the manager receiving it. Exception orientation – This highlights what is not going as planned. Accuracy – Information in reports must be free from material errors. Completeness – No essential piece of information should be missing. Timeliness – Information that is reasonably complete and accurate in a reasonable time frame is more valuable than perfect information received too late. Conciseness – Information should be presented as concisely as possible.
96. What is the implication for the management reporting system of an organization that implements the formalization of tasks principle? Correct Answer:
Information requirements are defined by a position, not by the person filling that position. When there is a personnel change, there should be no major changes in the information needed by the new employee; it will be essentially the same as that needed by the former employee. Internal control is strengthened because information is provided based on the requirements of the position (a need-to-know basis).
97. Discuss three control implications of XBRL. Correct Answer:
Control implications include: Taxonomy Creation. Taxonomy may be generated incorrectly, resulting in an incorrect mapping between data and taxonomy elements that could result in material misrepresentation of financial data. Controls must be designed and in place to ensure the correct generation of XBRL taxonomies.
Taxonomy Mapping Error. The process of mapping the internal database accounts to the taxonomy tags needs to be controlled. Correctly generated XBRL tags may be incorrectly assigned to internal database accounts, resulting in material misrepresentations of financial data.
Validation of Instance Documents. As noted, once the mapping is complete and tags have been stored in the internal database, XBRL instance documents (reports) can be generated. Independent verification procedures need to be established to validate the instance documents to ensure that appropriate taxonomy and tags have been applied before posting to web server.
98. Discuss the primary advantage of XBRL over traditional HTML as a means of online reporting of financial information to users. Correct Answer:
Online reporting of financial data has become a competitive necessity for publicly traded organizations. Most organizations originally accomplished this by placing their financial statements and other financial reports on their respective websites as HTML (Hyper Text Markup Language) documents. These documents could then be downloaded by users such as the SEC, financial analysts, and other interested parties. The HTML reports, however, could not be conveniently processed through IT automation. Performing any analysis on the data contained in the reports required them to be manually entered into the user’s information system. XBRL became the solution to this problem. XBRL (eXtensible Business Reporting Language) is the Internet standard specifically designed for business reporting and information exchange. The objective of XBRL is to facilitate the publication, exchange, and processing of financial and business information. XBRL documents can thus be downloaded, interpreted, and analyzed using computer software with no additional manual data input necessary.
99. Contrast the four decision types: strategic planning, tactical planning, management control and operational control, by the five decision characteristics: time frame, scope, level of details, recurrence, and certainty. Correct Answer:
Strategic planning decisions are 1) typically long-term in nature, 2) have a high impact on the firm, 3) require highly summarized information, 4) typically nonrecurring problems/opportunities, and 5) uncertain in nature.
Tactical planning decisions are 1) typically medium-term in nature, 2) have a medium impact on the firm, 3) require detailed information, 4) typically are periodically recurring problems/opportunities, and 5) highly certain in nature.
Management control decisions are 1) typically medium-term in nature, 2) have a low impact on the firm, 3) require moderately summarized information, 4) typically are periodically recurring problems/opportunities, and 5) uncertain in nature.
Operational control decisions are 1) typically short-term in nature, 2) have a low impact on the firm, 3) require highly detailed information, 4) typically are periodically recurring problems/opportunities, and 5) highly certain in nature.
100. Discuss inappropriate performance measures and how to avoid them. Correct Answer:
When inappropriate performance measures are used, managers may take actions that are dysfunctional to the organization. The actions may succeed in the short run. By the time the problem surfaces, the manager who took the action may be promoted or gone, leaving the problem to his or her successor. The use of any single-criterion performance measure can impose personal goals on managers that conflict with organizational goals and result in dysfunctional behavior.
Performance measures should consider all relevant aspects of a manager’s responsibility. In addition to measures of general performance, such as ROI, management should measure trends in key variables such as sales, cost of goods sold, operating expenses, and asset levels. Nonfinancial measures such as product leadership, personnel development, employee attitudes, and public responsibility may also be relevant in assessing management performance.
101. Identify the primary risks to a firm’s strategic (big) data and discuss at least four techniques to maintain data security. Correct Answer:
The primary risks to a firm’s strategic data are misappropriation, theft, and corruption. These risks may be both internal and external. To secure their data, firms use the following:
Firewalls are used to mitigate threats from external hackers. A firewall insulates a company’s internal network and stored data from outside intruders.
Access privileges provide a level of control over access to the data. Organizations develop formal procedures for assigning access privileges.
Password control is a formalized system that allows access to data only by authorized persons. Passwords should be strong and should change periodically.
System audit control tracks activity on the data system down to the specific user. Audit logs provide high-level monitoring of the data.
Outsourcing controls are formalized assessments of third-party vendors who may perform data analysis. Third-party vendors must comply with the high standards of data security. External auditors serve an important function in assuring that these high standards are met and maintained.
Chapter 9
1. The database approach to data management is sometimes called the flat-file approach. a. True *b. False
2. The database management system provides a controlled environment for accessing the database. *a. True b. False
3. To the user, data processing procedures for routine transactions, such as entering sales orders, appear to be identical in the database environment and in the traditional environment. *a. True b. False
4. An important feature associated with the traditional approach to data management is the ability to produce ad hoc reports. a. True *b. False
5. The data definition language is used to insert special database commands into application programs. a. True *b. False
6. There is more than one conceptual view of the database. a. True *b. False
7. In the database method of data management, access authority is maintained by systems programming. a. True *b. False
8. The physical database is an abstract representation of the database. a. True *b. False
9. A customer name and an unpaid balance is an example of a one-to-many relationship. a. True *b. False
10. In the relational model, a data element is called a relation. a. True *b. False
11. The normalization process involves identifying and removing structural dependencies from the tables being modeled. *a. True b. False
12. Under the database approach, data is viewed as proprietary or owned by users. a. True *b. False
13. The data dictionary describes all of the data elements in the database. *a. True b. False
14. A join builds a new table from two tables consisting of all concatenated pairs of rows from each table. *a. True b. False
15. The deletion anomaly is the least important of the problems affecting unnormalized databases. a. True *b. False
16. A deadlock is a phenomenon that prevents the processing of transactions. *a. True b. False
17. Timestamping is a control that is used to ensure database partitioning. a. True *b. False
18. A lockout is a software control that prevents multiple users from simultaneous access to data. *a. True b. False
19. Task-data dependency is directly related to data redundancy. a. True *b. False
20. An entity is any physical thing about which the organization wishes to capture data. a. True *b. False
21. An ER diagram is a graphical representation of a data model. *a. True b. False
22. The term occurrence is used to describe the number of items associated with an entity. *a. True b. False
23. Cardinality describes the number of possible occurrences in one table that are associated with a single occurrence in a related table. *a. True b. False
24. Foreign keys physically connect logically related tables to achieve the associations described in the data model. *a. True b. False
25. Improperly normalized databases are associated with three types of anomalies: the update anomaly, the insertion anomaly, and the deletion anomaly. *a. True b. False
26. If an organization uses a commercial database management system, its systems developers will likely use a bottom-up approach to data modeling. *a. True b. False
27. Task-data dependency is a. failure to update the files of all users affected by a change b. another term for data redundancy *c. user’s inability to obtain additional information as needs change d. none of the above
28. The task of searching the database to locate a stored record for processing is called a. data deletion b. data storage c. data attribution *d. data retrieval
29. Which of the following is not a problem usually associated with the flat-file approach to data management? a. data redundancy *b. restricting access to data to the primary user c. data storage d. currency of information
30. Which characteristic is associated with the database approach to data management? *a. data sharing b. multiple storage procedures c. data redundancy d. excessive storage costs
31. Which characteristic is not associated with the database approach to data management? a. the ability to process data without the help of a programmer b. the ability to control access to the data c. constant production of backups *d. the inability to determine what data is available
32. Which of the following is not one of four interrelated components of the database concept? a. the database management system b. the database administrator c. the physical database *d. the conceptual database
33. The formal name for a row in the physical database table is a. attribute b. schema *c. tuple d. link
34. A description of the physical arrangement of records in the database is *a. the internal view b. the conceptual view c. the subschema d. the external view
35. Which of the following may provide many distinct views of the database? a. the schema b. the internal view *c. the user view d. the conceptual view
36. Users access the database *a. by direct query b. by developing operating software c. by constantly interacting with systems programmers d. all of the above
37. The data definition language *a. identifies, for the database management system, the names and relationships of all data elements, records, and files that comprise the database b. inserts database commands into application programs to enable standard programs to interact with and manipulate the database c. permits users to process data in the database without the need for conventional programs d. describes every data element in the database
38. The data manipulation language a. defines the database to the database management system b. transfers data to the buffer area for manipulation *c. enables application programs to interact with and manipulate the database d. describes every data element in the database
39. Which statement is not correct? A query language like SQL a. is written in a fourth-generation language *b. requires user familiarity with COBOL c. allows users to retrieve and modify data d. reduces reliance on programmers
40. Which duty is not the responsibility of the database administrator? a. to develop and maintain the data dictionary b. to implement security controls *c. to design application programs d. to design the subschema
41. In a hierarchical model a. links between related records are implicit *b. the way to access data is by following a predefined data path c. an owner (parent) record may own just one member (child) record d. a member (child) record may have more than one owner (parent)
42. Which term is not associated with the relational database model? a. tuple b. attribute *c. collision d. relation
43. In the relational database model a. relationships are explicit b. the user perceives that files are linked using pointers *c. data is represented on two-dimensional tables d. data is represented as a tree structure
44. In the relational database model all of the following are true except a. data is presented to users as tables b. data can be extracted from specified rows from specified tables c. a new table can be built by joining two tables *d. only one-to-many relationships can be supported
45. Properly designed physical database tables must a. have a unique name for each column that may not be repeated in other tables *b. conform to the rules of normalization c. Both a. and b. d. Neither a. nor b.
46. The update anomaly in unnormalized databases *a. occurs because of data redundancy b. complicates adding records to the database c. may result in the loss of important data d. often results in excessive record insertions
47. The most serious problem with unnormalized databases is the a. update anomaly b. insertion anomaly *c. deletion anomaly d. none of the above
48. The deletion anomaly in unnormalized databases a. is easily detected by users *b. may result in the loss of important data c. complicates adding records to the database d. requires the user to perform excessive updates
49. Which statement is correct? a. In a normalized database, data about vendors occur in several locations. b. The accountant is responsible for database normalization. c. In a normalized database, deletion of a key record could result in the destruction of the audit trail. *d. Connections between M:M tables are provided by a link table.
50. Which of the following is not a common form of conceptual database model? a. hierarchical b. network *c. sequential d. relational
51. Which of the following is a relational algebra function? a. restrict b. project c. join *d. all are relational algebra functions
52. Which statement is false? a. The DBMS is special software that is programmed to know which data elements each user is authorized to access. b. User programs send requests for data to the DBMS. c. During processing, the DBMS periodically makes backup copies of the physical database. *d. The DBMS does not control access to the database.
53. All of the following are elements of the DBMS which facilitate user access to the database except a. query language *b. data access language c. data manipulation language d. data definition language
54. Which of the following is a level of the database that is defined by the data definition language? a. user view b. schema c. internal view *d. all are levels or views of the database
55. An example of a distributed database is *a. partitioned database b. centralized database c. networked database d. all are examples of distributed databases
56. Data currency is preserved in a centralized database by a. partitioning the database *b. using a lockout procedure c. replicating the database d. implementing concurrency controls
57. Which procedure will prevent two end users from accessing the same data element at the same time? a. data redundancy b. data replication *c. data lockout d. none of the above
58. The advantages of a partitioned database include all of the following except a. user control is enhanced *b. data transmission volume is increased c. response time is improved d. risk of destruction of entire database is reduced
59. A replicated database is appropriate when a. there is minimal data sharing among information processing units *b. there exists a high degree of data sharing and no primary user c. there is no risk of the deadlock phenomenon d. most data sharing consists of read-write transactions
60. What control maintains complete, current, and consistent data at all information processing units? a. deadlock control b. replication control *c. concurrency control d. gateway control
61. Data concurrency a. is a security issue in partitioned databases *b. is implemented using timestamping c. may result in data lockout d. occurs when a deadlock is triggered
62. Entities are *a. nouns that are depicted by rectangles on an entity relationship diagram b. data that describe the characteristics of properties of resources c. associations among elements d. sets of data needed to make a decision
63. A user view a. presents the physical arrangement of records in a database for a particular user b. is the logical abstract structure of the database c. specifies the relationship of data elements in the database *d. defines how a particular user sees the database
64. All of the following are advantages of a partitioned database except a. increased user control by having the data stored locally *b. deadlocks are eliminated c. transaction processing response time is improved d. partitioning can reduce losses in case of disaster
65. Each of the following is a relational algebra function except a. join b. project *c. link d. restrict
66. A table is in first normal form when it is *a. free of repeating group data b. free of transitive dependencies c. free of partial dependencies d. free of update anomalies
67. A table is in second normal form when it is a. free of repeating group data b. free of transitive dependencies *c. free of partial dependencies d. free of insert anomalies
68. A table is in third normal form when it is a. free of repeating group data *b. free of transitive dependencies c. free of partial dependencies d. free of deletion anomalies
69. Use the following words to complete the sentences: database administrator, data dictionary, data redundancy, index sequential access method, query language, schema, sequential structure, subschema.
________ occurs when a specific file is reproduced for each user who needs access to the file. Correct Answer:
Data redundancy
70. Use the following words to complete the sentences: database administrator, data dictionary, data redundancy, index sequential access method, query language, schema, sequential structure, subschema.
The conceptual view of the database is often called ________. Correct Answer:
schema
71. Use the following words to complete the sentences: database administrator, data dictionary, data redundancy, index sequential access method, query language, schema, sequential structure, subschema.
The ________ allows users to retrieve and modify data easily. Correct Answer:
query language
72. Use the following words to complete the sentences: database administrator, data dictionary, data redundancy, index sequential access method, query language, schema, sequential structure, subschema.
The ________ authorizes access to the database. Correct Answer:
database administrator
73. Use the following words to complete the sentences: database administrator, data dictionary, data redundancy, index sequential access method, query language, schema, sequential structure, subschema.
The ________ describes every data element in the database. Correct Answer:
data dictionary
74. What are the three data management problems caused by data redundancy? Correct Answer:
data storage, data updating, and currency of information
75. What is the relationship between a database table and a user view? Correct Answer:
User views are derived database tables. A single table may contribute data to several different views. On the other hand, simple views may be constructed from a single table.
76. How does the database approach solve the problem of data redundancy? Correct Answer:
Data redundancy is not a problem with the database approach because individual data elements need to be stored only once yet be available to multiple users.
77. Explain how linkages between relational tables are accomplished. Correct Answer:
Logically related tables need to be physically connected to achieve the associations described in the data model. This is accomplished by using foreign keys. The degree of cardinality between the related tables determines the method used for assigning foreign keys. Where a 1:M (or 1:0,M) association exists, the primary key of the 1 side is embedded in the table of the M side.
To represent the M:M association between tables, a link table needs to be created that has a combined (composite) key consisting of the primary keys of two related tables.
78. Explain the basic results that come from the restrict, project, and join functions. Correct Answer:
A restrict extracts selected rows from a table (records that satisfy prescribed conditions) to create a new table. A project extracts selected attributes (columns) from a table to create a new table. A join builds a new table from two existing tables by matching rows on a value of a common attribute.
79. Explain the purpose of an ER diagram in database design. Correct Answer:
The entity relationship (ER) diagram is the graphical representation technique used to depict a data model. Each entity in an ER diagram is named in the singular noun form such as Customer rather than Customers. The labeled line connecting two entities describes the nature of the association between them. This association is represented with a verb such as shipped, requests, or receives. The ER diagram also represents cardinality (the degree of association between two entities). Four basic forms of cardinality are possible: zero or one (0,1), one and only one (1,1), zero or many (0,M), and one or many (1,M). These are combined to represent logical associations between entities such as 1:1, 1:0,M, and M:M.
80. What are two types of distributed databases? Correct Answer:
Partitioned and replicated databases.
81. Describe an environment in which a firm should use a partitioned database. Correct Answer:
A partitioned database approach works best in organizations that require minimal data sharing among its information processing units and when a primary user of the data can be identified.
82. Explain how to link tables in (1:1) association. Why may this be different in a (1:0,1) association? Correct Answer:
Where a true 1:1 association exists between tables, either (or both) primary keys may be embedded as foreign keys in the related table. On the other hand, when the lower cardinality value is zero (1:0,1) a more efficient table structure can be achieved by placing the one-side (1:) table’s primary key in the zero-or-one (:0,1) table as a foreign key. Assume that a company has 1000 employees but only 100 of them are sales staff. Assume also that each salesperson is assigned a company car. Therefore, every occurrence in the Employee entity is associated with either zero or one occurrence in the Company Car entity. If we assigned the Company Car (:0,1) side primary key to the Employee (:1) table as a foreign key, then most of the foreign keys will have null (blank) values. While this approach would work, it could cause some technical problems during table searches. Correctly applying the key-assignment rule solves this problem because all Company Car records will have an employee assigned and no null values will occur.
83. Why are the hierarchical and network models called navigational databases? Correct Answer:
These are called navigational models because traversing or searching them requires following a predefined path which is established through explicit linkages between related records.
84. What is view integration? Correct Answer:
A modern company uses hundreds or thousands of views and associated tables. Combining the data needs of all users into a single schema or enterprise-wide view is called view integration.
85. What is a database lockout? Correct Answer:
To achieve data currency, simultaneous access to individual data elements by multiple sites needs to be prevented. The solution to this problem is to use a database lockout, which is a software control that prevents multiple simultaneous accesses to data.
86. What is the partitioned database approach and what are its advantages? Correct Answer:
The partitioned database approach splits the central database into segments or partitions that are distributed to their primary users. The advantages of this approach are: Storing data at local sites increases users’ control. Permitting local access to data and reducing the volume of data that must be transmitted between sites improves transaction processing response time. Partitioned databases can reduce the potential for disaster. By having data located at several sites, the loss of a single site cannot terminate all data processing by the organization.
87. What is a replicated database and what are the advantages of this approach? Correct Answer:
The entire database is replicated at each distributed site. Replicated databases are effective in companies where there exists a high degree of data sharing but no primary user. Since common data are replicated at each site, the data traffic between sites is reduced considerably.
88. What is repeating group data? Correct Answer:
Repeating group data is the existence of multiple values for a particular attribute in a specific record.
89. What is a partial dependency? Correct Answer:
A partial dependency occurs when one or more nonkey attributes are dependent on (defined by) only part of the primary key, rather than the whole key. This can occur only in tables that have composite (two or more attribute) primary keys.
90. What is a transitive dependency? Correct Answer:
A transitive dependency occurs in a table where nonkey attributes are dependent on another nonkey attribute and independent of the table’s primary key.
91. What is the update anomaly? Correct Answer:
The update anomaly results from data redundancy in an unnormalized table. The data attributes pertaining to a particular entity (for example Vendor Name, Address, and Tele Num) are repeated in every record pertaining to the vendor. Any change in the supplier’s name, address, or telephone number must then be made to each of these records. This causes an update problem that results in excessive overhead costs.
92. What is the insertion anomaly? Correct Answer:
When a table is unnormalized, certain types of new records cannot be added to it.
93. When is a table in third normal form (3NF)? Correct Answer:
A table is in third normal form when it meets the two conditions below:
1. All nonkey (data) attributes in the table are dependent on (defined by) the primary key.
2. All nonkey attributes are independent of the other nonkey attributes.
94. What is the normal cardinality between a Customer entity and a Sales order entity? What does it signify? Why is it the only logical cardinality? Correct Answer:
The normal cardinality is 1:M which signifies that one customer may place many orders during a sales period. The cardinality would never be 1:1 because that would mean that each customer was restricted to a single sale.
95. Explain the three types of anomalies associated with database tables that have not been normalized. Correct Answer:
The update anomaly is the result of data redundancy. If a data element is stored in more than one place, it must be updated in all places. If this does not happen, the data are inconsistent. The insertion anomaly occurs when data is stored together, such as when vendor information is only stored with specific inventory items. Until items are purchased from a given vendor, the vendor cannot be added to the database.
The deletion anomaly involves the unintentional deletion of data from a table. If a vendor supplies only one item, and the firm discontinues that item, all information on the vendor is lost when vendor information is only stored with specific inventory items.
96. What are the four elements of the database approach? Explain the role of each. Correct Answer:
Users are the individuals in the organization who access the data in the database. This may happen via user programs or by direct query. The database management system is a set of programs that control access to the database and that manage the data resource through program development, backup and recovery functions, usage reporting, and access authorization.
The database administrator is a function (which may involve part of one individual’s duties or an entire department) which manages the database resources through database planning, design, implementation, operation and maintenance, and growth and change.
The physical database is the lowest level of the database and consists of magnetic spots on magnetic media. The other levels of the database are abstract representations of the physical level. At the physical level, the database is a collection of records and files.
97. Explain the three views of a database. Correct Answer:
The unique internal view of the database is the physical arrangement of records which describes the structure of data records, the linkages between files, and the physical arrangement and sequence of records in the file. The unique conceptual view (or schema) represents the database logically and abstractly. This view allows users’ programs to call for data without knowing or needing to specify how the data are arranged or where the data reside in the physical database.
The many user views (or subschema) define the portion of a database that an individual user is authorized to access. To the user, the user view is the database.
98. Explain a database lockout and the deadlock phenomenon. Contrast that to concurrency control and the timestamping technique. Describe the importance of these items in relation to database integrity. Correct Answer:
In a centralized database, a database lockout is used to ensure data currency. It is a software control that prevents multiple simultaneous access to data. Upon receiving a data access request, the central site DBMS places a lock on the requested data to prevent additional access until the lock is removed. In a distributed environment it is possible that multiple sites will lock each other out, preventing each from processing its transactions. This results in a deadlock because there is mutual exclusion to data and the transactions are in a wait state until the locks are removed. A deadlock is a permanent condition that must be resolved by special software that analyzes each deadlock to determine the best solution.
In a replicated database, a large volume of data flows between sites, and temporary inconsistencies in the database may occur. Database concurrency is the presence of complete and accurate data at all remote sites. A commonly used method for concurrency control is to serialize and timestamp transactions that are in conflict.
Both database lockouts and concurrency controls are designed to ensure that the transactions are completely processed and that all transactions are accurately reflected in the firm’s databases. Failure to implement these controls can result in transactions being lost, being partially processed, or inconsistent databases.
99. How is a database deadlock usually resolved? What are factors that influence the decision made regarding the transactions? Correct Answer:
Resolving a deadlock usually involves sacrificing one or more transactions which must be terminated to complete the processing of other transactions in the deadlock. Preempted transactions must be reinitiated. Some of the factors to consider in the transaction decision are: (1) the resources currently invested in the transaction, (2) the transaction’s stage of completion, and (3) the number of deadlocks associated with the transaction. 100. In a distributed data processing system, a database can be centralized or distributed. Explain each. Correct Answer:
When the database is centralized, the entire database is stored at a central site which processes requests from users at remote locations. The central site performs the functions of a file manager that services the data needs of the remote users. Distributed databases can be partitioned or replicated. The partitioned approach splits the central database into segments or partitions that are distributed to their primary users. When the database is partitioned, users have more control over data stored at local sites, transaction processing time is improved, and the potential of data loss is reduced. When the database is replicated, the entire database is stored at multiple locations. Replicated databases are effective where there is a high degree of data sharing but no primary user. Data traffic between sites is reduced considerably. The primary justification for a replicated database is to support read-only queries.
101. What are the four characteristics of a properly designed database table? Correct Answer:
1. The value of at least one attribute in each tuple (row) must be unique. This is the primary key.
2. All attribute values in any column must be of the same class.
3. Each column in a given table must be uniquely named. Different tables may contain columns with the same name.
4. Tables must conform to the rules of normalization; they should be free from structural dependencies, partial dependencies and transitive dependencies.
102. What are the problems with the flat-file approach? How does the database approach solve them? Correct Answer:
Data redundancy causes significant data management problems in three areas: data storage, data updating, and currency of information. Data storage is a problem because if multiple users need the data, it must be collected and stored multiple times at multiple costs. When multiple users hold the same information, changes must be updated in all locations or data inconsistency results. Failure to update all occurrences of a data item can affect the currency of the information. If update messages are not properly disseminated, some users may not record the change and will perform their duties and make decisions based on outdated data. Another problem is task-data dependency, which is the user’s inability to obtain additional information as needs change.
With a database system, these problems are solved. There is no data redundancy since a data item is stored only once. Hence changes require only a single update, thus leading to current value. A common database is shared by all users, eliminating the problem of task-data dependency.
103. What typical features are provided by a database management system (DBMS)? Correct Answer:
1. Program development which permits both programmers and end users to create applications to access the database. 2. Backup and recovery is built in, reducing the likelihood of total data destruction. 3. Database usage reporting captures statistics on what data is being used, when, and by whom. The database administrator uses this information to assign user authorization and maintain the database. 4. Database access to authorized users is the most important feature of a DBMS.
104. Define repeating groups, partial dependencies and transitive dependencies and discuss how they are dealt with in the process of normalizing tables. Correct Answer:
Repeating group data occurs when multiple values for a particular attribute exist in a specific tuple (row). To avoid data redundancy, repeating group data needs to be removed from the table and placed in a separate table. A partial dependency occurs when one or more nonkey attributes are dependent on (defined by) only part of the primary key rather than the whole key. This can only occur in tables that have composite (two or more attributes) primary keys. This is resolved by splitting the table in two.
A transitive dependency occurs in a table where nonkey attributes are dependent on another nonkey attribute and independent of the table’s primary key. This is resolved by splitting out the independent data and placing it in a new table.
105. List the steps involved in creating a relational database using a top-down approach. Correct Answer:
1. Identify the views to be modeled. 2. Normalize the data model and add primary keys. 3. Determine cardinalities and add foreign keys. 4. Construct the physical database. 5. Prepare the physical user views.
106. Discuss the accountant’s role in data modeling and potential problems caused by anomalies. Correct Answer:
Most accountants will not be directly responsible for normalizing an organization’s databases, but they should have an understanding of the process and be able to determine whether financial data are properly normalized to avoid anomalies. The conduct of many financial audit procedures involves accessing data stored in normalized tables. An organization’s financial database may consist of thousands of normalized tables; navigating the network requires an understanding of data structures. The update anomaly can generate conflicting and/or obsolete database values in accounts, the insertion anomaly can result in unrecorded transactions and incomplete audit trails, and the deletion anomaly can cause the loss of accounting records and destruction of audit trails.
107. APPENDIX QUESTION Discuss the hierarchical database model. What limitation(s) of the hierarchical database model are solved by the network database model?
Correct Answer:
The earliest DBMS were based on the hierarchical data model. This was a popular approach to data representation because it reflected many aspects of an organization that are hierarchical in relationship. It was an efficient data processing tool for highly structured problems. The hierarchical model is constructed of sets of files. Each set contains a parent and a child. Files at the same level with the same parent are called siblings. The hierarchical data model is a navigational database because traversing it requires following a predefined path, established through pointers.
A parent record may have one or more child records, but no child record can have more than one parent which is restrictive and limits the usefulness of the model. Many firms need a view that permits multiple parents. That limitation is solved by the network database model which allows a child record to have multiple parents.
Chapter 10
1. According to the REA philosophy, information systems should support only the needs of accounting professionals. a. True *b. False
2. Many believe that the accounting profession should shift away from financial statement reporting and toward providing information that assists decision-making. *a. True b. False
3. Modern managers need both financial and nonfinancial information that traditional GAAP-based accounting systems are incapable of providing. *a. True b. False
4. The REA model is an alternative accounting framework for modeling an organization’s critical resources, events, and accounts. a. True *b. False
5. In REA, resources are assets that include accounts receivable. a. True *b. False
6. REA modeling embraces two classes of events: economic events and support events. *a. True b. False
7. At least two REA agents participate in each economic event. *a. True b. False
8. The events depicted on an REA diagram are transformed into computer processes while the resources and agents become relational database tables. a. True *b. False
9. Under the REA approach, support events may directly effect a change in resources. a. True *b. False
10. An example of an economic event is checking customer credit prior to processing a sale. a. True *b. False
11. The duality association in an REA diagram signifies that each economic transaction involves two agents. a. True *b. False
12. A difference between ER and REA diagrams is that ER diagrams present a static picture of the underlying business phenomena. *a. True b. False
13. ER diagrams always label entity names in the singular noun form. *a. True b. False
14. When modeling M:M associations, it is conventional to include link tables in the REA diagram so that the model reflects closely the actual database. a. True *b. False
15. Where a 1:M association exists between tables, the primary key of the 1 side is embedded in the table of the M side. *a. True b. False
16. The REA approach generates an information system based on a single holistic user view. a. True *b. False
17. Four basic forms of cardinality are possible: zero or one (0,1), one and only one (1,1), one or many (1,M), and many and only many (M,M). a. True *b. False
18. When one side of a 1:1 association has a minimum cardinality of zero, the primary key of the table with the 0,1 cardinality should be embedded as a foreign key in the table with the 1,1 cardinality. a. True *b. False
19. Most companies implementing an REA model also maintain a traditional general ledger system for financial reporting. *a. True b. False
20. Modeling economic transactions under the REA approach always includes depicting both internal and external agents. *a. True b. False
21. The letters ‘R,’ ‘E,’ and ‘A’ in the term “REA model” stand for resources, events, and actions. a. True *b. False
22. A semantic data model captures the operational meaning of the user's data and provides a concise description of it. *a. True b. False
23. Support events include control, planning, and management activities that directly effect a change in resources. a. True *b. False
24. REA resources are those things of economic value under the control of the enterprise including physical assets and employees. a. True *b. False
25. Value chain analysis distinguishes between primary activities and support activities. *a. True b. False
26. Which statement is not true? REA resources are: a. assets *b. affected by support events c. scarce d. under the control of agents
27. The concept of duality means that a REA diagram must consist of: a. two events, one of them economic and the other support b. two agents, one of them internal and the other external c. two resources, one increased and the other decreased by the same event *d. none of the above
28. In a REA diagram each economic event is always a. linked to at least two resource entities b. linked to two external agents *c. linked to another economic event d. linked to two internal agents
29. Which of the following are characteristics of internal agents? a. They participate in economic events, but do not assume control of the resources. *b. They are employees of the company whose system is being modeled. c. They participate in economic events, but not in support events. d. All of the above.
30. Which of the following is true? a. REA diagram entities are arranged in constellations by entity class. b. ER diagrams present a static picture of the underlying business phenomena. c. Events entity names in REA diagrams are in the verb form. *d. All of the above are true statements.
31. The ‘R’ in REA stands for a. ratios b. relationships *c. resources d. reserves
32. The ‘E’ in REA stands for *a. events b. estimates c. economics d. entities
33. The ‘A’ in REA stands for a. assets b. apportionment c. allocation *d. agents
34. Which of the following events would be least likely to be modeled in a REA diagram? a. customer inquiries *b. posting accounts payable c. receiving cash d. sales to a customer
35. All of the following are examples of economic events except a. receiving raw materials from a supplier *b. checking a customer’s credit prior to processing a sales order c. disbursing cash for inventories received d. shipping product to a customer
36. REA diagrams include all of the following entities except a. support events b. economic events c. internal agents *d. users
37. Which of the following associations would most likely describe the relationship between an internal agent and an economic event? *a. 1:M b. 1:1 c. 0:M d. none of the above
38. Which of the following statements is correct? a. The REA model requires that phenomena be characterized in a manner consistent with the development of a single user view. b. The REA model requires that phenomena be characterized in a manner consistent with the development of a selected user view. c. The REA model requires that phenomena be characterized in a manner consistent with the development of a unique user view. *d. The REA model requires that phenomena be characterized in a manner consistent with the development of a multiple user view.
39. Which of the following associations requires a separate link table? a. 1:1 b. 1:M *c. M:M d. none of the above
40. Which of the following tables would most likely have a composite key? a. Take Order b. Cash c. Ship Product *d. Inventory Ship Link
41. When developing an REA model: a. accounting artifacts are represented as support events b. the same resource is both increased and decreased by the duality association c. link tables are explicitly depicted *d. events are organized in sequence of occurrence
42. In an REA model, events are described from the perspective of *a. the organization b. the designer c. the user d. the customer
43. Which of the following is not an example of an economic event? a. Ship goods b. Receive goods c. Get employee time *d. Prepare cash disbursements voucher
44. When assigning foreign keys in a 1:M association, a. the primary key of each table should be embedded as a foreign key in the related table b. the primary key on the (0,M) side of the relation should be embedded as the foreign key on the (1,1) side *c. the primary key on the (1,1) side of the relation should be embedded as the foreign key on the (0,M) side d. none of the above is true
45. When assigning foreign keys in a 1:1 association, a. the primary key of each table should be embedded as a foreign key in the related table b. the primary key on the (0,1) side of the relation should be embedded as the foreign key on the (1,1) side *c. the primary key on the (1,1) side of the relation should be embedded as the foreign key on the (0,1) side d. none of the above is true
46. What is a user view? Correct Answer:
A user view is the set of data that a particular user needs to achieve his or her assigned tasks. For example, a production manager’s view may include finished goods inventory, free manufacturing capacity, and vendor performance.
47. What do the letters ‘R,’ ‘E,’ and ‘A’ stand for in the term “REA model”? Correct Answer:
resources, events, and agents
48. What is a semantic data model? Correct Answer:
It is a framework for designing accounting information systems that captures the operational meaning of the user's data and provides a concise description of it.
49. What are support events? Correct Answer:
Support events include control, planning, and management activities that are related to economic events, but do not directly effect a change in resources.
50. Define resources, economic events, and agents. Correct Answer:
Resources are those things of economic value that are both scarce and under the control of the enterprise. Economic events are phenomena that effect changes (increase or decrease) in resources. Agents are individuals and departments that participate in an economic event.
51. Explain the rule for assigning foreign keys in a (1:M) association. Correct Answer:
The primary key of the 1 side table is embedded as a foreign key in the table of the M side.
52. What are the two categories the REA model uses to describe events? Correct Answer:
economic events and support events
53. Define the value chain. Correct Answer:
These are the activities that add value or usefulness to an organization’s products and services.
54. Define duality. Correct Answer:
Each economic event in an exchange is mirrored by an associated economic event in the opposite direction.
55. Describe the rule for assigning foreign keys in a (1:1) association. Correct Answer:
Typically one of the tables in a 1:1 association has a minimum cardinality of zero. When this is the case, the primary key of the table with the (1, 1) cardinality should be embedded as a foreign key in the table with the (0, 1) cardinality.
56. Explain the relationship between cardinality and association. Correct Answer:
The upper cardinalities for each of the two related entities define the overall association between them. For example, if the cardinality at one end of the association line is (0, 1) and at the other end it is (1, M) then the association between them is one-to-many (1:M).
57. Explain how events, resources and agents are linked in a REA diagram. Correct Answer:
Each event must be linked to at least one resource and at least two agents: One of the agents is internal to the organization and the other is usually external. In some types of transactions, however, the second agent may also be internal.
58. What are the minimum number and type of event entities that an REA diagram must include? Correct Answer:
An REA model must, as a minimum, include the two economic events that constitute the give and receive activities that reduce and increase economic resources in the exchange. In addition, it may include support events, which do not change resources directly.
59. Why would a company adopt the REA approach to database design? Correct Answer:
The REA approach leads to the development of a database which collects data needed to support the information needs of all users, not just the financial information traditionally collected by accounting systems.
60. Define view integration. Correct Answer:
It is the process of combining multiple individual REA diagrams into an integrated global or enterprise model.
61. Define cardinality. Correct Answer:
Cardinality describes the number of possible occurrences in one entity that are associated with a single occurrence in a related entity.
62. Define association. Correct Answer:
Association is the nature of the relationship between two entities and is represented by the labeled line connecting them.
63. Why are journals and ledgers not modeled in an REA diagram? Correct Answer:
Accounting activities such as recording a sale in the journal and setting up an account receivable are not value chain activities and need not be modeled. Capturing transaction data in sufficient detail adequately serves traditional accounting requirements.
64. What are the four basic forms of cardinality? Correct Answer:
The four basic forms of cardinality are: zero or one (0,1), one and only one (1,1), zero or many (0,M), and one or many (1,M).
65. How are tables in a (M:M) association physically linked? Correct Answer:
Tables in an M:M association cannot accept an embedded foreign key from the related table. Instead, a separate link table must be created to contain the foreign keys.
66. List and explain the steps involved in preparing an REA model of a business process. Correct Answer:
The preparation of an REA model of a business process can be described in four steps: 1. Identify the events that are to be included in the model. These are the economic events and support events that add value and achieve the strategic objectives of the organization. Organize the events in order of occurrence. Event entities are described in verb form. 2. Identify the resources affected in each event. 3. Identify the agents involved in each event. 4. Assign the cardinalities to the resources/events/agents entity relationships.
67. What is the REA model? What does it mean for accountants? Correct Answer:
The REA model is an alternative accounting framework for modeling an organization’s critical resources, events, and agents, and the relationships between them. Both accounting and non-accounting data can be identified, captured, and stored in a centralized database which can provide information to all users in the organization.
68. How does the REA approach improve efficiency? Correct Answer:
The REA approach can help improve operating efficiency in several ways. It can help managers identify nonvalue-added activities for elimination, as well as reduce the need for multiple data collection, storage, and maintenance by combining both financial and nonfinancial data in a common database. Structuring data in this way permits a wider support of management decision-making.
69. How do the entity relationship (ER) and the REA diagrams differ? Correct Answer:
ER and REA diagrams differ visually in a significant way. Entities in ER diagrams are of one class and their proximity to other entities is determined by their cardinality and by what is visually pleasing to keep the diagrams readable. Entities on an REA diagram, however, are divided into three classes (Resources, Events, and Agents) and organized into constellations by class on the diagram. A second difference between ER and REA diagrams involves the sequencing of events. ER diagrams present a static picture of the underlying business phenomena. REA diagrams, however, are typically organized from top to bottom within the constellations to focus on the sequence of events. The third difference between ER and REA diagrams pertains to naming conventions for entities. In ER diagrams, entity names are always represented in the singular noun form. REA modeling applies this rule when assigning names to resource and agent entities. Event entities, however, are given verb (action) names such as Sell Inventory, Take Order, or Receive Cash.
70. Since REA databases do not employ journals and ledgers, how can they support financial statement reporting? Correct Answer:
Journals, ledgers, and double-entry bookkeeping are the traditional mechanisms for formatting and transmitting accounting data, but they are not essential elements of an accounting database. REA systems capture the essence of what accountants account for by modeling the underlying economic phenomena directly from the transaction data. Organizations employing REA can thus produce financial statements, journals, and ledgers.
71. Explain how Take Order can be either an economic or a support event. Correct Answer:
Taking an order typically involves only a commitment for the seller to sell goods to the customer. It may involve adjusting inventory available for sale to prevent it from being sold to another customer. The commitment is not an economic exchange because the customer may cancel the order before shipment. However, if Take Order results in resources being obtained or manufacturing to occur, then an economic event will have occurred.
72. Describe the two economic events that occur for payroll procedures. Correct Answer:
The Get Time event captures the daily time-giving instances of employees through a time-keeping mechanism, such as an electronic time clock. For salaried employees, the time-capturing process may simply involve the passage of time. The Disburse Cash event is the give half of the economic exchange and involves distributing cash to an employee (the external agent) for services rendered. The payroll clerk (internal agent) participates in this event, which reduces the cash resource.
73. Explain the difference between producing financial statements in a traditional system and in a REA model. Correct Answer:
In a traditional system, financial statements are usually prepared from general ledger accounts, whose values are derived from journal voucher postings. With REA, traditional accounting mechanisms are reproduced from the event tables. Accounting figures extracted from REA tables can be used to prepare income statements, balance sheets, and even journal entries.
74. Discuss why adherence by the accounting profession to a single, GAAP-based view is inappropriate. Correct Answer:
Modern managers need both financial and non-financial information in formats and at levels of aggregation that the traditional GAAP-based accounting systems architecture is generally incapable of providing. Information customers have shown quite clearly that they are willing to obtain the information they require elsewhere. The result has been a growing perception that accounting information is not as useful as it once was.
75. Discuss how adopting a value chain perspective reveals advantages of adopting an REA approach to information system development. Correct Answer:
Decision makers need to look at far more than the internal operations and functions of the organization. Value chain analysis distinguishes between primary activities—those that create value—and support activities—those that assist achievement of the primary activities. Through applying the analysis, an organization is able to look beyond itself and maximize its ability to create value by, for example, incorporating the needs of its customers within its products, or the flexibility of its suppliers in scheduling its production. It would be impossible to incorporate much of the value chain activities within a traditional information system. Those organizations that have applied value chain analysis have generally done so outside the accounting information system, providing such information separately to the decision makers. Frequently, this would involve the establishment of other distinct information systems, such as marketing information systems, with all the resulting problems inherent in operating multiple information systems, including data duplication, data redundancy, and data inconsistency. It is fairly obvious that the adoption of a single information system framework that encompassed all this information, such as one based upon the REA approach, would be preferable.
76. Discuss the concept of duality as it relates to modeling an economic transaction. Correct Answer:
The rationale behind an economic transaction is that two agents each give the other a resource in exchange for another resource. In actuality, the exchange is a pair of economic events, which is expressed via the duality association in an REA diagram. Each economic event is mirrored by an associated economic event in the opposite direction. These dual events are the give event and receive event. From the perspective of the organization function being modeled, the give half of the exchange decreases the economic resource, as represented by the outflow association. The receive half of the exchange increases the economic resources, represented by an inflow association. Note that an economic exchange does not require duality events to occur simultaneously. For example, inventory is reduced immediately by the sale to a customer, but cash may not be increased by the customer's remittance for several weeks.
Chapter 11
1. The primary goal of installing an ERP system is reducing system maintenance costs. a. True *b. False
2. The recommended data architecture for an ERP includes separate operational and data warehouse databases. *a. True b. False
3. A closed database architecture shares data easily. a. True *b. False
4. ERP systems support a smooth and seamless flow of information across organizations. *a. True b. False
5. OLAP stands for online application processing. a. True *b. False
6. The primary goal of installing an ERP system is achieving business process reengineering to improve customer service, reduce production time, increase productivity, and improve decision-making. *a. True b. False
7. Day-to-day transactions are stored in the operational database. *a. True b. False
8. Data mining typically focuses on the operational databases. a. True *b. False
9. Companies typically modify an ERP to accommodate the existing business processes. a. True *b. False
10. If a chosen ERP cannot handle a specific company process bolt-on software may be available. *a. True b. False
11. Core applications are also called OLAP. a. True *b. False
12. The client/server model is a form of network topology in which user computers, called clients, access ERP programs and data via a host computer called a server. *a. True b. False
13. A data warehouse is a relational or multi-dimensional database that may require hundreds of gigabytes of storage. *a. True b. False
14. Drill-down capability is an OLAP feature of data mining tools. *a. True b. False
15. Supply-chain management software is a type of program that supports efforts related to moving goods from the raw material stage to the customer. *a. True b. False
16. In two-tier architecture, the database and application functions are separated. a. True *b. False
17. Slicing and dicing permits the disaggregation of data to reveal underlying details. a. True *b. False
18. Data entered into the data warehouse must be normalized. a. True *b. False
19. OLAP includes decision support, modeling, information retrieval, and what-if analysis. *a. True b. False
20. Efficient supply-chain management provides firms with a competitive advantage. *a. True b. False
21. The big-bang approach involves converting from old legacy systems to the new ERP in one implementation step. *a. True b. False
22. A two-tier architecture approach is used primarily for wide area network (WAN) applications. a. True *b. False
23. Data cleansing is a step performed by external auditors to identify and repair invalid data prior to the audit. a. True *b. False
24. Organizations using ERP systems employ an internal control tool called a role. *a. True b. False
25. In spite of the high technology employed in ERP systems, critical business controls such as a three-way match are always performed manually. a. True *b. False
26. The role model assigns specific access privileges directly to individuals. a. True *b. False
27. An access control list specifies the user-ID, the resources available to the user, and the level of permission granted. *a. True b. False
28. RBAC assigns access permissions to the role an individual plays in the organization rather than directly to the individual. *a. True b. False
29. A problem with RBAC is that managers tend to create unnecessary roles. *a. True b. False
30. The implementation of an ERP creates an environment with a single point of failure, which places the organization at risk. *a. True b. False
31. Goals of ERP include all of the following except a. improved customer service *b. improvements of legacy systems c. reduced production time d. increased production
32. Core applications are a. sales and distribution b. business planning c. shop floor control and logistics *d. all of the above
33. Data warehousing processes do not include a. modeling data *b. condensing data c. extracting data d. transforming data
34. Which of the following is usually not part of an ERP’s core applications? a. OLTP applications b. sales and distribution applications c. business planning applications *d. OLAP applications
35. Which of the following is usually not part of an ERP’s OLAP applications? *a. logistics b. decision support systems c. ad hoc analysis d. what-if analysis
36. Which of the following statements is least likely to be true about a data warehouse? a. It is constructed for quick searching and ad hoc queries. *b. It was an original part of all ERP systems. c. It contains data that are normally extracted periodically from the operating databases. d. It may be deployed by organizations that have not implemented an ERP.
37. Which of the following statements is not true? a. In a typical two-tier client server system, the server handles both application and database duties. b. Client computers are responsible for presenting data to the user and passing user input back to the server. *c. In three-tier client server architecture, one tier is for user presentations, one is for database and applications, and the third is for Internet access. d. The database and application functions are separate in the three-tier model.
38. Which statement about data warehousing is not correct? a. The data warehouse should be separate from the operational system. b. Data cleansing is a process of transforming data into standard form. c. Drill-down is a data-mining tool available to users of OLAP. *d. Normalization is a requirement of databases included in a data warehouse.
39. Which statement about ERP installation is least accurate? a. For the ERP to be successful, process reengineering must occur. b. ERP fails because some important business process is not supported. *c. When a business is diversified, little is gained from ERP installation. d. The phased-in approach is more suited to diversified businesses.
40. Which statement is true? a. ERPs are infinitely scalable. b. Performance problems usually stem from technical problems, not business process reengineering. c. The higher-end ERP can handle any problems an organization can have. *d. ERP systems can be modified using bolt-on software.
41. The big bang method a. is more ambitious than the phased-in method b. has been associated with many failures *c. both a. and b. d. neither a. nor b.
42. Legacy systems are a. old manual systems that are still in place *b. flat file mainframe systems developed before client-server computing became standard c. stable database systems after debugging d. advanced systems without a data warehouse
43. A data mart is a. another name for a data warehouse b. a database that provides data to an organization’s customers c. an enterprise resource planning system *d. a data warehouse created for a single function or department
44. Most ERPs are based on which network model? a. peer to peer *b. client-server c. ring topology d. bus topology
45. Online transaction processing programs a. are bolt-on programs used with commercially available ERPs b. are available in two models—two-tier and three-tier *c. handle large numbers of relatively simple transactions d. allow users to analyze complex data relationships
46. Supply chain management software a. is typically under the control of external partners in the chain *b. links all of the partners in the chain, including vendors, carriers, third-party firms, and information systems providers c. cannot be integrated into an overall ERP d. none of the above
47. The setup of a data warehouse includes a. modeling the data b. extracting data from operational databases c. cleansing the data *d. all of the above
48. Extracting data for a data warehouse a. cannot be done from flat files b. should only involve active files *c. requires that the files be out of service d. all of the above
49. Data cleansing involves all of the following except a. filtering out or repairing invalid data *b. summarizing data for ease of extraction c. transforming data into standard business terms d. formatting data from legacy systems
50. Which of the following is not a risk associated with ERP implementation? a. opposition to changes in the business culture b. choosing the wrong ERP c. choosing the wrong consultant *d. All of these are risks associated with ERP implementations.
51. Closed database architecture is a. a control technique intended to prevent unauthorized access from trading partners *b. a limitation inherent in traditional information systems that prevents data sharing c. a data warehouse control that prevents unclean data from entering the warehouse d. a database structure that many of the leading ERPs use to support OLTP applications
52. Which of the following is not a risk associated with ERP implementation? a. A drop in firm performance after implementation because the firm looks and works differently than it did while using a legacy system. b. Implementing companies have found that staff members, employed by ERP consulting firms, do not have sufficient experience in implementing new systems. c. The selected system does not adequately meet the adopting firm’s economic growth. *d. ERPs are too large, complex, and generic for them to be well integrated into most company cultures.
53. Which statement is least accurate? a. Implementing an ERP system has as much to do with changing the way an organization does business as it does with technology. b. The big bang approach to ERP implementation is generally riskier than the phased-in approach. c. To take full advantage of the ERP process, reengineering will need to occur. *d. A common reason for ERP failure is that the ERP does not support one or more important business processes of the organization.
54. Which of the following is a reason that data warehouses are created and maintained separately from operational databases? a. The data is used in different ways that require it to be physically separate. b. No ERP system incorporates data warehousing capability. c. Audit controls require that data for management analysis be kept separate from transaction data. *d. A separate centralized data warehouse is an effective means of collecting data from diverse sources.
55. The big bang approach *a. is more ambitious and risky than the phased-in approach b. is a popular alternative to the phased-in approach c. reduces the chance of system failure d. all of the above
56. Auditors of ERP systems a. need not be concerned about segregation of duties because these systems possess strong computer controls b. focus on output controls such as independent verification to reconcile batch totals *c. are concerned that managers fail to exercise adequate care in assigning permissions d. need not review access levels granted to users because these are determined when the system is configured and never change
57. Define ERP. Correct Answer:
Enterprise resource planning systems are multiple module systems designed to integrate the key processes in an organization—order entry, manufacturing, procurement, human resources, etc.
58. Define the term core applications and give some examples. Correct Answer:
Core applications are those applications that support the day-to-day activities of the business, e.g., sales, distribution, shop floor control, logistics.
59. Define OLAP and give some examples. Correct Answer:
Online analytical processing (OLAP) includes decision support, modeling, information retrieval, ad hoc reporting and analysis, and what-if analysis, e.g., determining sales within each region, determining relationship of sales to certain promotions.
60. What is bolt-on software? Correct Answer:
Bolt-on software is software produced by third-party vendors which can be added onto an ERP to provide functions not built into the ERP.
61. What is SCM software? Correct Answer:
Supply-chain management software is designed to manage the activities that get the product to the customer. This software typically handles procurement, production scheduling, order processing, inventory management, etc.
62. What is a data warehouse? Correct Answer:
A data warehouse is a database constructed for quick searching, retrieval, ad hoc queries, and ease of use. A data warehouse is composed of both detail and summary data which are normally extracted periodically from an operational database or from a public information service. A data warehouse is an effective means of collecting, standardizing, and assimilating data from diverse sources, and may consume hundreds of gigabytes or even terabytes of disk storage. Most organizations implement a data warehouse as part of a strategic IT initiative that involves an ERP system. The creation of a data warehouse separate from operational systems is a fundamental data warehousing concept.
63. What is the big bang approach? Correct Answer:
The big bang approach to conversion to an ERP is the approach which converts from old legacy systems to the new in one step that implements the ERP across the entire company.
64. Describe the two-tier client server model. Correct Answer:
In a two-tier architecture, the server handles both application and database duties. Some ERP vendors use this approach for local area network (LAN) applications. Client computers are responsible for presenting data to the user and passing user input back to the server.
65. What is the client-server model? Correct Answer:
The client-server model is a form of network topology in which the user’s computer or terminal (the client) accesses the ERP’s programs and data via a host computer called the server. While the servers may be centralized, the clients are usually located at multiple locations throughout the enterprise.
66. What is scalability? Correct Answer:
System scalability refers to the ability of a system to grow as the organization itself grows. This can involve four factors: size, speed, workload, and transaction cost.
67. What is data mining? Correct Answer:
Data mining is the process of selecting, exploring, and modeling large amounts of data to uncover unknown relationships and patterns.
68. Why do ERP systems need bolt-on software? Give an example. Correct Answer:
Depending on the unique characteristics of a company, an ERP may not be designed to drive all processes needed, e.g., supply chain management software is a common bolt-on.
69. How can a firm acquire bolt-on software? What are the options? Correct Answer:
When a firm needs additional functions not provided by the ERP, bolt-on applications may be available. These can often be obtained from third-party vendors with which the ERP provider has a partnership arrangement. The riskier alternative is to seek an independent source.
70. What is data cleansing? Correct Answer:
Data cleansing involves filtering out or repairing invalid data prior to its being stored in the data warehouse. It also involves standardizing the format.
71. What are the basic stages of the data warehousing process? Correct Answer:
modeling data for the data warehouse, extracting data from the operational databases, cleansing the extracted data, transforming data into the warehouse model, and loading the data into the data warehouse database
72. Describe the three-tier client server model. Correct Answer:
The database and application functions are separated in the three-tier model. This architecture is typical of large production ERP systems that use wide area networks (WANs) for connectivity. Satisfying a client request requires two or more network connections. Initially, the client establishes communications with the application server. The application server then initiates a second connection to the database server.
73. Why must a data warehouse include both detail and summary data? Correct Answer:
Many decision makers need similar information and need it regularly. Prepared summary data and standard reports can take the pressure off the data warehouse and speed up the provision of regularly needed information.
74. What are the three key internal control concerns for managers and auditors regarding ERP roles? Correct Answer:
1. The creation of unnecessary roles 2. The rule of least access should apply to permission assignments 3. Monitor role creation and permission-granting activities
75. What is the closed database architecture? Correct Answer:
The closed database architecture is similar in concept to the basic flat-file model. Under this approach a database management system is used to provide minimal technological advantage over flat-file systems. The DBMS is little more than a private but powerful file system. Each function has a private database.
76. What is meant by the OLAP term: consolidation? Correct Answer:
Consolidation is the aggregation or roll-up of data. For example, sales offices data can be rolled up to districts and districts rolled up to regions.
77. What is meant by the OLAP term: drill-down? Correct Answer:
Drill-down permits the disaggregation of data to reveal the underlying details that explain certain phenomena. For example, the user can drill down from total sales returns for a period to identify the actual products returned and the reasons for their return.
78. What is meant by the OLAP term: slicing and dicing? Correct Answer:
Slicing and dicing enables the user to examine data from different viewpoints. One slice of data might show sales within each region. Another slice might present sales by product across regions. Slicing and dicing is often performed along a time axis to depict trends and patterns.
79. What should management do to assess the potential benefits from implementing an ERP? Correct Answer:
To assess benefits, management first needs to know what they want and need from the ERP. They should establish key performance measures such as reductions in inventory levels, inventory turnover, stockouts, and average order fulfillment time that reflect their expectations. To monitor performance in such key areas, they should establish an independent value assessment group that reports to top management.
80. Internal efficiency is cited as one reason for separating the data warehouse from the operational database. Explain. Correct Answer:
The structural and operational requirements of transaction processing and data mining systems are fundamentally different, making it impractical to keep both operational (current) and archive data in the same database. Transaction processing systems need a data structure that supports performance, whereas data mining systems need data organized in a manner that permits broad examination and the detection of underlying trends. 81. Why are data in a data warehouse stored in unnormalized tables? Correct Answer:
Normalizing data in an operational database is necessary to reflect accurately the dynamic interactions among entities. While a fully normalized database provides the
flexible model needed for supporting multiple users in operations environment, it also adds to complexity that translates into performance inefficiency. Because of the vast size of a data warehouse, such inefficiency can be devastating. A three-way join between tables in a large data warehouse may take an unacceptably long time to complete and may be unnecessary. In the data warehouse model, the relationship among attributes does not change. Because historical data are static in nature, nothing is gained by constructing normalized tables with dynamic links. 82. What is the purpose of role-based governance software? Correct Answer:
It monitors role creation and permission granting to ensure compliance with internal control objectives. It verifies role compliance across all applications and users in an ERP environment. 83. What is a role? Correct Answer:
A role is the task an individual plays within the organization and is associated with specific access privileges. 84. What is an access control list? Correct Answer:
It is a technique for assigning specific access permissions directly to the individual user. 85. How is the access control list approach different from RBAC? Correct Answer:
The access control list approach assigns access directly to the individual. RBAC assigns permissions to a role and the individual is assigned to the role. It is a way of dealing efficiently with the many-to-many relationship between individuals and permissions. 86. Briefly explain the two general approaches to contingency planning for ERPs. Correct Answer:
Centralized organizations may employ two linked servers in redundant backup mode. All production processing is done on one server. If it fails, processing is automatically transferred to the other server. Companies whose organizational units are autonomous often choose to install regional servers. This approach permits independent processing and spreads the risk associated with server failure.
87. How are OLTP and OLAP different? Give examples of their use. Correct Answer:
Online transaction processing (OLTP) involves large numbers of relatively simple day-to-day transactions. For example, this may involve order entry which collects data on customers and detail of sales. Online analytical processing (OLAP) involves large amounts of data used to analyze relationships, involving aggregate data that can be analyzed, compared, and dissected.
88. Why does the data warehouse need to be separate from the operational databases? Correct Answer:
The conclusion that a data warehouse must be maintained separately from the operational database reflects several issues. The transaction processing system needs a data structure that supports performance. A normalized database aids users but adds complexity that can yield performance inefficiency. Data mining systems need an organization that permits broad queries. The data warehouse permits the integration of data still maintained in legacy systems. And the complexities of modern business can benefit from the ability to analyze data extensively in ways not permitted in traditional databases. 89. If an auditor suspected an unusual relationship between a purchasing agent and certain suppliers, how could drill-down be used to collect data? Correct Answer:
Drill-down capability permits a user to repeatedly extract detailed data at increasing levels of detail. An auditor would be able to examine purchasing transactions to determine any pattern of purchases with the supplier in question that were approved by the purchasing agent and tie such transactions to other characteristics like price variations relative to other vendors at the same time. 90. Why must an organization expect the implementation of an ERP to disrupt operations? Correct Answer:
Successful implementation of an ERP requires that many business processes be reengineered. Once done, everything is different. If the organizational culture is not responsive to the changes, many problems can arise. 91. Scalability has several dimensions. What are they? What do they mean for ERP installation? Correct Answer:
Most organizations want to grow. When a new system of any type is installed, it should be expected to be able to handle a reasonable amount of growth. ERP systems are no different. Several dimensions of scalability can be considered. If size of the database doubles, access time may double. If system speed is increased, response time should decrease proportionately. If workload is increased, response time can be maintained by increasing hardware capacity accordingly. Transaction costs should not increase as capacity is increased. 92. Distinguish between the two-tier and three-tier client server model. Describe when each would be used. Correct Answer:
In a two-tier architecture, the server handles both application and database duties. Some ERP vendors use this approach for local area network (LAN) applications. Client computers are responsible for presenting data to the user and passing user input back to the server. In the three-tier model the database and application functions are separated. This architecture is typical of large production ERP systems that use wide area networks (WANs) for connectivity. Satisfying a client request requires two or more network connections. Initially, the client establishes communications with the application server. The application server then initiates a second connection to the database server. 93. Data in a data warehouse are in a stable state. Explain how this can hamper data mining analysis. What can an organization do to alleviate this problem? Correct Answer:
Typically, transaction data are loaded into the warehouse only when the activity on them has been completed—they are stable. Potentially important relationships between entities may, however, be absent from data that are captured in their stable state. For example, information about cancelled sales orders will probably not be reflected among the sales orders that have been shipped and paid for before they are placed in the warehouse. One way to reflect these dynamics is to extract the operations data in slices of time. These slices provide snapshots of business activity. 94. This chapter stressed the importance of data normalization when constructing a relational database. Why then is it important to denormalize data in a data warehouse? Correct Answer:
Wherever possible, normalized tables pertaining to selected events should be consolidated into de-normalized tables. Because of the vast size of a data warehouse, inefficiency caused by joining normalized data can be very detrimental to the performance of the system. A three-way join between tables in a large data warehouse may take an unacceptably long time to complete and may be unnecessary. Since historical data are static in nature, nothing is gained by constructing normalized tables with dynamic links.
95. ERP implementations are at risk for extensive cost overruns. Discuss three of the more commonly experienced problem areas. Correct Answer:
Training. Training costs are invariably higher than estimated because management focuses primarily on the cost of teaching employees the new software. This is only part of the needed training. Employees also need to learn new procedures, which is often overlooked during the budgeting process.
System Testing and Integration. In theory, ERP is a holistic model in which one system drives the entire organization. The reality, however, is that many organizations use their ERP as a backbone system that is attached to legacy systems and other bolt-on systems, which support unique needs of the firm. Integrating these disparate systems with the ERP may involve writing special conversion programs or even modifying the internal code of the ERP. Integration and testing are done on a case-by-case basis; thus, the cost is extremely difficult to estimate in advance.
Database Conversion. A new ERP system usually means a new database. Data conversion is the process of transferring data from the legacy system’s flat files to the ERP’s relational database. When the legacy system’s data are reliable, the conversion process may be accomplished through automated procedures. Even under ideal circumstances, however, a high degree of testing and manual reconciliation is necessary to ensure that the transfer was complete and accurate. More often, the data in the legacy system are not reliable (sometimes called dirty). Empty fields and corrupted data values cause conversion problems that demand human intervention and data rekeying. Also, and more importantly, the structure of the legacy data is likely to be incompatible with the reengineered processes of the new system. Depending on the extent of the process reengineering involved, the entire database may need to be converted through manual data entry procedures.
96. Explain the risks associated with the creation of unnecessary roles and why it can happen. Correct Answer:
Managers in ERP environments have significant discretion in creating new roles for individuals. This may be done for employees who need access to resources for special and/or one-time projects. Such access-granting authority needs to be tempered with judgment to prevent the number of roles from multiplying to the point of becoming dysfunctional and thus creating a control risk. Indeed, an oft-cited problem in ERP environments is that roles tend to proliferate to a point where their numbers actually exceed the number of employees in the organization. Policies need to be in place to prevent the creation of unnecessary new roles and to ensure that temporary role assignments are deleted when the reason for them terminates.
97. What is the fundamental concept behind the rule of least access? Explain why this is a potential problem in an ERP environment. Correct Answer:
Access privileges (permissions) should be granted on a need-to-know basis only. Nevertheless, ERP users tend to accumulate unneeded permissions over time. This is often due to two problems: (1) Managers fail to exercise adequate care in assigning permissions as part of their role granting authority. Since managers are not always experts in internal controls, they may not recognize when excessive permissions are awarded to an individual. (2) Managers tend to be better at issuing privileges than removing them. As a result, an individual may retain unneeded access privileges from a previous job assignment that creates a segregation of duties violation when combined with a newly assigned role.
Chapter 12
1. Electronic commerce refers only to direct consumer marketing on the Internet. a. True *b. False
2. The standard format for an e-mail address is DOMAIN NAME@USER NAME. a. True *b. False
3. The network paradox is that networks exist to provide user access to shared resources while one of their most important objectives is to control access. *a. True b. False
4. Business risk is the possibility of loss or injury that can reduce or eliminate an organization’s ability to achieve its objectives. *a. True b. False
5. IP spoofing is a form of masquerading to gain unauthorized access to a web server. *a. True b. False
6. The rules that make it possible for users of networks to communicate are called protocols. *a. True b. False
7. A factor that contributes to computer crime is the reluctance of many organizations to prosecute criminals for fear of negative publicity. *a. True b. False
8. Cookies are files created by user computers and stored on web servers. a. True *b. False
9. Because of network protocols, users of networks built by different manufacturers are able to communicate and share data. *a. True b. False
10. Sniffing is the unauthorized transmitting of information across an intranet. a. True *b. False
11. The phrase .com has become an Internet buzz word. It refers to a top-level domain name for communications organizations. a. True *b. False
12. The client-server model can only be applied to ring and star topologies. a. True *b. False
13. Only two types of motivation drive DoS attacks: 1) to punish an organization with which the perpetrator had a grievance; and 2) to gain bragging rights for being able to do it. a. True *b. False
14. A distributed denial of service (DDoS) attack may take the form of a SYN flood but not a smurf attack. a. True *b. False
15. The bus topology connects the nodes in parallel. *a. True b. False
16. A network topology is the physical arrangement of the components of the network. *a. True b. False
17. Business-to-consumer is the largest segment of Internet commerce. a. True *b. False
18. A digital signature is a digital copy of the sender’s actual signature that cannot be forged. a. True *b. False
19. A bus topology is less costly to install than a ring topology. *a. True b. False
20. A smurf attack involves three participants: a zombie, an intermediary, and the victim. a. True *b. False
21. In a hierarchical topology, network nodes communicate with each other via a central host computer. *a. True b. False
22. Polling is one technique used to control data collisions. *a. True b. False
23. The more individuals that need to exchange encrypted data, the greater the chance that the key will become known to an intruder. To overcome this problem, private key encryption was devised. a. True *b. False
24. The most frequent use of EDI is in making vendor payments. a. True *b. False
25. EDI is the intercompany exchange of computer processible business information in standard format. *a. True b. False
26. A certification authority is an independent and trusted third party empowered with responsibility to vouch for the identity of organizations and individuals engaging in Internet commerce. *a. True b. False
27. The intermediary in a smurf attack is also a victim. *a. True b. False
28. A ping is used to test the state of network congestion and determine whether a particular host computer is connected and available on the network. *a. True b. False
29. HTML controls web browsers that access the web. a. True *b. False
30. Cookies are created by the web server of a visited site and are stored on the hard drive of the visitor’s computer. *a. True b. False
31. Cloud computing is the technology that has unleashed virtualization. a. True *b. False
32. Cloud computing is decreasing as hardware resources become cheaper because acquisition of resources is slow and not scalable. a. True *b. False
33. What do you call a system of computers that connects the internal users of an organization that is distributed over a wide geographic area? a. LAN b. decentralized network c. multidrop network *d. intranet
34. Network protocols fulfill all of the following objectives except a. facilitate physical connection between network devices b. provide a basis for error checking and measuring network performance c. promote compatibility among network devices *d. creation of inflexible standards
35. To physically connect a workstation to a LAN requires a a. file server *b. network interface card c. multiplexer d. bridge
36. Packet switching a. combines the messages of multiple users into one packet for transmission. At the receiving end, the packet is disassembled into the individual messages and distributed to the intended users. b. is a method for partitioning a database into packets for easy access where no identifiable primary user exists in the organization. *c. is used to establish temporary connections between network devices for the duration of a communication session. d. is a denial of service technique that disassembles various incoming messages to targeted users into small packages and then reassembles them in random order to create a garbled message.
37. Protocols a. facilitate the physical connection between the network devices b. synchronize the transfer of data between physical devices c. provide a basis for error checking and measuring network performance *d. all of the above
38. A virtual private network a. is a password-controlled network for private users rather than the general public *b. is a private network within a public network c. is an Internet facility that links user sites locally and around the world d. defines the path to a facility or file on the web
39. Which topology has a large central computer with direct connections to a periphery of smaller computers? Also in this topology, the central computer manages and controls data communications among the network nodes. *a. star topology b. bus topology c. ring topology d. client/server topology
40. A ping signal is used to initiate a. URL masquerading b. digital signature forging c. Internet protocol spoofing *d. a smurf attack
41. In a star topology, when the central site fails a. individual workstations can communicate with each other *b. individual workstations can function locally but cannot communicate with other workstations c. individual workstations cannot function locally and cannot communicate with other workstations d. the functions of the central site are taken over by a designated workstation
42. Which of the following statements is correct? The client-server model a. is best suited to the token-ring topology because the random access method used by this model detects data collisions *b. distributes both data and processing tasks to the server’s node c. is most effective used with a bus topology d. is more efficient than the bus or ring topologies
43. Sniffer software is a. software used by malicious websites to sniff data from cookies stored on the user’s hard drive *b. used by network administrators to analyze network traffic c. used by bus topology intranets to sniff for a carrier before transmitting a message to avoid data collisions d. an illegal program downloaded from the Internet to sniff passwords from the encrypted data of Internet customers
44. In a ring topology, all of the following are true except a. all nodes are of equal status b. nodes manage private programs and databases locally c. shared resources are managed by a file server which is a node on the ring *d. a central computer is designated to control traffic between the peers
45. The client-server topology a. increases the amount of data that is transmitted between the central file and the network node b. eliminates the need for nodes to communicate with each other *c. reduces the number of records that must be locked by having the file server perform record searches d. functions only with a ring and bus topology
46. The primary difference between a LAN and a WAN is *a. the geographical area covered by the network b. the transmission technology used c. the type of workstation used d. the size of the company
47. A star topology is appropriate *a. for a wide area network with a mainframe for a central computer b. for centralized databases only c. for environments where network nodes routinely communicate with each other d. when the central database does not have to be concurrent with the nodes
48. In a ring topology a. the network consists of a central computer which manages all communications between nodes b. a host is a computer connected to several levels of subordinate computers *c. all nodes are of equal status; responsibility for managing communications is distributed among the nodes d. information processing units rarely communicate with each other
49. A distributed denial of service (DDoS) attack a. is more intensive than a DoS attack because it emanates from single source *b. may take the form of either a SYN flood or smurf attack c. is so named because it affects many victims simultaneously, which are distributed across the Internet d. turns the target victims’ computers into zombies that are unable to access the Internet
50. Which method does not manage or control data collisions that might occur on a network? *a. multiplexing b. polling c. carrier sensing d. token passing
51. All of the following are true about the Open System Interface (OSI) protocol except a. within one node different layers communicate with other layers at that node *b. one protocol is developed and applied to all the OSI layers c. specific layers are dedicated to hardware tasks and other layers are dedicated to software tasks d. layers at each node communicate logically with their counterpart layers across nodes
52. NNTP a. is the document format used to produce web pages b. controls web browsers that access the web *c. is used to connect to Usenet groups on the Internet d. is used to transfer text files, programs, spreadsheets, and databases across the Internet
53. Which of the following statements is correct about TCP/IP? *a. It is the basic protocol that permits communication between Internet sites. b. It controls web browsers that access the Internet. c. It is the file format used to produce web pages. d. It is a low-level encryption scheme used to secure transmissions in HTTP format.
54. FTP a. is the document format used to produce web pages b. controls web browsers that access the web c. is used to connect to Usenet groups on the Internet *d. is used to transfer text files, programs, spreadsheets, and databases across the Internet
55. IP spoofing a. combines the messages of multiple users into a “spoofing packet” where the IP addresses are interchanged and the messages are then distributed randomly among the targeted users *b. is a form of masquerading to gain unauthorized access to a web server c. is used to establish temporary connections between network devices with different IP addresses for the duration of a communication session d. is a temporary phenomenon that disrupts transaction processing and resolves itself when the primary computer completes processing its transaction and releases the IP address needed by other users
56. HTML *a. is the document format used to produce web pages b. controls web browsers that access the web c. is used to connect to Usenet groups on the Internet d. is used to transfer text files, programs, spreadsheets, and databases across the Internet
57. Which one of the following statements is correct? a. Cookies always contain encrypted data. b. Cookies are text files and never contain encrypted data. *c. Cookies contain the URLs of sites visited by the user. d. Web browsers cannot function without cookies.
58. A message that is made to look as though it is coming from a trusted source but is not is called a. a denial of service attack b. digital signature forging *c. Internet protocol spoofing d. URL masquerading
59. An IP address a. defines the path to a facility or file on the web *b. is the unique address that every computer node and host attached to the Internet must have c. is represented by a 64-bit data packet d. is the address of the protocol rules and standards that govern the design of Internet hardware and software
60. A digital signature is a. the encrypted mathematical value of the message sender’s name *b. derived from the digest of a document that has been encrypted with the sender’s private key c. the computed digest of the sender’s digital certificate d. a tool that allows digital messages to be sent over analog telephone lines
61. HTTP a. is the document format used to produce web pages *b. controls web browsers that access the web c. is used to connect to Usenet groups on the Internet d. is used to transfer text files, programs, spreadsheets, and databases across the Internet
62. The provision of computing power and disk space to client firms who access it from desktop PCs is known as a. computing-as-a-service *b. infrastructure-as-a-service c. platform-as-a-service d. software-as-a-service
63. This class of cloud computing enables client firms to develop and deploy onto the cloud infrastructure consumer-generated applications using facilities provided by the vendor. a. computing-as-a-service b. infrastructure-as-a-service *c. platform-as-a-service d. software-as-a-service
64. Which of the following is not a key feature of cloud computing? a. Acquisition of resources is rapid and infinitely scalable. b. Client firms can acquire IT resources from vendors on demand and as needed. c. Computing resources are pooled to meet the needs of multiple client firms. *d. Individual clients have control over the physical location of the service being provided.
65. What is packet switching? Correct Answer:
Packet switching is a transmission whereby messages are divided into small packets. Individual packets of the same message may take different routes to their destinations. Each packet contains address and sequencing codes so they can be reassembled into the original complete message at the receiving end. 66. What is an extranet? Correct Answer:
An extranet is a variant on Internet technology. This is a password-controlled network for private users rather than the general public. Extranets are used to provide access between trading partner internal databases. 67. What is a URL? Correct Answer:
A URL is the address that defines the path to a facility or file on the web. URLs are typed into the browser to access website homepages and individual web pages, and can be embedded in web pages to provide hypertext links to other pages. 68. What is an IP address? Correct Answer:
Every computer node and host attached to the Internet must have a unique Internet protocol (IP) address. For a message to be sent, the IP addresses of both the sending and the recipient nodes must be provided. 69. What is spoofing? Correct Answer:
Spoofing is a form of masquerading to gain unauthorized access to a web server to perpetrate an unlawful act without revealing one’s identity. 70. Name the three types of addresses used on the Internet. Correct Answer:
The three types of addresses used on the Internet are: e-mail addresses of individuals, website (URL) addresses of pages, and IP addresses of individual computers attached to the Internet. 71. What is a ping? Correct Answer:
It is an internet maintenance tool that is used to test the state of network congestion and determine whether a particular host computer is connected and available on the network. 72. What is an IRC? Correct Answer:
It is a popular interactive service on the Internet that lets thousands of people from all around the world engage in real-time communications via their computers. 73. Name the three parties involved in a smurf attack. Correct Answer:
the perpetrator, the intermediary, and the victim 74. Explain the parts of an e-mail address and give an example (your own?). Correct Answer:
The two parts of an e-mail address are the user name and the domain name. For example, hsavage@cc.ysu.edu is the address of Helen Savage at the computer center site at Youngstown State University. 75. What are cookies and why are they used? Correct Answer:
Cookies are files containing user information that are created by the web server of the site being visited and are then stored on the visitor’s own computer hard drive. They can contain the addresses of sites visited by the user. If the site is revisited, the browser sends the cookie(s) to the web server. This was originally intended to enhance efficiency. Many questions now exist about the use of cookies, especially with regard to user privacy and the security of user information such as passwords.
76. List at least five top-level domain names used in the United States and what they indicate. Correct Answer:
Among the top-level domain names used in the U.S. are: .com—a commercial entity; .net—a network provider; .org—a non-profit organization; .edu—an educational or research entity; .gov—a government entity.
77. When are a bridge and a gateway used to connect networks? Correct Answer:
Bridges connect LANs of the same type; gateways connect LANs of different manufacturers and different types. 78. Describe an advantage to the client-server topology. Correct Answer:
Client-server technology reduces the number of records that have to be locked and reduces the amount of data that is transmitted over the network. 79. Describe one primary advantage of polling as a network control method. Correct Answer:
Polling is non-contentious, so data collisions are prevented. Firms can prioritize data communications by polling important nodes more frequently than less important nodes. 80. Describe one disadvantage to carrier sensing as a network control method. Correct Answer:
Collisions can occur when two messages are sent simultaneously. 81. Why is network control needed? What tasks are performed? Correct Answer:
Network control establishes a communication session between sender and receiver, manages the flow of data across the network, detects and resolves data collisions, and detects errors in data caused by line failure or signal degeneration. 82. Define WAN, LAN, and VAN. Correct Answer:
A WAN is a wide area network, a LAN is a local area network, and a VAN is a value-added network. 83. What are the five basic network architectures? Correct Answer:
The five basic network architectures are: star, hierarchical, ring, bus, and client-server. 84. Discuss the private key encryption technique and its shortcomings. Correct Answer:
To encode a message, the sender provides the encryption algorithm with the key, which produces the ciphertext message. This is transmitted to the receiver’s location, where it is decoded using the same key to produce a cleartext message. Because the same key is used for coding and decoding, control over the key becomes an important security issue. The more individuals that need to exchange encrypted data, the greater the chance that the key will become known to an intruder who could intercept a message and read it, change it, delay it, or destroy it. 85. Discuss the public key encryption technique. Correct Answer:
This approach uses two different keys: one for encoding messages and the other for decoding them. The recipient has a private key used for decoding that is kept secret. The encoding key is public and published for everyone to use. Receivers never need to share private keys with senders, which reduces the likelihood that they fall into the hands of an intruder. One of the most trusted public key encryption methods is Rivest-Shamir-Adleman (RSA). This method is, however, computationally intensive and much slower than private key encryption. 86. What is a digital signature? Correct Answer:
A digital signature is an electronic authentication technique that ensures the transmitted message originated with the authorized sender and that it was not tampered with after the signature was applied. The digital signature is derived from a mathematically computed digest of the document that has been encrypted with the sender’s private key.
87. What is a digital certificate? Correct Answer:
A digital certificate is like an electronic identification card that is used in conjunction with a public key encryption system to verify the authenticity of the message sender. Trusted third parties known as certification authorities (CAs) (for example, Verisign, Inc.) issue digital certificates, also called digital IDs. The digital certificate is actually the sender’s public key that the CA has digitally signed. The digital certificate is transmitted with the encrypted message to authenticate the sender. 88. What is a seal of assurance? Correct Answer:
In response to consumer demand for evidence that a web-based business is trustworthy, a number of trusted third-party organizations are offering seals of assurance that businesses can display on their website home pages. To legitimately bear the seal, the company must show that it complies with certain business practices, capabilities, and controls. Examples of seals are: Better Business Bureau (BBB), TRUSTe, Verisign, Inc., International Computer Security Association (ICSA), AICPA/CICA WebTrust, and AICPA/CICA SysTrust. 89. Describe a denial of service (DoS) attack and identify three common forms. Correct Answer:
A denial of service (DoS) attack is an assault on a web server to prevent it from servicing its legitimate users. While such attacks can be aimed at any type of website, they are particularly devastating to business entities that are prevented from receiving and processing business transactions from their customers. Three common types of DoS attacks are: SYN flood, smurf, and distributed denial of service (DDoS). 90. What is cloud computing? Correct Answer:
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. 91. Describe virtualization. Correct Answer:
Virtualization is the technology that has unleashed cloud computing. Virtualization multiplies the effectiveness of the physical system by creating virtual (software) versions of the computer with separate operating systems that reside in the same physical equipment. In other words, virtualization is the concept of running more than one “virtual computer” on a single physical computer. Since each virtual system runs its own application, total computing power is multiplied with no additional hardware investment.
92. Discuss common risks to consumers from cyber criminals that impact electronic commerce. Correct Answer:
The perception that the Internet is not safe for credit card purchases is considered to be the biggest barrier to electronic commerce. Some Internet companies are negligent or even fraudulent in the way they collect, use, and store credit card information. Another form of Internet fraud involves establishing a website to steal a visitor’s password. To access the page, the visitor is asked to register with an e-mail address and password. Because many people use the same password for different applications, cybercriminals use the password given to break into the victim’s other accounts.
Consumer privacy concerns discourage many consumers from engaging in Internet commerce. One aspect involves the way websites capture and use cookies in areas such as online marketing.
93. Describe the basic differences between the star, ring, and bus topologies. Correct Answer:
The star topology is a configuration of IPUs with a large central computer (the host) at the hub (or center) that has connections to a number of smaller computers. Communication between nodes is managed from the host. The ring topology connects many computers of equal status. There is no host. Management of communication is distributed among the nodes.
In the bus topology, all nodes are connected to a common cable, the bus. Communication and file transfer are controlled centrally by one or more servers.
94. What security questions must be considered with regard to Internet commerce? Correct Answer:
Security questions that must be answered to safeguard Internet commerce relate to: private or confidential financial data stored on a host or server that could be accessed by unauthorized individuals, interception of private information sent between sites, such as credit card numbers, and the risk of destruction of data and programs by virus attacks and other malice.
95. What is the World Wide Web? Correct Answer:
The World Wide Web is an Internet facility that links user sites locally and around the world. It was originally developed to share scientific information over the Internet. Although the web is the part of the Internet that is most familiar to average users, it is just a part. Other Internet tools include file transfer using FTP; remote connection to another computer using Telnet; and mail protocols such as SNMP, POP, and IMAP. Its popularity is in part due to the ease of access that is provided by Internet browser software. The basic web document is written in hypertext markup language that contains numerous links to other pages, thus permitting easy movement.
96. Discuss the three levels of Internet business models. Correct Answer:
How much benefit an organization gains from the Internet depends on how much of its function is used. Three levels of uses can be made: a. At the simplest level, the information level, the organization uses the Internet to display information about the company, its products, services, and business policies. In other words, it provides information only. b. At the transaction level, the organization uses the Internet to accept orders from customers and/or to place them with their suppliers. In other words, transactions occur. c. At the highest level, the distribution level, the organization uses the Internet to both sell and deliver digital products—online news, software, music, video, etc.
97. Define risk in an electronic commerce setting. Correct Answer:
The typical definition of business risk is the possibility of loss or injury that can reduce or eliminate an organization’s ability to achieve its objectives. In the area of e-commerce, risk relates to the loss, theft, or destruction of data and/or the use or generation of data or computer programs that financially or physically harm an organization.
98. What is a firewall? What does it do? Discuss the common configuration that employs two firewalls. Correct Answer:
A firewall is a system used to insulate an organization’s intranet from the Internet. It can be used to authenticate an outsider user of the network; verify access authority; and then direct the user to the program, data or service requested. Firewalls can also be used to protect LANs from unauthorized internal access. The network-level firewall provides basic screening of low security messages and routes them to their destinations. The application-level firewall provides high-level network security. These firewalls are configured to run security applications called proxies that perform sophisticated functions such as verifying user authentication.
99. Define and contrast digital certificate and digital signature. Correct Answer:
A digital certificate is like an electronic identification card that is used in conjunction with a public key encryption system to verify the authenticity of the message sender. These are issued by certification authorities. A digital signature is an electronic authentication technique that ensures that the transmitted message originated with the authorized sender and that it was not tampered with after the signature was applied.
100. Explain the function of the two parts of the TCP/IP protocol. Correct Answer:
The two parts of the TCP/IP protocol are the transfer control protocol (TCP) and the Internet protocol (IP). This controls how individual packets of data are formatted, transmitted, and received. The TCP supports the transport function of the OSI (Open System Interface) model that has been adopted by the International Standards Organization for the communication community. This ensures that the full message is received. The IP component provides the routing mechanism. It contains a network address and is used to route messages to their destinations.
101. What are network protocols? What functions do they perform? Correct Answer:
Network protocols are the rules and standards governing the design of hardware and software that permit users of networks manufactured by different vendors to communicate and share data. Protocols perform a number of different functions. a. They facilitate the physical connection between network devices. b. They synchronize the transfer of data between physical devices. c. They provide a basis for error checking and measuring network performance. d. They promote compatibility among network devices. e. They promote network designs that are flexible, expandable, and cost-effective.
102. List and briefly define the privacy conditions inherent to the Safe Harbor agreement. Correct Answer:
Notice: An organization must provide individuals with clear notice of, “the purposes for which it collects and uses information about them, the types of third parties to which it discloses the information, and how to contact the company with inquiries or complaints.”
Choice: Before any data is collected, an organization must give its customers the opportunity to choose whether to share their sensitive information (e.g., data related to factors such as health, race, or religion).
Onward Transfer: Unless they have the individual’s permission to do otherwise, organizations may share information only with those third parties that belong to the Safe Harbor Agreement or follow its principles.
Security and Data Integrity: Organizations need to ensure that the data they maintain is accurate, complete, and current—thus reliable for use. They must also ensure the security of the information by protecting it against loss, misuse, unauthorized access, disclosure, alteration, and destruction.
Access: Unless they would be unduly burdened or violate the rights of others, organizations must give individuals “access to personal data about themselves and provide an opportunity to correct, amend, or delete such data.”
Enforcement: Organizations must “enforce compliance, provide recourse for individuals who believe their privacy rights have been violated, and impose sanctions on their employees and agents for non-compliance.”
103. Explain the disadvantage of private key encryption and how public key encryption overcomes the problem. Correct Answer:
Private key encryption uses the same key for coding and decoding. Therefore, control over the key becomes an important security issue. When several individuals need to exchange encrypted data, the chance that the private key will become known to an intruder is increased. To overcome this problem, public key encryption was devised. This approach uses two different keys: one for encoding messages and the other for decoding them. The recipient has a private key used for decoding that is kept secret. The encoding key is public and published for everyone to use.
104. What is a certification authority and what are the implications for the accounting profession? Correct Answer:
A certification authority (CA) is an independent and trusted third party empowered with responsibility to vouch for the identity of organizations and individuals engaging in Internet commerce. The question then becomes: Who vouches for the CA? How does one know that the CA who awarded a seal of authenticity to an individual is itself reputable and was meticulous in establishing his or her identity? These questions hold specific implication for the accounting profession. Since they enjoy a high degree of public confidence, public accounting firms are natural candidates for certification authorities.
105. Explain a SYN flood attack. Correct Answer:
Normally, a user establishes a connection on the Internet via a three-way handshake. The connecting server sends an initiation code called a SYN (SYNchronize) packet to the receiving server. The receiving server then acknowledges the request by returning a SYNchronize-ACKnowledge (SYN-ACK) packet. Finally, the initiating host machine responds with an ACK packet code. The SYN flood attack is accomplished by not sending the final acknowledgment to the server’s SYN-ACK response, which causes the server to keep signaling for acknowledgement until the server times out. The individual or organization perpetrating the SYN flood attack transmits hundreds of SYN packets to the targeted receiver, but never responds with an ACK to complete the connection. As a result, the ports of the receiver’s server are clogged with incomplete communication requests that prevent legitimate transactions from being received and processed. Organizations under attack may thus be prevented from receiving Internet messages for days at a time.
106. Explain a smurf attack. Correct Answer:
A smurf attack involves three parties: the perpetrator, the intermediary, and the victim. It is accomplished by exploiting an Internet maintenance tool called a ping, which is used to test the state of network congestion and determine whether a particular host computer is connected and available on the network. The perpetrator of a smurf attack uses a program to create a ping message packet that contains the forged IP address of the victim’s computer (IP spoofing) rather than that of the actual source computer. The ping message is then sent to the intermediary, which is actually an entire subnetwork of computers. By sending the ping to the network’s IP broadcast address, the perpetrator ensures that each node on the intermediary network receives the echo request automatically. Consequently, each intermediary node sends an echo response to the ping message, which is returned to the victim’s IP address rather than the source’s computer. The resulting flood of echoes can overwhelm the victim’s computer and cause network congestion that makes it unusable for legitimate traffic.
107. Explain a distributed denial of service attack (DDoS). Correct Answer:
A distributed denial of service (DDoS) attack may take the form of a SYN flood or smurf attack. The distinguishing feature of the DDoS is the sheer scope of the event. The perpetrator of a DDoS attack may employ a virtual army of so-called zombie or bot (robot) computers to launch the attack. Since vast numbers of unsuspecting intermediaries are needed, the attack often involves one or more Internet Relay Chat (IRC) networks as a source of zombies. The perpetrator accesses the IRC and uploads a malicious program such as a Trojan horse, which contains DDoS attack script. This program is subsequently downloaded to the PCs of the many thousands of people who visit the IRC site. The attack program runs in the background on the new zombie computers, which are now under the control of the perpetrator. Via the zombie control program, the perpetrator can direct the DDoS to specific victims and turn the attack on or off at will.
108. Discuss the various motivations behind a denial of service attack (DoS). Correct Answer:
The motivations behind DoS attacks may originally have been to punish an organization with which the perpetrator had a grievance or simply to gain bragging rights for being able to do it. Today, DoS attacks are also perpetrated for financial gain. The typical scenario is for the perpetrator to launch a short DoS attack (a day or so) to demonstrate what life would be like if the organization were isolated from the Internet. After the attack, the CEO of the organization receives a phone call demanding that a sum of money be deposited in an off-shore account, or the attack will resume. Compared to the potential loss in customer confidence, damaged reputation, and lost revenues, the ransom may appear to be a small price to pay.
109. Discuss the key features of cloud computing. Correct Answer:
The key features of cloud computing are, first, client firms can acquire IT resources from vendors on demand and as needed. Second, resources are provided over a network (private or Internet) and accessed through network terminals at the client location. Third, acquisition of resources is rapid and infinitely scalable. Fourth, computing resources are pooled to meet the needs of multiple client firms.
110. Is cloud computing the best option for all companies? Why or why not? Correct Answer:
In spite of its convenience and potential for cost savings, cloud computing is not a realistic option for all companies. The information needs of large companies are often in conflict with the cloud solution for four reasons. First, large firms have typically already incurred massive investments in equipment, proprietary software, and human resources. These organizations are not inclined to walk away from their investments and turn over their entire IT operations to a cloud vendor. Second, many large enterprises have mission-critical functions running on legacy systems that are many decades old. These systems continue to exist because they continue to add value. The task of migrating legacy systems to the cloud would require new architectures and considerable reprogramming. Third, a central tenet of cloud computing is the philosophy that IT is a one-size-fits-all commodity asset. Larger companies are more likely to have esoteric information needs and pursue strategic advantage through IT systems. Finally, internal control and security issues are concerns for companies of all sizes that outsource their IT to the cloud. When an organization’s critical data reside outside its corporate walls, it is at risk. The client firm has little option but to trust to the ethics, competence, and internal controls of the vendor. The relevant risk issues include an extensive set of topics, such as technology failures in the cloud, distributed denial of service attacks, hacking, vendor exploitation, vendor failure to perform, and the loss of strategic advantage.
Chapter 13
1. According to the text, a stakeholder is an end user of a system. a. True *b. False
2. In a backbone system, the vendor designs the user interface to fit the client’s needs. *a. True b. False
3. All vendor-supported systems include software, infrastructure, and maintenance. a. True *b. False
4. The objective of systems planning is to link systems projects to the strategic objectives of the firm. *a. True b. False
5. An accountant’s responsibility in the systems development life cycle (SDLC) is to ensure that the system applies proper accounting conventions and rules and possesses adequate control. *a. True b. False
6. In the conceptual design phase of the SDLC, task force members are focused on selecting the new system design. a. True *b. False
7. When determining the operational feasibility of a new system, the expected ease of transition from the old system to the new system should be considered. *a. True b. False
8. One-time costs include operating and maintenance costs. a. True *b. False
9. When preparing a cost-benefit analysis, design costs incurred in the systems planning, systems analysis, and conceptual design phases of the systems development life cycle are relevant costs. a. True *b. False
10. A tangible benefit can be measured and expressed in financial terms. *a. True b. False
11. When the nature of the project and the needs of the user permit, most organizations will seek a pre-coded commercial software package rather than develop a system in-house. *a. True b. False
12. All of the steps in the systems development life cycle apply both to software that is developed in-house and to commercial software. a. True *b. False
13. When the nature of the project and the needs of the user permit, most organizations will create the system in-house rather than rely on a commercial package. a. True *b. False
14. Recurring costs include: hardware maintenance, software acquisition, software maintenance, insurance, supplies, and personnel costs. a. True *b. False
15. The payback method is often more useful than the net present value method for evaluating systems projects because the effective lives of information systems tend to be short and shorter-payback projects are often desirable. *a. True b. False
16. Intangible benefits are not physical, but can be measured and expressed in financial terms. a. True *b. False
17. Legal feasibility identifies conflicts between the proposed system and the company’s ability to discharge its legal responsibilities. *a. True b. False
18. The conceptual design of modern systems follows one of two basic approaches: the structured approach and the object-oriented approach. *a. True b. False
19. The concept of reusability is central to the structured approach to systems design. a. True *b. False
20. In-house developed systems are less reliable than commercial software. *a. True b. False
21. If individual modules are thoroughly tested, it is not necessary to test the whole system. a. True *b. False
22. A primary role for accountants during the detailed design and implementation phases is to ensure that controls are adequate to meet the requirements of Statement on Auditing Standards No. 109. *a. True b. False
23. When studying the detailed feasibility of a new project a. prototyping does not affect the schedule feasibility analysis *b. the need for user training will influence the schedule feasibility analysis c. protection from fraud and errors will influence the schedule feasibility analysis d. a cost-benefit review will affect the schedule feasibility analysis
24. Protection from inadvertent disclosures of confidential information is part of the detailed a. operational feasibility study b. schedule feasibility study *c. legal feasibility study d. economic feasibility study
25. A cost-benefit analysis is a part of the detailed a. operational feasibility study b. schedule feasibility study c. legal feasibility study *d. economic feasibility study
26. Examples of one-time costs include all of the following except a. hardware acquisition *b. insurance c. site preparation d. programming
27. Examples of recurring costs include a. software acquisition b. data conversion *c. personnel costs d. systems design
28. Site preparation costs include all of the following except a. crane used to install equipment b. freight charges *c. supplies d. reinforcement of the building floor
29. The testing of individual program modules is a part of a. software acquisition costs b. systems design costs c. data conversion costs *d. programming costs
30. When implementing a new system, the costs associated with transferring data from one storage medium to another is an example of a. a recurring cost *b. a data conversion cost c. a systems design cost d. a programming cost
31. An example of a tangible benefit is a. increased customer satisfaction b. more current information *c. reduced inventories d. faster response to competitor actions
32. An example of an intangible benefit is a. expansion into other markets b. reduction in supplies and overhead *c. more efficient operations d. reduced equipment maintenance
33. A tangible benefit a. can be measured and expressed in financial terms b. might increase revenues c. might decrease costs *d. all of the above
34. Intangible benefits a. are easily measured b. are of relatively little importance in making information system decisions *c. are sometimes estimated using customer satisfaction surveys d. when measured, do not lend themselves to manipulation
35. Which technique is least likely to be used to quantify intangible benefits? a. opinion surveys b. simulation models c. professional judgment *d. review of accounting transaction data
36. The formal product of the systems evaluation and selection phase of the systems development life cycle is a. the report of systems analysis *b. the systems selection report c. the detailed system design d. the systems plan
37. One-time costs include all of the following except a. site preparation *b. insurance c. programming and testing d. data conversion
38. Recurring costs include all of the following except *a. data conversion b. software maintenance c. insurance d. supplies
39. The systems steering committee is responsible for all of the following except a. assigning priorities b. determining whether and when to terminate systems projects *c. analyzing the technical feasibility of the project d. budgeting funds for systems development
40. Strategic systems planning *a. is not technically part of the SDLC b. will eliminate any crisis component in systems development c. provides a static goal to be attained within a five-year period d. all of the above
41. Project feasibility includes all of the following except a. technical feasibility *b. conceptual feasibility c. operational feasibility d. schedule feasibility
42. The degree of compatibility between the firm’s existing procedures and personnel skills and the requirements of the new system is called a. technical feasibility *b. operational feasibility c. schedule feasibility d. legal feasibility
43. The ability of a system to protect individual privacy and confidentiality is an example of a. schedule feasibility b. operational feasibility *c. legal feasibility d. economic feasibility
44. Reasons that a new systems implementation may be unsuccessful include all of the following except a. organizational restructuring required by the new system results in displaced workers b. end users do not understand the strategic merits of the new system c. employees are not trained to use the system *d. system development team members include representatives from end-user departments
45. Typically a systems analysis a. results in a formal project schedule b. does not include a review of the current system *c. identifies user needs and specifies new system requirements d. is performed by the internal auditor
46. A disadvantage of surveying the current system is *a. it constrains the generation of ideas about the new system b. it highlights elements of the current system that are worth preserving c. it pinpoints the causes of the current problems d. all of the above are advantages of surveying the current system
47. Systems analysis involves all of the following except a. gathering facts b. surveying the current system *c. redesigning bottleneck activities d. reviewing key documents
48. The systems analysis report does not a. identify user needs b. specify requirements for the new system c. formally state the goals and objectives of the system *d. specify the system processing methods
49. After the systems analysis phase of the systems development life cycle (SDLC) is complete, the company will have a formal systems analysis report on a. the conceptual design of the new system b. an evaluation of the new system *c. users’ needs and requirements for the new system d. a comparison of alternative implementation procedures for the new system
50. Project planning includes all of the following except a. evaluating a proposal’s feasibility b. preparing a formal project proposal *c. selecting hardware vendors d. producing a project schedule
51. Aspects of project feasibility include all of the following except a. technical feasibility b. economic feasibility *c. logistic feasibility d. schedule feasibility
52. Which of the following is not a tool of systems analysts? a. observation b. task participation *c. audit reports d. personal interviews
53. When developing the conceptual design of a system a. all similarities and differences between competing systems are highlighted b. structure diagrams are commonly used c. an iterative approach may be used *d. inputs, processes, and outputs that distinguish one alternative from another are identified
54. Which statement is not correct? The structured design approach a. is a top-down approach b. is documented by data flow diagrams and structure diagrams *c. assembles reusable modules rather than creating systems from scratch d. starts with an abstract description of the system and redefines it to produce a more detailed description of the system
55. The benefits of the object-oriented approach to systems design include all of the following except *a. this approach requires a top-down approach b. development time is reduced c. a standard module once tested does not have to be retested until changes are made d. system maintenance activities are simplified
56. A commercial software system that is completely finished, tested, and ready for implementation is called a a. backbone system b. vendor-supported system c. benchmark system *d. turnkey system
57. Which of the following is not an advantage of commercial software? Commercial software a. can be installed faster than a custom system *b. can be easily modified to the user’s exact specifications c. is significantly less expensive than a system developed in-house d. is less likely to have errors than an equivalent system developed in-house
58. The output of the detailed design phase of the systems development life cycle (SDLC) is a a. fully documented system report b. systems selection report *c. detailed design report d. systems analysis report
59. The detailed design report contains all of the following except a. input screen formats *b. alternative conceptual designs c. report layouts d. process logic
60. Which statement is not true? A systems design walkthrough a. is conducted by a quality assurance group *b. occurs just after system implementation c. simulates the operation of the system in order to uncover errors and omissions d. reduces costs by reducing the amount of reprogramming
61. When converting to a new system, which cutover method is the most conservative? a. cold turkey cutover b. phased cutover *c. parallel operation cutover d. data coupling cutover
62. List at least three one-time costs and three recurring costs in system development. Correct Answer:
One-time costs include: hardware acquisition, site preparation, software acquisition, system design, programming and testing, data conversion, and training. Recurring costs include: hardware maintenance, software maintenance, insurance, supplies, and personnel.
63. Discuss the differences between turnkey systems and backbone systems. Correct Answer:
Turnkey systems are commercial software packages that are fully tested and documented that can be immediately implemented. They come with minimal ability to customize them. General accounting systems are an example of turnkey systems. By contrast, backbone systems provide a group of preprogrammed modules, which are then customized by adding user interfaces that meet a client’s needs. ERP software is an example of a backbone system.
64. Why is the payback method often more useful than the net present value method for evaluating systems projects? Correct Answer:
Because of brief product life cycles and rapid advances in technology, the effective lives of information systems tend to be short. Shorter payback projects are often desirable.
65. Explain an advantage of surveying the current system when preparing a systems analysis for a new systems project. Correct Answer:
An analysis of the current system: will identify what aspects of the current system should be retained; will force systems analysts to fully understand the system; may uncover causes of reported problems.
66. How is the organization’s business plan used during systems planning? Correct Answer:
The business plan is the basis for the systems plan since the goal of systems planning is to link individual system projects or applications to the strategic objectives of the firm.
67. How is strategic systems planning related to the other SDLC activities? Correct Answer:
It is not actually part of the SDLC because it does not pertain to specific applications. However, SDLC activities spring from the strategic systems plan, which allocates resources at the macro level.
68. List four types of facts that should be gathered during an analysis of a system. Correct Answer:
data sources, users, data stores, processes, data flows, controls, transaction volumes, error rates, resource costs, bottlenecks, and redundant operations
69. What is the project schedule and what does it represent? Correct Answer:
The project schedule is a budget of the time and costs of all phases of SDLC. It represents management’s commitment to the project.
70. Name four techniques that systems analysts use to gather facts during system surveys. Correct Answer:
Techniques include observation, task participation, personal interviews, and reviews of key documents.
71. What topics should be included in a systems analysis report? Correct Answer:
A system analysis report should include findings of surveys, problems identified with the current system, the user’s needs, and the requirements of the new system.
72. Name three topics that would not be included in the systems analysis report. Correct Answer:
The report does not specify the detailed design of the proposed system, including processing methods, storage media, record structures, and other details needed to design the physical system.
73. Why is cost-benefit analysis more difficult for information systems than for many other types of investments organizations make? Correct Answer:
The benefits of information systems are oftentimes very difficult to assess. Many times the benefits are intangible, such as improved decision making capabilities. Also, maintenance costs may be difficult to predict. Most other investments that organizations make, i.e. purchase of a new piece of equipment, tend to have more tangible and estimable costs and benefits.
74. Contrast the structured and object-oriented approaches to conceptual systems design. Correct Answer:
The structured approach develops each new system from scratch from the top down. Object-oriented design builds systems from the bottom up through the assembly of reusable modules rather than creating each system from scratch.
75. What is meant by object-oriented design? What does it mean for systems design? Correct Answer:
Object-oriented design refers to a building block approach to system design which develops systems from reusable standard components. This approach avoids starting from scratch for each new system. This saves time and expense for development, maintenance, and testing of systems. 76. List three advantages and one disadvantage of commercial software. Correct Answer:
Advantages include very quick implementation time, relatively inexpensive software, and reliable, tested software. Disadvantages include not being able to customize the system and difficulty in modifying the software.
77. Why does the conceptual design phase present several possible alternatives for the system? Correct Answer:
Systems analysts want to avoid imposing preconceived constraints on the new system. This also minimizes resource investment during the SDLC process. 78. Describe a risk associated with the phased cutover procedure for data conversion. Correct Answer:
Incompatibilities may exist between the new subsystems and the yet-to-be replaced old subsystems. 79. Describe the cold turkey (or big bang) approach to system cutover. Correct Answer:
Under the cold turkey cutover approach (also called the big bang approach), the firm switches to the new system and simultaneously terminates the old system. When implementing simple systems, this is often the easiest and least costly approach. With more complex systems, it is the riskiest. 80. Discuss the advantage of the parallel operation cutover approach. Correct Answer:
Parallel operation cutover involves running the old system and the new system simultaneously for a period of time. The advantage of parallel cutover is the reduction in risk. By running two systems, the user can reconcile outputs to identify errors and debug errors before running the new system solo. 81. Name three items included in the detailed design report. Correct Answer:
The report specifies input screen formats, output report layouts, database structures, and process logic. 82. What is the purpose of a system design walkthrough and who conducts it? Correct Answer:
A walkthrough ensures that the design is free from conceptual errors. It is often conducted by an independent quality assurance group that includes programmers, analysts, users, and internal auditors. 83. Name three benefits of modular programming. Correct Answer:
The benefits are programming efficiency, maintenance efficiency, and control. 84. What is the purpose of retaining test data after a system has been successfully implemented? Correct Answer:
Retaining the test data facilitates future testing. The data gives auditors a frame of reference for designing and evaluating future audit tests. 85. Discuss two areas in which accountants offer expertise. Correct Answer:
Accountants provide technical expertise during the detailed design phase to ensure that the system complies with GAAP, GAAS, SEC regulations and IRS codes. During the implementation phase, accountants specify systems documentation standards that will support later auditing of the system. 86. What are the two major stages of the systems development life cycle and what happens during each stage? Correct Answer:
The first stage is new systems development. It involves conceptual steps that can apply to any problem-solving process: identify the problem, understand what needs to be done, consider alternative solutions, select the best solution, and finally implement the solution. Throughout the process the SDLC produces a set of required documentation that together constitutes a body of audit evidence about the quality of the SDLC. The second stage is systems maintenance, which constitutes the organization’s program change procedures. It begins after the system is fully implemented.
87. Define the feasibility measures that should be considered during project analysis and give an example of each. Correct Answer:
Technical feasibility is an assessment as to whether the system can be developed under existing technology or if new technology is needed. An example might be a situation where a firm wants to completely automate the sales process. A question would be: Is technology available that allows sales to be made without humans?
Economic feasibility is an assessment as to the availability of funds to complete the project. A question would be: Is it cost feasible to purchase equipment to automate sales?
Legal feasibility identifies any conflicts with the proposed system and the company’s ability to discharge its legal responsibilities. An example would be a firm that is proposing a new mail order sales processing system for selling wine.
Operational feasibility shows the degree of compatibility between the firm’s existing procedures and personnel skills and the operational requirements of the new system. Does the firm have the right work force to operate the system? If not, can employees be trained? If not, can they be hired?
Schedule feasibility pertains to whether the firm can implement the project within an acceptable time frame. An example would be a new ticket sales system for a sports team. The system would need to be implemented prior to the start of the new season.
88. What is the payback method and how is it used? Correct Answer:
The payback method is a variation of break-even analysis. The break-even point is reached when total costs equal total benefits. In choosing an information system, payback speed is often a decisive factor. With brief product life cycles and rapid advances in technology, the effective lives of information systems tend to be short.
The length of the payback period often takes precedence over other considerations represented by intangible benefits. 89. What are the advantages and disadvantages of surveying the current system? Correct Answer:
Advantages: It is a way to identify what aspects of the old system should be kept. When the new system is implemented, users must go through a conversion process. The analysts must determine what tasks, procedures, and data will be phased out with the old system and which will continue. This requires a thorough understanding of the current system. By surveying the current system, the analyst may determine conclusively the cause of the reported problem symptoms.
Disadvantages: There is a tendency on the part of the analyst to be sucked in and bogged down by the task of surveying the current dinosaur system (current physical tar pit phenomenon). By studying and modeling the old system, the analyst may develop a constrained notion about how the new system should function.
90. What are some of the intangible benefits that may be expected from the new system? Discuss their importance and why they are difficult to value. Correct Answer:
Common intangible benefits include: increased customer and employee satisfaction, improved decision making and more current information, faster response time to competitor actions, more efficient operations, better communications, improved planning and control, and operational flexibility. Intangible benefits are often of overriding importance in information system decisions, but cannot be easily measured and quantified. For example, improved customer satisfaction may translate into increased sales, but how do we quantify this benefit? Assigning a value is often highly subjective. By overstating or understating these benefits, a system’s proponents may push it forward or its opponents may kill it.
91. Discuss the advantages and disadvantages of the three methods of converting to a new system: cold turkey (big bang) cutover, phased cutover, and parallel operation cutover. Correct Answer:
Cold turkey (big bang)–This is the quickest and least expensive cutover method. It is also the riskiest. If the system does not function properly, there is no backup system to rely on.
Phased cutover–The phased cutover avoids the risk of total system failure because the conversion occurs one module at a time. The disadvantage of this method is the potential incompatibilities between new modules that have been implemented and old modules that have not yet been phased out.
Parallel operation cutover–This is the most time consuming and costly of the three methods, but it also provides the greatest security. The old system is not terminated until the new system is tested for accuracy.
92. Give an example of a testing methodology that can test the programming and its logic. Correct Answer:
The programmer first creates a hypothetical master file and transaction files that will be processed by the newly created modules. For example, if the programmer is testing the logic of the AR update module, the programmer creates a customer master file with a current balance and a sales order transaction record. Before conducting the test, the programmer has already determined the correct balance for the customer file. The test is run, and its logic is tested by comparing the test result with the predetermined balance. 93. Discuss the documentation requirements of systems designers and programmers, computer operators, and end users. Correct Answer:
Systems designers and programmers need documentation to debug errors and perform maintenance of the system. Such documentation is highly technical and includes DFDs, ER diagrams, structure diagrams, systems flowcharts, program flowcharts, and program code listings. The systems flowchart shows the relationship of input files, programs, and output files. The program flowchart provides a detailed description of the sequential and logical operation of the program. Operator documentation consists of a run manual that includes such things as the name of the system, the run schedule, required hardware devices, file requirements, run-time instructions, and a list of users who receive the output of the run.
User documentation describes how to use the system. The nature of user documentation will depend on the user’s degree of sophistication with computers and technology. This documentation is frequently in the form of a user handbook as well as online documentation such as tutorials and help features.
94. Identify ways existing data can be converted during implementation and discuss precautions that should be taken during data conversion. Correct Answer:
Database conversion activities can be labor intensive, sometimes requiring that data be entered into the new database manually. The other option is to write special conversion programs that will format the existing data into the form needed for the new database. During data conversion, the old database must be validated to ensure that only needed data is converted. The new database must then be reconciled record by record and field by field with the original. Sometimes validation can be automated by writing a program to compare the two sets of data. Finally, the original files must be kept as a backup against discrepancies in the converted data. If the current files are already in magnetic form, they can be stored indefinitely. If the current files are paper files, they are generally destroyed after the accuracy and completeness of the new database has been verified. 95. System control should be maintained throughout the maintenance phase. What four requirements should be observed to minimize the risk of corruption to the program’s logic? Correct Answer:
All maintenance actions should require formal authorization for all application changes, development of technical specifications for desired changes, retesting of the system after changes are made, and updating the documentation to reflect the changes.
Chapter 14
1. Corporate management (including the CEO) must certify monthly and annually their organization’s internal controls over financial reporting. a. True *b. False
2. Both the SEC and the PCAOB require management to use the COBIT framework for assessing internal control adequacy. a. True *b. False
3. Both the SEC and the PCAOB recommend management to use the COSO framework for assessing internal control adequacy. *a. True b. False
4. A qualified opinion on management’s assessment of internal controls over the financial reporting system necessitates a qualified opinion on the financial statements. a. True *b. False
5. The same internal control objectives apply to manual and computer-based information systems. *a. True b. False
6. To fulfill the segregation of duties control objective, computer processing functions (like authorization of credit and billing) are separated. a. True *b. False
7. Some systems professionals have unrestricted access to the organization's programs and data. *a. True b. False
8. Application controls apply to a wide range of exposures that threaten the integrity of all programs processed within the computer environment. a. True *b. False
9. The database administrator should be separated from systems development. *a. True b. False
10. A disaster recovery plan is a comprehensive statement of all actions to be taken after a disaster. *a. True b. False
11. IT auditing is a small part of most external and internal audits. a. True *b. False
12. Statements on Auditing Standards recommendations must be followed by every member of the profession unless it can be shown why a standard does not apply in a given situation. *a. True b. False
13. An IT auditor expresses an opinion on the fairness of the financial statements. a. True *b. False
14. External auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization. a. True *b. False
15. External auditors can cooperate with and use evidence gathered by internal audit departments that are organizationally independent and that report to the audit committee of the board of directors. *a. True b. False
16. Tests of controls determine whether the database contents fairly reflect the organization's transactions. a. True *b. False
17. Audit risk is the probability that the auditor will render an unqualified opinion on financial statements that are materially misstated. *a. True b. False
18. A strong internal control system will reduce the amount of substantive testing that must be performed. *a. True b. False
19. Substantive testing techniques provide information about the accuracy and completeness of an application’s processes. a. True *b. False
20. The most common access point for perpetrating computer fraud is at the data collection stage. *a. True b. False
21. Changing the Hours Worked field in an otherwise legitimate payroll transaction to increase the amount of the paycheck is an example of data collection fraud. *a. True b. False
22. Scavenging is a form of fraud in which the perpetrator uses a computer program to search for key terms in a database and then steal the data. a. True *b. False
23. Transaction cost economics (TCE) theory suggests that firms should outsource specific noncore IT assets. a. True *b. False
24. Commodity IT assets are easily acquired in the marketplace and should be outsourced under the core competency theory. a. True *b. False
25. The IT audit focuses on systems where technology plays a material role and thus makes the entire audit process more complex. *a. True b. False
26. Which of the following is not an implication of section 302 of the Sarbanes-Oxley Act? a. Auditors must determine whether changes in internal control have materially affected (or are likely to affect) internal control over financial reporting. b. Auditors must interview management regarding significant changes in the design or operation of internal control that occurred since the last audit. *c. The board of directors must certify quarterly and annually their organization’s internal controls over financial reporting. d. Management must disclose any material changes in the company’s internal controls that have occurred during the most recent fiscal quarter.
27. Which of the following is not a requirement in management’s report on the effectiveness of internal controls over financial reporting? a. A statement of management’s responsibility for establishing and maintaining adequate internal control user satisfaction. *b. A statement that the organization’s internal auditors have issued an attestation report on management’s assessment of the company’s internal controls. c. A statement identifying the framework used by management to conduct their assessment of internal controls. d. An explicit written conclusion as to the effectiveness of internal control over financial reporting.
28. In a computer-based information system, which of the following duties needs to be separated? a. program coding from program operations b. program operations from program maintenance c. program maintenance from program coding *d. All of the above duties should be separated.
29. Supervision in a computerized environment is more complex than in a manual environment for all of the following reasons except a. rapid turnover of systems professionals complicates management's task of assessing the competence and honesty of prospective employees b. many systems professionals have direct and unrestricted access to the organization’s programs and data c. rapid changes in technology make staffing the systems environment challenging *d. systems professionals and their supervisors work at the same physical location
30. Adequate backups will protect against all of the following except a. natural disasters such as fires *b. unauthorized access c. data corruption caused by program errors d. system crashes
31. Which is the most critical segregation of duties in the centralized computer services function? *a. systems development from data processing b. data operations from data librarian c. data preparation from data control d. data control from data librarian
32. Systems development is separated from data processing activities because failure to do so a. weakens database access security *b. allows programmers access to make unauthorized changes to applications during execution c. results in inadequate documentation d. results in master files being inadvertently erased
33. Which organizational structure is most likely to result in good documentation procedures? *a. separate systems development from systems maintenance b. separate systems analysis from application programming c. separate systems development from data processing d. separate database administrator from data processing
34. All of the following are control risks associated with the distributed data processing structure except a. lack of separation of duties b. system incompatibilities *c. system interdependency d. lack of documentation standards
35. Which of the following is not an essential feature of a disaster recovery plan? a. off-site storage of backups *b. computer services function c. second site backup d. critical applications identified
36. A cold site backup approach is also known as a. an internally provided backup b. a recovery operations center *c. an empty shell d. a mutual aid pact
37. The major disadvantage of an empty shell solution as a second site backup is a. the host site may be unwilling to disrupt its processing needs to process the critical applications of the disaster stricken company *b. intense competition for shell resources during a widespread disaster c. maintenance of excess hardware capacity d. the control of the shell site is an administrative drain on the company
38. An advantage of a recovery operations center is that a. it is an inexpensive solution *b. the initial recovery period is very quick c. the company has sole control over the administration of the center d. none of the above are advantages of the recovery operations center
39. For most companies, which of the following is the least critical application for disaster recovery purposes? *a. month-end adjustments b. accounts receivable c. accounts payable d. order entry/billing
40. The least important item to store off-site in case of an emergency is a. backups of systems software b. backups of application software c. documentation and blank forms *d. results of the latest test of the disaster recovery program
41. Some companies separate systems analysis from programming/program maintenance. All of the following are control weaknesses that may occur with this organizational structure except a. systems documentation is inadequate because of pressures to begin coding a new program before documenting the current program b. illegal lines of code are hidden among legitimate code and a fraud is covered up for a long period of time *c. a new systems analyst has difficulty in understanding the logic of the program d. inadequate systems documentation is prepared because this provides a sense of job security to the programmer
42. All of the following are recommended features of a fire protection system for a computer center except a. clearly marked exits *b. an elaborate water sprinkler system c. manual fire extinguishers in strategic locations d. automatic and manual alarms in strategic locations
43. Which concept is not an integral part of an audit? a. evaluating internal controls *b. preparing financial statements c. expressing an opinion d. analyzing financial data
44. Which statement is not true? a. Auditors must maintain independence. b. IT auditors attest to the integrity of the computer system. *c. IT auditing is independent of the general financial audit. d. IT auditing can be performed by both external and internal auditors.
45. Which of the following is true of disaster recovery as a service (DRaaS)? *a. Cloud resources are used to protect an organization from the consequences of disasters and service disruptions. b. DRaaS is the most secure disaster recovery option available to most businesses. c. Cloud resources are used as backups in place of all traditional forms of data backup. d. DRaaS is different than other outsourcing of the IT function because it exposes a client’s data more fully than other cloud services.
46. The fundamental difference between internal and external auditing is that *a. internal auditors represent the interests of the organization and external auditors represent outsiders b. internal auditors perform IT audits and external auditors perform financial statement audits c. internal auditors focus on financial statement audits and external auditors focus on operational audits and financial statement audits d. external auditors assist internal auditors but internal auditors cannot assist external auditors
47. Internal auditors assist external auditors with financial audits to *a. reduce audit fees b. ensure independence c. represent the interests of management d. None of the above. Internal auditors are not permitted to assist external auditors with financial audits.
48. Which statement is not correct? a. Auditors gather evidence using tests of controls and substantive tests. *b. The most important element in determining the level of materiality is the mathematical formula. c. Auditors express an opinion in their audit report. d. Auditors compare evidence to established criteria.
49. All of the following are steps in an IT audit except a. substantive testing b. tests of controls *c. post-audit testing d. audit planning
50. When planning the audit, information is gathered by all of the following methods except a. completing questionnaires b. interviewing management c. observing activities *d. confirming accounts receivable
51. Substantive tests include *a. examining the safety deposit box for stock certificates b. reviewing systems documentation c. completing questionnaires d. observation
52. Tests of controls include a. confirming accounts receivable b. counting inventory *c. completing questionnaires d. counting cash
53. All of the following are components of audit risk except a. control risk *b. legal risk c. detection risk d. inherent risk
54. Control risk is a. the probability that the auditor will render an unqualified opinion on financial statements that are materially misstated b. associated with the unique characteristics of the business or industry of the client *c. the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts d. the risk that errors not detected or prevented by the control structure will also not be detected by the auditor
55. All of the following tests of controls will provide evidence about the physical security of the computer center except a. review of fire marshal records b. review of the test of the backup power supply *c. verification of the second site backup location d. observation of procedures surrounding visitor access to the computer center
56. All of the following tests of controls will provide evidence about the adequacy of the disaster recovery plan except a. inspection of the second site backup *b. analysis of the fire detection system at the primary site c. review of the critical applications list d. composition of the disaster recovery team
57. Which of the following is true? a. In the CBIS environment, auditors gather evidence relating only to the contents of databases, not the reliability of the computer system. *b. Conducting an audit is a systematic and logical process that applies to all forms of information systems. c. Substantive tests establish whether internal controls are functioning properly. d. IT auditors prepare the audit report if the system is computerized.
58. Inherent risk a. exists because all control structures are flawed in some ways. b. is the likelihood that material misstatements exist in the financial statements of the firm. *c. is associated with the unique characteristics of the business or industry of the client. d. is the likelihood that the auditor will not find material misstatements.
59. Which of the following is not a generally accepted auditing standard? a. The auditor must have adequate technical training and proficiency. *b. The auditor must obtain sufficient, competent evidence. c. The auditor must have independence of mental attitude. d. All of the above are generally accepted auditing standard general standards.
60. The financial statements of an organization reflect a set of management assertions about the financial health of the business. All of the following describe types of assertions except a. that all of the assets and equities on the balance sheet exist *b. that all employees are properly trained to carry out their assigned duties c. that all transactions on the income statement actually occurred d. that all allocated amounts such as depreciation are calculated on a systematic and rational basis
61. Which of the following is not an advantage of distributed data processing? a. ability to backup computing facilities b. improved user satisfaction *c. efficient use of resources d. All of the above are advantages of distributed data processing.
62. Operations fraud includes a. altering program logic to cause the application to process data incorrectly *b. misusing the firm’s computer resources c. destroying or corrupting a program’s logic using a computer virus d. creating illegal programs that can access data files to alter, delete, or insert values
63. Segregation of duties in the computer-based information system includes *a. separating the programmer from the computer operator b. preventing management override c. separating the inventory process from the billing process d. performing independent verifications by the computer operator
64. Computer fraud can take many forms, including each of the following except a. theft or illegal use of computer-readable information b. theft, misuse, or misappropriation of computer equipment c. theft, misuse, or misappropriation of assets by altering computer-readable records and files *d. theft, misuse, or misappropriation of printer supplies
65. The following are examples of commodity assets except a. network management b. systems operations *c. systems development d. server maintenance
66. All of the following are examples of specific assets except a. application maintenance b. data warehousing c. highly skilled employees *d. server maintenance
67. Which of the following is true? a. Core competency theory argues that an organization should outsource specific core assets. *b. Core competency theory argues that an organization should focus exclusively on its core business competencies. c. Core competency theory argues that an organization should not outsource specific commodity assets. d. Core competency theory argues that an organization should retain certain specific noncore assets in-house.
68. Which of the following is not true? a. Large-scale IT outsourcing involves transferring specific assets to a vendor. b. Specific assets, while valuable to the client, are of little value to the vendor. c. Once an organization outsources its specific assets, it may not be able to return to its pre-outsource state. *d. Specific assets are of value to vendors because, once acquired, vendors can achieve economies of scale by employing them with other clients.
69. Which of the following is not true? *a. When management outsources their organization’s IT functions, they also outsource responsibility for internal control. b. Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor’s performance. c. IT outsourcing may effect incongruence between a firm’s IT strategic planning and its business planning functions. d. The financial justification for IT outsourcing depends upon the vendor achieving economies of scale.
70. Which of the following is not true? a. Management may outsource their organizations’ IT functions, but they cannot outsource their management responsibilities for internal control. b. Section 404 requires the explicit testing of outsourced controls. *c. The SSAE 16 report, which is prepared by the company’s auditor, attests to the adequacy of the vendor’s internal controls. d. Auditors issue two types of SSAE 16 reports: SSAE 16 Type I report and SSAE 16 Type II report.
71. Both the SEC and the PCAOB have expressed an opinion as to which internal control framework an organization should use to comply with SOX legislation. Explain. Correct Answer:
Both the SEC and PCAOB endorse the COSO framework, but any framework can be used that encompasses all of the COSO’s general themes. 72. Describe the two broad groupings of information system controls that are specified by COSO. Correct Answer:
Application controls apply to specific applications to ensure validity, completeness, and accuracy of financial transactions. General controls apply to all systems and include such controls over IT governance, IT infrastructure, network and operating system security, database access, application acquisition and development, and program changes. 73. The Sarbanes-Oxley Act contains many sections. Which sections are the focus of this chapter? Correct Answer:
The chapter concentrates on internal control and audit responsibilities pursuant to Sections 302 and 404. 74. What approach to the design and assessment of controls is recommended by PCAOB Auditing Standard No. 5? Correct Answer:
The PCAOB’s Auditing Standard No. 5 recommends a risk-based approach, such as that outlined in the COSO framework, to the design and assessment of controls. 75. What are the objectives of application controls? Correct Answer:
The objectives of application controls are to ensure the validity, completeness, and accuracy of financial transactions.
76. Define general controls. Correct Answer:
General controls apply to all systems. They are not application specific. General controls include controls over IT governance, the IT infrastructure, and security, as well as access to operating systems and databases, application acquisition and development, and program changes. 77. Discuss the key features of Section 302 of the Sarbanes-Oxley Act. Correct Answer:
Section 302 requires corporate management (including the chief executive officer) to certify financial and other information contained in the organization’s quarterly and annual reports. The rule also requires them to certify the internal controls over financial reporting. The certifying officers are required to have designed internal controls, or to have caused such controls to be designed, and to provide reasonable assurance as to the reliability of the financial reporting process. Furthermore, they must disclose any material changes in the company’s internal controls that have occurred during the most recent fiscal quarter. 78. What primary IT functions must be separated in a centralized firm? Correct Answer:
Separate systems development from computer operations; separate the database administrator from other functions; separate new systems development from maintenance.
79. List three pairs of system functions that should be separated in the centralized computer services organization. Describe a risk exposure if the functions are not separated. Functions to Separate
Risk Exposure
Correct Answer:
Separate systems development from data processing operations (unauthorized changes to application programs during execution); separate database administrator from systems development (unauthorized access to database files); separate new systems development from systems maintenance (writing fraudulent code and keeping it concealed during maintenance); separate data library from computer operations (loss of files or erasing current files).
80. For disaster recovery purposes, what criteria are used to identify an application or data as critical? Correct Answer:
Critical applications and files are those that impact the short-run survival of the firm. Critical items impact cash flows, legal obligations, and customer relations. 81. Describe the components of a disaster recovery plan. Correct Answer:
Every disaster recovery plan should: designate a second site backup; identify critical applications; perform backup and off-site storage procedures; create a disaster recovery team; test the disaster recovery plan.
82. What is a mirrored data center? Correct Answer:
A mirrored data center duplicates programs and data onto a computer at a separate location. Mirroring is performed for backup purposes. At any point in time, the mirrored data center reflects current economic events of the firm. 83. What is a recovery operations center? What is its purpose? Correct Answer:
A recovery operations center (ROC) or hot site is a fully equipped backup data center that many companies share. In addition to hardware and backup facilities, ROC service providers offer a range of technical services to their clients, who pay an annual fee for access rights. In the event of a major disaster, a subscriber can occupy the premises and, within a few hours, resume processing critical applications.
84. Why is inadequate documentation a chronic problem? Correct Answer:
Poor-quality systems documentation is a significant challenge for many organizations seeking SOX compliance. There are at least two explanations for this phenomenon. First, documenting systems is not as interesting as designing, testing, and implementing them. Systems professionals much prefer to move on to a new project rather than document one just completed. The second possible reason for poor documentation is job security. When a system is poorly documented, it is difficult to interpret, test, and debug. Therefore, the programmer who understands the system (the one who coded it) maintains bargaining power and becomes relatively indispensable. When the programmer leaves the firm, however, a new programmer inherits maintenance responsibility for the undocumented system. Depending on its complexity, the transition period may be long and costly. 85. What is program fraud? Correct Answer:
Program fraud involves making unauthorized changes to parts of a program for the purpose of committing an illegal act. 86. The distributed data processing approach carries some control implications of which accountants should be aware. Discuss two. Correct Answer:
Incompatibility of hardware and software, selected by users working independently, can result in system incompatibility that can affect communication. When individuals in different parts of the organization “do their own thing,” there can be significant redundancy between units. When user areas handle their own computer services functions, there may be a tendency to consolidate incompatible activities. Small units may lack the ability to evaluate systems professionals and to provide adequate opportunities and may therefore have difficulty acquiring qualified professionals. As the number of units handling systems tasks increases, there is an increasing chance that the systems will lack standards.
87. Explain the relationship between internal controls and substantive testing. Correct Answer:
The stronger the internal controls, the less substantive testing must be performed. 88. Define fault tolerance.
Correct Answer:
Fault tolerance is the ability of the system to continue operation when part of the system fails. Two examples are implementing redundant disks and redundant power supplies. 89. Distinguish between errors and irregularities. Which do you think concern auditors the most? Correct Answer:
Errors are unintentional mistakes, while irregularities are intentional misrepresentations to perpetrate a fraud or mislead the users of financial statements. Errors are a concern if they are numerous or sizable enough to cause the financial statements to be materially misstated. Processes which involve human actions will contain some amount of human error. Computer processes should only contain errors if the programs are erroneous, or if systems operating procedures are not being closely and competently followed. Errors are typically much easier to uncover than misrepresentations, thus auditors typically are more concerned with uncovering any and all irregularities than they are about errors. 90. What is a disaster recovery plan? Correct Answer:
A disaster recovery plan is a comprehensive statement of all actions to be taken before, during, and after a disaster, along with documented, tested procedures that will ensure the continuity of operations. 91. Distinguish between inherent risk and control risk. How do internal controls and detection risk fit in? Correct Answer:
Inherent risk is associated with the unique characteristics of the business or industry of the client. Firms in declining industries are considered to have more inherent risk than firms in stable or thriving industries. Control risk is the likelihood that the control structure is flawed because internal controls are either absent or inadequate to prevent or detect errors in the accounts. Internal controls may be present in firms with inherent risk, yet the financial statements may be materially misstated due to circumstances outside the control of the firm, such as a customer with unpaid bills on the verge of bankruptcy. Detection risk is the risk that auditors are willing to accept that errors are not detected or prevented by the control structure. Typically, detection risk will be lower for firms with higher inherent risk and control risk. 92. Contrast internal and external auditing. Correct Answer:
Internal auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization. External auditing is often called "independent auditing" because it is done by certified public accountants who are independent of the organization being audited. This independence is necessary since the external auditors represent the interests of third-party stakeholders such as shareholders, creditors, and government agencies. 93. What are the components of audit risk? Correct Answer:
Inherent risk is associated with the unique characteristics of the business itself; control risk is the likelihood that the control structure is flawed because controls are absent or inadequate; and detection risk is the risk that auditors are willing to take that errors will not be detected by the audit. 94. How do the tests of controls affect substantive tests? Correct Answer:
Tests of controls are used by the auditor to measure the strength of the internal control structure. The stronger the internal controls, the lower the control risk, and the less substantive testing the auditor must do. 95. What is an auditor looking for when testing computer center controls? Correct Answer:
When testing computer center controls, the auditor is trying to determine that the physical security controls are adequate to protect the organization from physical exposures, that insurance coverage on equipment is adequate, that operator documentation is adequate to deal with operations and failures, and that the disaster recovery plan is adequate and feasible. 96. What is the empty shell? Correct Answer:
The empty shell or cold site plan is an arrangement wherein the company buys or leases a building that will serve as a data center. In the event of disaster, the shell is available and ready to receive whatever hardware the temporary user needs to run essential systems. 97. What is IT governance? Correct Answer:
IT governance is a broad concept relating to the decision rights and accountability for encouraging desirable behavior in the use of IT. Three aspects of IT governance are of particular importance to SOX compliance: organizational structure of the IT function, computer operations, and disaster recovery planning.
98. Why should the tasks of systems development and maintenance be segregated from operations? Correct Answer:
The segregation of systems development (both new systems development and maintenance) and operations activities is of great importance. Systems development and maintenance professionals acquire (by in-house development and purchase) and maintain systems for users. Operations staff should run these systems and have no involvement in their design and implementation. Consolidating these functions invites fraud. Detailed knowledge of an application’s logic and control parameters, along with access to the computer operations, could enable an individual to make unauthorized changes to application logic during execution. Such changes may be temporary (on the fly) and will disappear with little or no trace when the application terminates. 99. Why should new systems development activities be segregated from the program change (maintenance) function? Correct Answer:
Combining these functions increases the potential for two problems: inadequate documentation and fraud. Inadequate systems documentation is a chronic IT problem and a significant challenge for many organizations seeking SOX compliance. The potential for fraud is increased when the original programmer of a system also has maintenance responsibility. 100. Name three forms of computer fraud. Correct Answer:
Computer fraud includes: the theft, misuse, or misappropriation of assets by altering computer-readable records and files; the theft, misuse, or misappropriation of assets by altering the logic of computer software; the theft or illegal use of computer-readable information; the theft, corruption, illegal copying, or intentional destruction of computer software; the theft, misuse, or misappropriation of computer hardware.
101. Name three types of program fraud. Correct Answer:
Program fraud includes: (1) creating illegal programs that can access data files to alter, delete, or insert values into accounting records; (2) destroying or corrupting a program’s logic using a computer virus; or (3) altering program logic to cause the application to process data incorrectly.
102. Define operations fraud. Correct Answer:
Operations fraud is the misuse or theft of the firm’s computer resources. This often involves using the computer to conduct personal business. 103. Define database management fraud. Correct Answer:
Database management fraud includes altering, deleting, corrupting, destroying, or stealing an organization’s data. 104. What is scavenging? Correct Answer:
Scavenging involves searching through the trash of the computer center for discarded output. 105. As a form of computer fraud, what is eavesdropping? Correct Answer:
Eavesdropping involves listening to output transmissions over telecommunications lines. 106. Briefly explain the core competency theory. Correct Answer:
Core competency theory argues that an organization should focus exclusively on its core business competencies, while allowing outsourcing vendors to efficiently manage the noncore areas such as the IT functions. 107. What are commodity IT assets? Correct Answer:
Commodity IT assets are not unique to a particular organization and are thus easily acquired in the marketplace. These include such things as network management, systems operations, server maintenance, and help-desk functions. 108. Briefly outline transaction cost economics as it relates to IT outsourcing. Correct Answer:
Transaction cost economics theory is in conflict with the core competency school by suggesting that firms should retain certain specific noncore IT assets in-house.
Because of their esoteric nature, specific assets cannot be easily replaced once they are given up in an outsourcing arrangement. 109. Briefly explain how an SSAE 16 report is used in assessing internal controls of outsourced facilities. Correct Answer:
The internal controls over the outsourced services reside at the vendor location. They are audited by the vendor’s auditor, who expresses an opinion and issues an SSAE 16 report on the control adequacy. The Type 1 report attests to the vendor management’s description of their system and the suitability of the design of controls. The Type 2 report goes further and includes an assessment on the operating effectiveness of the controls. 110. Give an example of an audit objective and its related audit procedure. Correct Answer:
Examples include: Inventories on the balance sheet exist (observe the counting of the physical inventory); Accounts payable include all obligations to vendors for the period (compare receiving reports, supplier invoices, purchase orders, and journal entries for the period and the beginning of the next period); Plant and equipment listed on the balance sheet are actually owned by the company (review purchase agreements, insurance policies, and related documents); Contingencies not reported in the financial accounts are properly disclosed in footnotes (obtain information from the company’s lawyers about the status of litigation and potential loss).
111. Discuss the key features of Section 404 of the Sarbanes-Oxley Act. Correct Answer:
Section 404 requires the management of public companies to assess the effectiveness of their organization’s internal controls over financial reporting and provide an annual report addressing the following points: 1) A statement of management’s responsibility for establishing and maintaining adequate internal control. 2) An assessment of the effectiveness of the company’s internal controls over financial reporting. 3) A statement that the organization’s external auditor has issued an attestation report on management’s assessment of the company’s internal controls. 4) An explicit written conclusion as to the effectiveness of internal control over financial reporting. 5) A statement identifying the framework used by management to conduct their assessment of internal controls.
112. Section 404 requires management to make a statement identifying the control framework used to conduct their assessment of internal controls. Discuss the options in selecting a control framework. Correct Answer:
The SEC has made specific reference to COSO as a recommended control framework. PCAOB’s Auditing Standard No. 5 endorses the use of COSO as the framework for control assessment. Although other suitable frameworks have been published, any other framework used should encompass all of COSO’s general themes. 113. Explain how general controls impact transaction integrity and the financial reporting process. Correct Answer:
Consider an organization with poor database security controls. In such a situation, even data processed by systems with adequate built-in application controls may be at risk. An individual who can circumvent database security may then change, steal, or corrupt stored transaction data. Thus, general controls are needed to support the functioning of application controls, and both are needed to ensure accurate financial reporting. 114. Prior to SOX, external auditors were required to be familiar with the client organization’s internal controls, but not test them. Explain. Correct Answer:
Auditors had the option of not relying on internal controls in the conduct of an audit and therefore did not need to test them. Instead auditors could focus primarily on substantive tests. Under SOX, management is required to make specific assertions regarding the effectiveness of internal controls. To attest to the validity of these assertions, auditors are required to test the controls. 115. Does a qualified opinion on management’s assessment of internal controls over the financial reporting system necessitate a qualified opinion on the financial statements? Explain. Correct Answer:
No. Auditors are permitted to simultaneously render a qualified opinion on management’s assessment of internal controls and an unqualified opinion on the financial statements. In other words, it is technically possible for auditors to find internal controls over financial reporting to be weak, but conclude through substantive tests that the weaknesses did not cause the financial statements to be materially misrepresented. 116. The PCAOB’s Auditing Standard No. 5 specifically requires auditors to understand transaction flows in designing their test of controls. What steps does this entail?
Correct Answer:
This involves: 1. Selecting the financial accounts that have material implications for financial reporting. 2. Identifying the application controls related to those accounts. 3. Identifying the general controls that support the application controls.
The sum of these controls, both application and general, constitutes the relevant internal controls over financial reporting that need to be reviewed.
117. What fraud detection responsibilities are imposed on auditors by the Sarbanes-Oxley Act? Correct Answer:
SOX places responsibility on auditors to detect fraudulent activity and emphasizes the importance of controls designed to prevent or detect fraud that could lead to material misstatement of the financial statements. Management is responsible for implementing such controls and auditors are expressly required to test them. 118. Describe how a corporate IT function can overcome some of the problems associated with distributed data processing. Correct Answer:
The corporate IT function may provide the following technical advice and expertise to distributed data processing units: central testing of commercial software and hardware; installation of new software; troubleshooting hardware and software problems; technical training; firm-wide standard setting for the systems area; and performance evaluation of systems professionals.
119. Discuss the advantages and disadvantages of the second site backup options. Correct Answer:
Second site backups include empty shell, recovery operations center, and internally provided backups.
Empty Shell
Advantages: Inexpensive
Disadvantages: Extended time lag between disaster and initial recovery; may encounter competition among users for shell resources
Recovery Operations Center
Advantages: Rapid initial recovery
Disadvantages: Expensive; potential for competition among users
Internally Provided Backups
Advantages: Controlled by the firm; compatibility of hardware and software; rapid initial recovery
Disadvantages: Expense of maintaining excess capacity year round
120. Internal control in a computerized environment can be divided into two broad categories. What are they? Explain each. Correct Answer:
Internal controls can be divided into two broad categories. General controls apply to all or most of a system to minimize exposures that threaten the integrity of the applications being processed. These include operating system controls, data management controls, organizational structure controls, system development controls, system maintenance controls, IT infrastructure, and IT governance. Application controls focus on exposures related to specific parts of the system or specific applications: payroll, accounts receivable, etc. 121. Auditors examine the physical environment of the computer center as part of their audit. Many characteristics of computer centers are of interest to auditors. What are they? Discuss. Correct Answer:
The characteristics of computer centers that are of interest to auditors include: physical location, which affects the risk of disaster—it should be distant from human-made and natural hazards; construction of the computer center should be sound; access to the computer center should be controlled; air-conditioning should be adequate given the heat generated by electronic equipment and the failure that can result from overheating; fire suppression systems are critical; and adequate power supply is needed to ensure service. 122. Explain why certain duties that are deemed incompatible in a manual system may be combined in an automated environment. Give an example. Correct Answer:
In an automated environment it would be inefficient and contrary to the objectives of automation to separate such tasks as processing and recording a transaction among several different application programs merely to emulate a manual control model. Further, the reason for separating tasks is to control against the negative behavior of humans; in an automated environment the computer performs the tasks, not humans. 123. Compare and contrast the following disaster recovery options: empty shell, recovery operations center, and internally provided backup. Rank them from most risky to least risky, as well as most costly to least costly. Correct Answer:
The lowest cost method is internally provided backup. With this method, organizations with multiple data processing centers may invest in internal excess capacity and support themselves in the case of disaster in one data processing center. In terms of cost, the next method is the empty shell, where two or more organizations buy or lease space for a data processing center. The space is made ready for computer installation; however, no computer equipment is installed. This method requires lease or mortgage payments, as well as payment for air conditioning and raised floors. The risk of this method is that the hardware, software, and technicians may be difficult, if not impossible, to have available in the case of a natural disaster. Further, if multiple members' systems crash simultaneously, an allocation problem exists. The method with lowest risk and also the highest cost is the recovery operations center. This method takes the empty shell concept one step further—the computer equipment is actually purchased, and software may even be installed. Assuming that this site is far enough away from the disaster-stricken area not to be affected by the disaster, this method can be a very good safeguard. Yet it can also suffer from an allocation of usage should a disaster hit several members at the same time. 124. What is a disaster recovery plan? What are the key features? Correct Answer:
A disaster recovery plan is a comprehensive statement of all actions to be taken before, during, and after a disaster, along with documented, tested procedures that will ensure the continuity of operations. The essential features are: providing second site backup, identifying critical applications, backup and off-site storage procedures, creating a disaster recovery team, and testing the disaster recovery plan. 125. Computer fraud is easiest at the data collection stage. Why? Correct Answer:
Computer fraud is easiest at the data collection stage because much of what occurs after the data collection or input stage is not visible to human eyes. Once entered, the system will presume that the input is legitimate and will process it as all others. 126. Explain the outsourcing risk of failure to perform. Correct Answer:
Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor’s performance. The negative implications of such dependency are illustrated in the financial problems that have plagued the huge outsourcing vendor Electronic Data Systems Corp. (EDS). In a cost-cutting effort, EDS terminated seven thousand employees, which impacted its ability to serve other clients. Following an eleven-year low in share prices, EDS stockholders filed a class-action lawsuit against the company. Vendors in such serious financial and legal trouble threaten the viability of their clients. 127. Explain vendor exploitation. Correct Answer:
Once the client firm has divested itself of specific assets it becomes dependent on the vendor. The vendor may exploit this dependency by raising service rates to an exorbitant level. As the client’s IT needs develop over time beyond the original contract terms, it runs the risk that new or incremental services will be negotiated at a premium. This dependency may threaten the client’s long-term flexibility, agility, and competitiveness, as well as result in even greater vendor dependency. 128. Explain why reduced security is an outsourcing risk. Correct Answer:
Information outsourced to offshore IT vendors raises unique and serious questions regarding internal control and the protection of sensitive personal data. When corporate financial systems are developed and hosted overseas, and program code is developed through interfaces with the host company's network, U.S. corporations are at risk of losing control of their information. To a large degree U.S. firms are reliant on the outsourcing vendor’s security measures and data-access policies, as well as the privacy laws of the host country. 129. Explain how IT outsourcing can lead to loss of strategic advantage.
Correct Answer:
Alignment between IT strategy and business strategy requires a close working relationship between corporate management and IT management in the concurrent development of business and IT strategies. This, however, is difficult to accomplish when IT planning is geographically redeployed offshore or even domestically. Further, since the financial justification for IT outsourcing depends upon the vendor achieving economies of scale, the vendor is naturally driven toward seeking common solutions that may be used by many clients rather than creating unique solutions for each of them. This fundamental underpinning of IT outsourcing is inconsistent with the client’s pursuit of strategic advantage in the marketplace. 130. Explain the role of an SSAE 16 report in reviewing internal controls. Correct Answer:
An SSAE 16 report is the means by which an outsourcing vendor can obtain a single audit report that may be used by its clients’ auditors and thus preclude the need for each client firm’s auditor to conduct its own audit of the vendor’s system and the adequacy of its internal controls.
Chapter 15
1. In a computerized environment, the audit trail log must be printed onto paper documents. a. True *b. False
2. Disguising message packets to look as if they came from another user in order to gain access to the host’s network is called spooling. a. True *b. False
3. A formal log-on procedure is the operating system’s last line of defense against unauthorized access. a. True *b. False
4. Computer viruses usually spread throughout the system before being detected. *a. True b. False
5. A worm is a software program that replicates itself in areas of idle memory until the system fails. *a. True b. False
6. Viruses rarely attach themselves to executable files. a. True *b. False
7. Subschemas are used to authorize user access privileges to specific data elements. a. True *b. False
8. A recovery module suspends all data processing while the system reconciles its journal files against the database. a. True *b. False
9. The database management system controls access to program files. a. True *b. False
10. Operating system controls are of interest to system professionals but should not concern accountants and auditors. a. True *b. False
11. The most frequent victims of program viruses are microcomputers. *a. True b. False
12. Access controls protect databases against destruction, loss or misuse through unauthorized access. *a. True b. False
13. Operating system integrity is not of concern to accountants because only hardware risks are involved. a. True *b. False
14. Audit trails in computerized systems are comprised of two types of audit logs: detailed logs of individual keystrokes and event-oriented logs. *a. True b. False
15. In a telecommunications environment, line errors can be detected by using an echo check. *a. True b. False
16. Firewalls are special materials used to insulate computer facilities. a. True *b. False
17. The message authentication code is calculated by the sender and the receiver of a data transmission. *a. True b. False
18. The request-response technique should detect if a data communication transmission has been diverted. *a. True b. False
19. Electronic data interchange translation software interfaces with the sending firm and the value added network. a. True *b. False
20. A value-added network can detect and reject transactions by unauthorized trading partners. *a. True b. False
21. Electronic data interchange customers may be given access to the vendor's data files. *a. True b. False
22. Malicious and destructive programs cause millions of dollars of loss to corporations annually. *a. True b. False
23. A firewall is a hardware partition designed to protect networks from power surges. a. True *b. False
24. Transaction logs are permanent records of transactions created to preserve audit trails in a computerized environment. *a. True b. False
25. Examining programmer authority tables for information about who has access to data definition language commands will provide evidence about who is responsible for creating subschemas. *a. True b. False
26. The operating system performs all of the following tasks except a. translates third-generation languages into machine language b. assigns memory to applications *c. authorizes user access d. schedules job processing
27. Which of the following is considered an unintentional threat to the integrity of the operating system? a. a hacker gaining access to the system because of a security flaw *b. a hardware flaw that causes the system to crash c. a virus that formats the hard drive d. the systems programmer accessing individual user files
28. A software program that replicates itself in areas of idle memory until the system fails is called a a. Trojan horse *b. worm c. logic bomb d. none of the above
29. A software program that allows access to a system without going through the normal log-on procedures is called a a. logic bomb b. Trojan horse c. worm *d. back door
30. All of the following will reduce the exposure to computer viruses except a. install antivirus software b. install factory-sealed application software c. assign and control user passwords *d. install public-domain software from reputable bulletin boards
31. Public key encryption *a. uses one key for encoding messages and another for decoding them b. is an enhancement to data encryption standard (DES) c. is electronic authentication that cannot be forged d. requires RSA, a highly secure cryptography method
32. A Trojan horse a. burrows into a computer’s memory and replicates itself into areas of idle memory b. is a destructive program triggered by some predetermined event c. allows unauthorized access to a system without going through normal log-on procedures *d. captures IDs and passwords from unsuspecting users
33. Hackers can disguise their message packets to look as if they came from an authorized user and gain access to the host’s network using a technique called *a. spoofing b. spooling c. dual-homing d. screening
34. The checkpoint feature a. makes a periodic backup of the entire database b. uses logs and backup files to restart the system after failure *c. suspends all data processing while the system reconciles the transaction log against the database d. provides an audit trail of all processed transactions
35. Which of the following is not an access control in a database system? *a. antivirus software b. database authorization table c. passwords d. voice prints
36. Which is not a biometric device? *a. password b. retina prints c. voice prints d. signature characteristics
37. Which of the following is not a basic database backup and recovery feature? a. checkpoint b. backup database c. transaction log *d. database authority table
38. All of the following are objectives of operating system control except a. protecting the OS from users b. protecting users from each other c. protecting users from themselves *d. protecting the environment from users
39. Passwords are secret codes that users enter to gain access to systems.
Security can be compromised by all of the following except a. failure to change passwords on a regular basis *b. using obscure passwords unknown to others c. recording passwords in obvious places d. selecting passwords that can be easily detected by computer criminals
40. Audit trails cannot be used to a. detect unauthorized access to systems b. facilitate reconstruction of events *c. reduce the need for other forms of security d. promote personal accountability
41. Which control will not reduce the likelihood of data loss due to a line error? a. echo check *b. encryption c. vertical parity bit d. horizontal parity bit
42. Which method will render useless data captured by unauthorized receivers?
a. echo check b. parity bit *c. public key encryption d. message sequencing
43. Which method is most likely to detect unauthorized access to the system? *a. message transaction log b. data encryption standard c. vertical parity check d. request-response technique
44. All of the following techniques are used to validate electronic data interchange
transactions except a. value-added networks that compare passwords to a valid customer file before message transmission b. prior to converting the message, the translation software of the receiving company can compare the password against a validation file in the firm's database c. the recipient's application software can validate the password prior to processing *d. the recipient's application software can validate the password after the transaction has been processed
45. In an electronic data interchange environment, customers routinely access *a. the vendor's price list file b. the vendor's accounts payable file c. the vendor's open purchase order file d. none of the above
46. All of the following tests of controls will provide evidence that adequate
computer virus control techniques are in place and functioning except a. verifying that only authorized software is used on company computers *b. reviewing system maintenance records c. confirming that antivirus software is in use d. examining the password policy including a review of the authority table
47. Audit objectives for the database management system include all of the
following except *a. verifying that the security group monitors and reports on fault tolerance violations b. confirming that backup procedures are adequate c. ensuring that authorized users access only those files they need to perform their duties d. verifying that unauthorized users cannot access data files
48. All of the following tests of controls will provide evidence that access to the data
files is limited except a. inspecting biometric controls *b. reconciling program version numbers c. comparing job descriptions with access privileges stored in the authority table d. attempting to retrieve unauthorized data via inference queries
49. Audit objectives for communications controls include all of the following except a. detection and correction of message loss due to equipment failure b. prevention and detection of illegal access to communication channels c. procedures that render intercepted messages useless *d. all of the above
50. When auditors examine and test the call-back feature, they are testing which
audit objective? a. incompatible functions have been segregated b. application programs are protected from unauthorized access c. physical security measures are adequate to protect the organization from natural disaster *d. illegal access to the system is prevented and detected
51. In an electronic data interchange (EDI) environment, when the auditor
compares the terms of the trading partner agreement against the access privileges stated in the database authority table, the auditor is testing which audit objective? a. all EDI transactions are authorized b. unauthorized trading partners cannot gain access to database records *c. authorized trading partners have access only to approved data d. a complete audit trail is maintained
52. Audit objectives in the electronic data interchange (EDI) environment include all
of the following except a. all EDI transactions are authorized b. unauthorized trading partners cannot gain access to database records c. a complete audit trail of EDI transactions is maintained *d. backup procedures are in place and functioning properly
53. In determining whether a system is adequately protected from attacks by
computer viruses, all of the following policies are relevant except a. the policy on the purchase of software only from reputable vendors b. the policy that all software upgrades are checked for viruses before they are implemented c. the policy that current versions of antivirus software should be available to all users *d. the policy that permits users to take files home to work on them
54. Which of the following is not a test of access controls? a. biometric controls b. encryption controls *c. backup controls d. inference controls
55. In an electronic data interchange environment, customers routinely a. access the vendor's accounts receivable file with read/write authority b. access the vendor's price list file with read/write authority *c. access the vendor's inventory file with read-only authority d. access the vendor's open purchase order file with read-only authority
56. In an electronic data interchange environment, the audit trail a. is a printout of all incoming and outgoing transactions *b. is an electronic log of all transactions received, translated, and processed by the system c. is a computer resource authority table d. consists of pointers and indexes within the database
57. All of the following are designed to control exposures from subversive threats
except a. firewalls b. one-time passwords *c. field interrogation d. data encryption
58. Many techniques exist to reduce the likelihood and effects of data
communication hardware failure. One of these is a. hardware access procedures b. antivirus software *c. parity checks d. data encryption
59. Which of the following deal with transaction legitimacy? a. transaction authorization and validation b. access controls c. EDI audit trail *d. all of the above
60. Firewalls are a. special materials used to insulate computer facilities *b. a system that enforces access control between two networks c. special software used to screen Internet access d. none of the above
61. The database attributes that individual users have permission to access are
defined in the a. operating system b. user manual c. database schema *d. user view
62. An integrated group of programs that supports the applications and facilitates
their access to specified resources is called a(n) *a. operating system b. database management system c. utility system d. facility system
63. Transmitting numerous SYN packets to a targeted receiver, but not responding
to an ACK, is a. a smurf attack b. IP spoofing c. a ping attack *d. none of the above
64. Which of the following is true? *a. Deep packet inspection uses a variety of analytical and statistical techniques to evaluate the contents of message packets. b. An intrusion prevention system works in parallel with a firewall at the perimeter of the network to act as a filter that removes malicious packets from the flow before they can affect servers and networks. c. A distributed denial of service attack is so named because it is capable of attacking many victims simultaneously who are distributed across the Internet. d. None of the above are true statements.
65. Advanced encryption standard (AES) is a. a 64-bit private key encryption technique *b. a 128-bit private key encryption technique c. a 128-bit public key encryption technique d. a 256-bit public encryption technique that has become a U.S. government standard
66. Briefly define an operating system. Correct Answer:
An operating system is an integrated group of programs that supports the applications and facilitates their access to specified resources. 67. What is a virus? Correct Answer:
A virus is a program that attaches itself to another legitimate program in order to penetrate the operating system. 68. Describe one benefit of using a call-back device. Correct Answer:
Access to the system is achieved when the call-back device makes contact with an authorized user. This reduces the chance of an intruder gaining access to the system from an unauthorized remote location. 69. Contrast the private encryption standard approach with the public key encryption approach to controlling access to telecommunication messages.
Correct Answer:
In the private encryption standard approach, both the sender and the receiver use the same key to encode and decode the message. In the public key encryption approach, all senders receive a copy of the key used to send messages; the receiver is the only one with access to the key to decode the message. 70. List three methods of controlling unauthorized access to telecommunication messages. Correct Answer:
call-back devices, data encryption, message sequence numbering, message authentication codes, message transaction logs, and request-response technique 71. Describe two ways that passwords are used to authorize and validate messages in the electronic data interchange environment. Correct Answer:
Value-added networks use passwords to detect unauthorized transactions before they are transmitted to recipients; the recipient of the message can validate the password prior to translating the message; the recipient of the message can validate the password prior to processing the transaction. 72. Explain how transactions are audited in an electronic data interchange environment. Correct Answer:
Firms using electronic data interchange maintain an electronic log of each transaction as it moves from receipt to translation to communication of the message. This transaction log restores the audit trail that was lost because no source documents exist. Verification of the entries in the log is part of the audit process. 73. What are some typical problems with passwords? Correct Answer:
users failing to remember passwords; failure to change passwords frequently; displaying passwords where others can see them; using simple, easy-to-guess passwords 74. Discuss the key features of the one-time password technique: Correct Answer:
The one-time password was designed to overcome the problems associated with reusable passwords. The user’s password changes continuously. This technology employs a credit card-sized smart card that contains a microprocessor programmed with an algorithm that generates, and electronically displays, a new and unique password every 60 seconds. The card works in conjunction with special
authentication software located on a mainframe or network server computer. Each user’s card is synchronized to the authentication software, so that at any point in time both the smart card and the network software are generating the same password for the same user. 75. Describe two tests of controls that would provide evidence that the database management system is protected against unauthorized access attempts. Correct Answer:
compare job descriptions with authority tables; verify that database administration employees have exclusive responsibility for creating authority tables and designing user subschemas; evaluate biometric and inference controls 76. What is event monitoring? Correct Answer:
Event monitoring summarizes key activities related to system resources. Event logs typically record the IDs of all users accessing the system; the time and duration of a user’s session; programs that were executed during a session; and the files, databases, printers, and other resources accessed. 77. What are the auditor's concerns in testing EDI controls? Correct Answer:
When testing EDI controls, the auditor's primary concerns are related to ascertaining that EDI transactions are authorized, validated, and in compliance with organization policy, that no unauthorized organizations gain access to records, that authorized trading partners have access only to approved data, and that adequate controls are in place to maintain a complete audit trail. 78. What is a database authorization table? Correct Answer:
The database authorization table contains rules that limit the actions a user can take. Each user is granted certain privileges that are coded in the authority table, which is used to verify the user’s action requests. 79. What is a user-defined procedure? Correct Answer:
A user-defined procedure allows the user to create a personal security program or routine to provide more positive user identification than a password can. For example, in addition to a password, the security procedure asks a series of personal questions (such as the user’s mother’s maiden name), which only the legitimate user is likely to know.
80. What are biometric devices? Correct Answer:
Biometric devices measure various personal characteristics such as fingerprints, voiceprints, retina prints, or signature characteristics. These user characteristics are digitized and stored permanently in a database security file or on an identification card that the user carries. When an individual attempts to access the database, a special scanning device captures his or her biometric characteristics, which it compares with the profile data stored internally or on the ID card. If the data do not match, access is denied. 81. What can be done to defeat a DDoS attack? Correct Answer:
Intrusion prevention systems (IPS) that employ deep packet inspection (DPI) are a countermeasure to DDoS attacks. 82. What is deep packet inspection? Correct Answer:
DPI is a technique that searches individual network packets for protocol noncompliance and can identify and classify malicious packets based on a database of known attack signatures. 83. Explain how smurf attacks can be controlled. Correct Answer:
The targeted organization can program their firewall to ignore all communication from the attacking site, once the attacker’s IP address is determined. 84. Explain how SYN flood attacks can be controlled. Correct Answer:
Two things can be done: First, Internet hosts can program their firewalls to block outbound message packets that contain invalid internal IP addresses. Second, security software can scan for half-open connections that have not been followed by an ACK packet. The clogged ports can then be restored to allow legitimate connections to use them.
85. What problem is common to all private key encryption techniques? Correct Answer:
The more individuals who need to know the private key, the greater the probability of it falling into the wrong hands. If a perpetrator discovers the key, he or she can intercept and decipher coded messages. 86. What are the three security objectives of audit trails? Explain. Correct Answer:
Audit trails support system security objectives in three ways. By detecting unauthorized access to the system, the audit trail protects the system from outsiders trying to breach system controls. By monitoring system performance, changes in the system may be detected. The audit trail can also contribute to reconstructing events such as system failures, security breaches, and processing errors. In addition, the ability to monitor user activity can support increased personal accountability. 87. What is an operating system? What does it do? What are operating system control objectives? Correct Answer:
An operating system is a computer’s control program. It controls user sharing of applications and resources such as processors, memory, databases, and peripherals such as printers. Common PC operating systems include Windows 2000, Windows NT, and Linux. An operating system carries out three primary functions: translating high level languages into machine language using modules called compilers and interpreters; allocating computer resources to users, workgroups, and applications; and managing job scheduling and multiprogramming.
An operating system has five basic control objectives: 1. to protect itself from users, 2. to protect users from each other, 3. to protect users from themselves, 4. to protect it from itself, and 5. to protect itself from its environment.
88. Discuss three sources of exposure (threats) to the operating system. Correct Answer:
1. Privileged personnel who abuse their authority. Systems administrators and systems programmers require unlimited access to the operating system to perform maintenance and to recover from system failures. Such individuals may use this
authority to access users’ programs and data files. 2. Individuals both internal and external to the organization who browse the operating system to identify and exploit security flaws. 3. Individuals who intentionally (or accidentally) insert computer viruses or other forms of destructive programs into the operating system.
89. Discuss three techniques for breaching operating system controls. Correct Answer:
Browsing involves searching through areas of main memory for password information. Masquerading is a technique where a user is made to believe that he/she has accessed the operating system and therefore enters passwords, etc., that can later be used for unauthorized access. A virus is a program that attaches itself to legitimate software to penetrate the operating system. Most are destructive. A worm is software that replicates itself in memory. A logic bomb is a destructive program triggered by some "logical" condition—a matching date, e.g., Michelangelo's birthday.
90. A formal log-on procedure is the operating system’s first line of defense. Explain how this works. Correct Answer:
When the user logs on, he or she is presented with a dialog box requesting the user’s ID and password. The system compares the ID and password to a database of valid users. If the system finds a match, then the log-on attempt is authenticated. If, however, the password or ID is entered incorrectly, the log-on attempt fails and a message is returned to the user. The message should not reveal whether the password or the ID caused the failure. The system should allow the user to reenter the log-on information. After a specified number of attempts (usually no more than five), the system should lock out the user from the system. 91. Explain the concept of discretionary access privileges. Correct Answer:
In centralized systems, a system administrator usually determines who is granted access to specific resources and maintains the access control list. In distributed systems, however, resources may be controlled (owned) by end users. Resource owners in this setting may be granted discretionary access privileges, which allow them to grant access privileges to other users. For example, the controller, who is the owner of the general ledger, may grant read-only privileges to a manager in the budgeting department. The accounts payable manager, however, may be granted both read and write permissions to the ledger. Any attempt by the budgeting
manager to add, delete, or change the general ledger will be denied. The use of discretionary access control needs to be closely supervised to prevent security breaches because of its liberal use. 92. One purpose of a database system is the easy sharing of data. But this ease of sharing can also jeopardize security. Discuss at least three forms of access control designed to reduce this risk. Correct Answer:
Many types of access control are possible. A user view is a subset of a database that limits a user’s view or access to the database. The database authorization table contains rules that limit what a user can do, i.e., read, insert, modify, delete. A user-defined procedure adds additional queries to user access to prevent others from accessing in a specific user’s place. To protect the data in a database, many systems use data encryption to make it unreadable by intruders. A newer technique uses biometric devices to authenticate users. 93. Explain how the one-time password approach works. Correct Answer:
Under this approach, the user’s password changes continuously. To access the operating system, the user must provide both a secret reusable personal identification number (PIN) and the current one-time only password for that point in time. One technology employs a credit-card-sized device (smart card) that contains a microprocessor programmed with an algorithm that generates, and visually displays, a new and unique password every 60 seconds. The card works in conjunction with special authentication software located on a mainframe host or network server computer. At any point in time both the smart card and the network software are generating the same password for the same user. To access the network, the user enters the PIN followed by the current password displayed on the card. The password can be used one time only. 94. Network communication poses some special types of risk for a business. What are the two broad areas of concern? Explain. Correct Answer:
Two general types of risk exist when networks communicate with each other: risks from subversive threats and risks from equipment failure. Subversive threats include interception of information transmitted between sender and receiver, computer hackers gaining unauthorized access to the organization’s network, and denial of service attacks from remote locations on the Internet. Methods for controlling these risks include firewalls, encryption, digital signatures, digital certificates, message transaction logs, and call-back devices. Equipment failure can be the result of line errors. The problems can be minimized with the help of echo checks, parity checks, and good backup control.
95. What is EDI? How does its use affect the audit trail? Correct Answer:
Electronic data interchange is an arrangement which links the computer systems of two trading partners to expedite sales/purchases. The buying company’s purchasing system creates and transmits a purchase order electronically in an agreed format, either directly or through a value-added network. The selling company receives the information and it is converted electronically into a sales order. The absence of paper documents in an EDI transaction disrupts the traditional audit trail. This can be compensated for through the use of transaction logs which can be reconciled.
96. Describe three ways in which IPS can be used to protect against DDoS attacks. Correct Answer:
1) IPS can work in-line with a firewall at the perimeter of the network to act as a filter that removes malicious packets from the flow before they can affect servers and networks. 2) IPS may be used behind the firewall to protect specific network segments and servers. 3) IPS can be employed to protect an organization from becoming part of a botnet by inspecting outbound packets and blocking malicious traffic before it reaches the Internet.
Chapter 16 1. Users need to be actively involved in the systems development process. *a. True b. False
2. All systems should be informally approved to ensure economic justification and feasibility. a. True *b. False
3. The technical design activities translate a system’s set of detailed technical specifications into user specifications. a. True *b. False
4. All program modules must be thoroughly tested before they are implemented. *a. True b. False
5. Meaningful test data is relatively easy to create. a. True *b. False
6. To verify the module’s internal logic, the programmer compares the actual results obtained from the test with the predetermined results. *a. True b. False
7. The user test and acceptance procedure is the last point at which the user can determine the system’s acceptability prior to it going into service. *a. True b. False
8. To support future audit needs, test data prepared during systems implementation should be preserved. *a. True b. False
9. Maintenance access to systems increases the risk that logic will be corrupted either by accident or intent to defraud. *a. True b. False
10. One of the auditor’s objectives relating to systems development is to authorize development projects. a. True *b. False
11. The longest period in the SDLC is the maintenance phase. *a. True b. False
12. Source program library controls should prevent and detect unauthorized access to application programs. *a. True b. False
13. The presence of a SPLMS effectively guarantees program integrity. a. True *b. False
14. Programs in their compiled state are highly susceptible to the threat of unauthorized modification. a. True *b. False
15. When using the test data method, the presence of multiple error messages indicates a flaw in the preparation of test transactions. a. True *b. False
16. The black box approach to testing computer applications allows the auditor to explicitly review program logic. a. True *b. False
17. A salami fraud affects a large number of victims, but the harm to each appears to be very small. *a. True b. False
18. The black box approach to testing computer program controls is also known as auditing around the computer. *a. True b. False
19. The base case system evaluation is a variation of the test data method. *a. True b. False
20. Tracing is a method used to verify the logical operations executed by a computer application. *a. True b. False
21. Generalized audit software packages are used to assist the auditor in performing substantive tests. *a. True b. False
22. The results of a parallel simulation are compared to the results of a production run in order to judge the quality of the application processes and controls. *a. True b. False
23. Firms with an independent internal audit staff may conduct tests of the system development life cycle on an ongoing basis. *a. True b. False
24. The programmer’s authority table will specify the libraries a programmer may access. *a. True b. False
25. Use of the integrated test facility poses no threat to organizational data files. a. True *b. False
26. Which of the following statements is not true? a. All systems should be properly authorized to ensure their economic justification and feasibility. *b. Users need not be actively involved in the systems development process. c. All program modules must be thoroughly tested before they are implemented. d. The task of creating meaningful test data is time consuming.
27. Which control is not associated with new systems development activities? *a. reconciling program version numbers b. program testing c. user involvement d. internal audit participation
28. Routine maintenance activities require all of the following controls except a. documentation updates b. testing c. formal authorization *d. internal audit approval
29. Which statement is correct? a. Compiled programs are very susceptible to unauthorized modification. *b. The source program library stores application programs in source code form. c. Modifications are made to programs in machine code language. d. The source program library management system increases operating efficiency.
30. Which control is not a part of the source program library management system? a. using passwords to limit access to application programs b. assigning a test name to all programs undergoing maintenance *c. combining access to the development and maintenance of test libraries d. assigning version numbers to programs to record program modifications
31. Which control ensures that production files cannot be accessed without specific
permission? a. database management system b. recovery operations function *c. source program library management system d. computer services function
32. Program testing a. involves individual modules only, not the full system *b. requires creation of meaningful test data c. need not be repeated once the system is implemented d. is primarily concerned with usability
33. To meet the governance-related expectations of management under SOX, an
organization’s internal audit department needs to be all of the following except a. independent b. objective c. technically qualified *d. designers of test data
34. Which test of controls will provide evidence that the system as originally
implemented was free from material errors and free from fraud? a. A cost-benefit analysis was conducted. b. The detailed design was an appropriate solution to the user's problem. *c. Tests were conducted at the individual module and total system levels prior to implementation. d. Problems detected during the conversion period were corrected in the maintenance phase.
35. Which statement is not true? *a. An audit objective for systems maintenance is to detect unauthorized access to application databases. b. An audit objective for systems maintenance is to ensure that applications are free from errors. c. An audit objective for systems maintenance is to verify that user requests for maintenance reconcile to program version numbers. d. An audit objective for systems maintenance is to ensure that the production libraries are protected from unauthorized access.
36. When the auditor reconciles the program version numbers, which audit
objective is being tested? *a. protect applications from unauthorized changes b. ensure applications are free from error c. protect production libraries from unauthorized access d. ensure incompatible functions have been identified and segregated
37. When auditors do not rely on a detailed knowledge of the application's internal
logic, they are performing *a. black box tests of program controls b. white box tests of program controls c. substantive testing d. intuitive testing
38. All of the following concepts are associated with the black box approach to
auditing computer applications except a. the application need not be removed from service and tested directly b. auditors do not rely on a detailed knowledge of the application's internal logic c. the auditor reconciles previously produced output results with production input transactions *d. this approach is used for complex transactions that receive input from many sources
39. Which test is not an example of a white box test? *a. determining the fair value of inventory b. ensuring that passwords are valid c. verifying that all pay rates are within a specified range d. reconciling control totals
40. When analyzing the results of the test data method, the auditor would spend the
least amount of time reviewing *a. the test transactions b. error reports c. updated master files d. output reports
41. All of the following are advantages of the test data technique except a. auditors need minimal computer expertise to use this method b. this method causes minimal disruption to the firm's operations *c. the test data is easily compiled d. the auditor obtains explicit evidence concerning application functions
42. All of the following are disadvantages of the test data technique except *a. the test data technique requires extensive computer expertise on the part of the auditor b. the auditor cannot be sure that the application being tested is a copy of the current application used by computer services personnel c. the auditor cannot be sure that the application being tested is the same application used throughout the entire year d. preparation of the test data is time consuming
43. All of the following statements are true about the integrated test facility (ITF)
except *a. production reports are affected by ITF transactions b. ITF databases contain “dummy” records integrated with legitimate records c. ITF permits ongoing application auditing d. ITF does not disrupt operations or require the intervention of computer services personnel
44. Which statement is not true? Embedded audit modules a. can be turned on and off by the auditor b. reduce operating efficiency c. may lose their viability in an environment where programs are modified frequently *d. identify transactions to be analyzed using white box tests
45. Generalized audit software packages perform all of the following tasks except a. recalculate data fields b. compare files and identify differences c. stratify statistical samples *d. analyze results and form opinions
46. Contrast the source program library (SPL) management system to the database management system (DBMS). Correct Answer:
The SPL software manages program files and the DBMS manages data files.
47. Name two methods used to control the source program library. Correct Answer:
passwords, separation of development programs from maintenance programs, program management reports, program version numbers, controlling maintenance commands
48. New system development activity controls must focus on the authorization, development, and implementation of new systems and their maintenance. List five control activities that are found in an effective system development life cycle. Correct Answer:
system authorization activities, user specification activities, technical design activities, internal audit, and program testing
49. What distinguishes a salami fraud? Correct Answer:
It affects a large number of victims, but the harm to each is minimal.
50. Describe a test of controls that would provide evidence that only authorized program maintenance is occurring. Correct Answer:
reconcile program version numbers, confirm maintenance authorizations
51. Auditors do not rely on detailed knowledge of the application's internal logic when they use the __________ approach to auditing computer applications. Correct Answer:
black box or audit around the computer
52. Describe parallel simulation. Correct Answer:
The auditor writes a program that simulates the application under review. The simulation is used to reprocess production transactions that were previously processed by the production application. The results of the simulation are compared to the results of the original production run.
53. What is meant by auditing around the computer versus auditing through the computer? Why is this so important? Correct Answer:
Auditing around the computer involves black box testing in which the auditors do not rely on a detailed knowledge of the application's internal logic. Input is reconciled with corresponding output. Auditing through the computer involves obtaining an in-depth understanding of the internal logic of the computer application. As transactions become increasingly automated, the inputs and outputs may become decreasingly visible. Thus, the importance of understanding the programming components of the system is crucial.
54. What is an embedded audit module? Correct Answer:
EAM techniques use one or more specially programmed modules embedded in a host application to select and record predetermined types of transactions for subsequent analysis. This method allows material transactions to be captured throughout the audit period. The auditor's substantive testing task is thus made easier since they do not have to identify significant transactions for substantive testing.
55. What are the audit’s objectives relating to systems development? Correct Answer:
The auditor’s objectives are to ensure that (1) systems development activities are applied consistently and in accordance with management’s policies to all systems development projects; (2) the system as originally implemented was free from material errors and fraud; (3) the system was judged necessary and justified at various checkpoints throughout the SDLC; and (4) system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities.
56. What are program version numbers and how are they used? Correct Answer:
The SPLMS assigns a version number automatically to each program stored on the SPL. When programs are first placed in the libraries (at implementation), they are assigned version number zero. With each modification to the program, the version number is increased by one.
57. Identify six controllable activities that distinguish an effective systems development process. Correct Answer:
systems authorization activities, user specification activities, technical design activities, internal audit participation, program testing, and user test and acceptance procedures
58. What are CAATTs? Identify five of them. Correct Answer:
Through-the-computer testing employs computer-assisted audit tools and techniques (CAATTs) and requires an in-depth understanding of the internal logic of the application under review. Five CAATTs are the test data method, base case system evaluation, tracing, integrated test facility, and parallel simulation.
59. What is ITF? Correct Answer:
ITF stands for integrated test facility, an automated technique that enables the auditor to test an application’s logic and controls during its normal operation.
60. What is GAS? Identify two examples of GAS products. Correct Answer:
Generalized audit software (GAS) is a widely used CAATT for IT auditing that allows auditors to access digital data files and perform various operations on the contents. ACL and IDEA are currently the leading GAS products, but others exist with similar features.
61. Outline the six controllable activities that relate to new systems development. Correct Answer:
Systems authorization activities. All systems should be properly authorized to ensure their economic justification and feasibility. This requires a formal environment in which users submit requests to systems professionals in written form.
User specification activities. Users need to be actively involved in the systems development process. Users should create a detailed written description of their needs. It should describe the user’s view of the problem, not that of the systems professionals.
Technical design activities. The technical design activities translate user specifications into a set of detailed technical specifications for a system that meets the user’s needs. The scope of these activities includes systems analysis, feasibility analysis, and detailed systems design.
Internal audit participation. To meet the governance-related expectations of management under SOX, an organization’s internal audit department needs to be independent, objective, and technically qualified. As such, the internal auditor can play an important role in the control of systems development activities.
Program testing. All program modules must be thoroughly tested before they are implemented. This involves creating hypothetical master files and transactions files that are processed by the modules being tested. The results of the tests are then compared against predetermined results to identify programming and logic errors.
User test and acceptance procedures. Prior to system implementation, the individual modules of the system need to be formally and rigorously tested as a whole. The test team should comprise user personnel, systems professionals, and internal auditors. The details of the tests performed and their results need to be formally documented and analyzed. Once the test team is satisfied that the system meets its stated requirements, the system can be transferred to the user.
62. Describe two tests of controls the auditor can use to confirm authorization procedures for program changes. Correct Answer:
Reconcile program version numbers. The permanent file of the application should contain program change authorization documents that correspond to the current version number of the production application. In other words, if the production application is in its tenth version, there should be ten program change authorizations in the permanent file as supporting documentation. Any discrepancies between version numbers and supporting documents may indicate that unauthorized changes were made.
Confirm maintenance authorization. The program maintenance authorization should indicate the nature of the change requested and the date of the change. The appropriate management from both computer services and the user departments should also sign and approve it. The auditor should confirm the facts contained in the maintenance authorization and verify the authorizing signatures with the managers involved.
63. Describe and contrast the test data method with the integrated test facility. Correct Answer:
In the test data method, a specially prepared set of input data is processed; the results of the test are compared to predetermined expectations. To use the test data method, a copy of the current version of the application must be obtained. The auditor will review printed reports, transaction listings, error reports, and master files to evaluate application logic and control effectiveness. The test data approach results in minimal disruption to the organization's operations and requires little computer expertise on the part of auditors.
The integrated test facility (ITF) is an automated approach that permits auditors to test an application’s logic and controls during its normal operation. ITF databases contain test records integrated with legitimate records. During normal operations, test transactions are entered into the stream of regular production transactions and are processed against the test records. The ITF transactions are not included with the production reports but are reported separately to the auditor for evaluation. The auditor compares ITF results against expected results.
In contrast to the test data approach, the ITF technique promotes ongoing application auditing and does not interfere with the normal work of computer services employees. In the test data approach, there is a risk that the auditor might perform the tests on a version of the application other than the production version; this cannot happen in the ITF approach. Both versions are relatively costly to implement. The major risk with the ITF approach is that ITF data could become combined with live data and the reports would be misstated; this cannot happen in the test data approach.
64. Contrast embedded audit modules with generalized audit software. Correct Answer:
Both techniques permit auditors to access, organize, and select data in support of the substantive phase of the audit. The embedded audit module (EAM) technique embeds special audit modules into applications. The EAM captures specific transactions for auditor review. EAMs reduce operational efficiency and are not appropriate for environments with a high level of program maintenance. Generalized audit software (GAS) permits auditors to electronically access audit files and to perform a variety of audit procedures. For example, the GAS can recalculate, stratify, compare, format, and print the contents of files.
The EAM is an internal program that is designed and programmed into the application. The GAS is an external package that does not affect operational efficiency of the program. GASs are easy to use, require little IT background on the part of the user, are hardware independent, can be used without the assistance of computer service employees, and are not application-specific. On the other hand, EAMs are programmed into a specific application by computer service professionals.
65. What is the purpose of the auditor’s review of SDLC documentation? Correct Answer:
In reviewing the SDLC documentation, the auditor seeks to determine that completed projects now in use reflect compliance with SDLC policies including: User and computer services management properly authorized the project. A preliminary feasibility study showed that the project had merit. A detailed analysis of user needs was conducted that resulted in alternative conceptual designs. A cost-benefit analysis was conducted using reasonably accurate figures. The detailed design was an appropriate and accurate solution to the user’s problem. Test results show that the system was thoroughly tested at both the individual module and the total system level before implementation. (To confirm these test results, the auditor may decide to retest selected elements of the application.) There is a checklist of specific problems detected during the conversion period, along with evidence that they were corrected in the maintenance phase. Systems documentation complies with organizational requirements and standards.
66. Discuss the six general categories of tests of IT controls. Correct Answer:
Access tests verify that individuals, programmed procedures, or messages attempting to access a system are authentic and valid. Access tests include verifications of user IDs, passwords, valid vendor codes, and authority tables.
Validity tests ensure that the system processes only data values that conform to specified tolerances. These tests also apply to transaction approvals, such as verifying that credit checks and AP three-way matches are properly performed by applications.
Accuracy tests ensure that mathematical calculations are accurate and posted to the correct accounts.
Completeness tests identify missing data within a single record and entire records missing from a batch. Tests include field tests and record sequence tests, as well as recalculation of hash totals and financial control totals.
Redundancy tests determine that an application processes each record only once and include reviewing record counts and recalculation of hash totals and financial control totals.
Audit trail tests ensure that the application creates an adequate audit trail. Tests include obtaining evidence that the application records all transactions, posts data values appropriately, and generates error files and reports for all exceptions.
67. Discuss the three types of controls auditors can perform to determine that programs are free from material errors. Correct Answer:
Reconcile the source code. Each application’s permanent file should contain the current program listing and listings of all changes made to the application. These documents describe the application’s maintenance history in detail. The nature of the program change should be clearly stated on the authorization document. The auditor should select a sample of applications and reconcile each program change with the appropriate documents.
Review the test results. Every program change should be thoroughly tested before being implemented. Test procedures should be properly documented as to test objective, test data, and processing results. The auditor should review this record for each significant program change to establish that testing was sufficiently rigorous to identify any errors.
Retest the program. The auditor can retest the application to confirm its integrity.