Cha 8 Solutions Manual 11th Ed


  • 8/11/2019 Cha 8 Solutions Manual 11th Ed

    1/24

    Accounting Information Systems

    CHAPTER 8

    INFORMATION SYSTEMS CONTROLS FOR SYSTEMS RELIABILITY

    SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

    8.1 For the consumer, opt-out represents many disadvantages because the consumer is responsible for explicitly notifying every company that might be collecting the consumer's personal information and telling them to stop collecting their personal data. Consumers are less likely to take the time to opt-out of these programs and even if they do decide to opt-out, they may not know of all of the companies that are capturing their personal information. For the organization collecting the data, opt-out is an advantage for the same reasons it is a disadvantage to the consumer: the organization is free to collect all the information they want until explicitly told to stop.

    8.2 a. The cost here is tangible, consisting of the salaries of additional employees, if any, who must be hired in order to accomplish segregation of duties. The benefit is much less tangible, comprising primarily the reduction in the risk of loss from both fraud and unintentional errors. One approach might be to estimate an "expected benefit" as a product of the possible loss from fraud and the reduction in probability of fraud.

    b. The costs here are also relatively tangible, including the costs of maintaining a tape library and of performing special procedures such as file labeling, concurrent update controls, encryption, virus protection, maintaining backup files, and so forth. The benefit is again intangible, consisting of the reduction in risk of loss of vital business data. Once again an "expected benefit" might be estimated as the reduction of the product of the cost of data reconstruction and the probability of data loss.

    c. The cost here consists of the extra programming and processing time required to prepare and execute the input validation routines. As in the other cases, the benefits are intangible and difficult to measure in dollars. The primary benefit is the increase in accuracy of files and output. In this case, the decision must be primarily subjective, since a reliable dollar value is unlikely to be available.

    8.3 The disadvantage of full backups is time. Organizations do not normally make full backups of their data on a frequent (daily) basis simply due to the time a full backup takes. Most organizations do full backups on a weekly basis. The advantage of frequent full backups is that the full system can be restored from a single backup. An advantage of incremental or partial daily backups is time. Since only files that have been altered since the last incremental backup or full backup are included in the backup, the backup can be done much more quickly. Of course, the downside of incremental backups is that it is likely that more than one backup will be needed to fully restore the system in the event of a system failure. Management decides what the recovery point objective (RPO) should be for their company, i.e., how much they are willing to lose in the event of a catastrophic event. Naturally, the recovery time objective (RTO) would always be "as soon as possible", but this decision hinges on how long management thinks the company can operate without their data. The advantage of real-time mirroring is that a full and complete backup is always available at a moment's notice. The mirror site can instantly step into the shoes of the primary site since it is a real-time replica of the primary site. The disadvantage of real-time mirroring is the cost of creating and maintaining identical databases at two different site locations; however, depending on the needs of the business, real-time mirroring may be a legitimate and necessary business expense since the cost of losing data and then recreating that data from a full or partial backup would be prohibitive. In other words, for these businesses, RPO and RTO are essentially zero, i.e., the data must be available instantaneously.

    2009 Pearson Education, Inc. Publishing as Prentice Hall

    Ch. 8: Computer-Based Information Systems Control

    8.4

    A (Original Number) | B (Transposed Number) | B - A (Difference) | Divisible by 9?
    10 | 01 | 9 | Yes
    11 | 11 | 0 | Not a transposition
    12 | 21 | 9 | Yes
    13 | 31 | 18 | Yes
    14 | 41 | 27 | Yes
    15 | 51 | 36 | Yes
    16 | 61 | 45 | Yes
    17 | 71 | 54 | Yes
    18 | 81 | 63 | Yes
    19 | 91 | 72 | Yes

    When numbers between 10 and 19 are transposed, the difference between the original number and the transposed number is divisible by 9 except for the number 11 since the transposition of 11 is 11 and therefore not a transposition.

    8.5 Good internal control procedures dictate the objectives of internal control, but not the techniques by which those objectives are to be achieved. Computer systems can efficiently scan large volumes of records on a regular basis, identify transactions that need to be initiated, and then take appropriate transaction-initiation steps such as document preparation and file updating.

    Given that computer systems will be programmed to initiate transactions, the issue is to identify internal control techniques that will achieve the stated objective under these circumstances. These include (1) strong controls over the development and revision of the computer programs that initiate transactions, (2) organizational separation of the programming and computer operations functions, (3) logical access controls to prevent unauthorized access to computer programs, and (


    In summary, automatic generation of transactions by computer does not necessarily violate good internal control.

    8.6 Since outsourcing is and will likely continue to be a topic of interest, this question should generate some good discussion from students. Data security and data protection are rated in of the top ten risks of offshore outsourcing by CIO News. Compliance with The Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX) are of particular concern to companies outsourcing work to offshore companies. Since offshore companies are not required to comply with HIPAA, companies that contract with offshore providers do not have any enforceable mechanisms in place to protect and safeguard Protected Health Information, i.e., patient health information, as required by HIPAA. They essentially lose control of that data once it is processed by an offshore provider. Similarly, offshore companies are not governed by SOX and therefore when the CEO and CFO attest to the accuracy of their company's financial statements which includes documentation of any business processes performed by offshore entities.

    One question that may facilitate discussion is to ask the students that once a company sends some operations offshore, does the outsourcing company still have legal control over their data or do the laws of the off shore company dictate ownership? Should the outsourcing company be liable in this country for data that was lost or compromised by an outsourcing offshore partner?

    8.7 Since most students will encounter this question as an employee and as a future manager, the concept of personal email use during business hours should generate significant discussion. One question that may help facilitate discussion is to ask whether personal emails are any different than personal phone calls during business hours. The instructor may also want to use this opportunity to discuss security issues with email. Viruses are frequently spread through email and although a virus could infect company computers through a business related email, personal email will also expose the company to viruses and therefore warrant the policy of disallowing any personal emails. In addition, there is the risk that employees could overtly or inadvertently release confidential company information through personal email. Once the information is written in electronic form it is easy and convenient for the recipient to disburse that information.

    8.8 Many people may view biometric authentication as invasive. That is, in order to gain access to a work related location or data, they must provide a very personal image of part of their body such as their retina, finger or palm print, their voice, etc. Providing such personal information may make some individuals fearful of identity theft in that unlike a social security number or a bank account number, biometric identification characteristics cannot simply be "reset". If someone's digitized biometric identification such as a fingerprint is stolen, then how can they prevent their identity from being used to lie, cheat, and steal? Indeed, facial scans and voice scans can be obtained and recorded without the consent and knowledge of the person being scanned. RFID tags that are embedded or attached to a person's clothing would allow anyone with that particular tag's frequency to track the exact movements of the "tagged" person. For police tracking criminals that would be a tremendous asset, but what if criminals were tracking people who they wanted to rob or whose property they wanted to rob when they knew the person would not be at home. Already one elementary school tried using RFID tags on students to track attendance, but stopped the program due to parental complaints and because the company that donated the equipment decided to stop supplying the RFID tags to the school.

    SUGGESTED SOLUTIONS TO THE PROBLEMS

    8.1 There is no single correct solution for this problem. Student responses will vary depending on their experience with various businesses. One minimal classification scheme could be highly confidential or top-secret, confidential or internal only, and public. The following table lists some examples of items that could fall into each basic category.

    Highly Confidential (Top Secret) | Confidential (Internal) | Public
    Research Data | Payroll | Financial Statements
    Product Development Data | Cost of Capital | Security and Exchange Commission Filings
    Proprietary Manufacturing Processes | Tax | Marketing Information
    Proprietary Business Processes | Manufacturing Cost Data | Product Specification Data
    Competitive Bidding Data | Financial Projections | Earnings Announcement Data

    8.2 a. Record Count: 4 records

    Hash and Financial Totals are shown in the table below.

    Employee Number | Pay Rate | Hours Worked | Gross Pay | Deductions | Net Pay
    121 6.50 38 2.50 221.50 123 7.25 6.75 90 607.5 0.00 57.50 122 67.5 00.00 2200.00
    .50 2679.00
    Hash Total | Hash Total | Hash Total | Financial Total | Financial Total | Financial Total

    b. Field Check: 2

    Sequence Check: Employee 122 is out of order. This record should appear directly after Employee 121.

    Limit Check: 90 Hours Worked for Employee 125 is probably too high.

    Reasonableness Test: 450 in Deductions for Employee 125 seems too high given a Gross Pay of 587.50.

    Crossfooting Balance Test: 57.50 net pay for employee 125 does not equal 607.50-450. Net pay should be 157.50 if the gross pay and deductions are correct. In addition, the deductions for employee 125 also appear to be unreasonably high, so the correct net pay should be much higher than 57.50.
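    The batch totals and edit checks named in 8.2, as an added example that is not part of the original solutions manual. The batch is constructed (employee 125 carries the figures discussed above), and the 60-hour limit and the 50% deduction ceiling are assumptions chosen for illustration.

```python
from decimal import Decimal

# Constructed sample batch (employee, hours, gross pay, deductions, net pay),
# not the textbook's data. Employee 125 carries the figures the solution
# discusses: 90 hours, 607.50 gross pay, 450 deductions, 57.50 net pay.
BATCH = [
    (121, 38, "247.00", "25.50", "221.50"),
    (123, 40, "290.00", "45.00", "245.00"),
    (125, 90, "607.50", "450.00", "57.50"),
    (122, 40, "270.00", "40.00", "230.00"),
]

MAX_HOURS = 60                         # assumed ceiling for the limit check
MAX_DEDUCTION_SHARE = Decimal("0.50")  # assumed ceiling for the reasonableness test


def control_totals(batch):
    """Batch totals computed before processing and recomputed afterwards."""
    return {
        "record_count": len(batch),
        "hash_total": sum(rec[0] for rec in batch),              # employee numbers
        "net_pay_total": sum(Decimal(rec[4]) for rec in batch),  # financial total
    }


def edit_checks(batch):
    """Return (employee, failed check) pairs in the order they are detected."""
    findings = []
    highest_seen = None
    for emp, hours, gross, deductions, net in batch:
        gross, deductions, net = Decimal(gross), Decimal(deductions), Decimal(net)
        # Sequence check: employee numbers must arrive in ascending order.
        if highest_seen is not None and emp < highest_seen:
            findings.append((emp, "sequence"))
        highest_seen = emp if highest_seen is None else max(highest_seen, emp)
        # Limit check: hours worked may not exceed the ceiling.
        if hours > MAX_HOURS:
            findings.append((emp, "limit"))
        # Reasonableness test: deductions are judged against gross pay.
        if gross > 0 and deductions / gross > MAX_DEDUCTION_SHARE:
            findings.append((emp, "reasonableness"))
        # Crossfooting balance test: gross pay - deductions must equal net pay.
        if gross - deductions != net:
            findings.append((emp, "crossfooting"))
    return findings


if __name__ == "__main__":
    print(control_totals(BATCH))
    for emp, check in edit_checks(BATCH):
        print(f"employee {emp}: {check} check failed")
```

    A record lost or altered between data entry and processing changes at least one of the three control totals, which is what comparing them before and after a run detects.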


    8.3

    a. Field 1 - Member number:

    Range check to verify that the field contains only four digits within the range of 0001 to 1368.

    Validity check on member number if a file of valid member numbers is maintained.

    Field 2 - Date of flight start:

    Check that day, month, and year corresponds to the current date.

    Field check to verify that the field contains six digits.

    Field 3 - Plane used:

    Validity check that character is one of the legal characters to describe a plane (, C, , or L).

    Check that only a single character is used. (field check)

    Field 4 - Time of take off:

    Range check that both pairs of numbers are within the acceptable range (first two digits are within range 00 to 23, and second two digits are within the range 00 to 59).

    Field check to verify that the field contains four digits.

    Field 5 - Time of landing:

    Range check that both pairs of numbers are within the acceptable range described for field is greater than field


    preformatting to display an input form including all required input items.

    completeness check on each input record to ensure all items have been entered.

    default values such as today's date for the flight date.

    closed-loop verification (member name would appear immediately after the member number)

    (SMAC Examination, adapted)

    8.4 Differences between the correct batch total and the batch totals obtained after processing:

    (a) (b) (c) (d) 29,36 is not divisible evenly by 9, which rules out a transposition error. The difference affects multiple columns, which rules out a single transcription error. The difference amount is not equal to any of the entries in the first batch total calculation, which rules out an error of omission. Dividing the difference by 2 gives 2,626.28, which is one of the entries in the first calculation. More careful inspection reveals that this amount has been inadvertently subtracted from the second batch total calculation rather than added.

    b. The difference of 90 is evenly divisible by 9, which suggests the possible transposition of adjoining digits in the hundredths and tenths columns. More careful inspection indicates that the amount 66.86 from the first calculation was incorrectly transposed to 6.86 in the second calculation.

    c. A difference of 1,000 represents a discrepancy in only one column, the thousandths column. A possible error in transcribing one digit in that column is indicated. More careful examination reveals that the amount 2,772.
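    The reasoning used in 8.4 to narrow down a batch-total discrepancy, as an added example that is not part of the original solutions manual. The entries are constructed, the function names are hypothetical, and the function returns every error type consistent with the difference, so a value such as 90 is reported both as a possible transposition and as a single-column discrepancy.

```python
from decimal import Decimal

# Constructed batch of transaction amounts (not the textbook's figures).
ENTRIES = ["1250.40", "2626.28", "4566.86", "2772.14", "318.75"]


def batch_total(entries):
    """Financial total of a batch, kept exact with Decimal."""
    return sum(Decimal(e) for e in entries)


def diagnose(entries, correct_total, processed_total):
    """List the error types consistent with a batch-total discrepancy."""
    amounts = [Decimal(e) for e in entries]
    diff = abs(Decimal(correct_total) - Decimal(processed_total))
    if diff == 0:
        return []
    cents = int(diff * 100)  # assumes amounts carry two decimal places
    candidates = []
    # Swapping two adjoining digits always changes a number by a multiple of 9.
    if cents % 9 == 0:
        candidates.append("transposition")
    # A difference confined to one column points to one mistyped digit.
    if len(str(cents).strip("0")) == 1:
        candidates.append("transcription")
    # A difference equal to an entry suggests that entry was left out.
    if diff in amounts:
        candidates.append("omission")
    # Half the difference equal to an entry suggests it was subtracted, not added.
    if diff / 2 in amounts:
        candidates.append("subtracted instead of added")
    return candidates


if __name__ == "__main__":
    correct = batch_total(ENTRIES)
    scenarios = {
        "2626.28 subtracted": correct - 2 * Decimal("2626.28"),
        "4566.86 keyed as 4656.86": correct + 90,
        "2772.14 keyed as 3772.14": correct + 1000,
        "318.75 left out": correct - Decimal("318.75"),
    }
    for label, processed in scenarios.items():
        print(label, "->", diagnose(ENTRIES, correct, processed))
```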


    8.5

    The following edit checks might be used to detect errors during the typing of answers to the input cues:

    Validity check of operator access code and password - ensures that the operator is authorized to access computer programs and files. Also use of expense account - ensures that proper expense account number is used.

    Compatibility test of operator request to access payroll file - ensures that this operator has been granted authority to access and modify payroll records.

    Field check - ensures that numeric characters are entered into and accepted by the system in fields where only numeric characters are required, e.g., numbers 0-9 in a social security number.

    Field check - ensures that letters are entered into and accepted by the system in fields where only letters are required, e.g., letters A-Z in employee name.

    Field check - ensures that only specific special characters are entered into and accepted by the system where only these special characters are required, e.g., dashes in a social security number.

    Sign check - ensures that positive or negative signs are entered into and accepted by the system where only such signs are required to be entered or that the absence of a positive or negative sign appears where such an absence is required, e.g., hours worked.

    Validity check - ensures that only authorized data codes will be entered into and accepted by the system where only such authorized data codes are required, e.g., authorized employee account numbers.

    Range check - ensures that only data values within a predetermined range will be entered into and accepted by the system, e.g., rate per hour for new employees cannot be lower than the minimum set by law or higher than the maximum set by management.


    Size check - ensures that only data using fixed or defined field lengths will be entered into and accepted by the system, e.g., number of dependents requires exactly two digits.

    Check digit - ensures that only specific code numbers prepared by using a specific arithmetic operation will be entered into and accepted by the system. This may not be needed if the more powerful validity checks are properly used.

    Completeness test - ensures that no blanks will be entered into and accepted by the system when data should be present, e.g., an "S" or "M" is entered in response to single or married?

    Overflow check - ensures that no digits are dropped if a number becomes too large for a variable during processing, e.g., hourly rates "on size errors" are detected.

    Control-total check - ensures that no unauthorized changes are made to specified data or data fields and all data have been entered.

    Reasonableness test - ensures that unreasonable combinations of data are rejected, e.g., overtime hours cannot be greater than zero if regular hours are less than


    8.6 a. The computer security weaknesses present at Gleicken Corporation that made it possible for a disastrous data loss to occur include:

    inadequate attention by top management to EDP facilities planning and security concerns.

    housing the data processing facility in a building with exposed wooden beams and a wood-shingled exterior, rather than in a building constructed of fire retardant materials.

    lack of a sprinkler (Halon) system, a fire suppression system under a raised floor, and fire doors.

    preparing tape backups too infrequently (weekly).

    data and program tapes, especially the backup copies, should not be stored on open shelves in the data processing area. Working copies should be stored in a separate library area constructed of fire retardant materials, while backup copies should be stored off-site.

    lack of a written disaster recovery plan with arrangements in place to use an alternate off-site computer center in the event of a disaster or an extended service interruption. While a phone list of data processing personnel exists, there is no indication that responsibilities have been assigned as to actions to be taken in the event of a disaster.

    lack of complete systems documentation kept outside the data processing area.

    inadequate casualty insurance coverage.

    b. The components that should have been included in the disaster recovery plan at Gleicken Corporation in order to ensure computer recovery within 72 hours include the following:

    A written disaster recovery plan should be developed with review and approval by senior management, data processing management, end-user management, and internal audit.

    Backup file copies should be prepared at least daily. Backup files and programs should be stored at a secure off-site location that can be easily accessible in an emergency.

    The disaster recovery team should be organized. Select the disaster recovery manager, identify the tasks, segregate into teams, develop an organization chart for disaster procedures, match personnel to team skills and functions, and assign duties and responsibilities to each member.

    The duties and responsibilities of the recovery team include obtaining use of a previously arranged alternate data processing facility; activating the backup system and network; retrieving backup data files and programs; restoring programs and data; processing critical applications; and reconstructing data entered into the system subsequent to latest saved backup/restart point.

    c. Factors, other than those included in the disaster recovery plan itself, that should be considered when formulating the plan include:

    arranging business interruption insurance in addition to liability insurance.

    ensuring that all systems and operations documentation is kept up to date, and that backup copies are maintained off-site, easily accessible for use in case of disaster.

    performing a risk/cost analysis to determine the level of expense that may be justified to obtain reasonable, as opposed to certain, assurance that disaster recovery can be achieved in 72 hours. For example, is the purchase of a duplicate hardware set-up at another location justified.

    d. Other threats (besides fire) from which Gleicken should have protected itself are:

    earthquake

    theft/burglary

    intense sunlight through the skylights

    (CMA Examination, adapted)

    8.7 Student solutions will vary depending on the template they select. Templates are available in Adobe PDF or Microsoft Word format.


    8.8


    The following represents one way to solve this problem. To check student solutions, the instructor will have to collect electronic copies of this assignment to verify that students have implemented the checks assigned in the problem.

    Supporting Formulas:

    F5 (Monthly Payment): =PMT(Rate/12,PMTs*12,-Mortgage)
    F8 (Total Interest Paid): =SUM(C13:C372)
    F9 (Principal Paid): =SUM(E13:E373)
    G6 (Warning): =IF(F6>F5*0.5,"Warning: Extra principal payment is greater than 50% of the total regular payment","")
    G12 (Beginning Balance): =+Mortgage
    A13 (Payment Number): =IF(ROWS(A13:A13)>PMTs*12,0,ROWS(A13:A13))
    B13 (Principal balance at beginning of period): =IF(A13=0,0,IF(G12<=0,0,G12))
    C13 (Interest): =IF(A13=0,0,IF(B13=0,0,IPMT(Rate/12,A13,PMTs*12,-Mortgage)))
    D13 (Principal): =IF(A13=0,0,IF(B13=0,0,PPMT(Rate/12,A13,PMTs*12,-Mortgage)))
    E13 (Monthly Principal + Extra Principal Payment): =IF(A13=0,0,IF(B13=0,0,IF(H13=0,+D13+F6+G13,+D13+F6)))
    F13 (Cumulative Principal): =+F12+E13
    G13 (Principal balance at end of period): =IF(A13=0,0,IF(B13=0,0,Mortgage-(SUM(D13:D13)+F6*A13)))
    H13 (Marker): =IF(G13>=0,1,0)

    Data Input Controls:

    Field check to ensure only numeric data is entered in the "Life of loan in years":

    Range check to ensure that annual interest rates must be between

    Limit check to verify that the amount of the loan is than 300,000:

    Reasonableness test: amount of extra principal payment cannot be greater than 50% of the initial total monthly payment:

    Cell Formula G6: =IF(F6>F5*0.5,"Warning: Extra principal payment is greater than 50% of the total regular payment","")


    Cross-footing balance checks to verify that total amount paid in principal plus extra principal over the life of the loan equals original loan amount:

    Cell Formula F9: =SUM(E13:E373)
    Cell Formula E13 to end of the column: =IF(A13=0,0,IF(B13=0,0,IF(H13=0,+D13+F6+G13,+D13+F6)))

    Although this is not strictly a cross-footing balance, for an Excel based repayment schedule that does not employ any Visual Basic programming code, this is an effective method to check for any overpayment over the life of the loan when additional payments are included. Therefore, students should be warned in advance that a strict cross-footing balance may not be possible and to be flexible and to think creatively in meeting the control requirements of this problem.

    Conditional limit check to calculate the final extra principal payment so that it does not reduce the outstanding balance below zero:

    Cell Formula E13 to end of the column: =IF(A13=0,0,IF(B13=0,0,IF(H13=0,+D13+F6+G13,+D13+F6)))
    Cell Formula H13: =IF(G13>=0,1,0)

    For an Excel based repayment schedule that does not employ any Visual Basic programming code, this is an effective method to check for the final payment over the life of the loan when additional payments are included. The "Marker (column H)" cell is used to track when the balance at the end of the period goes negative, i.e., the loan has been repaid, but the last normal payment exceeds the last remaining balance. The final payment is then equal to the normal payment less the amount that would be overpaid if a full normal payment is made as the final payment on the loan. The final payment is then found as the last non-zero amount in the "Monthly Principal + Extra Principal Payment" column. Therefore, students should be warned in advance to be flexible and to think creatively in meeting the control requirements of this problem.

    8.9

    Type of Backup | Time to Backup | Size of Backup | Time to Restore
    A. Full Daily Backup | 300 Minutes (5 days * 60 minutes) | 250 GB (5 days * 50 GB) | 300 Minutes (5 days * 60 Minutes)
    Total | 300 Minutes | 250 Minutes | 300 Minutes
    B. Full Weekly Backup | 60 Minutes | 50 GB | 60 Minutes
    Daily Incremental Backup | 50 Minutes (5 days * 10 minutes) | 40 GB (5 days * 8 GB) | 25 Minutes (5 days * 5 minutes)
    Total | 110 Minutes | 90 Minutes | 85 Minutes
    C. Full Weekly Backup | 60 Minutes | 50 GB | 60 Minutes
    Daily Differential Backup | 75 Minutes (5 days * 15 minutes) | 30 - 150 GB (5 days * 6-30 GB) | 40 Minutes (5 days * 8 minutes)
    Total | 135 Minutes | 80 - 180 Minutes | 100 Minutes

    The full weekly backup with a daily incremental backup is the best option based on time to backup, size of backup and the time to restore.

    8.10 (Note: In order to access the 76 page control framework, students must first register on the website with ISACA.)

    Trust Services Framework Principle

    Cobit Control Objective | Security | Confidentiality | Privacy | Processing Integrity | Availability

    PO1 - Define a strategic IT plan
    PO2 - Define the information architecture
    PO3 - Determine technological direction
    PO-4 Define the IT processes, organization and relationships
    PO-5 Manage the IT investment
    PO-6 Communicate management aims and direction
    PO-7 Manage IT human resources
    PO-8 Manage quality
    PO-9 Assess and manage IT risks
    PO-10 Manage Projects
    AI1-Identify automated solutions
    AI2-Acquire and maintain application software
    AI3-Acquire and maintain technology infrastructure
    AI-Procure IT resources
    AI6-Manage changes
    AI7-Install and accredit solutions and changes
    DS1-Define and manage service levels
    DS2-Manage third-party services
    DS3-Manage performance and capacity
    DS-Ensure systems security
    DS6-Identify and allocate costs
    DS7-Educate and train users
    DS8-Manage service desk and incidents
    DS9-Manage the configuration
    DS10-Manage problems
    DS11-Manage data
    DS12-Manage the physical environment
    DS13-Manage operations
    ME1-Monitor and evaluate IT performance
    ME2-Monitor and evaluate internal control
    ME3-Ensure compliance with external requirements
    ME


    8.11

    a. Reasonableness check between fields indicating salaried and hours field.

    b. All files should have header labels to identify their contents, and all programs should check these labels before processing transactions against the file.

    c. A field check should be performed to check whether all characters entered in this field are numeric. There should be a prompt correction and re-processing of erroneous transactions.

    d. A reasonableness test of quantity ordered relative to the product if 50 is an unusually large number of monitors to be ordered at one time. Closed-loop verification to make sure that the stock number matches the item that is ordered.

    e. An uninterruptible power system should be used to provide a reserve power supply in the event of power failure.

    f. Fireproof storage and maintenance of duplicate files at an off-site location.

    g. A reasonableness test of quantity on hand.

    h. A completeness check to check whether all required fields were filled in.

    i. Check digit verification on each customer account number and a validity check for actual customers should have caught this error.

    j. A size check would prevent characters.

    k. Concurrent update controls protect records from errors when more than one salesman tries to update the inventory database by locking one of the users out of the database until the first salesman's update has been completed.

    l. A limit check based on the original sales date.

    m. Check digit verification on each customer account number and a validity check for actual customers and closed loop verification.

    n. Check digit verification on each customer account number and a validity check for actual customers and closed loop verification.

    o. A completeness check for all payroll checks and a hash total using employee numbers.

    p. Encrypting the email containing the bid would have prevented the competitor from reading the email even if they could have intercepted the email.

    q. Parity checks and echo checks will test for data transmission errors.

    8.12 (Adapted from CMA Exam. June 199

    (CMA Examination, adapted)