Accounting Control Essentials

This document provides a review of materials for the ACC203 subject. It contains 33 multiple choice questions about accounting concepts like internal controls, data integrity tests, authentication controls, and segregation of duties. The questions cover topics such as validity checks, reasonableness tests, zero-balance tests, maintaining backup systems, and access controls. The correct answers to each question are also provided.

Uploaded by Bethuel Kamau

ACC203 Subject Review Materials

1) This data entry control compares the ID number in transaction data to a master file to verify that the ID
number exists.
A) Reasonableness test
B) User review
C) Data matching
D) Validity check
Answer: D

2) Westpac Investment Service (WTS) allows customers to manage their investments over the Internet. If
customers attempt to spend more money than they have in their account, an error message is displayed.
This is an example of a
A) reasonableness test.
B) field check.
C) validity check.
D) limit check.
Answer: A

3) The Flying Happy Gear generates three quarters of its revenue from orders taken over the Internet. The
revenue clearing account is debited by the total of cash and credit receipts and credited by the total of
storefront and Internet sales. This is an example of a
A) data integrity test.
B) zero-balance test.
C) trial balance audit.
D) cross-footing balance test.
Answer: B

4) What is the most effective way to ensure information system availability?
A) High bandwidth
B) Maintain a hot site
C) Maintain a cold site
D) Frequent backups
Answer: B

5) When a computer system's files are automatically duplicated on a second data storage system as they
are changed, the process is referred to as
A) real-time mirroring.
B) batch updating.
C) consistency control.
D) double-secure storage.
Answer: A

6) ________ enables a system to continue functioning in the event that a particular component fails.
A) An incremental backup procedure
B) Fault tolerance
C) Preventive maintenance
D) A concurrent update control
Answer: B

7) This ensures that the input data will fit into the assigned field.
A) Limit check
B) Range check
C) Size check
D) Validity check
Answer: C

8) This tests a numerical amount to ensure that it does not exceed a predetermined value nor fall below
another predetermined value.
A) Completeness check
B) Field check
C) Limit check
D) Range check
Answer: D

9) Forms design is an example of this type of control.
A) Data entry control
B) Processing control
C) Output control
D) Input control
Answer: D

10) Sequentially prenumbered forms is an example of a(n)
A) data entry control.
B) data transmission control.
C) processing control.
D) input control.
Answer: D

11) All of the following controls for online entry of a sales order would be useful except
A) check digit verification on the dollar amount of the order.
B) validity check on the inventory item numbers.
C) field check on the customer ID and dollar amount of the order.
D) concurrent update control.
Answer: A

12) A specific inventory record indicates that there were 12 items on hand before a customer brings two of
the items to the check stand to be purchased. The cashier accidentally entered quantity 20 instead of 2.
Which data entry control would best have prevented this error?
A) sign check
B) limit check
C) validity check
D) field check
Answer: A

13) What is the status of an invoice in MYOB that is fully paid?
A) Credit.
B) Closed.
C) Debit.
D) Pending.
Answer: B

14) Asymmetric key encryption combined with the information provided by a certificate authority allows
unique identification of
A) the user of encrypted data.
B) the provider of encrypted data.
C) both the user and the provider of encrypted data.
D) either the user or the provider of encrypted data.
Answer: D

15) Information encrypted with the creator's private key that is used to authenticate the sender is
A) asymmetric encryption.
B) digital certificate.
C) digital signature.
D) public key.
Answer: C

16) Meaningful Discussions is a social networking site that boasts over a million registered users and a
quarterly membership growth rate in the double digits. As a consequence, the size of the information
technology department has been growing very rapidly, with many new hires. Each employee is provided
with a name badge with a photo and embedded computer chip that is used to gain entry to the facility. This
is an example of a(an)
A) authentication control.
B) biometric device.
C) remote access control.
D) authorization control.
Answer: A

17) This is an authorized attempt by an internal audit team or an external security consultant to break
into the organization's information system.
A) Intrusion detection system
B) Log analysis
C) Penetration test
D) Vulnerability scan
Answer: C

18) A well-known hacker started his own computer security consulting business shortly after being released
from prison. Many companies pay him to attempt to gain unauthorized access to their network. If he is
successful, he offers advice as to how to design and implement better controls. What is the name of the
testing for which the hacker is being paid?
A) Penetration test
B) Vulnerability scan
C) Deep packet inspection
D) Buffer overflow test
Answer: A

19) Verifying the identity of the person or device attempting to access the system is
A) authentication.
B) authorization.
C) identification.
D) threat monitoring.
Answer: A

20) Restricting access of users to specific portions of the system as well as to specific tasks is
A) authentication.
B) authorization.
C) identification.
D) threat monitoring.
Answer: B

21) An access control matrix
A) does not have to be updated.
B) is a table specifying which portions of the system users are permitted to access.
C) is used to implement authentication controls.
D) matches the user's authentication credentials to his authorization.
Answer: B

22) Perimeter defense is an example of which of the following preventive controls that are necessary to
provide adequate security?
A) Training
B) Controlling physical access
C) Controlling remote access
D) Host and application hardening
Answer: C

23) Which of the following is an example of a preventive control?
A) Encryption
B) Log analysis
C) Intrusion detection
D) Emergency response teams
Answer: A

24) Which of the following is an example of a detective control?
A) Physical access controls
B) Encryption
C) Log analysis
D) Emergency response teams
Answer: C

25) Which of the following is an example of a corrective control?
A) Physical access controls
B) Encryption
C) Intrusion detection
D) Incident response teams
Answer: D

26) Which of the following is not a requirement of effective passwords?
A) Passwords should be changed at regular intervals.
B) Passwords should be no more than 8 characters in length.
C) Passwords should contain a mixture of upper and lowercase letters, numbers and characters.
D) Passwords should not be words found in dictionaries.
Answer: B

27) Which of the following is not a useful control procedure to control access to system outputs?
A) Allowing visitors to move through the building without supervision
B) Coding reports to reflect their importance
C) Requiring employees to log out of applications when leaving their desk
D) Restricting access to rooms with printers
Answer: A

28) Which of the following is an example of a preventive control?
A) approving customer credit prior to approving a sales order
B) reconciling the bank statement to the cash control account
C) counting inventory on hand and comparing counts to the perpetual inventory records
D) maintaining frequent backup records to prevent loss of data
Answer: A

29) A computer operator is allowed to work as a programmer on a new payroll software project. Does this
create a potential internal control problem?
A) Yes, the computer operator could alter the payroll program to increase her salary.
B) Yes, this is a potential problem unless the computer operator is supervised by the payroll manager.
C) No, ideal segregation of duties is not usually possible, and operators are often the best at programming
changes and updates.
D) No, as long as the computer operator separately accounts for hours worked in programming and in
operations.
Answer: A

30) Which of the following is a control related to design and use of documents and records?
A) Sequentially prenumbering sales invoices
B) Comparing physical inventory counts with perpetual inventory records
C) Reconciling the bank statement to the general ledger
D) Locking blank checks in a drawer or safe
Answer: A

31) Which of the following duties could be performed by the same individual without violating segregation
of duties controls?
A) Approving accounting software change requests and testing production scheduling software changes
B) Programming new code for accounting software and testing accounting software upgrades
C) Approving software changes and implementing the upgraded software
D) Managing accounts payable function and revising code for accounting software to more efficiently
process discount due dates on vendor invoices
Answer: A

32) With a limited work force and a desire to maintain strong internal control, which combination of duties
would result in the lowest risk exposure?
A) Updating the inventory subsidiary ledgers and recording purchases in the purchases journal
B) Approving a sales return on a customer's account and depositing customers' checks in the bank
C) Updating the general ledger and working in the inventory warehouse
D) Entering payments to vendors in the cash disbursements journal and entering cash received from
customers in the cash receipts journal
Answer: D

33) Which of the following is accomplished by corrective controls?
A) Identify the cause of the problem.
B) Correct the resulting errors.
C) Modify the system to prevent future occurrences of the problem.
D) All of the above are accomplished by corrective controls.
Answer: D

34) Duplicate checking of calculations is an example of a ________ control, and procedures to resubmit
rejected transactions are an example of a ________ control.
A) corrective; detective
B) detective; corrective
C) preventive; corrective
D) detective; preventive
Answer: B

35) Which of the following is not a risk reduction element of a disaster recovery plan?
A) Identification of alternate work site
B) Off-site storage of backup files and programs
C) Documentation of procedures and responsibilities
D) Adequate casualty insurance
Answer: D

36) "Cooking the books" is typically accomplished by all the following except
A) inflating accounts payable.
B) accelerating recognition of revenue.
C) delaying recording of expenses.
D) overstating inventory.
Answer: A

37) Why is computer fraud often more difficult to detect than other types of fraud?
A) Rarely is cash stolen in computer fraud.
B) The fraud may leave little or no evidence it ever happened.
C) Computers provide more opportunities for fraud.
D) Computer fraud perpetrators are just more clever than other types of criminals.
Answer: B

38) The simplest and most common way to commit a computer fraud is to
A) alter computer input.
B) alter computer output.
C) modify the processing.
D) corrupt the database.
Answer: A

39) Downloading a master list of customers and selling it to a competitor is an example of
A) data fraud.
B) output theft.
C) download fraud.
D) fraudulent financial reporting.
Answer: A

40) Scuz Bootes has been doing custom choppers, piercings, and tattoos for over thirty years. His home and
place of business is a garage in the harbor district of Seattle, Washington. He has meticulous records of
every job he has ever done. These have been entered into a computerized accounting information system
that his accountant refers to as a "data warehouse." Scuz is considering an expansion of his business into
scarification, and has asked his accountant to identify past customers who might be likely candidates for
this service. Scuz wants his accountant to engage in
A) customer auditing.
B) customer resource management.
C) data mining.
D) enterprise resource planning.
Answer: C

41) Heidi Holloway is a headhunter with Career Funnel in Boca Raton, Florida. Heidi is proud of the
company's motto: We funnel workers into jobs. The foundation of CF's success is its accounting information
system. When a client is placed with an employer, a record is created that identifies the employment
relationship. CF follows up on placements by surveying both employers and clients about the employment
experience and then entering the results into the AIS. Clients are uniquely identified by social security
number. In records that contain client survey data, the social security number is likely to be
A) the primary key.
B) a foreign key.
C) combined with other data fields to form a primary key.
D) null.
Answer: B

42) Which is probably the most immediate and significant effect of database technology on accounting?
A) replacement of the double-entry system
B) change in the nature of financial reporting
C) elimination of traditional records such as journals and ledgers
D) quicker access to and greater use of accounting information in decision-making
Answer: D

43) In a well-designed and normalized database, which of the following attributes would be a foreign key in
a cash receipts table?
A) Customer number
B) Cash receipt date
C) Remittance advice number
D) Customer check number
Answer: A

44) Dana Halsey is chair of the Purebred Marmoset Society, which maintains a database of registered
purebred marmosets and their breeding history. One table will store the name, birth date, and other
characteristics of all of the marmosets that have been registered. Each marmoset is uniquely identified by a
registration number. A second table will contain data that link each marmoset to its male and female
parents by means of their registration numbers. The primary key in the first table is:
A) name
B) birth date
C) a foreign key in the second table.
D) the primary key in the second table.
Answer: C

45) Dana Halsey is chair of the Purebred Marmoset Society, which maintains a database of registered
purebred marmosets and their breeding history. One table will store the name, birth date, and other
characteristics of all of the marmosets that have been registered. Each marmoset is uniquely identified by a
registration number. A second table will contain data that link each marmoset to its male and female
parents by means of their registration numbers. The primary key in the second table is:
A) name
B) birth date
C) a combination of primary keys in the first table
D) the same as the primary key in the first table
Answer: C

46) In a relational database, requiring that every record in a table have a unique identifier is called the
A) entity integrity rule.
B) referential integrity rule.
C) unique primary key rule.
D) foreign key rule.
Answer: A

47) A data flow diagram
A) is a graphical description of the source and destination of data that shows how data flow within an
organization.
B) is a graphical description of the flow of documents and information between departments or areas of
responsibility.
C) is a graphical description of the relationship among the input, processing, and output in an information
system.
D) is a graphical description of the sequence of logical operations that a computer performs as it executes a
program.
Answer: A

48) A DFD created at the highest level or summary view is referred to as a
A) process diagram.
B) overview diagram.
C) content diagram.
D) context diagram.
Answer: D

49) Changing an employee's hourly wage rate would be recorded where?
A) Employee master file
B) Employee transaction file
C) Special journal
D) Employee update file
Answer: A

50) Data processing includes all of the following except
A) verifying subsidiary ledger balances.
B) changing customer addresses.
C) removing inventory items no longer offered.
D) adding the name of a new vendor.
Answer: A

51) To be effective, the chart of accounts of the MYOB accounting software package must
A) be as concise as possible.
B) begin with account 001.
C) utilize only one coding technique.
D) contain sufficient detail to meet the information needs of the organization.
Answer: D

10) Which step below is not considered to be part of the data processing cycle?
A) data input
B) feedback from external sources
C) data storage
D) data processing
Answer: B

52) A delivery of inventory from a vendor, with whom a credit line is already established, would be initially
recorded in which type of accounting record and as part of what transaction cycle?
A) purchases journal; expenditure cycle
B) general journal; expenditure cycle
C) general ledger; expenditure cycle
D) cash disbursements journal; production cycle
Answer: A

53) Who of the following would not be involved in the revenue cycle?
A) Accounts payable clerk
B) Customer
C) Cashier
D) Credit manager
Answer: A

54) Which of the following statements shows the contrast between data and information?
A) Data is the output of an AIS.
B) Information is the primary output of an AIS.
C) Data is more useful in decision-making than information.
D) Data and information are the same.
Answer: B

55) Information is
A) basically the same as data.
B) raw facts about transactions.
C) potentially useful facts when processed in a timely manner.
D) data that has been organized and processed so that it's meaningful.
Answer: D

56) The MYOB accounting software package offers separate transaction cycle modules. What is the reason for
this?
A) Every organization does not need to implement all of the available transaction cycle modules.
B) Most businesses do not need the revenue cycle module as part of their AIS.
C) The nature of a given transaction cycle is the same irrespective of the type of organization.
D) A properly designed AIS does not use the concept of separate business transaction cycles to process
transactions.
Answer: A

57) The business owners obtain financing from outside investors, which results in an inflow of cash into the
company. This transaction is considered to be part of which cycle?
A) the revenue cycle
B) the payroll cycle
C) the production cycle
D) the financing cycle
Answer: D

58) Which of the following is not a transaction cycle?
A) revenue
B) expenditure
C) human resources
D) general ledger and reporting
Answer: D

59) Which of the following statements is false?
A) Retail stores do not have a production cycle.
B) Financial institutions have installment-loan cycles.
C) A service company does not have an inventory system.
D) Every organization should implement every transaction cycle module.
Answer: D

60) Verifying the accuracy of certain information, often through communication with third parties, is known
as
A) reperformance.
B) confirmation.
C) substantiation.
D) documentation.
Answer: B

61) The evidence collection method that examines all supporting documents to determine the validity of a
transaction is called
A) review of documentation.
B) vouching.
C) physical examination.
D) analytical review.
Answer: B

62) The evidence collection method that considers the relationships and trends among information to
detect items that should be investigated further is called
A) review of the documentation.
B) vouching.
C) physical examination.
D) analytical review.
Answer: D

63) Determining whether the necessary control procedures are in place is accomplished by conducting
A) a systems overhaul.
B) a systems review.
C) tests of controls.
D) both B and C
Answer: B

64) According to the risk-based auditing approach, when a control deficiency is identified, the auditor
should inquire about
A) tests of controls.
B) the feasibility of a systems review.
C) materiality and inherent risk factors.
D) compensating controls.
Answer: D

65) What is the purpose of an information systems audit?
A) To determine the inherent risk factors found in the system
B) To review and evaluate the internal controls that protect the system
C) To examine the reliability and integrity of accounting records
D) To examine whether resources have been used in an economical and efficient manner in keeping with
organization goals and objectives
Answer: B

66) How could auditors determine if unauthorized program changes have been made?
A) By interviewing and making inquiries of the programming staff
B) By examining the systems design and programming documentation
C) By using a source code comparison program
D) By interviewing and making inquiries of recently terminated programming staff
Answer: C

67) The ________ procedure for auditing computer process controls uses a hypothetical series of valid and
invalid transactions.
A) concurrent audit techniques
B) test data processing
C) integrated test facility
D) dual process
Answer: B

68) The auditor uses ________ to continuously monitor the system and collect audit evidence while live
data are processed.
A) test data processing
B) parallel simulation
C) concurrent audit techniques
D) analysis of program logic
Answer: C

69) Auditors have several techniques available to them to test computer-processing controls. An audit
technique that immediately alerts auditors of suspicious transactions is known as
A) a SCARF.
B) an audit hook.
C) an audit sinker.
D) the snapshot technique.
Answer: B

70) A type of software that auditors can use to analyze program logic and detect unexecuted program code
is
A) a mapping program.
B) an audit log.
C) a scanning routine.
D) program tracing.
Answer: A

71) An auditor finds that employee absentee rates are significantly higher on Mondays and Fridays than on
other work days. This is an example of collecting audit evidence by
A) confirmation.
B) reperformance.
C) vouching.
D) analytical review.
Answer: D

72) An auditor creates a fictitious customer in the system and then creates several fictitious sales to the
customer. The records are then tracked as they are processed by the system. The auditor is using
A) an integrated test facility.
B) the snapshot technique.
C) a system control audit review file.
D) continuous and intermittent simulation.
Answer: A

73) An auditor sets an embedded audit module to flag all credit transactions in excess of $1,500. The flag
causes the system state to be recorded before and after each transaction is processed. The auditor is using
A) an integrated test facility.
B) the snapshot technique.
C) a system control audit review file.
D) audit hooks.
Answer: B

74) An auditor sets an embedded audit module to record all credit transactions in excess of $1,500 and
store the data in an audit log. The auditor is using
A) the snapshot technique.
B) a system control audit review file.
C) audit hooks.
D) continuous and intermittent simulation.
Answer: B
Page Ref: 313
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic

75) An auditor sets an embedded audit module to flag questionable online transactions, display
information about the transaction on the auditor's computer, and send a text message to the auditor's cell
phone. The auditor is using
A) the snapshot technique.
B) a system control audit review file.
C) audit hooks.
D) continuous and intermittent simulation.
Answer: C

76) An auditor sets an embedded audit module to selectively monitor transactions. Selected transactions
are then reprocessed independently, and the results are compared with those obtained by the normal
system processing. The auditor is using
A) an integrated test facility.
B) the snapshot technique.
C) a system control audit review file.
D) continuous and intermittent simulation.
Answer: D

77) Which of the following is not one of the types of internal audits?
A) reviewing corporate organizational structure and reporting hierarchies
B) examining procedures for reporting and disposing of hazardous waste
C) reviewing source documents and general ledger accounts to determine integrity of recorded
transactions
D) comparing estimates and analysis made before purchase of a major capital asset to actual numbers and
results achieved
Answer: A

78) When programmers are working with program code, they often employ utilities that are also used in
auditing. For example, as program code evolves, it is often the case that blocks of code are superseded by
other blocks of code. Blocks of code that are not executed by the program can be identified by
A) embedded audit modules.
B) scanning routines.
C) mapping programs.
D) automated flow charting programs.
Answer: C

79) When programmers are working with program code, they often employ utilities that are also used in
auditing. For example, as program code evolves, it is often the case that variables defined during the early
part of development become irrelevant. The occurrences of variables that are not used by the program can
be found using
A) program tracing.
B) scanning routines.
C) mapping programs.
D) embedded audit modules.
Answer: B

80) Which of the following tasks are facilitated by maintaining a strong and secure audit trail?
A) tracing a transaction from original source document to the general ledger to a report
B) tracing an item in a report back through the general ledger to the original source document
C) tracing changes in general ledger accounts from beginning to ending balances
D) All of the above are facilitated by the audit trail.
Answer: D

81) Alex is an accountant. While making an adjusting entry to the general ledger in the company's financial
system, he received the following error message, "The account number referenced in your journal entry
does not exist. Do you want to create a new account?" This message was the result of a
A) validity check.
B) closed loop verification.
C) zero-balance check.
D) completeness test.
Answer: A

82) Alex is an accountant. While making an adjusting entry to the general ledger in the company's financial
system, he received the following error message, "Your journal entry must be a numeric value. Please
reenter." This message was the result of a
A) validity check.
B) field check.
C) zero-balance check.
D) completeness test.
Answer: B

83) Cheryl Liao is an accountant at Folding Squid Technologies. While making an adjusting entry to the
general ledger, she received the following error message when she tried to save her entry, "The amounts
debited and credited are not equal. Please correct and try again." This message was the result of a
A) validity check.
B) field check.
C) zero-balance check.
D) completeness test.
Answer: C

84) Cheryl Liao is an accountant at Folding Squid Technologies. While making an adjusting entry to the
general ledger, she received the following error message when she tried to save her entry, "The data you
have entered does not include a source reference code. Please enter this data before saving." This message
was the result of a
A) validity check.
B) field check.
C) zero-balance check.
D) completeness test.
Answer: D

85) A listing of journal vouchers by numerical sequence, account number, or date is an example of
A) a general ledger control report.
B) a budget report.
C) a batch to be processed.
D) responsibility accounting.
Answer: A

86) If you believe not all adjusting entries were posted in the general ledger, you should prepare a general
ledger control report listing journal vouchers in
A) numerical sequence.
B) chronological order.
C) general ledger account number order.
D) any order, since you have to review them all anyway.
Answer: A

87) How is updating of the MYOB accounting software general ledger accomplished by the MYOB accounting
software subsystems?
A) Individual journal entries for each accounting subsystem transaction update the general ledger every 24
hours.
B) Summary journal entries that represent the results of all transactions for a certain time period are used
to update the general ledger.
C) The controller or treasurer must approve accounting subsystem journal entries before any updating may
occur.
D) Nonroutine transactions are entered into the system by the treasurer's office.
Answer: B

88) The general ledger system of an organization should be designed to serve the information requirements
of both internal and external users. This means that the system should support
A) producing expansive regular periodic reports to cover all information needs.
B) the real-time inquiry needs of all users.
C) producing regular periodic reports and respond to real-time inquiry needs.
D) access by investors and creditors of the organization to general ledger balances.
Answer: C

89) Which of the following would be the best control to prevent receiving department employees from
stealing inventory and claiming the ordered quantity wasn't received from the vendor?
A) Reconcile quantity on packing slip to physical count when accepting delivery.
B) Restrict physical access to the receiving area.
C) Require all deliveries be made at the receiving area.
D) Require dual signatures on the move ticket when receiving delivers the inventory to the warehouse.
Answer: A

90) The receiving clerk at Folding Squid Technologies examines incoming shipments and reconciles their
contents with the relevant purchase orders. A receiving report is then sent to accounts receivable and the
vendor's invoice is approved for payment. Which of the following would correct control weaknesses, if any,
related to these activities?
A) The invoice should be approved for payment by the shipping clerk after the purchase order and receiving
report are reconciled.
B) Accounts payable should reconcile the purchase order and the receiving report.
C) Invoices, purchase orders, and receiving reports should be reconciled by the receiving clerk.
D) Controls are adequate under the current system.
Answer: B

90) The receiving clerk at Folding Squid Technologies examines incoming shipments and checks their
purchase order numbers. A receiving report is then sent to accounts payable, where it is reconciled with
the relevant purchase orders and invoices and payment is authorized. Which of the following would correct
control weaknesses, if any, related to these activities?
A) Vendor invoices should be approved for payment by the shipping clerk after the purchase order and
receiving report are reconciled.
B) Vendor invoices should be approved for payment by the purchasing manager.
C) Purchase orders and receiving reports should be reconciled by the purchasing manager.
D) Controls are adequate under the current system.
Answer: D
Page Ref: 387
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic

91) Which of the controls below would be least effective to prevent ordering goods at higher than market
prices?
A) Variance analysis of actual expenses to budgeted expenses
B) For high-dollar goods, solicit competitive bids from possible vendors
C) Only place orders with vendors on an approved vendor list
D) Frequent review of, and update to, vendor price lists stored in the AIS
Answer: A

92) Procurement cards differ from corporate credit cards in which of the following ways?
A) Credit limits can be set for procurement cards, but not corporate credit cards.
B) Credit cards can be used to make purchases without an explicit sign off by supervisors, but procurement
cards require a sign off.
C) Procurement cards can only be used with approved vendors, but credit cards can be used anywhere.
D) Procurement card invoices are sent separately for each card, whereas corporate credit cards are
consolidated into a single invoice.
Answer: C

93) The purchasing manager at Folding Squid Technologies has responsibility for reviewing and authorizing
purchase orders. He also reviews receiving reports, approves or corrects them, and authorizes the cashier
to pay vendor invoices. Which of the following would correct control weaknesses, if any, related to these
activities?
A) Vendor invoices should be reviewed by the purchasing manager to ensure that they are correct.
B) Accounts payable should reconcile purchase orders, receiving reports, and invoices.
C) Vendor invoices should be reviewed by accounts receivable and then cancelled when paid.
D) Controls are adequate under the current system.
Answer: B

94) The purchasing manager at Folding Squid Technologies has responsibility for reviewing and authorizing
purchase orders. Receiving reports are prepared by shipping and receiving based on the relevant purchase
order(s). Purchase orders, receiving reports, and vendor invoices are reconciled by accounts payable, which
authorizes payment. Which of the following would correct control weaknesses, if any, related to these
activities?
A) Vendor invoices should be reviewed by the purchasing manager to ensure that they are correct.
B) Accounts payable should authorize purchase orders.
C) Receiving reports should be reviewed and corrected by the purchasing manager.
D) Controls are adequate under the current system.
Answer: D

95) The management at Sad Clown Pajamas, an Internet-based wholesaler, is considering a new inventory
control system. The current system is inadequate because it results in stockouts that interrupt production
and excess stocks of some materials that result in markdowns and high carrying costs. The new system,
which will focus on ensuring that orders are placed with sufficient lead time to prevent stockouts, will
employ
A) a just-in-time inventory system.
B) the economic order quantity.
C) a reorder point.
D) materials requirements planning.
Answer: C

96) MYOB software produces Tax Invoices that comply with Australian legislation as a matter of course.
However, in order to make sure your invoices meet legal requirements, you need to ensure the following:
A) That you include the customer’s ABN on every invoice
B) If an invoice costs more than $1,000, include either the customer’s address or their ABN
C) That you complete your ABN details when setting up MYOB, and that your ABN prints on the Tax Invoice
D) Both b) and c)
Answer: D

97) When working in Spend Money in MYOB, how do you get the cost of sales or expense account to come
up automatically each time:
A) Complete the default Expense account in the Buying Details tab of the supplier’s card.
B) Set up a recurring transaction for this supplier. Even if the amount varies every time you pay them, the
expense account will still come up correctly.
C) There’s no easy way to get account information to come up automatically in Spend Money.
D) Add the account number to the end of the supplier’s name. This way you’ll see the number and be
prompted to enter it correctly.
Answer: A

98) The management at Sad Clown Pajamas, an Internet-based wholesaler, is considering a new inventory
control system. The current system is inadequate because it results in stockouts that interrupt production
and excess stocks of some materials that result in markdowns and high carrying costs. The new system,
which will focus on forecasting demand for Sad Clown's products, will employ
A) a just-in-time inventory system.
B) the economic order quantity.
C) a reorder point.
D) materials requirements planning.
Answer: D

99) The management at Sad Clown Pajamas, an Internet-based wholesaler, is considering a new inventory
control system. The current system is inadequate because it results in stockouts that interrupt production
and excess stocks of some materials that result in markdowns and high carrying costs. The new system,
which will focus on reducing or completely eliminating carrying costs, will employ
A) a just-in-time inventory system.
B) the economic order quantity.
C) a reorder point.
D) materials requirements planning.
Answer: A

100) The AIS compiles and feeds information among the business cycles. What is the relationship between
the revenue and production cycles regarding the exchange of information?
A) The revenue cycle provides sales forecast and customer order information to the production cycle, but
the production cycle sends information back to revenue about finished goods production.
B) The revenue cycle receives information from the production cycle about raw materials needs.
C) The production cycle sends cost of goods manufactured information back to the revenue cycle.
D) The production cycle does not exchange information with the revenue cycle.
Answer: A

101) In a customer payment processing DFD, the "update receivables" activity will be represented by
________, the "accounts receivable file" will be represented by ________, and the "credit manager" will be
represented by ________.
A) a square; two horizontal lines; a circle.
B) a rectangle; a square; a circle.
C) a circle; two horizontal lines; two horizontal lines.
D) a circle; two horizontal lines; a square.
Answer: D

102) Inventory information for Sun Corp. is provided in real time by a firm's accounting information system.
However, the accuracy of this information is questionable. Many store managers often report stock outs of
components that the system indicates are in stock. Which of the following characteristics of useful
information is absent in the situation described above?
A) relevant
B) reliable
C) complete
D) timely
Answer: B

103) In which transaction cycle would information for paying dividends be most likely to pass between
internal and external accounting information systems?
A) the revenue cycle
B) the expenditure cycle
C) the human resources / payroll cycle
D) the financing cycle
Answer: D

104) ________ are examples of activities that constitute inbound logistics.
A) Activities that transform inputs into final products or services
B) Activities that consist of receiving, storing, and distributing the materials used as inputs by the
organization to create goods and/or services it sells
C) Activities that provide post-sale support to customers
D) Activities that help customers to buy the organization's products or services
Answer: B

105) A delivery of inventory from a vendor, with whom a credit line is already established, would be initially
recorded in which type of accounting record and as part of what transaction cycle?
A) purchases journal; expenditure cycle
B) general journal; expenditure cycle
C) general ledger; expenditure cycle
D) cash disbursements journal; production cycle
Answer: A

106) What specific control can help restrict the rights of authorized users to only the portion of a database
needed to complete their specific job duties?
A) an access control matrix
B) passwords and user IDs
C) closed-loop verification
D) specific authorization
Answer: A

107) To reduce the threat of theft or destruction of inventories and other fixed assets, the organization may
wish to implement which of the following controls?
A) review and approval of fixed asset acquisitions
B) improved and more timely reporting
C) better production and planning systems
D) document all movement of inventory through the production process
Answer: D

108) You’re selling goods to a customer overseas. How can you make sure the tax code comes up correctly
every time?
A) You don’t have to worry, you always use the same tax code for an item, no matter where the customer
lives
B) You set up the correct export tax code in the customer’s details, under the Selling Details tab
C) You create two items for every good you sell (one item for local sales, the other for overseas), and select
a different tax code for each
D) Don’t enter any tax code for items when you create them in the Items List, and then select the correct
tax code in the Tax column every time you create an invoice
Answer: B

109) When you go to delete an account from your Accounts List, if you get a message saying this account
has transactions in the current financial year, what would you do?
A) Edit the account and make it inactive
B) Combine the account with another account that’s similar
C) Choose between option A) and B), depending whether you want a clear history of that account’s
transactions, or not.
D) No Answers
Answer: C

110) The best control procedure for accurate data entry is
A) the use of on-line terminals.
B) an access control matrix.
C) passwords and user IDs.
D) automation of data collection.
Answer: D

111) Which of the following organization controls should be implemented and maintained to counteract
the general threat that the loss of production data will greatly slow or halt production activity?
A) Store key master inventory and production order files on-site only to prevent their theft.
B) Back up data files only after a production run has been physically completed.
C) Access controls should apply to all terminals within the organization.
D) Allow access to inventory records from any terminal within the organization to provide efficient data
entry.
Answer: C

112) What do we call a computer program that organizes data in rows and columns of cells? You might use
this type of program to keep a record of the money you earned mowing lawns over the summer.
A) Spreadsheet program
B) Database program
C) Word processor program
D) Desktop publisher program
Answer: A

113) What does the VLOOKUP function of the MS-Excel program do?
A) Looks up text that contains ‘v’
B) Checks whether text is the same in one cell as in the next
C) Finds related records
D) All of above
Answer: C

114) Which of the following is a correct order of precedence in a formula calculation of MS-Excel program?
A) Multiplication and division, exponential positive and negative value
B) Multiplication and division, positive and negative values, addition and subtraction
C) Addition and subtraction, positive and negative values, exponentiation
D) None of above
Answer: D

115) How should you print a selected area of a worksheet of MS-Excel program, if you’ll want to print a
different area next time?
A) On the File menu, point to Print Area, and then click Set Print Area.
B) On the File menu, click Print, and then click Selection under Print What.
C) On the View menu, click Custom Views, then click Add.
D) All of above
Answer: B

116) Who of the following would not be involved in the revenue cycle?
A) cashier
B) credit manager
C) accounts payable clerk
D) customer
Answer: C

117) This image shows the different types of transaction you can enter in the Purchases module. Which
option would you choose if you already had the goods and they arrived with an invoice?
A) Quote
B) Order
C) Receive Items
D) Bill
Answer: D

118) Which of the following statements is correct?
A) an invoice does not include GST
B) an invoice does not include both income tax and GST
C) an invoice does not include income tax, but includes GST
D) an invoice includes GST
Answer: A

119) This diagram illustrates an example of cheques arriving during the week but only being deposited on
the Thursday. Which Command Centre in MYOB has the "Prepare Deposit Slip" option to make this
happen?
A) Account
B) Banking
C) Sales
D) Card
Answer: B

120) A laptop computer belonging to the Novak group was stolen from the trunk of a sales manager's car
while she was attending a conference. After reporting the theft, the manager considered the implications
for the company's network security and concluded there was little to worry about because
A) the computer was insured against theft.
B) the computer was protected by a password.
C) the data stored on the computer was encrypted.
D) it was unlikely that the thief would know how to access the company data stored on the computer.
Answer: C

121) Dysfunctional employee behavior in response to implementation of a new computerized information
system is likely to be the result of
A) poor human resource policies.
B) lack of communication and training.
C) weak system controls.
D) inadequate compensation policies.
Answer: B

122) What are the best strategies for determining system requirements?
A) analyze existing systems, ask users what they need, prototyping, and monitoring
B) ask users what they need, analyze existing systems, develop concept of new system, and prototyping
C) ask users what they need, analyze existing systems, examine existing system utilization, and prototyping
D) ask users what they need, analyze existing systems, examine existing system utilization, and develop
concept of new system
Answer: C

123) Which method of data gathering is most likely to result in information that represents the personal
biases and opinions of the person giving the information?
A) a questionnaire
B) an interview
C) observation by the analyst
D) system documentation
Answer: B

124) Significant system changes were implemented two months ago. The changes were well-planned, well-
designed, thoroughly tested before and after conversion, and several employee training sessions were
conducted. Still, the changes haven't resulted in any productivity increases, cost savings, or process
improvements. Management is puzzled and needs to find out why the system isn't successful. The best
action for management to take is
A) conduct face-to-face interviews with managers, key personnel, and randomly selected employees from
each functional area impacted by the system changes in an attempt to discover why the changes aren't
effective.
B) make sure the system changes were well documented and review the documentation to see if perhaps
some important feature or process was overlooked during the design phase.
C) email a series of questions to all employees, asking for input about further changes that would bring
about the desired results.
D) advise employees that consultants will be conducting observation sessions over the next two weeks to
determine if employees have fully implemented changes and whether there is any evidence of resistance to
the changes.
Answer: A

125) Why do so many organizations develop their own software, when many commercial software
packages are available?
A) An organization may have unique requirements.
B) Canned software packages are often less expensive than software developed in house.
C) The organization's size and complexity necessitates the in-house development of software.
D) A and C above are correct.
Answer: D

126) According to the Trust Services Framework, the reliability principle of availability is achieved when the
system produces data that
A) is available for operation and use at times set forth by agreement.
B) is protected against unauthorized physical and logical access.
C) can be maintained as required without affecting system availability, security, and integrity.
D) is complete, accurate, and valid.
Answer: A

127) It was 8:03 A.M. when Jiao Jan, the Network Administrator for South Asian Technologies, was
informed that the intrusion detection system had identified an ongoing attempt to breach network security.
By the time that Jiao had identified and blocked the attack, the hacker had accessed and downloaded
several files from the company’s server. Using the notation for the time-based model of security, in this
case
A) P > C
B) P > D
C) D > P
D) C > P
Answer: C

128) The steps that criminals take to identify potential points of remote entry is called
A) scanning and mapping the target.
B) social engineering.
C) research.
D) reconnaissance.
Answer: A

129) Restricting access of users to specific portions of the system as well as specific tasks, is an example of
A) authorization.
B) authentication.
C) threat monitoring.
D) identification.
Answer: A

130) COBIT 5 management practice APO01.08 stresses the importance of ________ of both employee
compliance with the organisation’s information security policies and overall performance of business
processes.
A) continuous monitoring
B) continuous auditing
C) continuous reviewing
D) continuous improvement of
Answer: A

131) Which of the following is not a step in an organisation’s incident response process?
A) Recovery.
B) Isolation.
C) Containment.
D) Recognition.
Answer: B

132) Virtualization refers to the ability of
A) using the Internet to perform all needed system functions.
B) running multiple systems simultaneously on one physical computer.
C) using web-based security to protect an organization.
D) eliminating the need for a physical computer.
Answer: B

133) Classification of confidential information is the responsibility of whom, according to COBIT5?
A) Information owner.
B) Management.
C) IT security professionals.
D) External auditor.
Answer: A

SHORT ANSWER. Write your answer in the space provided below.


134) Describe some steps you can take to minimize your risk of identity theft.
Shred documents containing personal information. Never send personally identifying information in
unencrypted e-mail. Beware of e-mail/phone/print requests to verify personal information that the
requesting party should already possess. Do not carry your social security card with you. Print only your
initials and last name on checks. Limit the amount of other information preprinted on checks. Do not use
your mailbox for outgoing mail. Do not carry more than a few blank checks with you. Use special software
to digitally clean any digital media prior to disposal. Monitor your credit cards regularly. File a police report
as soon as you discover a purse or wallet missing. Make photocopies of your driver's license, passport and
credit cards and keep them in a safe location. Immediately cancel any stolen or lost credit cards.

MULTIPLE CHOICE. Choose the one alternative that best completes the statement or answers the
question.
135) The system and processes used to issue and manage asymmetric keys and digital certificates are
known as
A) certificate authority.
B) public key infrastructure.
C) asymmetric encryption.
D) digital signature.
Answer: B

136) Sequentially prenumbered forms are an example of a(n)
A) input control.
B) processing control.
C) data transmission control.
D) data entry control.
Answer: A

137) Which of the following is not an objective of a disaster recovery plan?
A) Resume normal operations as soon as possible.
B) Minimize the extent of the disruption, damage or loss.
C) Train employees for emergency operations.
D) Establish a permanent alternative means of processing information.
Answer: D

138) Turnaround documents are an example of a(n)
A) input control.
B) output control.
C) data entry control.
D) processing control.
Answer: A

139) A validity check is an example of
A) an input control.
B) an output control.
C) a data transmission control.
D) a data entry control.
Answer: D

140) A checksum is an example of a(n)
A) output control.
B) data entry control.
C) data transmission control.
D) processing control.
Answer: C

141) Reconciliation procedures are an example of
A) an output control.
B) a data entry control.
C) a processing control.
D) a data transmission control.
Answer: A

142) Data matching is an example of a(n)
A) input control.
B) processing control.
C) data entry control.
D) data transmission control.
Answer: B

143) A hash total is an example of which control below?
A) Data entry control.
B) Processing control.
C) Output control.
D) Data transmission control.
Answer: A

144) Cancellation and storage of documents means
A) documents are defaced and stored.
B) cancellation data are copied from documents before they are stored.
C) data are copied from a document and stored before it is being shredded.
D) documents are defaced before being shredded.
Answer: A

145) A completeness check is an example of a(n)
A) data transmission control.
B) processing control.
C) output control.
D) input control.
Answer: D
146) According to the Trust Services Framework, the confidentiality principle of integrity is achieved when
the system produces data that
A) is available for operation and use at times set forth by agreement.
B) is protected against unauthorized physical and logical access.
C) can be maintained as required without affecting system availability, security, and integrity.
D) is complete, accurate, and valid.
Answer: B

147) There are "white hat" hackers and "black hat" hackers. Cowboy451 was one of the "black hat"
hackers. He had researched an exploit and determined that he could penetrate the target system,
download a file containing valuable data, and cover his tracks in eight minutes. Six minutes into the attack
he was locked out of the system. Using the notation of the time-based model of security, which of the
following must be true?
A) P > 6
B) D = 6
C) P < 6
D) P = 6
Answer: A

148) The steps that criminals take to find known vulnerabilities and learn how to take advantage of those
vulnerabilities is called
A) scanning and mapping the target.
B) social engineering.
C) research.
D) reconnaissance.
Answer: C

149) ________ is/are an example of a preventive control.
A) Encryption
B) Intrusion detection
C) Log analysis
D) Emergency response teams
Answer: A

SHORT ANSWER. Write your answer in the space provided below.


150) Describe the three types of detective controls that enable the timely detection of intrusions and
problems.
The three types of detective controls that enable the timely detection of intrusions and problems
are (1) Log analysis. It is the process of examining logs to identify evidence of possible attacks. (2) Network
intrusion detection systems. They consist of a set of sensors and a central monitoring unit that create logs of
network traffic that was permitted to pass the firewall and then analyse those logs for signs of attempted or
successful intrusions. (3) Continuous monitoring. COBIT 5 management practice APO01.08 stresses the
importance of continuously monitoring both employee compliance with the organisation's information
security policies and overall performance of business processes. Such monitoring is an important detective
control that can identify potential problems in a timely manner and identify opportunities to improve existing controls.

151) Who bears the responsibility for information security in an organization?
A) CFO.
B) CIO.
C) CISO.
D) COO.
Answer: C

TRUE/FALSE. Write 'T' if the statement is true and 'F' if the statement is false.
152) Cloud computing can potentially generate significant cost savings for an organization.
TRUE
153) Encryption is one of the many ways to protect information in transit over the internet.
TRUE

154) The first steps in protecting the privacy of personal information are to identify
A) where sensitive information is stored.
B) what sensitive information is possessed by the organization.
C) who has access to sensitive information.
D) All of the above are first steps in protecting privacy.
Answer: D

155) Text that was transformed into unreadable gibberish using encryption is called
A) private text.
B) plaintext.
C) encryption text.
D) ciphertext.
Answer: D

156) A ________ ensures input data will fit into the assigned field.
A) range check
B) field check
C) limit check
D) size check
Answer: D

157) A disaster recovery plan typically does not include
A) scheduled electronic vaulting of files.
B) uninterruptible power systems installed for key system components.
C) backup computer and telecommunication facilities.
D) a system upgrade due to operating system software changes.
Answer: D

158) A ________ determines whether the input data are of the proper type.
A) field check
B) limit check
C) range check
D) size check
Answer: A

159) ________ tests a numerical amount to ensure that it does not exceed a predetermined value nor fall
below another predetermined value.
A) Completeness check
B) Limit check
C) Field check
D) Range check
Answer: D

160) A ________ determines if all required data items have been entered.
A) range check
B) completeness check
C) limit check
D) field check
Answer: B

161) A ________ determines the correctness of the logical relationship between two data items.
A) size check
B) sign check
C) range check
D) reasonableness test
Answer: D

162) A ________ determines the correctness of the logical relationship between two data items.
A) field check
B) reasonableness test
C) alpha-numeric check
D) range check
Answer: B

163) A ________ tests a numerical amount to ensure that it does not exceed a predetermined value.
A) range check
B) limit check
C) completeness check
D) sign check
Answer: B

164) The batch processing data entry control that sums a field that contains dollar values is called
A) financial total.
B) sequence check.
C) hash total.
D) record count.
Answer: A

165) The batch processing data entry control that sums a non-financial numeric field is called
A) financial total.
B) sequence check.
C) record count.
D) hash total.
Answer: D
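Questions 156 through 165 each name one data entry or batch control in isolation. The following added example (it is not part of the ACC203 review material, and the record layout, vendor master file, limits and batch header values are all constructed for illustration) applies the whole family to one constructed batch of purchase records, so that the difference between a limit check and a range check, or between a hash total and a financial total, can be seen on actual data.

```python
"""Added example: data entry checks and batch totals applied to a constructed
batch of purchase records. Field names (vendor_id, po_number, quantity,
unit_price, amount, approver), the vendor master file, the limits and the
batch control totals are all hypothetical values made up for this example."""
from __future__ import annotations

# Constructed vendor master file consulted by the validity check.
VENDOR_MASTER = {"V1001", "V1002", "V1003"}

MAX_QUANTITY = 10_000                 # limit check: an upper bound only
UNIT_PRICE_RANGE = (0.01, 5_000.00)   # range check: a lower AND an upper bound
REQUIRED = ("vendor_id", "po_number", "quantity", "unit_price", "amount", "approver")


def check_record(rec: dict) -> list[str]:
    """Return the control violations found in one record (empty list = clean)."""
    errors = []
    # Completeness check: every required item must be present and non-empty.
    for field in REQUIRED:
        if rec.get(field) in (None, ""):
            errors.append(f"completeness: {field} missing")
    if errors:
        return errors  # the remaining checks need all fields present
    # Validity check: the vendor ID must exist in the master file.
    if rec["vendor_id"] not in VENDOR_MASTER:
        errors.append("validity: unknown vendor_id")
    # Field check: PO number must be numeric; size check: it must fit 6 digits.
    po = str(rec["po_number"])
    if not po.isdigit():
        errors.append("field: po_number not numeric")
    elif len(po) != 6:
        errors.append("size: po_number must be 6 digits")
    # Sign check: quantity must be positive; limit check: not above the maximum.
    if rec["quantity"] <= 0:
        errors.append("sign: quantity must be positive")
    elif rec["quantity"] > MAX_QUANTITY:
        errors.append("limit: quantity exceeds maximum")
    # Range check: unit price must lie between both predetermined values.
    lo, hi = UNIT_PRICE_RANGE
    if not lo <= rec["unit_price"] <= hi:
        errors.append("range: unit_price outside allowed range")
    # Reasonableness test: the amount must agree with quantity * unit_price.
    if abs(rec["quantity"] * rec["unit_price"] - rec["amount"]) > 0.005:
        errors.append("reasonableness: amount != quantity * unit_price")
    return errors


def validate_batch(records: list[dict]) -> dict[int, list[str]]:
    """Map each record index to its list of violations."""
    return {i: check_record(r) for i, r in enumerate(records)}


def batch_totals(records: list[dict]) -> dict:
    """Record count, financial total (a dollar field) and hash total
    (a non-financial numeric field, here the PO number)."""
    return {
        "record_count": len(records),
        "financial_total": round(sum(r["amount"] for r in records), 2),
        "hash_total": sum(int(r["po_number"]) for r in records),
    }


def reconcile_batch(records: list[dict], control_totals: dict) -> dict[str, bool]:
    """Compare totals recomputed from the batch with the totals that
    accompanied it; a False entry means records were lost or altered."""
    computed = batch_totals(records)
    return {k: computed[k] == control_totals[k] for k in control_totals}


# Constructed sample batch: one clean record and one failing each check.
SAMPLE_BATCH = [
    {"vendor_id": "V1001", "po_number": "100001", "quantity": 10, "unit_price": 2.50, "amount": 25.00, "approver": "jdoe"},
    {"vendor_id": "V9999", "po_number": "100002", "quantity": 5, "unit_price": 10.00, "amount": 50.00, "approver": "jdoe"},
    {"vendor_id": "V1002", "po_number": "10003", "quantity": -3, "unit_price": 1.00, "amount": -3.00, "approver": ""},
    {"vendor_id": "V1003", "po_number": "100004", "quantity": 20_000, "unit_price": 1.00, "amount": 20_000.00, "approver": "asmith"},
    {"vendor_id": "V1001", "po_number": "100005", "quantity": 4, "unit_price": 3.00, "amount": 15.00, "approver": "asmith"},
]

# Constructed batch header totals, as the originating department would send them.
CONTROL_TOTALS = {"record_count": 5, "financial_total": 20087.00, "hash_total": 410015}

if __name__ == "__main__":
    for i, errs in validate_batch(SAMPLE_BATCH).items():
        print(i, errs or "ok")
    print(reconcile_batch(SAMPLE_BATCH, CONTROL_TOTALS))        # all True
    print(reconcile_batch(SAMPLE_BATCH[:4], CONTROL_TOTALS))    # dropped record: all False
```

Note how the completeness check short-circuits: a record with an empty approver is rejected before the sign check can fire on its negative quantity, which mirrors the usual order of applying checks at data entry. The hash total sums PO numbers, a figure with no accounting meaning, purely so that a dropped or altered record changes it.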

CASE 6-1 Shadowcrew

At 9:00 p.m., Andrew Mantovani, cofounder of the group Shadowcrew, received a knock at his door while
chatting on his computer. For Mantovani and 27 others, that knock marked the end of Shadowcrew, which
provided online marketplaces and discussion forums for identity thieves. Shadowcrew members used the
organization’s website to traffic in stolen Social Security numbers, names, e-mail addresses, counterfeit
driver’s licenses, birth certificates, and foreign and domestic passports. It also shared best practices for
carrying out fraudulent activity. By the time it was shut down, Shadowcrew had trafficked in at least 1.7
million credit cards and was responsible for more than $4.3 million in fraud losses.

Considered the online equivalent of the Russian Mafia, Shadowcrew operated as a highly sophisticated and
hierarchical organization. All users operated under aliases, never revealing their true names or other
personal information. Operations and communications were conducted using proxy servers that hid the
location and identity of the users. Shadowcrew users were divided into five different roles: administrators,
moderators, reviewers, vendors, and members.

Shadowcrew administrators were the heads of the organization.

A dozen moderators, chosen from the general membership based on proven skill in fraudulent activity,
controlled the flow of information.

Reviewers tested the quality of illicit goods (credit cards, passports, etc.) trafficked on the Shadowcrew site.
For example, reviewers would run a test called a “dump check” on credit card numbers by hacking into a
retailer’s cash register system. The fraudster accessed the system through back doors used by technical
support personnel to remotely perform maintenance or repairs. The reviewer would then enter a trivial
charge of $1 or $2 to see whether the charge was approved. Reviewers would then write up and post
detailed descriptions of the credit cards or other merchandise tested.

Vendors managed the sale of stolen data. Prices were posted and products were sold using an auction
forum much like eBay. Payments were processed via Western Union money transfers or an electronic
currency and were made using a fraud victim’s stolen data.

Thousands of people used the Shadowcrew website to gather and share information on committing
identity fraud. Shadowcrew practiced open registration, but more sensitive discussion areas were password
protected, and members needed another trusted member to vouch for them in order to join the forum.

Members could be promoted up the organization by providing quality products or by sharing new or
unique tips or techniques for committing fraud. Shadowcrew punished acts of disloyalty. For instance, one
disloyal group member had his actual name, address, and phone number posted on the website for all to
see.

Shadowcrew’s demise began when MasterCard informed the United States government that a hundred
websites promoted and supported identity fraud. The United States Secret Service covertly infiltrated
Shadowcrew. Acting as trusted members, agents set up a Virtual Private Network (VPN) over which
Shadowcrew leaders could conduct illicit business. The VPN allowed the Secret Service to track the
organization’s doings and discover the real identities and locations of Shadowcrew users.

It was vital that all arrests occur simultaneously, because any one of the targets could instantly warn the
others via Shadowcrew’s discussion forum. With the help of the Justice Department, Homeland Security,
the Royal Canadian Mounted Police, Europol, and local police departments, authorities simultaneously
knocked on the suspects’ doors at precisely 9:00 p.m. The operation led to 28 arrests, 21 in the United
States. Rather than immediately deactivating the website, investigators replaced the home page with the
following warning: “Activities by Shadowcrew members are being investigated by the United States Secret
Service.” Under a picture of hands clutching bars of a jail cell, agents listed the criminal charges that
Shadowcrew members faced and called on visitors to turn themselves in: “Contact your local United
States Secret Service field office before we contact you!”

1. How did Shadowcrew members conceal their identities?

• Used aliases when working online
• Communicated via proxy servers
• Rented commercial mailboxes under false names

How can average citizens protect their identities while interacting online?

• Use discretion in revealing personal information online. Individuals who use chat rooms, for
instance, should avoid identifying themselves with their actual names, birthdays, or other
identifying information.
• Do not give out personal information online unless absolutely necessary.

2. How has the Internet made detecting and identifying identity fraudsters difficult?

By using aliases, fraudulent email accounts, and proxy servers, thieves make it difficult to detect
and punish deviant behavior.

3. What are some of the most common electronic means of stealing personal information?

• Accessing public and victim-provided data
• Phishing and spoofing
• Pharming
• Posing
• Spyware and keylogging
• Skimming and chipping

4. What is the most common way that fraudsters use personal data?

The most common way that fraudsters use personal data is to commit credit card fraud. This
may include abuse to existing accounts or the opening of new, fraudulent accounts. Credit card
fraud accounts for 26% of identity fraud cases.

5. What measures can consumers take to protect against the online brokering of their personal
data?

• Avoid giving out their personal data – online or otherwise – whenever possible.
• Avoid filling out online surveys or polls that request identifying information.
• Make sure that websites are secure before submitting any personal information.
• If store clerks request information like name, phone number, or address when you are
making a purchase, question the necessity of providing such information.

6. What are the most effective means of detecting identity theft?

• Regularly monitoring credit reports
• Checking account statements thoroughly
• Reviewing the annual Social Security Personal Earnings and Benefits Estimate Statement

7. What pieces of personal information are most valuable to identity fraudsters?
• Name
• Address
• Date of birth
• Social Security number (SSN)
• Driver’s license number
• Mother’s maiden name
• Account numbers
• Card expiration dates
• Internet passwords
• Personal Identification Numbers (PIN)
• User IDs for online account access
• Security numbers from back of credit and debit cards
• Other identifying information

Problem 7.8 Tralor Corporation manufactures and sells several different lines of small electric components.
Its internal audit department completed an audit of its expenditure processes. Part of the audit
involved a review of the internal accounting controls for payables, including the controls over the
authorization of transactions, accounting for transactions, and the protection of assets. The auditors
noted the following items:
1. Routine purchases are initiated by inventory control notifying the purchasing department of the
need to buy goods. The purchasing department fills out a prenumbered purchase order and gets
it approved by the purchasing manager. The original of the five-part purchase order goes to the
vendor. The other four copies are for purchasing, the user department, receiving for use as a
receiving report, and accounts payable.
2. For efficiency and effectiveness, purchases of specialized goods and services are negotiated
directly between the user department and the vendor. Company procedures require that the
user department and the purchasing department approve invoices for any specialized goods and
services before making payment.
3. Accounts payable maintains a list of employees who have purchase order approval authority.
The list was updated two years ago and is seldom used by accounts payable clerks.
4. Prenumbered vendor invoices are recorded in an invoice register that indicates the receipt date,
whether it is a special order, when a special order is sent to the requesting department for
approval, and when it is returned. A review of the register indicated that there were seven open
invoices for special purchases, which had been forwarded to operating departments for
approval over 30 days previously and had not yet been returned.
5. Prior to making entries in accounting records, the accounts payable clerk checks the
mathematical accuracy of the transaction, makes sure that all transactions are properly
documented (the purchase order matches the signed receiving report and the vendor’s invoice),
and obtains departmental approval for special purchase invoices.
6. All approved invoices are filed alphabetically. Invoices are paid on the 5th and 20th of each
month, and all cash discounts are taken regardless of the terms.
7. The treasurer signs the checks and cancels the supporting documents. An original document is
required for a payment to be processed.

8. Prenumbered blank checks are kept in a locked safe accessible only to the cash disbursements
department. Other documents and records maintained by the accounts payable section are
readily accessible to all persons assigned to the section and to others in the accounting function.
Review the eight items listed and decide whether they represent an internal control strength or
weakness.

a. For each internal control strength you identified, explain how the procedure helps achieve good
authorization, accounting, or asset protection control.
b. For each internal control weakness you identified, explain why it is a weakness and recommend
a way to correct the weakness.
For each item: (a) why it is a strength; (b) why it is a weakness, and the recommendation to correct the weakness.

Item 1
Strength: User authorization means the right materials and quantities will be ordered. The use of pre-numbered purchase orders allows all POs to be accounted for.
Weakness: A purchase order copy should not be used as a receiving report unless the quantities have been blanked out.
Recommendation: The receiving report is prepared after an independent count and identification.

Item 2
Weakness: The user/purchaser may not be trained in purchasing techniques and could be overcharged in the transaction. It increases the potential for collusive agreements.
Recommendation: Both the user and the purchasing agent should be involved in negotiating with the company. The purchasing department should approve orders before the purchase, not before payment is made.

Item 3
Weakness: Failure to properly maintain the list of authorized signatories renders it useless.
Recommendation: Update the list as soon as a change in purchase authorization occurs. The payables clerk should be required to use the list.

Item 4
Strength: The numbering and recording process establishes good control over invoices and helps ensure their recording in accounting records.
Weakness: Failure to follow up on open invoices indicates an ineffective control due to a lack of follow-up.
Recommendation: A periodic review and follow-up of all open items.

Item 5
Strength: The transaction audit helps minimize errors and helps ensure that only properly authorized transactions are recorded.

Item 6
Weakness: Paying monthly on only the 5th or 20th prevents payment of any invoice due on another date.
Recommendation: Approved, unpaid invoices should be filed by payment due date first, and then alphabetically.
Weakness: Taking unearned cash discounts causes additional paperwork when disputed by suppliers and creates animosity. This policy may lead to fewer discounts being offered.
Recommendation: Pay suppliers on or before the discount date. Lost discounts should be analyzed for cause and future avoidance.

Item 7
Strength: Proper separation of duties exists. Requiring original documents and cancelling them after payment reduces duplicate payments.

Item 8
Strength: Proper protection of blank checks (locked safe only accessible to the cash disbursements department).
Weakness: Unlimited access to cash disbursement documents (other than blank checks) permits unauthorized alteration of payables documents. This could result in a loss of control, a loss of accountability, or a loss of assets, as well as improper or inaccurate accounting or destruction of records.
Recommendation: A policy limiting access to and physical protection of accounts payable documents and records should be established and monitored.

Problem 8.7 Explain how the following items individually and collectively affect the overall level of
security provided by using a password as an authentication credential.

a. Length – interacts with complexity to determine how hard it is to “guess” a password or
discover it by trial-and-error testing of every combination. Of the two factors, length is more
important because it has the biggest impact on the number of possible passwords.

To understand this, consider that the number of possible passwords = x^y, where x = the number
of possible characters that can be used and y = the length. As the following table shows,
increasing the length increases the number of possibilities much more than does the same
proportionate increase in complexity:

b. Complexity requirements (which types of characters are required to be used: numbers,
alphabetic, case-sensitivity of alphabetic, special symbols like $ or !) – interacts with length to
determine how hard it is to “guess” a password or discover it by trial-and-error testing of every
combination.

c. Maximum password age (how often password must be changed) – shorter means more
frequent changes, which increases security.

d. Minimum password age (how long a password must be used before it can be changed) – this
combined with history prevents someone from just keeping their same password, because it
prevents repeatedly changing passwords until the system allows use of the same password once
again.

e. Maintenance of password history (how many prior passwords does system remember to
prevent reselection of the same password when required to change passwords) – the larger
this is, the longer the time before someone can reuse a password. For example, a password
history of 12 combined with a minimum age of 1 month means that the same password cannot
be used until after a year. Note that this requires setting a minimum age. Otherwise, if the
minimum age is zero, someone could repeatedly change their password as many times as the
system’s history setting, and then change it one more time, this last time setting it to be the
current password.

f. Account lockout threshold (how many failed login attempts before the account is locked) –
this is designed to stop guessing attacks. However, it needs to account for typos, accidentally
hitting the CAPS LOCK key, etc. to prevent locking out legitimate users. Its effect also depends on
the next variable, time frame.

g. Time frame during which account lockout threshold is applied (i.e., if lockout threshold is five
failed login attempts, time frame is whether those 5 failures must occur within 15 minutes, 1
hour, 1 day, etc.). – Shorter time frames defeat attempts to guess by reducing the time available
for attackers to submit attempts.

h. Account lockout duration (how long the account remains locked after exceeding the maximum
allowable number of failed login attempts) – longer lockouts defeat attempts to guess. Too
short a value on this parameter may enable an attacker to try to guess x times, get locked out
for only a few minutes, and then start guessing again.
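As an added example (not from the review materials or the textbook), the parameters in items a through h above expressed as the checks a system would run: the x^y keyspace comparison, history combined with minimum age, and the lockout threshold applied within a time frame. The policy values, character-set sizes and timeline are constructed assumptions.

```python
"""Added example, not from the ACC203 materials: the password-policy
parameters of Problem 8.7 as the checks a system would run. All policy
values, character-set sizes and the sample timeline are constructed."""
from datetime import datetime, timedelta


def keyspace(charset_size: int, length: int) -> int:
    """Number of possible passwords = x^y (x = usable characters, y = length)."""
    return charset_size ** length


def double_complexity_vs_double_length(x: int, y: int) -> tuple:
    """Keyspace after doubling the character set vs after doubling the length.

    Doubling x multiplies the keyspace by 2**y; doubling y squares it, which
    is why the text calls length the more important of the two factors."""
    return keyspace(2 * x, y), keyspace(x, 2 * y)


class PasswordPolicy:
    def __init__(self, history_size, min_age, max_age,
                 lockout_threshold, lockout_window, lockout_duration):
        self.history_size = history_size            # e. prior passwords remembered
        self.min_age = min_age                      # d. must keep a password this long
        self.max_age = max_age                      # c. must change after this long
        self.lockout_threshold = lockout_threshold  # f. failed attempts allowed
        self.lockout_window = lockout_window        # g. window the threshold applies to
        self.lockout_duration = lockout_duration    # h. how long the lock lasts


class Account:
    """Demo only: keeps the passwords themselves; a real system stores hashes."""

    def __init__(self, policy: PasswordPolicy, password: str, now: datetime):
        self.policy = policy
        self.history = [password]   # oldest first, current password last
        self.last_change = now
        self.failures = []          # timestamps of recent failed logins
        self.locked_until = None

    def change_password(self, new: str, now: datetime) -> str:
        if now - self.last_change < self.policy.min_age:
            return "rejected: minimum age not reached"
        if new in self.history[-self.policy.history_size:]:
            return "rejected: password is in history"
        self.history.append(new)
        self.last_change = now
        return "accepted"

    def password_expired(self, now: datetime) -> bool:
        return now - self.last_change > self.policy.max_age

    def login(self, password: str, now: datetime) -> str:
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        if password == self.history[-1]:
            self.failures.clear()
            return "ok"
        # Only failures inside the lockout window count toward the threshold (g).
        recent = [t for t in self.failures if now - t <= self.policy.lockout_window]
        self.failures = recent + [now]
        if len(self.failures) >= self.policy.lockout_threshold:
            self.locked_until = now + self.policy.lockout_duration
            self.failures.clear()
            return "locked"
        return "failed"


def history_bypass_demo(history_size: int, min_age_days: int) -> str:
    """Item e: change the password history_size times in quick succession,
    then try to set it back to the original value. Returns the final result."""
    policy = PasswordPolicy(history_size, timedelta(days=min_age_days),
                            timedelta(days=90), 5,
                            timedelta(minutes=15), timedelta(minutes=30))
    t = datetime(2024, 1, 1, 9, 0, 0)
    acct = Account(policy, "Original#1", t)
    for i in range(history_size):
        t += timedelta(seconds=1)
        if acct.change_password(f"Temp{i}!", t) != "accepted":
            return "blocked by minimum age"
    return acct.change_password("Original#1", t + timedelta(seconds=1))


def lockout_demo(gap_seconds: int, attempts: int = 5) -> list:
    """Items f to h: failed logins gap_seconds apart under a 5-in-15-minutes
    rule, then a correct login 1 s later and another after the lock expires."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    policy = PasswordPolicy(12, timedelta(days=1), timedelta(days=90), 5,
                            timedelta(minutes=15), timedelta(minutes=30))
    acct = Account(policy, "Original#1", t0)
    results = [acct.login("wrong", t0 + timedelta(seconds=gap_seconds * i))
               for i in range(attempts)]
    t_last = t0 + timedelta(seconds=gap_seconds * (attempts - 1))
    results.append(acct.login("Original#1", t_last + timedelta(seconds=1)))
    results.append(acct.login("Original#1", t_last + timedelta(minutes=31)))
    return results


if __name__ == "__main__":
    print(double_complexity_vs_double_length(26, 8))
    print(history_bypass_demo(12, 0))    # accepted: history alone is not enough
    print(history_bypass_demo(12, 30))   # blocked by minimum age
    print(lockout_demo(10))              # five quick failures lock the account
    print(lockout_demo(600))             # the same five spread out do not
```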

Problem 10.7 Which control(s) would best mitigate the following threats?
a. The hours worked field in a payroll transaction record contained the value 400 instead of 40.
As a result, the employee received a paycheck for $6,257.24 instead of $654.32.
A limit check on hours worked. The limit would have to be higher than 40 (such as 55 – or
whatever the company deemed appropriate) to allow for overtime, but would certainly catch
the extra 0 added to the 40 hours worked.
b. The accounts receivable file was destroyed because it was accidentally used to update
accounts payable.
All files should have header labels to identify their contents, and all programs should check
these labels before processing transactions against the file. There should also be a clearly
marked external label to reduce the risk of an operator loading the wrong file.

c. During processing of customer payments, the digit 0 in a payment of $204 was mistakenly
typed as the letter “O.” As a result, the transaction was not processed correctly and the
customer erroneously received a letter that the account was delinquent.
A field check should be performed to check whether all characters entered in this field are
numeric. There should be a prompt correction and re-processing of erroneous transactions.

d. A salesperson mistakenly entered an online order for 50 laser printers instead of 50 laser
printer toner cartridges.
A reasonableness test of quantity ordered relative to the product if 50 is an unusually large
number of laser printers to be ordered at one time.

Closed-loop verification to make sure that the stock number matches the item that is ordered.

e. A 20-minute power brownout caused a mission-critical database server to crash, shutting
down operations temporarily.
An uninterruptible power system should be used to provide a reserve power supply in the event
of power failure. The UPS should at a minimum allow the system to operate for a defined length
of time and then, if necessary, power down in the event of an extended power outage.
Longer power outages are best handled by backup generators and real-time mirroring systems.
f. A fire destroyed the data center, including all backup copies of the accounts receivable files.
FILES: A backup copy of the files should be stored off-site.
HARDWARE: A hot or cold site arrangement
BOTH: Real-time mirroring, so that when one site is down the other site(s) can pick up the slack.
A disaster recovery plan
Liability and business interruption insurance
g. After processing sales transactions, the inventory report showed a negative quantity on hand
for several items.
A sign test of quantity on hand.

h. A customer order for an important part did not include the customer’s address. Consequently,
the order was not shipped on time and the customer called to complain.
A completeness check to determine whether all required fields were filled in.

i. When entering a large credit sale, the clerk typed in the customer’s account number as 45982
instead of 45892. That account number did not exist. The mistake was not caught until later in
the week when the weekly billing process was run. Consequently, the customer was not billed
for another week, delaying receipt of payment.
Check digit verification on each customer account number
Or a validity check for actual customers.

j. A visitor to the company’s Web site entered 400 characters into the five-digit Zip code field,
causing the server to crash.
A size check would prevent 400 characters from being entered into a field that allows for only 5
characters.
k. Two traveling sales representatives accessed the parts database at the same time. Salesperson
A noted that there were still 55 units of part 723 available and entered an order for 45 of
them. While salesperson A was keying in the order, salesperson B, in another state, also noted
the availability of 55 units for part 723 and entered an order for 33 of them. Both sales reps
promised their customer next-day delivery. Salesperson A’s customer, however, learned the
next day that the part would have to be back-ordered. The customer canceled the sale and
vowed to never again do business with the company.
Concurrent update controls protect records from errors when more than one salesman tries to
update the inventory database by locking one of the users out of the database until the first
salesman’s update has been completed.

l. The warranty department manager was upset because special discount coupons were mailed
to every customer who had purchased the product within the past 3 years, instead of to only
those customers who had purchased the product within the past 3 months.
A limit check based on the original sales date.

m. The clerk entering details about a large credit sale mistakenly typed in a nonexistent account
number. Consequently, the company never received payment for the items.
Check digit verification on each customer account number

Or a validity check for actual customers

Or closed loop verification that returns the customer name associated with a customer number.

n. A customer filled in the wrong account number on the portion of the invoice being returned
with payment. Consequently, the payment was credited to another customer’s account.
Turnaround documents should include account numbers on them.

o. A batch of 73 time sheets was sent to the payroll department for weekly processing.
Somehow, one of the time sheets did not get processed. The mistake was not caught until
payday, when one employee complained about not receiving a paycheck.
Batch totals would have caught this.
A record count would have indicated that one record was not processed.
Or a hash total (sum of the employee numbers).
p. Sunspot activity resulted in the loss of some data being sent to the regional office. The
problem was not discovered until several days later when managers attempted to query the
database for that information.
Parity checks and checksums will test for data transmission errors.
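An added example, not part of the review materials: the edit checks recommended in parts a through o above (limit, field, sign, completeness, size, reasonableness, check digit, validity and closed-loop verification) as small Python functions combined into one order validator. The weighted modulus-11 check digit scheme, the customer master file and all sample values are constructed assumptions.

```python
"""Added example, not from the ACC203 materials: the Problem 10.7 edit checks
as functions, run over constructed order records. The check-digit scheme,
customer master and every sample value below are assumptions."""

# Constructed customer master file: account body -> customer name.
CUSTOMER_MASTER = {"45892": "Acme Supply Co.", "10273": "Bayside Tools"}

# Constructed "usual" maximum order quantity per product (reasonableness test).
USUAL_MAX_QTY = {"laser printer": 5, "laser printer toner cartridge": 100}


def limit_check(value, upper, lower=0) -> bool:
    """(a) hours worked must fall within a fixed range, e.g. 0..55."""
    return lower <= value <= upper


def field_check_numeric(text: str) -> bool:
    """(c) every character in a numeric field must be a digit ('2O4' fails)."""
    return text.isdigit()


def sign_check(quantity) -> bool:
    """(g) quantity on hand must not be negative."""
    return quantity >= 0


def completeness_check(record: dict, required: list) -> list:
    """(h) return the required fields that are missing or blank."""
    return [f for f in required if not str(record.get(f, "")).strip()]


def size_check(text: str, max_len: int) -> bool:
    """(j) a five-digit Zip code field must not accept 400 characters."""
    return len(text) <= max_len


def reasonableness_check(quantity: int, product: str, usual_max: dict) -> bool:
    """(d) quantity must be plausible for the product ordered."""
    return quantity <= usual_max.get(product, quantity)


def check_digit(body: str) -> str:
    """(i) weighted modulus-11 check digit (assumed scheme): weight the digits
    n+1 .. 2 from left to right, sum, and subtract the remainder from 11.
    Adjacent weights differ by 1, so swapping two neighbouring digits (45892
    keyed as 45982) changes the sum and is caught."""
    weights = range(len(body) + 1, 1, -1)
    total = sum(int(d) * w for d, w in zip(body, weights))
    digit = (11 - total % 11) % 11
    return "X" if digit == 10 else str(digit)


def verify_check_digit(number: str) -> bool:
    body, given = number[:-1], number[-1]
    return body.isdigit() and check_digit(body) == given


def validity_check(account_body: str, master: dict) -> bool:
    """(i, m) the account must exist in the master file."""
    return account_body in master


def closed_loop_verification(account_body: str, master: dict):
    """(m) echo the customer name back so a wrong number is noticed."""
    return master.get(account_body)


def validate_sales_order(rec: dict, master=CUSTOMER_MASTER,
                         usual_max=USUAL_MAX_QTY) -> list:
    """Run the checks on one order record; return the names of failed checks."""
    errors = []
    missing = completeness_check(rec, ["account", "product", "quantity", "address"])
    if missing:
        return ["completeness:" + ",".join(missing)]  # nothing else is meaningful yet
    if not field_check_numeric(rec["quantity"]):
        errors.append("field")
    elif not reasonableness_check(int(rec["quantity"]), rec["product"], usual_max):
        errors.append("reasonableness")
    if not verify_check_digit(rec["account"]):
        errors.append("check_digit")
    elif not validity_check(rec["account"][:-1], master):
        errors.append("validity")
    if not size_check(rec.get("zip", ""), 5):
        errors.append("size")
    return errors


if __name__ == "__main__":
    good = {"account": "458929", "product": "laser printer toner cartridge",
            "quantity": "50", "address": "1 Main St", "zip": "12345"}
    print(validate_sales_order(good))                           # []
    print(validate_sales_order({**good, "account": "459829"}))  # ['check_digit']
```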

Problem 10.8 MonsterMed Inc. (MMI) is an online pharmaceutical firm. MMI has a small systems staff
that designs and writes MMI’s customized software. The data center is installed in the basement of its
two-story headquarters building. The data center is equipped with fire suppression equipment and an
uninterruptible power supply system.

Because the programming staff is small and the work demands have increased, backups are only made
whenever time permits. The backup files are stored in a locked cabinet in the data center. Recently, due
to several days of heavy rains, MMI’s building experienced serious flooding that destroyed not
only the computer hardware but also all the data and program files that were on-site.

Required: Identify at least five weaknesses in MonsterMed Inc.’s backup and DRP procedures.

1. Only copy of backup is stored on-site; should be two copies, one stored on-site and the
other off-site.
2. No written disaster recovery plan.
3. Backups are not done on a regular basis.
4. Restoration of backups is not tested.
5. Programming staff makes backups. This means that the programming staff has access to the
computer room without supervision of the operations staff. The programmers could alter
the data files or operational programs.
6. The location of the computing facility in the basement increases the risk of damage due to
flooding.
7. No mention that the disaster recovery plan is ever tested.

Problem 12.7 O’Brien Corporation is a midsize, privately owned, industrial instrument manufacturer
supplying precision equipment to manufacturers in the Midwest. The corporation is 10 years old
and uses an integrated ERP system. The administrative offices are located in a downtown building
and the production, shipping, and receiving departments are housed in a renovated warehouse a
few blocks away.

Customers place orders on the company’s website, by fax, or by telephone. All sales are on credit,
FOB destination. During the past year sales have increased dramatically, but 15% of credit sales
have had to be written off as uncollectible, including several large online orders to first-time
customers who denied ordering or receiving the merchandise.

Customer orders are picked and sent to the warehouse, where they are placed near the loading
dock in alphabetical sequence by customer name. The loading dock is used both for outgoing
shipments to customers and to receive incoming deliveries. There are ten to twenty incoming
deliveries every day, from a variety of sources.

The increased volume of sales has resulted in a number of errors in which customers were sent
the wrong items. There have also been some delays in shipping because items that supposedly
were in stock could not be found in the warehouse. Although a perpetual inventory is maintained,
there has not been a physical count of inventory for two years. When an item is missing, the
warehouse staff writes the information down in a log book. Once a week, the warehouse staff uses
the log book to update the inventory records.

The system is configured to prepare the sales invoice only after shipping employees enter the
actual quantities sent to a customer, thereby ensuring that customers are billed only for items
actually sent and not for anything on back order.

Required:

a. Identify at least three weaknesses in O’Brien Corporation’s revenue cycle procedures, explain the
associated problem, and propose a solution. Present your answer with these headings: Weakness,
Problem, Solution.

Weaknesses and potential problem(s), each followed by the recommendation(s) to correct it:

1. Weakness: Orders from new customers do not require any form of validation, resulting in several large shipments being sent and never paid for.
   Recommendation: Require digital signatures on all online orders from new customers. Require a written customer purchase order as confirmation of telephone and fax orders.

2. Weakness: Customer credit histories are not checked before approving orders, resulting in excessive uncollectible accounts.
   Recommendation: Customers’ credit should be checked and no sales should be made to those that do not meet credit standards.

3. Weakness: Outgoing shipments are placed near the loading dock door without any physical security. The loading dock is also used to receive incoming deliveries. This increases the risk of theft, which may account for the unexplained shortages in inventory.
   Recommendation: Separate the shipping and receiving docks. Physically restrict access to the loading dock area where customer orders are placed.

4. Weakness: Physical counts of inventory are not made at least annually. This probably accounts for the inaccuracies in the perpetual inventory records and may also prevent timely detection of theft.
   Recommendation: Physical counts of inventory should be made at least once a year. Inventory record discrepancies should be corrected and investigated.

5. Weakness: Shipments are not reconciled to sales orders, resulting in sending customers the wrong items.
   Recommendation: The system should be configured to match shipping information to sales orders and alert the shipping employees of any discrepancies.

6. Weakness: The perpetual inventory records are only updated weekly. This contributes to the unanticipated shortages that result in delays in filling customer orders.
   Recommendation: The warehouse staff should enter information about shortages as soon as they are discovered.

Problem 13.10 Last year the Diamond Manufacturing Company purchased over $10 million worth
of office equipment under its “special ordering” system, with individual orders ranging from
$5,000 to $30,000. Special orders are for low-volume items that have been included in a
department manager’s budget. The budget, which limits the types and dollar amounts of office
equipment a department head can requisition, is approved at the beginning of the year by the
board of directors. The special ordering system functions as follows:

Purchasing A purchase requisition form is prepared and sent to the purchasing department.
Upon receiving a purchase requisition, one of the five purchasing agents (buyers) verifies that the
requester is indeed a department head. The buyer next selects the appropriate supplier by
searching the various catalogs on file. The buyer then phones the supplier, requests a price quote,
and places a verbal order. A prenumbered purchase order is processed, with the original sent to
the supplier and copies to the department head, receiving, and accounts payable. One copy is
also filed in the open-requisition file. When the receiving department verbally informs the buyer
that the item has been received, the purchase order is transferred from the open to the filled file.
Once a month, the buyer reviews the unfilled file to follow up on open orders.

Receiving The receiving department gets a copy of each purchase order. When equipment is
received, that copy of the purchase order is stamped with the date and, if applicable, any
differences between the quantity ordered and the quantity received are noted in red ink. The
receiving clerk then forwards the stamped purchase order and equipment to the requisitioning
department head and verbally notifies the purchasing department that the goods were received.

Accounts Payable Upon receipt of a purchase order, the accounts payable clerk files it in the
open purchase order file. When a vendor invoice is received, it is matched with the applicable
purchase order, and a payable is created by debiting the requisitioning department’s equipment
account. Unpaid invoices are filed by due date. On the due date, a check is prepared and
forwarded to the treasurer for signature. The invoice and purchase order are then filed by
purchase order number in the paid invoice file.

Treasurer Checks received daily from the accounts payable department are sorted into two
groups: those over and those under $10,000. Checks for less than $10,000 are machine signed.
The cashier maintains the check signature machine’s key and signature plate and monitors its use.
Both the cashier and the treasurer sign all checks over $10,000.

a. Describe the weaknesses relating to purchases and payments of “special orders” by the
Diamond Manufacturing Company.
b. Recommend control procedures that must be added to overcome weaknesses identified in
part a.
c. Describe how the control procedures you recommended in part b should be modified if
Diamond reengineered its expenditure cycle activities to make maximum use of current IT
(e.g., EDI, EFT, bar-code scanning, and electronic forms in place of paper documents).

For each item: the weakness (part a), the control that corrects it (part b), and the effect of new IT on that control (part c).

1. Weakness: Buyer does not verify that the department head’s request is within budget.
   Control: Compare requested amounts to total budget and YTD expenditures.
   Effect of new IT: System can automatically compare the requested amount to the remaining budget.

2. Weakness: No procedures established to ensure the best price is obtained.
   Control: Solicit quotes/bids for large orders.
   Effect of new IT: EDI and Internet can be used to solicit bids.

3. Weakness: Buyer does not check vendor’s past performance.
   Control: Prepare a vendor performance report and use it when selecting vendors.
   Effect of new IT: Vendor performance ratings can be updated automatically and made available to buyer.

4. Weakness: Blind counts not made by receiving.
   Control: Black out quantities ordered on copy of Purchase Order sent to receiving. Provide incentives if discrepancies between packing slip and actual delivery are detected.
   Effect of new IT: Do not permit receiving clerks to access quantities on purchase orders. Request bar coding or RFID tagging of all items and use readers to check in all deliveries. Still provide incentives to detect discrepancies.

5. Weakness: Written notice of equipment receipt not sent to purchasing.
   Control: Send written notice of equipment receipt to purchasing.
   Effect of new IT: Receiving data and comments entered via on-line terminals and routed to purchasing.

6. Weakness: Written notice of equipment receipt not sent to accounts payable.
   Control: Send written notice of equipment receipt to accounts payable.
   Effect of new IT: Configure system to notify accounts payable automatically of equipment receipt.

7. Weakness: Mathematical accuracy of vendor invoice is not verified.
   Control: Verify mathematical accuracy of vendor invoice.
   Effect of new IT: Automatic verification of mathematical accuracy of vendor invoice.

8. Weakness: Invoice quantity not compared to receiving report quantity.
   Control: Compare/verify invoiced quantity with quantity received.
   Effect of new IT: System verifies invoice quantity with quantity received.

9. Weakness: Notification of acceptability of equipment from requesting department not obtained prior to recording payable.
   Control: Obtain confirmation from requisitioner of the acceptability of equipment ordered prior to recording payable.
   Effect of new IT: Configure system to require confirmation of equipment acceptability prior to approving invoice for payment.

10. Weakness: Voucher package not sent to Treasurer.
    Control: Send voucher package (purchase order and receiving report) to Treasurer along with approved invoice.
    Effect of new IT: Configure system to match invoices automatically with supporting documents.

11. Weakness: Voucher package not cancelled when invoice paid.
    Control: Treasurer should mark voucher package as PAID when check is signed.
    Effect of new IT: Configure system to mark supporting documents as used when invoice is paid.

12. Weakness: No mention of bank reconciliation.
    Control: Bank account should be reconciled by someone other than Accounts Payable or the treasurer.
    Effect of new IT: Bank account should be reconciled by someone other than Accounts Payable or the treasurer.

Problem 14.5
The Joseph Brant Manufacturing Company makes athletic footwear. Processing of production orders is as
follows: At the end of each week, the production planning department prepares a master
production schedule (MPS) that lists which shoe styles and quantities are to be produced during the
next week. A production order preparation program accesses the MPS and the operations list
(stored on a permanent disk file) to prepare a production order for each shoe style that is to be
manufactured. Each new production order is added to the open production order master file stored
on disk.

Each day, parts department clerks review the open production orders and the MPS to determine
which materials need to be released to production. All materials are bar-coded. Factory workers
work individually at specially designed U-shaped work areas equipped with several machines to
assist them in completely making a pair of shoes. Factory workers scan the bar-codes as they use
materials. To operate a machine, the factory workers swipe their ID badge through a reader. This
results in the system automatically collecting data identifying who produced each pair of shoes and
how much time it took to make them.

Once a pair of shoes is finished, it is placed in a box. The last machine in each work cell prints a bar-
code label that the worker affixes to the box. The completed shoes are then sent to the warehouse.

a. Prepare a data flow diagram of all operations described.

[Data flow diagram not reproduced in this text version. Recoverable labels: process 1.0 Plan Production, with the data labels QOH inventory, sales forecasts, MPS and scheduled production; process 2.0 Prepare Production Order, with the labels MPS, operations list, bill of materials, production orders and the open production orders data store; process 3.0 Perform Production Operation, with the labels production order, operations card and work activity.]
b. What control procedures should be included in the system?

A large number of controls are possible, including the following:

• Access Control - User ID and Password
• Compatibility Test - Password
• Preformatting or Prompting - All Data Entered
• Record Count - # of Transactions
• Validity Check - Product Code Number
• Limit Check - Production Quantity
• Field Check - Production Date
• Field Check - Quantity
• Completeness Test - Each Record
• File Library - Log Master Files
• External Labels - Master Files
• Header Labels - Master Files
• Backup Copy - Operations List and Bill of Materials
• Backup Copy - Production Orders
• Record Count - # of Operations
• Sequentially Numbered Product Orders
• Reasonableness Check - Date Completed versus Date Started
• Validity Check - Employee Number
• Reasonableness Test - Elapsed Time

Problem 15.2 What internal control procedure(s) would be most effective in preventing the following errors or
fraudulent acts?

a. An inadvertent data entry error caused an employee’s wage rate to be overstated in the
payroll master file.

• Have the personnel department maintain a hash total of employee wage rates

• Check hash total against payroll master file total after each update.

• Test the reasonableness of wage rate changes during data entry to detect large errors.

• Have supervisors review departmental payroll expenses as a way of detecting these kinds of
problems.

b. A fictitious employee payroll record was added to the payroll master file.

• Use strong multifactor authentication techniques to restrict access to the payroll master
data to authorized personnel in the HR department.

• Have the personnel department maintain a record count of the number of employees and
check it against a record count generated during each payroll-processing run.

• Require positive identification of recipients as each paycheck is distributed. This would likely
result in the paycheck not being claimed, which would then trigger an investigation.

• Periodically print and verify all changes to the payroll master file

c. During data entry, the hours worked on an employee’s time card for one day were accidentally
entered as 80 hours, instead of 8 hours.

• Use a limit check during data entry to check the hours-worked field for each employee
transaction record. Management would set a limit that makes sense in their organization. If
overtime was never allowed, they could use 8 hours for the limit. If overtime was permitted,
they might decide instead to use 9 or 10 hours.

d. A computer operator used an online terminal to increase her own salary.

• Use passwords and an access control matrix to restrict access to authorized personnel.

• Use a compatibility test on all transactions entered to verify that the operator’s password
allows access and modification authority.

• Have the personnel department maintain a batch total of all salaries and check it against
the corresponding total generated during each payroll run as a backup control.

e. A factory supervisor failed to notify the HRM department that an employee had been fired.
Consequently, paychecks continued to be issued for that employee. The supervisor pocketed
and cashed those paychecks.

• Implement a policy prohibiting supervisors from picking up or distributing paychecks.
Instead, have the payroll department distribute all paychecks.

• Investigate all unclaimed paychecks.

f. A factory employee punched a friend’s time card in at 1:00 P.M. and out at 5:00 P.M. while the
friend played golf that afternoon.

• Use biometric controls to record time in and time out.

• Observe (in person or by video surveillance) time clock activity to uncover punching other
people’s cards.

• Collect detailed job time data and, prior to payroll processing, reconcile it with data
o Prepared or approved by factory supervisors, or
o Captured with automated data collection equipment.

g. A programmer obtained the payroll master file and increased his salary.

• Implement physical access controls, such as a file library function, to prevent programmers
from having unsupervised access to production databases.

• Implement authentication and authorization controls, such as user IDs, passwords, and an
access control matrix, to limit access to all master files to authorized personnel.

• Have supervisors review reports of all changes to payroll master data to detect this type of
fraud.

• Have the personnel department maintain a batch total of all salaries and check it against
the corresponding total generated during each payroll run as a backup control.
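
The access control matrix and compatibility test recommended for cases (d) and (g) can be shown in working form. The block below is an added example, not code from the original review materials: the role names, resources and the rule set are assumptions made for this example, and authentication (checking the password) is assumed to have already happened before a transaction reaches this check. It denies by default, refuses an otherwise authorized role the right to change its own payroll record, and logs every attempt so a supervisor's change report shows the denied ones too.

```python
# Added example, not from the original page: a compatibility test that checks each
# payroll transaction against an access control matrix before it is applied, and
# writes every attempt to a change log for supervisor review. Role names, resources
# and rules are assumptions made for this example.
from dataclasses import dataclass, field

# Constructed access control matrix: role -> resource -> permitted actions.
# Deny by default: a role or resource that is absent carries no permissions.
ACCESS_MATRIX = {
    "payroll_clerk": {"time_records": {"read", "create"}, "payroll_master": {"read"}},
    "hr_specialist": {"payroll_master": {"read", "update"}},
    "operator":      {"job_queue": {"read", "run"}},        # no access to salary data
    "programmer":    {},                                     # no access to production data
}


@dataclass(frozen=True)
class User:
    user_id: str
    employee_id: str   # the user's own payroll record, if they have one
    role: str


@dataclass(frozen=True)
class Transaction:
    user: User
    action: str                       # "read", "create", "update", "run"
    resource: str                     # "payroll_master", "time_records", "job_queue"
    target_employee_id: str = ""      # record acted on, for payroll_master
    fields: frozenset = field(default_factory=frozenset)


def compatibility_test(txn: Transaction) -> tuple[bool, str]:
    """Return (allowed, reason) for one transaction."""
    permitted = ACCESS_MATRIX.get(txn.user.role, {}).get(txn.resource, set())
    if txn.action not in permitted:
        return False, f"role '{txn.user.role}' lacks '{txn.action}' on '{txn.resource}'"
    # Segregation of duties: even an authorized role may not change its own record.
    if (txn.resource == "payroll_master" and txn.action == "update"
            and txn.target_employee_id == txn.user.employee_id):
        return False, "self-modification of own payroll record is prohibited"
    return True, "ok"


def apply_with_log(txn: Transaction, change_log: list) -> bool:
    """Run the compatibility test, log the attempt whether or not it passed, and
    report whether the transaction may be applied."""
    allowed, reason = compatibility_test(txn)
    change_log.append({
        "user": txn.user.user_id, "action": txn.action, "resource": txn.resource,
        "target": txn.target_employee_id, "fields": sorted(txn.fields),
        "allowed": allowed, "reason": reason,
    })
    return allowed


if __name__ == "__main__":
    log = []
    operator = User("op01", "E1001", "operator")
    hr = User("hr07", "E2002", "hr_specialist")
    programmer = User("pg03", "E3003", "programmer")
    # scenario (d): a computer operator tries to raise her own salary
    apply_with_log(Transaction(operator, "update", "payroll_master", "E1001", frozenset({"salary"})), log)
    # scenario (g): a programmer tries to read the payroll master
    apply_with_log(Transaction(programmer, "read", "payroll_master"), log)
    # HR may update another employee's salary, but not their own
    apply_with_log(Transaction(hr, "update", "payroll_master", "E1001", frozenset({"salary"})), log)
    apply_with_log(Transaction(hr, "update", "payroll_master", "E2002", frozenset({"salary"})), log)
    for entry in log:
        print(entry)
```

The self-modification rule is the part that a plain role check misses: an HR specialist legitimately holds update rights on the payroll master, so only a rule tied to the subject of the record stops the same person raising their own pay.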

h. Some time cards were lost during payroll preparation; consequently, when paychecks were
distributed, several employees complained about not being paid.
• Prepare a record count of job time records before they are submitted for processing and
compare the record count subsequent to data entry against the number of paychecks prepared.

• Reconcile job time records to employee clock cards.

• Print a payroll register report with the paychecks. The number of employees on the register
(and the number of paychecks) should match the number of active employees in the payroll master file.

• Promptly investigate any discrepancies.
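
The record count and reconciliation controls for case (h) amount to a small batch-balancing routine. The block below is an added example, not part of the original review materials; the record layouts and the sample data are constructed for it. It takes the control totals before processing, compares them with the paychecks the run produced, and names the employees on each side of the difference rather than only reporting that the totals do not agree.

```python
# Added example, not from the original page: batch control totals for scenario (h).
# A record count and a hash total of hours are taken before the time records are
# submitted for processing and compared with the paychecks the run produced.
# Record layouts and the data in __main__ are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class TimeRecord:
    employee_id: str
    hours: float


@dataclass(frozen=True)
class Paycheck:
    employee_id: str
    hours_paid: float


def control_totals(records) -> dict:
    """Batch control totals taken before processing: a record count and a hash
    total of hours (a sum with no business meaning of its own, kept only so
    that a lost or altered record changes it)."""
    return {"count": len(records),
            "hours": round(sum(r.hours for r in records), 2)}


def reconcile_run(submitted, paychecks, active_employees) -> dict:
    """Compare the pre-processing totals with the output of the payroll run.

    submitted:        TimeRecord objects handed to processing
    paychecks:        Paycheck objects the run produced
    active_employees: employee IDs currently active in the payroll master file
    """
    before = control_totals(submitted)
    after = {"count": len(paychecks),
             "hours": round(sum(p.hours_paid for p in paychecks), 2)}
    submitted_ids = {r.employee_id for r in submitted}
    paid_ids = {p.employee_id for p in paychecks}
    active_ids = set(active_employees)
    return {
        "before": before,
        "after": after,
        "balanced": before == after,
        # time record submitted but no paycheck: the record was lost in processing
        "submitted_not_paid": sorted(submitted_ids - paid_ids),
        # paycheck with no time record: investigate as a possible fictitious employee
        "paid_without_time_record": sorted(paid_ids - submitted_ids),
        # active employee with no time record at all: absent, or card never collected
        "active_without_time_record": sorted(active_ids - submitted_ids),
        # paycheck for someone not in the master file
        "paid_not_active": sorted(paid_ids - active_ids),
    }


if __name__ == "__main__":
    submitted = [TimeRecord("E1", 40.0), TimeRecord("E2", 38.5), TimeRecord("E3", 40.0)]
    produced = [Paycheck("E1", 40.0), Paycheck("E3", 40.0)]    # E2's card was lost
    active = ["E1", "E2", "E3", "E4"]                            # E4 on leave, no card
    result = reconcile_run(submitted, produced, active)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The count alone would not distinguish a lost card from a card that was never turned in; the set differences against the active employee list do, which is the information the person investigating the discrepancy actually needs.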


i. A large portion of the payroll master file was destroyed when the disk pack containing the file
was used as a scratch file for another application.

 Use internal and external file labels to identify the contents and expiration date of all active
files

 Train computer operators to carefully examine external file labels before file processing
begins.

 Have all programs check internal file labels prior to processing.

 Maintain backup copies of all current files.
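
The internal file label check for case (i) is simple to implement, and the value is in what the program refuses to do. The block below is an added example, not code from the original review materials. The label format is an assumption made for it: the first line of every data file is "HDR|<file name>|<created>|<expires>" with ISO dates. A program opening a file for input checks that the label names the file it expects; a program looking for scratch space refuses any file whose retention has not expired, and treats a file with no readable label as live data with a damaged header rather than as free space.

```python
# Added example, not from the original page: an internal file label check for
# scenario (i). The label format "HDR|<name>|<created>|<expires>" is an assumption
# made for this example.
from datetime import date
import os
import tempfile


class FileLabelError(Exception):
    """Raised when a file's internal label is missing, malformed or wrong."""


def parse_label(first_line: str) -> dict:
    parts = first_line.rstrip("\r\n").split("|")
    if len(parts) != 4 or parts[0] != "HDR":
        raise FileLabelError(f"missing or malformed internal label: {first_line!r}")
    return {"name": parts[1],
            "created": date.fromisoformat(parts[2]),
            "expires": date.fromisoformat(parts[3])}


def write_labelled(path: str, name: str, created: date, expires: date, lines) -> None:
    with open(path, "w", encoding="utf-8") as f:
        f.write(f"HDR|{name}|{created.isoformat()}|{expires.isoformat()}\n")
        for line in lines:
            f.write(line + "\n")


def read_labelled(path: str, expected_name: str) -> list:
    """Return the data lines only after the internal label names the expected file."""
    with open(path, encoding="utf-8") as f:
        label = parse_label(f.readline())
        if label["name"] != expected_name:
            raise FileLabelError(f"expected {expected_name}, found {label['name']}")
        return [line.rstrip("\n") for line in f]


def may_overwrite(path: str, today: date) -> bool:
    """True only if the file carries a valid label that has already expired.
    An unlabelled or unreadable file is not treated as free."""
    try:
        with open(path, encoding="utf-8") as f:
            label = parse_label(f.readline())
    except (OSError, FileLabelError, ValueError):
        return False
    return label["expires"] < today


def open_scratch(path: str, today: date):
    """Open a path for use as scratch space, or refuse if it holds a retained file."""
    if os.path.exists(path) and not may_overwrite(path, today):
        raise FileLabelError(f"{path} is a retained file; refusing to use it as scratch")
    return open(path, "w", encoding="utf-8")


def self_check() -> dict:
    """Exercise the checks in a temporary directory and return the outcomes."""
    d = tempfile.mkdtemp()
    master = os.path.join(d, "payroll_master.dat")
    write_labelled(master, "PAYROLL_MASTER", date(2024, 1, 5), date(2024, 12, 31),
                   ["E1001|Alice|18.00", "E1002|Bob|20.00"])     # constructed records
    out = {"read": read_labelled(master, "PAYROLL_MASTER"),
           "overwrite_in_retention": may_overwrite(master, date(2024, 6, 1)),
           "overwrite_after_expiry": may_overwrite(master, date(2025, 1, 1))}
    try:
        read_labelled(master, "TIME_RECORDS")
        out["wrong_name_blocked"] = False
    except FileLabelError:
        out["wrong_name_blocked"] = True
    try:
        open_scratch(master, date(2024, 6, 1)).close()
        out["scratch_blocked"] = False
    except FileLabelError:
        out["scratch_blocked"] = True
    unlabelled = os.path.join(d, "scratch.tmp")
    with open(unlabelled, "w", encoding="utf-8") as f:
        f.write("E1001|Alice|18.00\n")            # data with no label: not free to reuse
    out["unlabelled_blocked"] = not may_overwrite(unlabelled, date(2025, 1, 1))
    return out


if __name__ == "__main__":
    for key, value in self_check().items():
        print(f"{key}: {value}")
```

The label is a detective control only if every program honours it; the external label and the operator's inspection remain necessary because a program written without the check will happily overwrite a labelled file.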

j. The organization was fined $5000 for making a late quarterly payroll tax payment to the IRS.

 Use IRS Circular E (Publication 15, Employer’s Tax Guide), which provides instructions for making
required remittances of payroll taxes, to configure the system to make payroll tax payments on schedule.

 Set up a quarterly “tickler” or reminder message to the cashier about making the required
payroll tax remittance.

Problem 15.4 Although most medium and large companies have implemented sophisticated payroll and
HRM systems like the one described in this chapter, many smaller companies still maintain
separate payroll and HRM systems that employ many manual procedures. Typical of such small
companies is the Kowal Manufacturing Company, which employs about 50 production workers
and has the following payroll procedures:

 The factory supervisor interviews and hires all job applicants. The new employee prepares a
W-4 form (Employee’s Withholding Exemption Certificate) and gives it to the supervisor. The
supervisor writes the hourly rate of pay for the new employee in the corner of the W-4 form
and then gives the form to the payroll clerk as notice that a new worker has been hired. The
supervisor verbally advises the payroll department of any subsequent pay raises.
 A supply of blank time cards is kept in a box near the entrance to the factory. All workers take
a time card on Monday morning and fill in their names. During the week they record the time
they arrive and leave work by punching their time cards in the time clock located near the
main entrance to the factory. At the end of the week the workers drop the time cards in a box
near the exit. A payroll clerk retrieves the completed time cards from the box on Monday
morning. Employees are automatically removed from the payroll master file when they fail to
turn in a time card.
 The payroll checks are manually signed by the chief accountant and then given to the factory
supervisor, who distributes them to the employees. The factory supervisor arranges for
delivery of the paychecks to any employee who is absent on payday.
 The payroll bank account is reconciled by the chief accountant, who also prepares the various
quarterly and annual tax reports.

a. Identify weaknesses in current procedures, and explain the threats that they may allow to
occur.

Weakness / Threat

1. Weakness: The factory supervisor hires all job applicants and forwards their W-4 forms to the
   payroll clerk.
   Threat: The factory supervisor could hire fictitious employees and submit W-4 forms for them.

2. Weakness: The factory supervisor verbally informs payroll of all employee pay raises.
   Threat: With no documentation of pay raises, employee disputes and litigation can arise, and
   the factory supervisor could give the fictitious employees raises.

3. Weakness: Factory supervisors determine the pay rates of new hires.
   Threat: Factory supervisors can overpay or underpay new hires.

4. Weakness: Blank time cards are readily available.
   Threat: An employee could have another employee fill out a time card when they were late or
   not even at work.

5. Weakness: Weekly time cards are not collected until the next Monday.
   Threat: Time cards could be altered over the weekend with fictitious or false information, for
   example in a vendetta against another employee. Someone could also “fire” an employee by
   removing his time card over the weekend.

6. Weakness: Employees are automatically removed from the payroll master file if they do not
   turn in a time card.
   Threat: A sick employee or one on vacation could be “fired” because they did not turn in a
   time card.

7. Weakness: The factory supervisor distributes paychecks.
   Threat: The supervisor can conveniently keep the paychecks of fictitious or fired employees.

8. Weakness: The payroll account is reconciled by the chief accountant, who also signs paychecks.
   Threat: The chief accountant has opportunities to conceal fraud by altering the records.

b. Suggest ways to improve the Kowal Manufacturing Company’s internal controls over hiring
and payroll processing.

1. A system of advice forms should be installed so that new hires, terminations, rate changes,
etc., are reported to the payroll department in writing. Such forms should be submitted by
the employee and verified by the appropriate supervisor.
2. Before applicants are hired, their backgrounds should be investigated by contacting
references to determine that they are honest and have no undesirable personal
characteristics.
3. The supply of blank time cards should be removed. At the beginning of each week the
payroll department should provide each worker with a time card with his name typed or
printed on it.
4. The foreman should collect the time cards at the end of the week, approve them, and turn
them over to the payroll clerk. All time cards should be accounted for and any missing cards
investigated.
5. The payroll checks should be distributed to the workers by a responsible person other than
the foreman. Unclaimed checks should be sent to internal audit until claimed by the worker.
6. A responsible person other than the chief accountant and the payroll clerks should reconcile
the payroll bank account.
7. If the Company has a cost system that requires the workers to prepare production reports or
to account for their time by work tickets, the time cards and the production reports or work
tickets should be compared.
8. The payroll checks should be prenumbered to control their issuance.
9. From time to time, an officer of the Company should witness a payroll distribution on a
surprise basis.
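
Several of these recommendations (written advice forms for hires, rate changes and terminations; prenumbered checks; investigation of anything unexplained) become a routine that can be run against every payroll register. The block below is an added example, not part of the original review materials; the record layouts and the data in sample_data() are constructed for it. It derives each employee's authorized rate from the approved advice forms alone, so a verbal raise that was never approved in writing is flagged, a paycheck to someone with no hire advice or after a termination advice is flagged as a possible ghost employee, and a gap in the check sequence is reported.

```python
# Added example, not from the original page: an audit of one week's payroll
# register against written advice forms (hires, rate changes, terminations, each
# approved in writing) and against the prenumbered check sequence. Record layouts
# and the data in sample_data() are constructed for this example.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Advice:
    employee_id: str
    kind: str                     # "hire", "rate_change" or "termination"
    effective: date
    rate: Optional[float] = None  # hourly rate, for hire and rate_change
    approved_by: str = ""         # empty means the form was never approved


@dataclass(frozen=True)
class RegisterLine:
    check_no: int
    employee_id: str
    rate: float
    hours: float


def authorized_rate(advices, employee_id: str, pay_date: date) -> Optional[float]:
    """Hourly rate in force on pay_date according to approved advice forms, or
    None if the employee was never hired, or was terminated on or before pay_date.
    Unapproved forms (a verbal raise a clerk wrote down) are ignored."""
    history = sorted(
        (a for a in advices
         if a.employee_id == employee_id and a.effective <= pay_date and a.approved_by),
        key=lambda a: a.effective)
    rate = None
    for a in history:
        if a.kind in ("hire", "rate_change"):
            rate = a.rate
        elif a.kind == "termination":
            rate = None
    return rate


def audit_register(register, advices, pay_date: date) -> dict:
    findings = []
    for line in register:
        rate = authorized_rate(advices, line.employee_id, pay_date)
        if rate is None:
            findings.append((line.check_no, line.employee_id,
                             "no approved hire advice, or terminated: possible ghost employee"))
        elif abs(rate - line.rate) > 1e-9:
            findings.append((line.check_no, line.employee_id,
                             f"paid at {line.rate:.2f}, authorized rate is {rate:.2f}"))
    # Prenumbered checks: every number between the lowest and highest must be accounted for.
    numbers = sorted(l.check_no for l in register)
    used = set(numbers)
    gaps = [n for n in range(numbers[0], numbers[-1] + 1) if n not in used] if numbers else []
    return {"findings": findings, "missing_check_numbers": gaps}


def sample_data():
    """Constructed advice forms and register for one pay date."""
    advices = [
        Advice("E1", "hire", date(2024, 1, 8), 18.00, "J. Kowal"),
        Advice("E2", "hire", date(2024, 2, 5), 20.00, "J. Kowal"),
        Advice("E2", "rate_change", date(2024, 4, 1), 22.00),           # verbal raise, never approved
        Advice("E3", "hire", date(2024, 1, 8), 19.00, "J. Kowal"),
        Advice("E3", "termination", date(2024, 5, 10), approved_by="J. Kowal"),
    ]
    register = [
        RegisterLine(1001, "E1", 18.00, 40.0),
        RegisterLine(1002, "E2", 22.00, 40.0),   # paid the unapproved rate
        RegisterLine(1004, "E3", 19.00, 40.0),   # terminated last week, still paid
        RegisterLine(1005, "E9", 17.50, 40.0),   # nobody ever hired E9
    ]
    return register, advices, date(2024, 5, 17)


if __name__ == "__main__":
    result = audit_register(*sample_data())
    for finding in result["findings"]:
        print(*finding)
    print("missing check numbers:", result["missing_check_numbers"])
```

Run by someone other than the chief accountant and the payroll clerk, this is the detective counterpart to the preventive controls above: it only works because the advice forms, not the supervisor's word, are the source of truth for who is employed and at what rate.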

Problem 11.12 Which of the following should have the primary responsibility to detect and correct
data processing errors? Explain why that function should have primary responsibility and why the others
should not.

a. The data processing manager – The data processing manager should have primary responsibility to
detect and correct data processing errors. The data processing manager has primary responsibility
for the four stages of the data processing cycle, which are data input, data processing, data storage,
and information output. Setting up a system that will detect and correct data processing errors falls
squarely into the data processing cycle.
b. The computer operator – Although the computer operator is responsible for the operation of the
hardware and software of the organization, the operator is not responsible for detecting and correcting
data processing errors. Being able to both process data and correct data processing errors would allow
the operator to “fix” non-existent errors in a way that would benefit the operator personally; that is,
it would allow the perpetrator to commit and conceal fraud.

c. The corporate controller – The corporate controller has overall responsibility for the operation of
the accounting function, but would not have primary responsibility to detect and correct data
processing errors.

d. The independent public accountant – The independent auditor has no responsibility to detect and
correct a client’s data processing errors. The independent auditor’s responsibility is to attest to
fairness of the financial statements.

Problem 3.8 A mail-order skin and body care company advertises in magazines. Magazine subscribers
initiate most orders by completing and sending coupons directly to the company. The firm also takes orders
by phone, answers inquiries about products, and handles payments and cancellations of orders. Products
that have been ordered are sent either directly to the customer or to the company’s regional offices that
handle the required distribution. The mail-order company has three basic data files, which contain
customer mailing information, product inventory information, and billing information based on invoice
number. During the next few years, the company expects to become a multimillion-dollar operation.
Recognizing the need to computerize much of the mail-order business, the company has begun the process
by calling you.

REQUIRED

Draw a context diagram and at least two levels of DFDs for the preceding operations.

Context Level Data Flow Diagram (recovered from the figure, which is not reproduced here)

External entity: Customer
Process: Mail Order System

Flows from Customer to the Mail Order System: coupon order, phone order, cancellation, payment,
order inquiry, product inquiry, payment inquiry
Flows from the Mail Order System to Customer: invoice, shipping notice, cancellation response,
order inquiry response, product inquiry response, payment inquiry response

Level 0 Data Flow Diagram (recovered from the figure)

Processes:
  1.0 Process Customer Order Transaction
  2.0 Process Shipment
  3.0 Process Payment Transaction
Data stores: Order File, Product File, Customer File, Accounts Receivable File

Flows:
  Customer -> 1.0: coupon order, phone order, cancellation, order inquiry, product inquiry
  1.0 -> Customer: cancellation response, order inquiry response, product inquiry response
  1.0 <-> Order File: order, valid order, cancellation
  1.0 <-> Product File: product details
  1.0 -> 2.0: valid order
  2.0 <-> Product File: product details
  2.0 <-> Customer File: customer details
  2.0 -> Customer: shipping notice, invoice
  2.0 -> Accounts Receivable File: billed order
  Customer -> 3.0: payment, payment inquiry
  3.0 -> Customer: payment inquiry response
  3.0 <-> Accounts Receivable File: billed order, payment

Level 1 Data Flow Diagram for process 1.0 (recovered from the figure)

Processes:
  1.1 Process Order
  1.2 Process Order Cancellation
  1.3 Process Order Inquiry
  1.4 Process Product Inquiry
Data stores: Order File, Product File

Flows:
  Customer -> 1.1: order;  1.1 -> Order File: valid order
  Customer -> 1.2: cancellation;  1.2 <-> Order File: order, cancelled order;
  1.2 -> Customer: cancellation response
  Customer -> 1.3: order inquiry;  Order File -> 1.3: order details;
  1.3 -> Customer: order inquiry response
  Customer -> 1.4: product inquiry;  Product File -> 1.4: product details;
  1.4 -> Customer: product inquiry response

Problem 3.9 The local college requires that each student complete an online registration request form.
The system checks the accounts receivable subsystem to ensure that no fees are owed. Next, for each
course, the system checks the student transcript to ensure that he or she has completed the course
prerequisites. Then the system checks class availability and, if there is room, adds the student’s Social
Security number to the class list.

The report back to the student shows the result of registration processing: If the student owes fees, a bill is
sent and the registration is rejected. If prerequisites for a course are not fulfilled, the student is notified and
that course is not registered. If the class is full, the student request is annotated with “course closed.” If a
student is accepted into a class, then the day, time, and room are shown next to the course number.
Student fees and total tuition are computed and shown on the report. Student fee data is interfaced to the
accounts receivable subsystem. When registration is complete, course enrollment reports are prepared for
the instructors.
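
The narrative above is a fully specified decision procedure (fees, then prerequisites per course, then capacity, then the report and the enrollment lists), and is easier to check as code than as prose. The block below is an added example, not part of the original review materials; the catalogue in sample_catalogue() is constructed for it. One deliberate departure: the narrative adds the student's Social Security number to the class list, while this example keys class lists by an opaque student ID, since an SSN is used as an identity secret elsewhere and should not be copied into class lists and enrollment reports sent to instructors.

```python
# Added example, not from the original page: the registration decisions the
# narrative describes, run over a constructed catalogue. Class lists are keyed by
# an opaque student ID rather than by SSN (a deliberate change from the narrative).
from dataclasses import dataclass, field


@dataclass
class Course:
    number: str
    prerequisites: frozenset
    capacity: int
    day: str
    time: str
    room: str
    fee: float
    enrolled: list = field(default_factory=list)   # the class list


def register(student_id, requested, courses, fees_owed, transcript, tuition_per_course):
    """Process one online registration request.

    fees_owed:  balance from the accounts receivable subsystem
    transcript: set of course numbers the student has completed
    Returns the report sent back to the student; class lists in `courses` are
    updated in place for accepted courses.
    """
    report = {"student_id": student_id, "courses": {}, "fees": 0.0,
              "tuition": 0.0, "rejected": False}
    if fees_owed > 0:                      # bill the student and reject the whole request
        report["rejected"] = True
        report["bill"] = fees_owed
        return report
    for num in requested:
        course = courses[num]
        missing = course.prerequisites - transcript
        if missing:
            report["courses"][num] = {"status": "prerequisites not met",
                                      "missing": sorted(missing)}
        elif len(course.enrolled) >= course.capacity:
            report["courses"][num] = {"status": "course closed"}
        else:
            course.enrolled.append(student_id)
            report["courses"][num] = {"status": "accepted", "day": course.day,
                                      "time": course.time, "room": course.room}
            report["fees"] += course.fee
            report["tuition"] += tuition_per_course
    return report


def enrollment_reports(courses) -> dict:
    """Per-course class lists handed to instructors once registration closes."""
    return {num: list(c.enrolled) for num, c in courses.items()}


def sample_catalogue() -> dict:
    """Constructed catalogue: CS101 has one seat and it is already taken."""
    return {
        "ACC101": Course("ACC101", frozenset(), 30, "Mon", "09:00", "B101", 25.0),
        "ACC203": Course("ACC203", frozenset({"ACC101"}), 2, "Tue", "11:00", "B204", 25.0),
        "ACC301": Course("ACC301", frozenset({"ACC203"}), 2, "Wed", "14:00", "B210", 40.0),
        "CS101": Course("CS101", frozenset(), 1, "Thu", "10:00", "C105", 50.0,
                        enrolled=["S0009"]),
    }


if __name__ == "__main__":
    catalogue = sample_catalogue()
    print(register("S0001", ["ACC203", "ACC301", "CS101"], catalogue, 0.0, {"ACC101"}, 300.0))
    print(register("S0002", ["ACC203"], catalogue, 125.0, {"ACC101"}, 300.0))
    print(enrollment_reports(catalogue))
```

Note that the prerequisite check runs against the transcript as it stands, so a course accepted earlier in the same request does not satisfy a prerequisite for a later one; that matches the narrative, which checks completed courses only.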

REQUIRED

Prepare a context diagram and at least two levels of DFDs for this process.

Context Level Data Flow Diagram (recovered from the figure, which is not reproduced here)

External entities: Student, Instructor
Process: Course Registration System

Student -> Course Registration System: registration request
Course Registration System -> Student: fees notice, prerequisite notice, course closed notice,
student acceptance notice
Course Registration System -> Instructor: course enrollment reports

Level 0 Data Flow Diagram (recovered from the figure)

Processes:
  1.0 Register Student
  2.0 Prepare Course Enrollment Reports
Data stores: accounts receivable file, student records file, course records file, class lists file

Flows:
  Student -> 1.0: registration details
  1.0 <-> accounts receivable file, student records file, course records file, class lists file
  1.0 -> Student: fees notice, prerequisite notice, course closed notice, student acceptance notice
  class lists file -> 2.0;  2.0 -> Instructor: course enrollment reports

Level 1 Data Flow Diagram for process 1.0 (recovered from the figure)

Processes:
  1.1 Check Fees Due
  1.2 Check Prerequisites
  1.3 Check Class Availability
  1.4 Register Student
Data stores: accounts receivable file, student record file, course file, class list file

Flows:
  Student -> 1.1: registration details;  1.1 <-> accounts receivable file: fees due / paid
  1.1 -> Student: fees notice;  1.1 -> 1.2: registration details (fees paid)
  1.2 <-> student record file;  1.2 -> Student: prerequisite notice;
  1.2 -> 1.3: valid registration details
  1.3 <-> course file, class list file;  1.3 -> Student: closed course notice;
  1.3 -> 1.4: accepted registration details
  1.4 -> class list file;  1.4 -> Student: student acceptance notice

Case 3-1: Dub 5

You are the systems analyst for the Wee Willie Williams Widget Works (also known as Dub 5). Dub 5 has
been producing computer keyboard components for more than 20 years and has recently signed an
exclusive 10-year contract to provide the keyboards for all Dell and HP personal computers. As the systems
analyst, you have been assigned the task of documenting Dub 5’s order-processing system.

Customer orders, which are all credit sales, arrive via e-mail and by phone. When an order is processed, the
following documents are created:

 Order processing creates a packing slip, which the warehouse uses to fill the order.

 A customer invoice is prepared and sent once the goods have been shipped.

 When orders are not accepted, an order rejection is sent to the customer, explaining why the order
cannot be filled.

 A receivables notice, which is a copy of the customer invoice, is sent to the accounting department
so accounts receivable records can be updated.

After reviewing your notes, you write the following narrative summary:

When an order comes in, the order-processing clerk checks the customer’s credit file to confirm credit
approval and ensure that the amount falls within the credit limit. If either of these conditions is not met,
the order is sent to the credit department. If an order meets both conditions, the order-processing clerk
enters it into the system on a standard order form. The data on the form is used to update the company’s
customer file (in which the name, address, and other data are stored), and the form is placed in the
company’s open order file.

When the credit department receives a rejected order, the credit clerk determines why the order has been
rejected. If the credit limit has been exceeded, the customer is notified that the merchandise will be
shipped as soon as Dub 5 receives payment. If the customer has not been approved for credit, a credit
application is sent to the customer along with a notification that the order will be shipped as soon as credit
approval is granted.

Before preparing a packing slip, the system checks the inventory records to determine whether the
company has the products ordered on hand. If the items are in stock, a packing slip is prepared and sent to
the warehouse.

Once notification of shipped goods has been received from the warehouse, a customer invoice is prepared.
A copy is filed by the order-processing department, another is sent to the customer, and another is sent to
the accounting department so that accounts receivables can be updated. A note is placed in the customer
file indicating that the invoice has been sent.

REQUIRED

From the information presented, complete a context diagram, a Level 0 DFD for order processing, and a
Level 1 DFD for the credit review process for Dub 5.

Level 0 DFD for Dub 5:

3-1 Level 1 DFD for Dub 5:

Note: The Order Rejection notice shown on the context level diagram and the level 0 diagram can take two
forms: The Over Credit Limit Notice or the Credit Application. These two items are shown on the level 1
DFD.
