【P1】Key points on information systems internal controls
  1、 What are some of the threats to information systems and data that systems controls can address?
  Threats to information systems and data include:
  1) Errors in system design.
  2) Errors can occur in input or input manipulation.
  3) Data can be stolen over the Internet.
  4) Data and intellectual property, including trade secrets, can be stolen by employees.
  5) Unauthorized alterations can be made to programs by programmers adding instructions that divert assets to their own use.
  6) Data and programs can be damaged.
  7) Data can be altered directly in the data file without recording any transaction that can be detected.
  8) Viruses, Trojan Horses, and worms can infect a system, causing a system crash, stealing data, or damaging data.
  9) Hardware can be stolen.
  10) Physical facilities and the data maintained in them can be damaged by natural disasters, illegal activity or sabotage.
  2、 What are the two types of systems controls?
  The two types of systems controls are general controls, which relate to the environment, and application controls, which are specific to individual applications and are designed to prevent, detect and correct errors and irregularities in transactions during the input, processing and output stages.
  3、 The most important organizational and operating general control is the segregation of duties. There are specific duties in the IT environment that should be separate from one another.
  IS department personnel should be separated from the departments and personnel that they support (called "users"). This means:
  1) Users initiate and authorize all systems changes, and a formal written authorization is required.
  2) Asset custody remains with the user departments.
  3) An error log is maintained and referred to the user for correction. The data control group follows up on errors.
  4、 List examples of segregation of duties from other departments within the IS department as an example of a general computer control.
  Effective segregation of duties should be instituted by separating the authority for and the responsibility within the IS function. Examples include:
  1) Systems analysts should not do programming, nor should they have access to hardware, software or data files.
  2) Programmers should not have the authority, opportunity or ability to make any changes in master records or files.
  3) Computer operators should not have programming functions and should not be able to modify any programs.
  4) The data control group should be organizationally independent of computer operations.
  5) Data conversion operators should have no access to the library or to program documentation, nor should they have any input/output control responsibilities.
  6) Librarians should have no access to equipment. The librarian should restrict access to the data files and programs to authorized personnel at scheduled times.
  5、 List 3 reasons for implementing systems development controls at the beginning of the system development process, and describe the goals of these controls.
  Controls are instituted at the beginning of the systems development process for several reasons, including:
  1) To ensure that all changes are properly authorized and are not made by individuals who lack sufficient understanding of control procedures, proper approvals and the need for adequate testing.
  2) To prevent errors in the resulting system that could cause major data processing errors.
  3) To limit the potential for a myriad of other problems during the development process and after its completion.
  Implementing systems development controls during the development stage of an information system enhances the ultimate accuracy, validity, safety, security and adaptability of the new system's input, processing, output and storage functions.
  6、 What are the 7 stages of system development where controls should be considered for implementation?
  There are 7 stages in the system development process where controls should be considered for implementation:
  1) Statement of Objectives Stage
  2) Investigation and Feasibility Study Stage
  3) Systems Analysis Stage
  4) Systems Design and Development Stage
  5) Program Coding and Testing Stage
  6) Systems Implementation Stage
  7) Systems Evaluation and Maintenance Stage
  7、 What are input controls in an information system and why are they necessary?
  Input controls are the controls designed to provide reasonable assurance that data entered into the system has proper authorization, has been converted to machine-sensible form and has been entered accurately. Input controls can also provide some assurance that data has not been lost, suppressed, added or changed.
  Input is the stage where there is the most human involvement and, as a result, the risk of errors is higher than in the processing and output stages. Most errors in systems are the result of input errors. If information is not entered correctly, the output will be useless. Effective input controls are vital.
  The three classifications of input controls are:
  1) Data observation and recording.
  2) Data transcription.
  3) Edit tests.
  8、 What are processing controls and why are they necessary?
  Processing controls are controls designed to provide reasonable assurance that processing has occurred properly and that no transactions have been lost or incorrectly added.
  Processing controls prevent or discourage the improper manipulation of data and ensure satisfactory operation of hardware and software.
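To make the input controls of question 7 and the processing controls of question 8 concrete, the following is an added example (not part of the original study notes) that runs edit tests over a constructed, deliberately flawed batch of timesheet records and then compares the keyed batch against an independently prepared control slip, so that lost, added or altered records are detected. The record layout, the authorized-approver list and the control slip values are all assumptions made for the illustration.

```python
"""Input edit tests plus batch control totals over a constructed timesheet batch."""
from datetime import date

# Assumed reference data for the validity and authorization checks.
AUTHORIZED_APPROVERS = {"A101", "A102"}
VALID_DEPTS = {"10", "20", "30"}

# Constructed batch as keyed in; each flaw is labelled with the edit test that catches it.
BATCH = [
    {"emp_id": "000123", "dept": "10", "hours": 40.0, "approver": "A101", "date": "2015-03-02"},
    {"emp_id": "000124", "dept": "20", "hours": 38.5, "approver": "A102", "date": "2015-03-02"},
    {"emp_id": "00012X", "dept": "20", "hours": 42.0, "approver": "A102", "date": "2015-03-02"},   # field check
    {"emp_id": "000126", "dept": "99", "hours": 40.0, "approver": "A101", "date": "2015-03-02"},   # validity check
    {"emp_id": "000127", "dept": "30", "hours": 400.0, "approver": "A101", "date": "2015-03-02"},  # limit check
    {"emp_id": "000128", "dept": "30", "hours": 40.0, "approver": "Z999", "date": "2015-03-02"},   # authorization
]
# Constructed control slip prepared from the source documents before keying:
# seven documents were approved, totalling 280.5 hours (one record was lost in keying,
# and 40.0 hours was keyed as 400.0).
CONTROL_SLIP = {"count": 7, "hours_total": 280.5}


def edit_tests(rec):
    """Return the list of edit-test failures for one record (empty list = record passes)."""
    errors = []
    if not (rec["emp_id"].isdigit() and len(rec["emp_id"]) == 6):
        errors.append("field check: emp_id must be 6 digits")
    if rec["dept"] not in VALID_DEPTS:
        errors.append("validity check: unknown dept")
    if not 0 < rec["hours"] <= 80:
        errors.append("limit check: hours outside 0-80")
    if rec["approver"] not in AUTHORIZED_APPROVERS:
        errors.append("authorization check: approver not authorized")
    try:
        date.fromisoformat(rec["date"])
    except ValueError:
        errors.append("format check: date is not YYYY-MM-DD")
    return errors


def batch_controls(records, slip):
    """Record count and hash total of hours versus the control slip: detects lost or added records."""
    findings = []
    if len(records) != slip["count"]:
        findings.append(f"record count {len(records)} != control count {slip['count']}")
    total = round(sum(r["hours"] for r in records), 2)
    if total != slip["hours_total"]:
        findings.append(f"hours total {total} != control total {slip['hours_total']}")
    return findings


def review_batch(records, slip):
    """Edit-test every record, then apply batch controls; the result is the error log for the user."""
    record_errors = {i: e for i, r in enumerate(records) for e in [edit_tests(r)] if e}
    return {"record_errors": record_errors, "batch_errors": batch_controls(records, slip)}
```

Records that fail edit tests go to the error log for the user department to correct, and the batch is not released to processing until the control totals agree.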
  9、 What are output controls and why are they necessary?
  10、 What are the risks of using the Internet for data transmission instead of using secure transmission lines?
  Risks of using the Internet for data transmission instead of secure transmission lines include:
  1) Electronic eavesdropping.
  2) Computer viruses, trojan horses and worms.
  3) Intrusions into the telephone company lines and the company's computer network.
  4) Network integrity violations.
  5) Privacy violations.
  6) Industrial espionage.
  7) Unauthorized use, access, modification, and destruction of hardware, software, data or network resources.
  8) Unauthorized release of information (credit card numbers, social security numbers, identity theft).
  9) Unauthorized copying of software and other copyright infringement.
  10) Denying an end user access to his or her own hardware, software, data or network resources (denial-of-service, DoS, attacks).
  11) Use of a computer or network resources to illegally obtain information or property.
  11、What is data encryption and why is it needed when using the Internet?
  Encryption is the best protection against traffic interception resulting in data leaks and possible corruption of data. Encryption converts data into a code, and then a key is required to convert the code back to data. Unauthorized parties, who do not have the proper key, cannot read it. Thus, an attacker may be able to see where the traffic came from and where it went, but not the content.
  The encryption process can be either in the hardware or in the software.
  There are two methods of software encryption: secret key and public key/private key.
  12、What is a disaster recovery plan and why is it needed?
  An organization should have a formal disaster recovery plan to fall back on in the event of a hurricane, fire, earthquake, flood, or criminal or terrorist act.
  The objective of a disaster recovery plan is to minimize the extent of disruptions, damages and losses, and to temporarily establish alternative means of processing information.
  13、What should a disaster recovery plan include?
  A disaster recovery plan should include:
  1) Which employees will participate in disaster recovery and what their responsibilities will be.
  2) What hardware, software, and facilities will be used.
  3) The priority of applications that should be processed.
  4) Arrangements for alternative facilities as a disaster recovery site and offsite storage of the company's databases. An alternative facility might be a different facility owned by the company, or it might be a facility contracted by a different company. The different locations should be a good distance away from the original processing site.
  Disaster recovery sites may be either hot sites or cold sites. A hot site is a backup facility that has a computer system similar to the one used regularly and is fully operational and immediately available. A cold site is a facility where power and space are available to install processing equipment, but it is not immediately available.
