【P1】Key points on internal control over information systems
1、 What are some of the threats to information systems and data that systems controls can address?
Threats to information systems and data include:
1) Errors in system design.
2) Errors or deliberate manipulation can occur at the input stage.
3) Data can be stolen over the Internet.
4) Data and intellectual property, including trade secrets, can be stolen by employees.
5) Unauthorized alterations can be made to programs by programmers adding instructions that divert assets to their own use.
6) Data and programs can be damaged.
7) Data can be altered directly in the data file without any transaction being recorded, so the change leaves no audit trail by which it could be detected.
8) Viruses, Trojan Horses, and worms can infect a system, causing a system crash, stealing data, or damaging data.
9) Hardware can be stolen.
10) Physical facilities and the data maintained in them can be damaged by natural disasters, illegal activity or sabotage.
2、 What are the two types of systems controls?
The two types of systems controls are general controls, which relate to the environment, and application controls, which are specific to individual applications and are designed to prevent, detect and correct errors and irregularities in transactions during the input, processing and output stages.
3、 The most important organizational and operating general control is the segregation of duties. There are specific duties in the IT environment that should be separate from one another.
IS department personnel should be separated from the departments and personnel that they support (called “users”). This means:
1) Users initiate and authorize all systems changes, and a formal written authorization is required.
2) Asset custody remains with the user departments.
3) An error log is maintained and referred to the user for correction. The data control group follows up on errors.
4、 List examples of segregation of duties from other departments within the IS department as an example of a general computer control.
Effective segregation of duties should be instituted by separating the authority for and the responsibility within the IS function. Examples include:
1) Systems analysts should not do programming, nor should they have access to hardware, software or data files.
2) Programmers should not have the authority, opportunity or ability to make any changes in master records or files.
3) Computer operators should not have programming functions and should not be able to modify any programs.
4) The data control group should be organizationally independent of computer operations.
5) Data conversion operators should have no access to the library or to program documentation, nor should they have any input/output control responsibilities.
6) Librarians should have no access to equipment. The librarian should restrict access to the data files and programs to authorized personnel at scheduled times.
5、 List 3 reasons for implementing systems development controls at the beginning of the system development process, and describe the goals of these controls.
Controls are instituted at the beginning of the systems development process for several reasons including:
1) To ensure that all changes are properly authorized and are not made by individuals who lack sufficient understanding of control procedures, proper approvals and the need for adequate testing.
2) To prevent errors in the resulting system that could cause major data processing errors.
3) To limit the potential for a myriad of other problems during the development process and after its completion.
Implementing systems development controls during the development stage of an information system enhances the ultimate accuracy, validity, safety, security and adaptability of the new system’s input, processing, output and storage functions.
6、 What are the 7 stages of system development where controls should be considered for implementation?
There are 7 stages in the system development process where controls should be considered for implementation:
1) Statement of Objectives Stage
2) Investigation and Feasibility Study Stage
3) Systems Analysis Stage
4) Systems Design and Development Stage
5) Program Coding and Testing Stage
6) Systems Implementation Stage
7) Systems Evaluation and Maintenance Stage
7、 What are input controls in an information system and why are they necessary?
Input controls are the controls designed to provide reasonable assurance that data entered into the system has proper authorization, has been converted to machine-sensible form and has been entered accurately. Input controls can also provide some assurance that data has not been lost, suppressed, added or changed.
Input is the stage where there is the most human involvement and, as a result, the risk of errors is higher than in the processing and output stages. Most errors in systems are the result of input errors. If information is not entered correctly, the output will be useless. Effective input controls are vital.
The three classifications of input controls are:
1) Data observation and recording.
2) Data transcription.
3) Edit tests.
8、 What are processing controls and why are they necessary?
Processing controls are controls designed to provide reasonable assurance that processing has occurred properly and that no transactions have been lost or incorrectly added.
Processing controls prevent or discourage the improper manipulation of data and ensure satisfactory operation of hardware and software.
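The edit tests of question 7 and the "no transactions lost or incorrectly added" assurance of question 8 are easiest to see in code. The block below is an added example, not part of the original notes: it runs completeness, validity, numeric, limit and format edit tests over a constructed sample batch, writes rejects to an error log for the user department, and computes batch control totals (record count, financial total, hash total) that the data control group can reconcile before and after each processing step. The field names, account list and amount limit are assumptions chosen for illustration.

```python
"""Added example, not part of the original notes: input edit tests
(question 7) and batch control totals as a processing control (question 8),
run over a constructed sample batch.  Field names, the account list and the
amount limit are assumptions chosen for illustration.
"""
from datetime import date
from decimal import Decimal, InvalidOperation

VALID_ACCOUNTS = {"1010", "2020", "4040"}   # assumed subset of the account master file
MAX_AMOUNT = Decimal("10000.00")            # assumed limit for a single entry
REQUIRED = ("id", "account", "amount", "date")

# Constructed sample batch; each bad record fails exactly one edit test.
SAMPLE_BATCH = [
    {"id": "T1", "account": "1010", "amount": "250.00", "date": "2024-03-01"},
    {"id": "T2", "account": "9999", "amount": "75.50", "date": "2024-03-01"},     # unknown account
    {"id": "T3", "account": "2020", "amount": "12abc", "date": "2024-03-02"},     # non-numeric amount
    {"id": "T4", "account": "4040", "amount": "50000.00", "date": "2024-03-02"},  # over the limit
    {"id": "T5", "account": "4040", "amount": "100.00", "date": "2024/03/02"},    # bad date format
    {"id": "T6", "account": "2020", "amount": "", "date": "2024-03-03"},          # missing amount
    {"id": "T7", "account": "1010", "amount": "99.99", "date": "2024-03-03"},
]


def edit_tests(rec):
    """Return the list of edit-test failures for one record (empty list = accepted)."""
    errors = []
    for field in REQUIRED:                                   # completeness check
        if not rec.get(field):
            errors.append(f"missing {field}")
    if rec.get("account") and rec["account"] not in VALID_ACCOUNTS:   # validity check
        errors.append(f"unknown account {rec['account']}")
    if rec.get("amount"):                                    # numeric, sign and limit checks
        try:
            amount = Decimal(rec["amount"])
            if amount <= 0:
                errors.append("amount must be positive")
            elif amount > MAX_AMOUNT:
                errors.append(f"amount {amount} exceeds limit {MAX_AMOUNT}")
        except InvalidOperation:
            errors.append(f"amount {rec['amount']!r} is not numeric")
    if rec.get("date"):                                      # format check (YYYY-MM-DD)
        try:
            date.fromisoformat(rec["date"])
        except ValueError:
            errors.append(f"date {rec['date']!r} is not YYYY-MM-DD")
    return errors


def batch_totals(records):
    """Control totals: record count, financial total, and a hash total of account numbers
    (a sum with no business meaning, kept only to detect lost or altered records)."""
    return {
        "record_count": len(records),
        "financial_total": sum((Decimal(r["amount"]) for r in records), Decimal(0)),
        "hash_total": sum(int(r["account"]) for r in records),
    }


def process_batch(records):
    """Apply edit tests; accepted records go on, rejects go to the error log for the user."""
    accepted, error_log = [], []
    for rec in records:
        errors = edit_tests(rec)
        if errors:
            error_log.append({"id": rec.get("id"), "errors": errors})
        else:
            accepted.append(rec)
    return accepted, error_log, batch_totals(accepted)


def reconcile(expected, actual):
    """Compare control totals before and after a processing step; any difference
    means records were lost, duplicated or altered in between."""
    return {k: (expected[k], actual[k]) for k in expected if expected[k] != actual[k]}


if __name__ == "__main__":
    accepted, error_log, totals = process_batch(SAMPLE_BATCH)
    for entry in error_log:
        print(entry["id"], "rejected:", "; ".join(entry["errors"]))
    print("accepted totals:", totals)
    # Simulate a record dropped in a later processing step and show the mismatch.
    print("mismatch:", reconcile(totals, batch_totals(accepted[:-1])))
```

Run as a script it prints the five rejects, the control totals of the two accepted records, and the mismatch that appears when one accepted record is dropped downstream. The rejects are not silently discarded: they are logged and returned to the user department for correction, which is the error-log arrangement described under segregation of duties above.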
9、 What are output controls and why are they necessary?
10、 What are the risks of using the Internet for data transmission instead of using secure transmission lines?
Risks of using the Internet for data transmission instead of secure transmission lines include:
1) Electronic eavesdropping.
2) Computer viruses, trojan horses and worms.
3) Intrusions into the telephone company lines and the company’s computer network.
4) Network integrity violations.
5) Privacy violations.
6) Industrial espionage.
7) Unauthorized use, access, modification, and destruction of hardware, software, data or network resources.
8) Unauthorized release of information (credit card numbers, social security numbers, identity theft).
9) Unauthorized copying of software and other copyright infringement.
10) Denying an end user access to his or her own hardware, software, data or network resources (denial-of-service, or DoS, attacks).
11) Use of a computer or network resources to illegally obtain information or property.
11、What is data encryption and why is it needed when using the Internet?
Encryption is the best protection against traffic interception resulting in data leaks and possible corruption of data. Encryption converts readable data (plaintext) into a coded form (ciphertext), and a key is required to convert the ciphertext back into data. Unauthorized parties, who do not have the proper key, cannot read it. Thus, an attacker may be able to see where the traffic came from and where it went, but not the content.
The encryption process can be implemented either in hardware or in software.
There are two methods of software encryption: secret key (symmetric, where the same key both encrypts and decrypts, so the key itself must be shared secretly) and public key/private key (asymmetric, where each party has a public key that can be freely distributed and a private key that is never shared).
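The following is an added example, not part of the original notes, that models both methods with nothing but the Python standard library: a Diffie-Hellman exchange (the public key/private key method) lets two parties derive the same secret key without transmitting it, and that key then drives a secret-key cipher whose output is unreadable without the key. The packet envelope (source and destination) is left in the clear to show exactly what an eavesdropper still learns. The group parameters are written from memory as the 1024-bit MODP group of RFC 2409 (Oakley group 2) and should be checked against the RFC; the packet layout and sample payload are invented for illustration, and a real system should use a vetted library (TLS, AES-GCM, X25519) rather than this construction.

```python
"""Added example, not part of the original notes: a stdlib-only model of
encrypted transmission showing both encryption methods named above.

- Public-key/private-key method: Diffie-Hellman key agreement, so the two
  ends derive the same secret key without ever sending it over the network.
- Secret-key method: a keystream derived from HMAC-SHA256 in counter mode,
  XORed with the payload, plus an encrypt-then-MAC tag so that a wrong key
  or any corruption of the ciphertext is detected instead of yielding garbage.

Assumptions: P and G below are taken from memory as RFC 2409 Oakley group 2
and should be verified against the RFC; the packet layout is invented.
Production systems should use a vetted library, not this construction.
"""
import hashlib
import hmac
import secrets

# Assumed: RFC 2409 second Oakley group (1024-bit MODP), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
NONCE_LEN = 16
TAG_LEN = 32


def dh_keypair():
    """Private key: a random exponent kept secret; public key: G^priv mod P."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared_key(priv, peer_pub):
    """Both sides compute G^(a*b) mod P; hash it down to a 32-byte secret key."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()


def _subkeys(key):
    """Separate keys for encryption and for the integrity tag."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode used as a pseudorandom keystream."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key, blob):
    """Check the tag first; a wrong key or any modification raises instead of decrypting."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or corrupted data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def build_packet(src, dst, key, payload):
    """The envelope (who talked to whom) stays readable; only the payload is encrypted."""
    return {"src": src, "dst": dst, "body": encrypt(key, payload)}


if __name__ == "__main__":
    a_priv, a_pub = dh_keypair()        # sender's key pair
    b_priv, b_pub = dh_keypair()        # receiver's key pair
    key = dh_shared_key(a_priv, b_pub)  # sender derives the secret key ...
    assert key == dh_shared_key(b_priv, a_pub)  # ... and the receiver derives the same one
    pkt = build_packet("10.0.0.5", "203.0.113.9", key, b"invoice 1042 total 250.00")
    print("eavesdropper sees:", pkt["src"], "->", pkt["dst"], pkt["body"].hex()[:32] + "...")
    print("receiver reads:", decrypt(key, pkt["body"]))
```

Note the tag: encryption alone hides the content but does not by itself detect corruption or deliberate modification of the ciphertext, which is why the example authenticates every message before decrypting it. That integrity check, not the encryption, is what addresses the "possible corruption of data" mentioned above.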
12、What is a disaster recovery plan and why is it needed?
An organization should have a formal disaster recovery plan to fall back on in the event of a hurricane, fire, earthquake, flood, or criminal or terrorist act.
The objective of a disaster recovery plan is to minimize the extent of disruptions, damages and losses, and to temporarily establish alternative means of processing information.
13、What should a disaster recovery plan include?
A disaster recovery plan should include:
1) Which employees will participate in disaster recovery and what their responsibilities will be.
2) What hardware, software, and facilities will be used.
3) The priority of applications that should be processed.
4) Arrangements for alternative facilities as a disaster recovery site and offsite storage of the company’s databases. An alternative facility might be a different facility owned by the company; or it might be a facility contracted by a different company. The different locations should be a good distance away from the original processing site.
Disaster recovery sites may be either hot sites or cold sites. A hot site is a backup facility that has a computer system similar to the one used regularly and is fully operational and immediately available. A cold site is a facility where power and space are available to install processing equipment, but it is not immediately available.