Chapter 16—IT Controls Part II: Security and Access

TRUE/FALSE

1. In a computerized environment, the audit trail log must be printed onto paper documents.

ANS: F

2. Disguising message packets to look as if they came from another user and to gain access to the host’s
network is called spooling.

ANS: F

3. Access controls take on increased importance in a computerized environment because all of the
records may be found in one place.

ANS: T

4. Computer viruses usually spread throughout the system before being detected.

ANS: T

5. A worm is software program that replicates itself in areas of idle memory until the system fails.

ANS: T

6. Viruses rarely attach themselves to executable files.

ANS: F

7. Subschemas are used to authorize user access privileges to specific data elements.

ANS: F

8. A recovery module suspends all data processing while the system reconciles its journal files against
the database.

ANS: F

9. The Database Management System controls program files.

ANS: F

10. Operating system controls are of interest to system professionals but should not concern accountants
and auditors.

ANS: F

11. The most frequent victims of program viruses are microcomputers.

ANS: T
12. Access controls protect databases against destruction, loss or misuse through unauthorized access.

ANS: T

13. Operating system integrity is not of concern to accountants because only hardware risks are involved.

ANS: F

14. Audit trails in computerized systems are comprised of two types of audit logs: detailed logs of
individual keystrokes and event-oriented logs.

ANS: T

15. In a telecommunications environment, line errors can be detected by using an echo check.

ANS: T

16. Firewalls are special materials used to insulate computer facilities

ANS: F

17. The message authentication code is calculated by the sender and the receiver of a data transmission.

ANS: T

18. The request-response technique should detect if a data communication transmission has been diverted.

ANS: T

19. Electronic data interchange translation software interfaces with the sending firm and the value added
network.

ANS: F

20. A value added network can detect and reject transactions by unauthorized trading partners.

ANS: T

21. Electronic data interchange customers may be given access to the vendor's data files.

ANS: T

22. The audit trail for electronic data interchange transactions is stored on magnetic media.

ANS: T

23. A firewall is a hardware partition designed to protect networks from power surges.

ANS: F

24. To preserve audit trails in a CBIS environment, transaction logs are permanent records of transactions.

ANS: T
25. Examining programmer authority tables for information about who has access to Data Definition
Language commands will provide evidence about who is responsible for creating subschemas.

ANS: T

MULTIPLE CHOICE

1. The operating system performs all of the following tasks except

a. translates third-generation languages into machine language
b. assigns memory to applications
c. authorizes user access
d. schedules job processing
ANS: C

2. Which of the following is considered an unintentional threat to the integrity of the operating system?
a. a hacker gaining access to the system because of a security flaw
b. a hardware flaw that causes the system to crash
c. a virus that formats the hard drive
d. the systems programmer accessing individual user files
ANS: B

3. A software program that replicates itself in areas of idle memory until the system fails is called a
a. Trojan horse
b. worm
c. logic bomb
d. none of the above
ANS: B

4. A software program that allows access to a system without going through the normal logon procedures
is called a
a. logic bomb
b. Trojan horse
c. worm
d. back door
ANS: D

5. All of the following will reduce the exposure to computer viruses except
a. install antivirus software
b. install factory-sealed application software
c. assign and control user passwords
d. install public-domain software from reputable bulletin boards
ANS: D

6. Which backup technique is most appropriate for sequential batch systems?

a. grandfather-father-son approach
b. staggered backup approach
c. direct backup
d. remote site, intermittent backup
 ANS: A

7. When creating and controlling backups for a sequential batch system,

a. the number of backup versions retained depends on the amount of data in the file
b. off-site backups are not required
c. backup files can never be used for scratch files
d. the more significant the data, the greater the number of backup versions
ANS: D

8. Hackers can disguise their message packets to look as if they came from an authorized user and gain
access to the host’s network using a technique called
a. spoofing.
b. spooling.
c. dual-homed.
d. screening.
ANS: A

9. In a direct access file system

a. backups are created using the grandfather-father-son approach
b. processing a transaction file against a maser file creates a backup file
c. files are backed up immediately before an update run
d. if the master file is destroyed, it cannot be reconstructed
ANS: C

10. Which of the following is not an access control in a database system?

a. antivirus software
b. database authorization table
c. passwords
d. voice prints
ANS: A

11. Which is not a biometric device?

a. password
b. retina prints
c. voice prints
d. signature characteristics
ANS: A

12. Which of the following is not a basic database backup and recovery feature?
a. checkpoint
b. backup database
c. transaction log
d. database authority table
ANS: D

13. All of the following are objectives of operating system control except
a. protecting the OS from users
b. protesting users from each other
c. protecting users from themselves
d. protecting the environment from users
 ANS: D

14. Passwords are secret codes that users enter to gain access to systems. Security can be compromised by
all of the following except
a. failure to change passwords on a regular basis
b. using obscure passwords unknown to others
c. recording passwords in obvious places
d. selecting passwords that can be easily detected by computer criminals
ANS: B

15. Audit trails cannot be used to

a. detect unauthorized access to systems
b. facilitate reconstruction of events
c. reduce the need for other forms of security
d. promote personal accountability
ANS: C

16. Which control will not reduce the likelihood of data loss due to a line error?
a. echo check
b. encryption
c. vertical parity bit
d. horizontal parity bit
ANS: B

17. Which method will render useless data captured by unauthorized receivers?
a. echo check
b. parity bit
c. public key encryption
d. message sequencing
ANS: C

18. Which method is most likely to detect unauthorized access to the system?
a. message transaction log
b. data encryption standard
c. vertical parity check
d. request-response technique
ANS: A

19. All of the following techniques are used to validate electronic data interchange transactions except
a. value added networks can compare passwords to a valid customer file before message
transmission
b. prior to converting the message, the translation software of the receiving company can
compare the password against a validation file in the firm's database
c. the recipient's application software can validate the password prior to processing
d. the recipient's application software can validate the password after the transaction has been
processed
ANS: D

20. In an electronic data interchange environment, customers routinely access

 a. the vendor's price list file
b. the vendor's accounts payable file
c. the vendor's open purchase order file
d. none of the above
ANS: A

21. All of the following tests of controls will provide evidence that adequate computer virus control
techniques are in place and functioning except
a. verifying that only authorized software is used on company computers
b. reviewing system maintenance records
c. confirming that antivirus software is in use
d. examining the password policy including a review of the authority table
ANS: B

22. Audit objectives for the database management include all of the following except
a. verifying that the security group monitors and reports on fault tolerance violations
b. confirming that backup procedures are adequate
c. ensuring that authorized users access only those files they need to perform their duties
d. verifying that unauthorized users cannot access data files
ANS: A

23. All of the following tests of controls will provide evidence that access to the data files is limited except
a. inspecting biometric controls
b. reconciling program version numbers
c. comparing job descriptions with access privileges stored in the authority table
d. attempting to retrieve unauthorized data via inference queries
ANS: B

24. Audit objectives for communications controls include all of the following except
a. detection and correction of message loss due to equipment failure
b. prevention and detection of illegal access to communication channels
c. procedures that render intercepted messages useless
d. all of the above
ANS: D

25. When auditors examine and test the call-back feature, they are testing which audit objective?
a. incompatible functions have been segregated
b. application programs are protected from unauthorized access
c. physical security measures are adequate to protect the organization from natural disaster
d. illegal access to the system is prevented and detected
ANS: D

26. In an Electronic Data Interchange (EDI) environment, when the auditor compares the terms of the
trading partner agreement against the access privileges stated in the database authority table, the
auditor is testing which audit objective?
a. all EDI transactions are authorized
b. unauthorized trading partners cannot gain access to database records
c. authorized trading partners have access only to approved data
d. a complete audit trail is maintained
 ANS: C

27. Audit objectives in the Electronic Data Interchange (EDI) environment include all of the following
except
a. all EDI transactions are authorized
b. unauthorized trading partners cannot gain access to database records
c. a complete audit trail of EDI transactions is maintained
d. backup procedures are in place and functioning properly
ANS: D

28. In determining whether a system is adequately protected from attacks by computer viruses, all of the
following policies are relevant except
a. the policy on the purchase of software only from reputable vendors
b. the policy that all software upgrades are checked for viruses before they are implemented
c. the policy that current versions of antivirus software should be available to all users
d. the policy that permits users to take files home to work on them
ANS: D

29. Which of the following is not a test of access controls?

a. biometric controls
b. encryption controls
c. backup controls
d. inference controls
ANS: C

30. In an electronic data interchange environment, customers routinely

a. access the vendor's accounts receivable file with read/write authority
b. access the vendor's price list file with read/write authority
c. access the vendor's inventory file with read-only authority
d. access the vendor's open purchase order file with read-only authority
ANS: C

31. In an electronic data interchange environment, the audit trail

a. is a printout of all incoming and outgoing transactions
b. is an electronic log of all transactions received, translated, and processed by the system
c. is a computer resource authority table
d. consists of pointers and indexes within the database
ANS: B

32. All of the following are designed to control exposures from subversive threats except
a. firewalls
b. one-time passwords
c. field interrogation
d. data encryption
ANS: C

33. Many techniques exist to reduce the likelihood and effects of data communication hardware failure.
One of these is
a. hardware access procedures
b. antivirus software
 c. parity checks
d. data encryption
ANS: C

34. Which of the following deal with transaction legitimacy?

a. transaction authorization and validation
b. access controls
c. EDI audit trail
d. all of the above
ANS: D

35. Firewalls are

a. special materials used to insulate computer facilities
b. a system that enforces access control between two networks
c. special software used to screen Internet access
d. none of the above
ANS: B

36. The database attributes that individual users have permission to access are defined in
a. operating system.
b. user manual.
c. database schema.
d. user view.
e. application listing.
ANS: D

37. An integrated group of programs that supports the applications and facilitates their access to specified
resources is called a (an)
a. operating system.
b. database management system.
c. utility system
d. facility system.
e. object system.
ANS: A

SHORT ANSWER

1. Briefly define an operating system.

ANS:
An integrated group of programs that supports the applications and facilitates their access to specified
resources.

2. What is a virus?

ANS:
A virus is a program that attaches itself to another legitimate program in order to penetrate the
operating system.

3. Describe one benefit of using a call-back device.

 ANS:
Access to the system is achieved when the call-back device makes contact with an authorized user.
This reduces the chance of an intruder gaining access to the system from an unauthorized remote
location.

4. Contrast the Private Encryption Standard approach with the Public Key Encryption approach to
controlling access to telecommunication messages.

ANS:
In the Private Encryption Standard approach, both the sender and the receiver use the same key to
encode and decode the message. In the Public Key Encryption approach all senders receive a copy of
the key used to send messages; the receiver is the only one with access to the key to decode the
message.

5. List three methods of controlling unauthorized access to telecommunication messages.

ANS:
call-back devices, data encryption, message sequence numbering, message authentication codes,
message transaction logs, and request-response technique

6. Describe two ways that passwords are used to authorize and validate messages in the electronic data
interchange environment.

ANS:
value-added networks use passwords to detect unauthorized transactions before they are transmitted to
recipients; the recipient of the message can validate the password prior to translating the message; the
recipient of the message can validate the password prior to processing the transaction

7. Explain how transactions are audited in an electronic data interchange environment.

ANS:
Firms using electronic data interchange maintain an electronic log of each transaction as it moves from
receipt to translation to communication of the message. This transaction log restores the audit trail that
was lost because no source documents exist. Verification of the entries in the log is part of the audit
process.

8. Describe are some typical problems with passwords?

ANS:
users failing to remember passwords; failure to change passwords frequently; displaying passwords
where others can see them; using simple, easy-to-guess passwords

9. Discuss the key features of the one-time password technique:

ANS:
The one-time password was designed to overcome the problems associated with reusable passwords.
The user’s password changes continuously.
This technology employs a credit card-sized smart card that contains a microprocessor programmed
with an algorithm that generates, and electronically displays, a new and unique password every 60
seconds.
 The card works in conjunction with special authentication software located on a mainframe or network
server computer. Each user’s card is synchronized to the authentication software, so that at any point
in time both the smart card and the network software are generating the same password for the same
user.

10. Describe two tests of controls that would provide evidence that the database management system is
protected against unauthorized access attempts.

ANS:
compare job descriptions with authority tables; verify that database administration employees have
exclusive responsibility for creating authority tables and designing user subschemas; evaluate
biometric and inference controls

11. What is event monitoring?

ANS:
Event monitoring summarizes key activities related to system resources. Event logs typically record
the IDs of all users accessing the system; the time and duration of a user’s session; programs that were
executed during a session; and the files, databases, printers, and other resources accessed.

12. What are the auditor's concerns in testing EDI controls?

ANS:
When testing EDI controls, the auditor's primary concerns are related to ascertaining that EDI
transactions are authorized, validated, and in compliance with organization policy, that no
unauthorized organizations gain access to records, that authorized trading partners have access only to
approved data, and that adequate controls are in place to maintain a complete audit trail.

13. What is a database authorization table?

ANS:
The database authorization table contains rules that limit the actions a user can take. Each user is
granted certain privileges that are coded in the authority table, which is used to verify the user’s action
requests.

14. What is a user-defined procedure?

ANS:
A user-defined procedure allows the user to create a personal security program or routine to provide
more positive user identification than a password can. For example, in addition to a password, the
security procedure asks a series of personal questions (such as the user’s mother’s maiden name),
which only the legitimate user is likely to know.

15. What are biometric devices?

ANS:
Biometric devices measure various personal characteristics such as fingerprints, voiceprints, retina
prints, or signature characteristics. These user characteristics are digitized and stored permanently in a
database security file or on an identification card that the user carries. When an individual attempts to
access the database, a special scanning device captures his or her biometric characteristics, which it
compares with the profile data stored internally or on the ID card. If the data do not match, access is
denied.
 ESSAY

1. What are the three security objectives of audit trails? Explain.

ANS:
Audit trails support system security objectives in three ways. By detecting unauthorized access to the
system, the audit trail protects the system from outsiders trying to breach system controls. By
monitoring system performance, changes in the system may be detected. The audit trail can also
contribute to reconstructing events such as system failures, security breaches, and processing errors. In
addition, the ability to monitor user activity can support increased personal accountability.

2. What is an operating system? What does it do? What are operating system control objectives?

ANS:
An operating system is a computer’s control program. It controls user sharing of applications and
resources such as processors, memory, databases, and peripherals such as printers. Common PC
operating systems include Windows 2000, Windows NT, and Linux.

An operating system carries out three primary functions: translating high level languages into machine
language using modules called compilers and interpreters; allocating computer resources to users,
workgroups, and applications; and managing job scheduling and multiprogramming.

Operating systems have five basic control objectives:

1. to protect itself from users,
2. to protect users from each other,
3. to protect users from themselves,
4. to protect it from itself, and
5. to protect itself from its environment.

3. Discus three sources of exposure (threats) to the operating system.

ANS:
1. Privileged personnel who abuse their authority. Systems administrators and systems programmers
require unlimited access to the operating system to perform maintenance and to recover from system
failures. Such individuals may use this authority to access users’ programs and data files.
2. Individuals both internal and external to the organization who browse the operating system to
identify and exploit security flaws.
3. Individuals who intentionally (or accidentally) insert computer viruses or other forms of destructive
programs into the operating system.

4. There are many techniques for breaching operating system controls. Discuss three.

ANS:
Browsing involves searching through areas of main memory for password information.
Masquerading is a technique where a user is made to believe that he/she has accessed the operating
system and therefore enters passwords, etc., that can later be used for unauthorized access.
A virus is a program that attaches itself to legitimate software to penetrate the operating system. Most
are destructive.
A worm is software that replicates itself in memory.
A logic bomb is a destructive program triggered by some "logical" condition–a matching date, e.g.,
Michelangelo's birthday.

5. A formal log-on procedure is the operating system’s first line of defense. Explain this works.
 ANS:
When the user logs on, he or she is presented with a dialog box requesting the user’s ID and password.
The system compares the ID and password to a database of valid users. If the system finds a match,
then the log-on attempt is authenticated. If, however, the password or ID is entered incorrectly, the
log-on attempt fails and a message is returned to the user. The message should not reveal whether the
password or the ID caused the failure. The system should allow the user to reenter the log-on
information. After a specified number of attempts (usually no more than five), the system should lock
out the user from the system.

6. Explain the concept of discretionary access privileges.

ANS:
In centralized systems system administrator usually determines who is granted access to specific
resources and maintains the access control list. In distributed systems, however, resources may be
controlled (owned) by end users. Resource owners in this setting may be granted discretionary access
privileges, which allow them to grant access privileges to other users. For example, the controller, who
is the owner of the general ledger, may grant read-only privileges to a manager in the budgeting
department. The accounts payable manager, however, may be granted both read and write permissions
to the ledger. Any attempt by the budgeting manager to add, delete, or change the general ledger will
be denied. The use of discretionary access control needs to be closely supervised to prevent security
breaches because of its liberal use.

7. One purpose of a database system is the easy sharing of data. But this ease of sharing can also
jeopardize security. Discuss at least three forms of access control designed to reduce this risk.

ANS:
Many types of access control are possible. A user view is a subset of a database that limits a user’s
“view” or access to the database. The database authorization table contains rules that limit what a user
can do, i.e., read, insert, modify, delete. A user-defined procedure adds additional queries to user
access to prevent others from accessing in a specific user’s place. To protect the data in a database,
many systems use data encryption to make it unreadable by intruders. A newer technique uses
biometric devices to authenticate users.

8. Explain how the one-time password approach works.

ANS:
Under this approach, the user’s password changes continuously. To access the operating system, the
user must provide both a secret reusable personal identification number (PIN) and the current one-time
only password for that point in time. One technology employs a credit-card-sized device (smart card)
that contains a microprocessor programmed with an algorithm that generates, and visually displays, a
new and unique password every 60 seconds. The card works in conjunction with special authentication
software located on a mainframe host or network server computer. At any point in time both the smart
card and the network software are generating the same password for the same user. To access the
network, the user enters the PIN followed by the current password displayed on the card. The
password can be used one time only.

9. Network communication poses some special types of risk for a business. What are the two broad areas
of concern? Explain.

ANS:
Two general types of risk exist when networks communicate with each other–risks from subversive
threats and risks from equipment failure.
 Subversive threats include interception of information transmitted between sender and receiver,
computer hackers gaining unauthorized access to the organization’s network, and denial-of-service
attacks from remote locations on the Internet. Methods for controlling these risks include firewalls,
encryption, digital signatures, digital certificates, message transaction logs, and call-back devices.
Equipment failure can be the result of line errors. The problems can be minimized with the help of
echo checks, parity checks, and good backup control.

10. What is EDI? How does its use affect the audit trail?

ANS:
Electronic data interchange is an arrangement which links the computer systems of two trading
partners to expedite sales/purchases. The buying company’s purchasing system creates and transmits a
purchase order electronically in an agreed format, either directly or through a value-added network.
The selling company receives the information, and it is converted electronically into a sales order.

The absence of paper documents in an EDI transaction disrupts the traditional audit trail. This can be
compensated for through the use of transaction logs which can be reconciled.