E.2. System and Application Controls Flashcards

Explore general and application-level IT controls, control classifications, and flowcharting methods. (63 cards)

1
Q

What are the objectives of controls for an information system?

A
  • Promoting effectiveness and efficiency of operations
  • Maintaining the reliability of financial reporting
  • Assuring compliance with all laws, regulations, and managerial policies
  • Safeguarding assets
2
Q

Fill in the blanks:

The first line of defense against threats to an information system is _______ _______ ________.

A

Effective system controls

3
Q

What are the primary purposes of system controls in an organization?

A

To preserve the integrity of data and reduce the risk of loss from inadequate records, inaccurate accounting, business interruption, fraud, violations of the law, asset loss, and damage to the business’s competitive position.

System controls must not only exist but must also function effectively to achieve these objectives.

4
Q

What are the two main types of controls for a computer system?

A
  • General controls
  • Application controls

General controls relate to all systems components, processes, and data in a systems environment.

Application controls are specific to individual applications and are designed to prevent, detect, and correct errors and irregularities in transactions.

5
Q

What types of controls are included in general controls in an information system?

A
  • Administrative controls, including segregation of duties
  • Computer operations controls
  • Controls over development, maintenance, and modification of computer programs
  • Software controls
  • Hardware controls
  • Data security controls
  • Provision for disaster recovery
6
Q

Application controls in an information system include what three classifications of controls?

A
  • Input controls
  • Processing controls
  • Output controls
7
Q

One of the three classifications of application controls in an information system is input controls. What is the function of input controls?

A

They are designed to provide reasonable assurance that input to the system has proper authorization, has been converted to machine-sensible form, and has been entered accurately.

8
Q

One of the three classifications of application controls in an information system is processing controls. What is the function of processing controls?

A

They are designed to provide reasonable assurance that processing has occurred properly and no transactions have been lost or incorrectly added.

9
Q

One of the three classifications of application controls used in an information system is output controls. What is the function of output controls?

A

They are designed to provide reasonable assurance that input and processing of the input have resulted in valid output.

10
Q

What is the focus of segregation of duties in system controls?

A

Separating the authority for a function from the responsibility for the function to limit opportunities for unauthorized use of and changes to the computer and its stored data and applications, although collusion between employees can still override controls.

11
Q

What is the role of a systems analyst in an information systems department, and what other responsibilities are incompatible with systems analysis from a segregation of duties standpoint?

A

Systems analysts are responsible for reviewing the current system to ensure it meets the organization’s needs and providing design specifications for new systems.

Systems analysts should not do programming, nor should they have access to hardware, software, or data files.

12
Q

What is the role of the data control group in system controls?

A
  • Receives user input and logs it
  • Monitors processing
  • Reconciles input and output
  • Distributes output to authorized users
  • Checks for errors and corrects them when found

The data control group should be organizationally independent of computer operations.

13
Q

What are the responsibilities of a database administrator (DBA)?

A
  • Designing and maintaining database structures
  • Granting/revoking user access rights
  • Implementing data security controls and encryption
  • Managing database backups and recovery procedures
  • Establishing data validation rules
  • Implementing audit trails for data access and modifications
14
Q

In accounting system controls, why are audit trails important?

A

They provide a step-by-step documented history of transactions, enabling an auditor or other examiner to trace a transaction from the general ledger back to the source document such as an invoice or a receipt.

The absence of audit trails can make the reliability of an accounting information system questionable.

15
Q

What are the three categories of general controls in system controls?

A
  • Controls over the organization and operation of the facilities and resources
  • General operating procedures
  • Software, hardware, and access controls
16
Q

In system controls, what are the functions of administrative controls?

A

In an information systems department, administrative controls provide for segregation of duties and supervision of personnel involved in control procedures to ensure that the controls are performing as intended.

Supervisors can spot weaknesses, correct errors, and identify deviations from standard procedures. Without adequate supervision, controls may be neglected or deliberately by-passed.

17
Q

What is the role of a computer operator in an information systems department, and what duties are incompatible with those of computer operators?

A

Computer operators perform the actual operation of computers for processing data.

Computer operators should not have programming functions or the ability to modify programs.

18
Q

What is the significance of cost/benefit analysis in implementing controls?

A

Cost/benefit analysis means that management should not spend more on controls than the amount the company can expect to receive in benefits from the controls.

19
Q

What should general operating procedures, a general system control, include?

A

Procedures should be documented for:

  • Start-up process
  • Job scheduling
  • Setup of processing jobs
  • Instructions for running jobs
  • Processing continuity during operator shift changes
  • Operations logs
  • Backup and recovery procedures
  • Procedures for connection and disconnection of links to remote operations
20
Q

What is a turnaround document and what is its purpose as a system control?

A

It is created by a computer, sent to another person or business where additional information is added, and returned to become an input document to the computer.

They limit input errors and reduce or eliminate the need for manual data entry.

21
Q

What is Intelligent Character Recognition (ICR)?

A

It uses artificial intelligence to recognize different kinds of handwriting and fonts, read them, and convert them to computer input.

22
Q

Software controls, hardware controls, and access controls comprise one of three categories of general system controls.

What is the function of software controls?

A

To monitor the use of software, prevent unauthorized access to it, and prevent unauthorized changes to applications and systems.

System software controls are used for compilers, utility programs, operations reporting, file handling and file setup, and library activities.

23
Q

Why are controls over system software particularly important?

A

System software performs overall control functions for the application programs.

24
Q

What is the role of a compiler in software controls?

A

To convert source code into object code, which provides the instructions for the computer.

25
Software controls, hardware controls, and access controls comprise one of three categories of general system controls. What is the function of hardware controls?
They are measures to keep computer equipment physically secure, including protection from extremes of temperature and humidity, fire, and natural disasters.
26
What is checkpoint and rollback recovery processing in a systems environment?
Several times per hour, the system stops (checkpoint) and backs up all the data and other information needed to restart the system. If a hardware failure occurs, the system reverts (“rolls back”) to the last saved copy, restarts, and reprocesses only the transactions that were posted after the last checkpoint.
27
What are the two classifications of access controls in system controls?
  • Logical security controls
  • Physical security controls

**Logical security controls** are controls over access and the ability to use the equipment as well as data security controls to ensure that data files are not subject to unauthorized access, change, or destruction.

**Physical security controls** protect the physical assets of the computer center: the hardware, peripherals, documentation, programs, and data files in the library.
28
System controls are broken down into (1) general controls and (2) application controls. What is the function of application controls?
They focus on preventing, detecting, and correcting errors in transactions as they flow through the input, processing, and output stages of an information system.
29
In system controls, what are application controls, and what are the three categories of application controls?
They are designed to prevent, detect, and correct errors and irregularities in transactions during the input, processing, and output stages.

The three categories of application controls are:

  • Input controls
  • Processing controls
  • Output controls
30
In system controls, what are the three classifications of input controls?
  • Data observation and recording
  • Data transcription - preparation of the data for processing
  • Edit tests - examine specific data fields and reject transactions if their data fields do not meet data quality standards
31
In system controls, what are point-of-sale devices, and how do they help reduce input errors?
Point-of-sale devices such as bar codes that are scanned eliminate the need to manually convert data to machine-readable format, thereby decreasing input errors.
32
In system controls, what are batch control totals, and what is their function?
These are manually calculated totals or counts applied to a group of transactions such as total sales revenue in a batch of billings. The application recalculates the batch total, compares it with the manual batch total, and rejects batches for which the control totals do not match. Control totals can detect missing transactions, duplicate processing, or computational errors that affect totals.
33
What is data transcription in an information systems environment?
It involves taking non-digital source data and using manual data entry to enter it into a computer to prepare it for processing.
34
In system controls, what is the role of format checks?
They are a data transcription control, a type of input control which verifies that each item of data is entered in the proper mode: numeric data in a numeric field, a date in a date field, and so forth.
35
In system controls, what are edit tests, and what are they used for?
They are a type of input control. They are input validation routines used to check the validity and accuracy of input data. Edit tests examine specific data fields and reject transactions if their data do not meet data quality standards.
36
In system controls, what is a completeness check, and what is it used for?
It's a type of edit test, an input control. It checks whether all required data has been entered. It ensures that input has been entered into all required fields. It cannot verify that the input is correct, but it can verify that it is there.

For example, a completeness check would check that every employee record has a social security number entered in the correct field.
37
In system controls, what is a check digit, and what is it used for?
It is a type of edit test, an input control. It is one digit that is a function of the other digits within a number such as an account number. It is used to detect errors in transcription such as transposition errors that may take place during input.
38
What is key verification, also called keystroke verification, and what is its purpose as a system control?
A type of edit test, an input control. It is the process of requiring information to be input twice for comparison by the system. Its purpose is to check for accuracy in input.

Key verification is often used when changing a password, to confirm that the password has been typed accurately.
39
Hash totals are a type of edit test, which is an input control, one of the categories of application controls in a systems environment. In system controls, what is a hash total?
A control total of nonmonetary information such as customer account numbers in a batch of transactions.

A hash total can be run on a group of records to be input before processing and again after processing. If the hash total changes during processing, it indicates something has changed or some transactions may be lost.
40
In system controls, what is the purpose of processing controls?
They are a classification of application controls. They are designed to provide reasonable assurance that processing has occurred properly and that no transactions have been lost or incorrectly added.
41
In system controls, what are the two classifications of processing controls?
Processing controls are a classification of application controls. They include:

  • Data access controls - processing controls at the time of data access
  • Data manipulation controls - controls involving data manipulation later in the processing
42
In system controls, batch control totals are input controls, but what else are they?
They are any type of total or count applied to a specific group of transactions. They are calculated manually, and as the computer processes the batch, it compares the processed total with the manual batch control total. If they match, the batch is posted. If they do not match, the posting is rejected, and the difference must be investigated.
43
In system controls, what is a record count and what is it used for?
It is a type of processing control. The number of transaction items is counted twice, once when preparing the transactions in a batch and again when performing the processing, to confirm that the number of transactions has not changed during processing.
44
In system controls, what is system testing and what is its purpose?
It is a type of data manipulation control, a classification of processing controls. Output from one program is often input to another, and system testing tests the linkages between the programs.
45
In system controls, what is the purpose of activity, or proof, listings?
They are a type of validating control, one of two categories of output controls. Activity, or proof, listings document processing activity, provide detailed information about all changes to master files, and create an audit trail. When the proof listings are compared with the batch control totals that went along with the input and processing functions, they can be used to confirm that all the transactions were processed correctly.
46
In system controls, what is the purpose of printed output controls?
Printed output controls are one of two categories of output controls. They are used to provide reasonable assurance that the printed output is accurate and complete, that it is sent to the right people, that it is sent in a timely manner, and that the proper reports are retained for the appropriate length of time.
47
In system controls, what controls are necessary to maintain physical control over pre-numbered forms such as blank checks, and why?
1. Pre-numbered forms should be kept under lock and key, and only authorized persons should be permitted access.
2. The preprinted number on each form that is printed by the system must match the system-generated number for that form. If it does not, one or more blank forms could be missing, and an investigation is needed.
48
What is the difference between preventive controls and detective controls, and what are examples of each in a systems environment?
  • **Preventive controls** prevent errors and fraud before they occur. Examples are segregation of duties, job rotation, and dual access controls.
  • **Detective controls** uncover errors and fraud after they have occurred. Examples are batch control totals, completeness checks, hash totals, check digits, and validity checks.
49
In system controls, what are feedback controls?
They produce feedback that can be monitored and evaluated to determine if the system is functioning as it is supposed to.

Feedback controls help create a self-monitoring, self-regulating system.
50
What is a feedback loop in an information system?
It is a self-monitoring system, which uses feedback to measure differences between actual output and desired output. The output is then fed back into the system as input, adjusting the operation according to those differences. Thus, it self-corrects.

A self-monitoring system is sometimes called a cybernetic system.
51
What is a system flowchart in an information system?
A **flowchart** is a diagram that creates a visual representation of processes or events. A **system flowchart** explains the functionality of a whole system. It documents the manual processes as well as the computer processes and the input, output, and processing steps.
52
What is the role of a flowchart in assessing controls?
It assists in properly identifying risks at each point in the process or system, identifying controls necessary to address the risks, and assessing the effectiveness of existing controls.
53
System and program development and change controls are a general operating procedure. What are the reasons for instituting system development controls during the development stage of an information system?
1. To ensure that all changes are properly authorized
2. To prevent errors in the resulting system
3. To limit the potential for other problems during the development process and after its completion
4. To enhance accuracy, validity, safety, security, and adaptability of a new system's functions
54
What is the importance of a cost-benefit analysis during the Investigation and Feasibility Study stage of development of an information system?
To evaluate all possible solutions, determine the technological feasibility of each potential solution, determine whether the new system will provide an adequate payback for its cost, and identify potential risks.

This analysis helps determine if a project should proceed before major investments are made.
55
In an information systems environment, what are the benefits of well-managed system changes?
  • Reduced errors and disruptions
  • Reduced resources and time required for changes
  • Reduced number of emergency fixes
56
What is a feedforward control system in a systems environment?
It attempts to predict problems and deviations before they happen so that necessary changes or actions to prevent the problem or deviation from occurring can be planned, such as system capacity planning to anticipate demand and prevent system slowdowns.

Feedforward controls guide actions to prevent or minimize the effects of potential problems.
57
In information system development, what is the conceptual design?
It defines user expectations and system specifications, reducing interoperability problems and future modification costs.

Proper conceptual design ensures better integration with existing systems.
58
What should be included in an implementation plan for a new information system?
Plans for:

  • Site preparation
  • Equipment acquisition and installation
  • User training
  • Installation of operating software changes
  • Implementation of operating procedures and conversion procedures
59
What are the types of documentation required for the implementation of a new information system?
  • System documentation
  • Program documentation
  • Operating documentation
  • Procedural documentation
  • User documentation
60
What are the benefits of good documentation and controls during implementation of a new information system?
More seamless integration of the new system into existing business processes and greater user proficiency and satisfaction.
61
What are the methods of conversion to a new information system?
  • Parallel
  • Phased
  • Pilot
  • Direct

**Parallel** - running the old and the new systems together for a period of time

**Phased** - converting only parts of the application or only a few locations at a time

**Pilot** - testing the new system in one work site before full implementation

**Direct** - changing over immediately from the old system to the new
62
What is the purpose of continuous monitoring and evaluation after implementation of a new or changed information system?
To determine what is working and what needs improvement, supporting continuous improvement of the system.
63
In an information systems environment, what are the concerns related to vendor package maintenance procedures?
1. Updates released by the vendor should be installed on a timely basis to ensure system compatibility.
2. If vendor-supplied software has had custom changes made to the vendor’s source code and the changes are not properly reinstalled on top of new releases, erroneous processing can result.
3. The organization should maintain change controls to verify that all custom changes are properly identified.