INFORMATION TECHNOLOGY
AUDITING 4TH EDITION HALL TEST BANK
Full download at link:
Test bank: https://testbankpack.com/p/test-bank-for-informationtechnology-auditing-4th-edition-hall-1133949886-9781133949886/
Solution Manual: https://testbankpack.com/p/solution-manual-forinformation-technology-auditing-4th-edition-hall-11339498869781133949886/
Chapter 5 Systems Development and Program Change Activities
TRUE/FALSE
1. The objective of systems planning is to link systems projects to the strategic objectives of the firm.
ANS: T PTS: 1
2. The Systems Development Life Cycle (SDLC) concept applies to specific applications and not to strategic systems planning.
ANS: F PTS: 1
3. An accountant’s responsibility in the SDLC is to ensure that the system applies proper accounting conventions and rules and possesses adequate control.
ANS: T PTS: 1
4. In the conceptual design phase of the Systems Development Life Cycle (SDLC), task force members are focused on selecting the new system design.
ANS: F PTS: 1
5. When determining the operational feasibility of a new system, the expected ease of transition from the old system to the new system should be considered.
ANS: T PTS: 1
6. One-time costs include operating and maintenance costs.
ANS: F PTS: 1
7. When preparing a cost-benefit analysis, design costs incurred in the systems planning, systems analysis and conceptual design phases of the Systems Development Life Cycle are relevant costs.
ANS: F PTS: 1
8. A tangible benefit can be measured and expressed in financial terms.
ANS: T PTS: 1
9. Instead of implementing an application in a single big-bang release, modern systems are delivered in parts continuously and quickly
ANS: T PTS: 1
10. When the nature of the project and the needs of the user permit, most organizations will seek a precoded commercial software package rather than develop a system in-house.
ANS: T PTS: 1
11. All of the steps in the Systems Development Life Cycle apply to software that is developed in-house and to commercial software.
ANS: F PTS: 1
12 During the detailed feasibility study of the project, the systems professional who proposed the project should be involved in performing the study.
ANS: F PTS: 1
13 Recurring costs include: hardware maintenance, software acquisition, software maintenance, insurance, supplies and personnel costs.
ANS: F PTS: 1
14. The payback method is often more useful than the net present value method for evaluating systems projects because the effective lives of information system tend to be short and shorter payback projects are often desirable.
ANS: T PTS: 1
15 Intangible benefits are not physical, but can be measured and expressed in financial terms.
ANS: F PTS: 1
16 Legal feasibility identifies conflicts between the proposed system and the company’s ability to discharge its legal responsibilities
ANS: T PTS: 1
17. Programs in their compiled state are very susceptible to the threat of unauthorized modification.
ANS: F PTS: 1
18 Maintenance access to systems increases the risk that logic will be corrupted either by the accident or intent to defraud.
ANS: T PTS: 1
19. Source program library controls should prevent and detect unauthorized access to application programs.
ANS: T PTS: 1
20. The user test and acceptance procedure is the last point at which the user can determine the system’s acceptability prior to it going into service.
ANS: T PTS: 1
MULTIPLE CHOICE
1 Which control is not associated with new systems development activities?
a. reconciling program version numbers
b. program testing
c. user involvement
d. internal audit participation
ANS: A PTS: 1
2. Which test of controls will provide evidence that the system as originally implemented was free from material errors and free from fraud? Review of the documentation indicates that
a. a cost-benefit analysis was conducted
b. the detailed design was an appropriate solution to the user's problem
c. tests were conducted at the individual module and total system levels prior to implementation
d. problems detected during the conversion period were corrected in the maintenance phase
ANS: C PTS: 1
3. Routine maintenance activities require all of the following controls except
a. documentation updates
b. testing
c. formal authorization
d. internal audit approval
ANS: D PTS: 1
4. Which statement is correct?
a. compiled programs are very susceptible to unauthorized modification
b. the source program library stores application programs in source code form
c. modifications are made to programs in machine code language
d. the source program library management system increases operating efficiency
ANS: B PTS: 1
5 Which control ensures that production files cannot be accessed without specific permission?
a. Database Management System
b. Recovery Operations Function
c. Source Program Library Management System
d. Computer Services Function
ANS: C PTS: 1
6. Program testing
a. involves individual modules only, not the full system
b. requires creation of meaningful test data
c. need not be repeated once the system is implemented
d. is primarily concerned with usability
ANS: B PTS: 1
7 Which statement is not true?
a. An audit objective for systems maintenance is to detect unauthorized access to application databases.
b. An audit objective for systems maintenance is to ensure that applications are free from errors.
c. An audit objective for systems maintenance is to verify that user requests for maintenance reconcile to program version numbers.
d. An audit objective for systems maintenance is to ensure that the production libraries are protected from unauthorized access.
ANS: A PTS: 1
8 When the auditor reconciles the program version numbers, which audit objective is being tested?
a. protect applications from unauthorized changes
b. ensure applications are free from error
c. protect production libraries from unauthorized access
d. ensure incompatible functions have been identified and segregated
ANS: A PTS: 1
9 Which is not a level of a data flow diagram?
a. conceptual level
b. context level
c. intermediate level
d. elementary level
ANS: A PTS: 1
10 Which statement is not correct? The structured design approach
a. is a top-down approach
b. is documented by data flow diagrams and structure diagrams
c. assembles reusable modules rather than creating systems from scratch
d. starts with an abstract description of the system and redefines it to produce a more detailed description of the system
ANS: C PTS: 1
11 The benefits of the object-oriented approach to systems design include all of the following except
a. this approach does not require input from accountants and auditors
b. development time is reduced
c. a standard module once tested does not have to be retested until changes are made
d. system maintenance activities are simplified
ANS: A PTS: 1
12 Evaluators of the detailed feasibility study should not include
a. the internal auditor
b. the project manager
c. a user representative
d. the system designer
ANS: D PTS: 1
13. A cost-benefit analysis is a part of the detailed
a. operational feasibility study
b. schedule feasibility study
c. legal feasibility study
d. economic feasibility study
ANS: D PTS: 1
14. Examples of one-time costs include all of the following except
a. hardware acquisition
b. insurance
c. site preparation
d. programming
ANS: B PTS: 1
15. Examples of recurring costs include
a. software acquisition
b. data conversion
c. personnel costs
d. systems design
ANS: C PTS: 1
16 A commercial software system that is completely finished, tested, and ready for implementation is called a
a. backbone system
b. vendor-supported system
c. benchmark system
d. turnkey system
ANS: D PTS: 1
17 Which of the following is not an advantage of commercial software? Commercial software
a. can be installed faster than a custom system
b. can be easily modified to the user’s exact specifications
c. is significantly less expensive than a system developed in-house
d. is less likely to have errors than an equivalent system developed in-house
ANS: B PTS: 1
18 Which step is least likely to occur when choosing a commercial software package?
a. a detailed review of the source code
b. contact with user groups
c. preparation of a request for proposal
d. comparison of the results of a benchmark problem
ANS: A PTS: 1
19. The output of the detailed design phase of the Systems Development Life Cycle (SDLC) is a
a. fully documented system report
b. systems selection report
c. detailed system design report
d. systems analysis report
ANS: C PTS: 1
20. The detailed design report contains all of the following except
a. input screen formats
b. alternative conceptual designs
c. report layouts
d. process logic
ANS: B PTS: 1
21. System documentation is designed for all of the following groups except
a. systems designers and programmers
b. end users
c. accountants
d. all of the above require systems documentation
ANS: D PTS: 1
22 Which type of documentation shows the detailed relationship of input files, programs, and output files?
a. structure diagrams
b. overview diagram
c. system flowchart
d. program flowchart
ANS: C PTS: 1
23 Typical contents of a run manual include all of the following except
a. run schedule
b. logic flowchart
c. file requirements
d. explanation of error messages
ANS: B PTS: 1
24 Computer operators should have access to all of the following types of documentation except
a. a list of users who receive output
b. a program code listing
c. a list of all master files used in the system
d. a list of required hardware devices
ANS: B PTS: 1
25. Which task is not essential during a data conversion procedure?
a. decomposing the system
b. validating the database
c. reconciliation of new and old databases
d. backing up the original files
ANS: A PTS: 1
26. When converting to a new system, which cutover method is the most conservative?
a. cold turkey cutover
b. phased cutover
c. parallel operation cutover
d. data coupling cutover
ANS: C PTS: 1
27. Site preparation costs include all of the following except
a. crane used to install equipment
b. freight charges
c. supplies
d. reinforcement of the building floor
ANS: C PTS: 1
28 The testing of individual program modules is a part of
a. software acquisition costs
b. systems design costs
c. data conversion costs
d. programming costs
ANS: D PTS: 1
29 When implementing a new system, the costs associated with transferring data from one storage medium to another is an example of
a. a recurring cost
b. a data conversion cost
c. a systems design cost
d. a programming cost
ANS: B PTS: 1
30 An example of a tangible benefit is
a. increased customer satisfaction
b. more current information
c. reduced inventories
d. faster response to competitor actions
ANS: C PTS: 1
31. An example of an intangible benefit is
a. expansion into other markets
b. reduction in supplies and overhead
c. more efficient operations
d. reduced equipment maintenance
ANS: C PTS: 1
32. A tangible benefit
a. can be measured and expressed in financial terms
b. might increase revenues
c. might decrease costs
d. all of the above
ANS: D PTS: 1
33 Intangible benefits
a. are easily measured
b. are of relatively little importance in making information system decisions
c. are sometimes estimated using customer satisfaction surveys
d. when measured, do not lend themselves to manipulation
ANS: C PTS: 1
34 Which technique is least likely to be used to quantify intangible benefits?
a. opinion surveys
b. simulation models
c. professional judgment
d. review of accounting transaction data
ANS: D PTS: 1
35 The formal product of the systems evaluation and selection phase of the Systems Development Life Cycle is
a. the report of systems analysis
b. the systems selection report
c. the detailed system design
d. the systems plan
ANS: B PTS: 1
36 Typically a systems analysis
a. results in a formal project schedule
b. does not include a review of the current system
c. identifies user needs and specifies system requirements
d. is performed by the internal auditor
ANS: C PTS: 1
37 A disadvantage of surveying the current system is
a. it constrains the generation of ideas about the new system
b. it highlights elements of the current system that are worth preserving
c. it pinpoints the causes of the current problems
d. all of the above are advantages of surveying the current system
ANS: A PTS: 1
38 Systems analysis involves all of the following except
a. gathering facts
b. surveying the current system
c. redesigning bottleneck activities
d. reviewing key documents
ANS: C PTS: 1
39 The systems analysis report does not
a. identify user needs
b. specify requirements for the new system
c. formally state the goals and objectives of the system
d. specify the system processing methods
ANS: D PTS: 1
40 The role of the steering committee includes
a. designing the system outputs
b. resolving conflicts that arise from a new system
c. selecting the programming techniques to be used
d. approving the accounting procedures to be implemented
ANS: B PTS: 1
41. Project planning includes all of the following except
a. specifying system objectives
b. preparing a formal project proposal
c. selecting hardware vendors
d. producing a project schedule
ANS: C PTS: 1
42. Aspects of project feasibility include all of the following except
a. technical feasibility
b. economic feasibility
c. logistic feasibility
d. schedule feasibility
ANS: C PTS: 1
43. Which of the following is not a tool of systems analysts?
a. observation
b. task participation
c. audit reports
d. personal interviews
ANS: C PTS: 1
44 When developing the conceptual design of a system,
a. all similarities and differences between competing systems are highlighted
b. structure diagrams are commonly used
c. the format for input screens and source documents is decided
d. inputs, processes, and outputs that distinguish one alternative from another are identified
ANS: D PTS: 1
45. The role of the accountant/internal auditor in the conceptual design phase of the Systems Development Life Cycle includes all of the following except
a. the accountant is responsible for designing the physical system
b. the accountant is responsible to ensure that audit trails are preserved
c. the internal auditor is responsible to confirm that embedded audit modules are included in the conceptual design
d. the accountant is responsible to make sure that the accounting conventions that apply to the module are considered by the system designers
ANS: A PTS: 1
46 Strategic systems planning is important because the plan
a. provides authorization control for the Systems Development Life Cycle
b. will eliminate any crisis component in systems development
c. provides a static goal to be attained within a five-year period
d. all of the above
ANS: A PTS: 1
47. Project feasibility includes all of the following except
a. technical feasibility
b. conceptual feasibility
c. operational feasibility
d. schedule feasibility
ANS: B PTS: 1
SHORT ANSWER
1. Contrast the source program library (SPL) management system to the database management system (DBMS).
ANS: The SPL software manages program files and the DBMS manages data files.
PTS: 1
2. List three methods used to control the source program library.
ANS: passwords, separate test libraries, audit trail and management reports, program version numbers, controlling access to maintenance commands
PTS: 1
3. New system development activity controls must focus on the authorization, development, and implementation of new systems and its maintenance. Discuss at least five control activities that are found in an effective system development life cycle.
ANS:
System authorization activities assure that all systems are properly authorized to ensure their economic justification and feasibility.
User specification activities should not be stifled by technical issues. Users can provide written description of the logical needs that must be satisfied by the system.
Technical design activities must lead to specifications that meet user needs. Documentation is both a control and evidence of control.
Internal audit involvement should occur throughout the process to assure that the system will serve user needs.
Program testing is to verify that data is processed as intended.
PTS: 1
4. List three advantages and one disadvantage of commercial software.
ANS: Advantages include very quick implementation time, relatively inexpensive software, and reliable, tested software.
Disadvantages include not being able to customize the system and difficulty in modifying the software.
PTS: 1
5. Describe a risk associated with the phased cutover procedure for data conversion.
ANS:
Incompatibilities may exist between the new subsystems and the yet-to-be replaced old subsystems.
PTS: 1
6. Why is it important that the systems professionals who design a project not perform the detailed feasibility study of the project?
ANS: Objectivity is essential to the fair assessment of each project design. To ensure objectivity, an independent systems professional should perform the study.
PTS: 1
7 ____________________ benefits can be measured and expressed in financial terms, while ____________________ benefits cannot be easily measured and/or quantified.
ANS: Tangible, intangible
PTS: 1
8 What is a systems selection report?
ANS: A systems selection report is a formal document that consists of a revised feasibility study, a costbenefit analysis, and a list and explanation of intangible benefits for each alternative design. The steering committee uses this report to select a system.
PTS: 1
9. Why is the payback method often more useful than the net present value method for evaluating systems projects?
ANS:
Because of brief product life cycles and rapid advances in technology, the effective lives of information system tends to be short. Shorter payback projects are often desirable.
PTS: 1
10 What are the auditor’s objectives relating to systems development?
ANS: The auditor’s objectives are to ensure that (1) systems development activities are applied consistently and in accordance with management’s policies to all systems development projects; (2) the system as originally implemented was free from material errors and fraud; (3) the system was judged necessary and justified at various checkpoints throughout the SDLC; and (4) system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities.
PTS: 1
11. Describe a test of controls that would provide evidence that only authorized program maintenance is occurring.
ANS: reconcile program version numbers, confirm maintenance authorizations
PTS: 1
12 What are program version numbers and how are the used?
ANS:
The SPLMS assigns a version number automatically to each program stored on the SPL. When programs are first placed in the libraries (at implementation), they are assigned version number zero. With each modification to the program, the version number is increased by one.
PTS: 1
13. Explain why accountants are interested in the legal feasibility of a new systems project.
ANS:
Legal feasibility identifies conflicts between the proposed system and the company’s ability to discharge its legal responsibilities. Accountants are often tasked with the legal requirements associated with developing the internal control system and securing information from inappropriate disclosure.
PTS: 1
14. Explain an advantage of surveying the current system when preparing a systems analysis for a new systems project.
ANS: An analysis of the current system will identify what aspects of the current system should be retained; facilitate the conversion from the old to the new system; and may uncover causes of reported problems.
PTS: 1
15. What are two purposes of the systems project proposal?
ANS:
First, it summarizes the findings of the study conducted to this point into a general recommendation for a new or modified system. This enables management to evaluate the perceived problem along with the proposed system as a feasible solution. Second, the proposal outlines the linkage between the objectives of the proposed system and the business objectives of the firm. It shows that the proposed new system complements the strategic direction of the firm.
PTS: 1
16. List two ways that a systems project can contribute to the strategic objectives of the firm.
ANS:
A new system can improve the operational performance by eliminating nonessential activities and costs, provide a method of differentiating the product or service from the competitors, and provide information that will help improve management decision-making.
PTS: 1
17 List four types of facts that should be gathered during an analysis of a system.
ANS: data sources; operation users; data stores; processes; data flows; controls; transaction volumes; error rates; resource costs; bottlenecks; and redundant operations
PTS: 1
18. Distinguish between escapable and inescapable costs. Give an example.
ANS:
Escapable costs are directly related to the system, and they cease to exist when the system ceases to exist. An example would be an annual software support fee for purchased software. If the system ceases to exist, the support for the software will no longer be necessary. Inescapable costs, on the other hand, represent costs which will not be eliminated if the system is scrapped. An example would be an overhead charge for office space in a building which is owned by the company. If the system ceases to exist, these costs will be allocated to the remaining departments.
PTS: 1
19. Why is cost-benefit analysis more difficult for information systems than for many other types of investments organizations make?
ANS:
The benefits of information systems are oftentimes very difficult to assess. Many times the benefits are intangible, such as improved decision making capabilities. Also, maintenance costs may be difficult to predict. Most other investments that organizations make, i.e. purchase of a new piece of equipment, tend to have more tangible and estimable costs and benefits.
PTS: 1
ESSAY
1. Outline the five controllable activities that relate to new systems development
ANS:
Systems Authorization Activities: All systems should be properly authorized to ensure their economic justification and feasibility. This requires a formal environment in which users submit requests to systems professionals in written form.
User Specification Activities: Users need to be actively involved in the systems development process. Users should create a detailed written description of their needs. It should describe the user’s view of the problem, not that of the systems professionals.
Technical Design Activities: The technical design activities translate user specifications into a set of detailed technical specifications for a system that meets the user’s needs. The scope of these activities includes systems analysis, feasibility analysis, and detailed systems design.
Internal Audit Participation: The internal auditor plays an important role in the control of systems development activities. The auditor should become involved at the inception of the process and continue through all phases of development and in the maintenance phase. In addition, the
User Test and Acceptance Procedures: Prior to system implementation, the individual modules of the system need to be formally and rigorously tested as a whole. The test team should comprise of user personnel, systems professionals, and internal auditors. The details of the tests performed and their results need to be formally documented and analyzed. Once the test team is satisfied that the system meets its stated requirements, the system can be transferred to the user.
PTS: 1
2. Discuss the three groups that participate in systems development.
ANS: System professionals are systems analysts, systems engineers, database designers, and programmers. These individuals actually build the system.
End users are those for whom the system is built. There are many users at all levels in an organization. These include managers and operations personnel, including accountants. During systems development, systems professionals work with primary users to obtain an understanding of users’ problems and a clear statement of their needs.
Stakeholders are individuals who have an interest in the system but are not formal end users. These include the internal steering committee and internal and external auditors. Stakeholders work with the development team to ensure user’s needs are met, adequate internal controls are designed into the systems and that the systems development process itself is properly implemented and controlled.
PTS: 1
3. Define the feasibility measures that should be considered during project analysis and give an example of each.
ANS:
Technical feasibility is an assessment as to whether the system can be developed under existing technology or if new technology is needed. An example might be a situation where a firm wants to completely automate the sales process. A question would be-Is technology available that allows sales to be made without humans?
Economic feasibility is an assessment as to the availability of funds to complete the project. A question would be-Is it cost feasible to purchase equipment to automate sales?
Legal feasibility identifies any conflicts with the proposed system and the company’s ability to discharge its legal responsibilities. An example would be a firm that is proposing a new mail order sales processing system for selling wine.
Operational feasibility shows the degree of compatibility between the firm’s existing procedures and personnel skills and the operational requirements of the new system. Do the firm have the right work force to operate the system? If not, can employees be trained? If not, can they be hired?
Schedule feasibility pertains to whether the firm can implement the project within an acceptable time frame. An example would be a new ticket sales system for a sports team. The system would need to be implemented prior to the start of the new season.
PTS: 1
4. Explain the role of accountants in the conceptual design stage.
ANS:
Accountants are responsible for the logical information flows in a new system. Alternate systems considered must be properly controlled, audit trails must be preserved, and accounting conventions and legal requirements must be met. Auditability of a new system depends in part on its design.
PTS: 1
5. Discuss the advantages and disadvantages of the three methods of converting to a new system: cold turkey cutover, phased cutover, and parallel operation cutover.
ANS:
Cold turkey–This is the fastest, quickest and least expensive cutover method. It is also the most risky. If the system does not function properly, there is no backup system to rely on.
Phased cutover–The phased cutover avoids the risk of total system failure because the conversion occurs one module at a time. The disadvantage of this method is the potential incompatibilities between new modules that have been implemented and old modules that have not yet been phased out.
Parallel operation cutover–This is the most time consuming and costly of the three methods, but it also provides the greatest security. The old system is not terminated until the new system is tested for accuracy.
PTS: 1
6. What is the purpose of the auditor's review of SDLC documentation?
ANS:
In reviewing the SDLC documentation, the auditor seeks to determine that completed projects now in use reflect compliance with SDLC policies including:
• User and computer services management properly authorized the project.
• A preliminary feasibility study showed that the project had merit.
• A detailed analysis of user needs was conducted that resulted in alternative conceptual designs.
• A cost-benefit analysis was conducted using reasonably accurate figures.
• The detailed design was an appropriate and accurate solution to the user’s problem.
• Test results show that the system was thoroughly tested at both the individual module and the total system level before implementation. (To confirm these test results, the auditor may decide to retest selected elements of the application.)
• There is a checklist of specific problems detected during the conversion period, along with evidence that they were corrected in the maintenance phase.
• Systems documentation complies with organizational requirements and standards
PTS: 1
7. Classify each of the following as either a one-time or recurring costs:
training personnel
initial programming and testing
system design-one
hardware costs
software maintenance costs
site preparation
rent for facilities
data conversion from old system to new system
insurance costs
installation of original equipment
hardware upgrades
ANS:
training personnel-one-time
initial programming and testing-one-time
system design-one-time
hardware costs-one-time
software maintenance costs-recurring
site preparation-one-time
rent for facilities-recurring
data conversion from old system to new system-one-time
insurance costs-recurring
installation of original equipment-one-time
hardware upgrades-recurring
PTS: 1
8. Explain how application version numbers can be used as an audit to0l for assessing program change controls.
ANS:
The SPLMS assigns a version number automatically to each program stored on the SPL. When programs are first placed in the libraries (at implementation), they are assigned version number zero. With each modification to the program, the version number is increased by one. This feature, when combined with audit trail reports, provides a basis for detecting unauthorized changes to the application program. An unauthorized change is signaled by a version number on the production load module that cannot be reconciled to the number of authorized changes. For example, if 10 changes were authorized but the production program is Version 11, then two possible control violations may have happened: (1) an authorized change occurred, which for some reason went undocumented, or (2) an unauthorized change was made, which incremented the version number.
PTS: 1