
TURNER, WEICKGENANNT & COPELAND ACCOUNTING INFORMATION SYSTEMS: CONTROLS AND PROCESSES

CHAPTER 4
INTERNAL CONTROLS AND RISKS IN IT SYSTEMS

1. What is the difference between general controls and application controls?


2. What kinds of risks or problems can occur if an organization does not authenticate
users of its IT systems?
3. What is the difference between authentication and authorization?
4. What is the difference between business continuity planning and disaster recovery
planning?
5. What kinds of duties should be segregated in IT systems?
6. Why do you think the uppermost managers should serve on the IT governance
committee?
7. Why should accountants be concerned about risks inherent in a complex software
system such as the operating system?
8. How can control totals serve as input, processing, and output controls?
9. Categorize each of the following as either a general control or an application control:
a. validity check
b. encryption
c. security token
d. batch total
e. output distribution
f. penetration testing
g. vulnerability assessment
h. firewall
i. antivirus software

10. Each of the given situations is independent of the other. For each, list the
programmed input validation check that would prevent or detect the error.
a. The zip code field was left blank on an input screen requesting a mailing
address.
b. An invalid state abbreviation of “NX” was entered in the state field.
c. A number was accidentally entered in the last name field.
d. For a weekly payroll, the hours entry in the “hours worked” field was 400.
e. A pay rate of $80.00 per hour was entered for a new employee. The job code
indicates an entry-level receptionist.


11. Which application controls would correspond to the following data creation rules?
- “the values in the cell are less than 70”
- “the values in the cell are between 15 and 65”
- “the values in the cell are positive”
- “the values in the cell are only numeric”
- “the cell accepts no more than 40 characters of text”
- “the cell’s value is less than 75% of the cell to its left”
- “the value exists in a list of allowable values”
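The situations in question 10 and the data creation rules in question 11 both describe programmed input validation checks (completeness, validity, field, limit, range, sign, length, relational and reasonableness checks). The following Python is an added example written for this page, not code from the textbook: the field names, the allowable state list, the job-code pay bands, the weekly-hours cap and the sample records are constructed assumptions so the checks can be run offline against one input record.

```python
"""Programmed input validation checks, written as an added example for this
page. Nothing here is code from the textbook; the field names, the allowable
state list, the job-code pay bands and the weekly-hours cap are constructed
assumptions chosen so the checks can be exercised against a sample record."""

VALID_STATES = {"AL", "AK", "AZ", "CA", "FL", "NY", "OH", "TX", "WA"}  # assumed list
PAY_BANDS = {"RECEPT1": (12.00, 25.00), "ENGR3": (40.00, 95.00)}        # assumed bands
MAX_WEEKLY_HOURS = 80.0   # assumed policy limit; 168 is the physical upper bound
MAX_NAME_LENGTH = 40


def run_input_checks(rec: dict) -> list[str]:
    """Return the list of validation failures for one input record.

    Each block below is one textbook check type; an empty list means the
    record passes every programmed edit."""
    errors = []

    # Completeness check: required fields may not be left blank.
    for name in ("last_name", "zip", "state", "hours_worked", "pay_rate", "job_code"):
        if rec.get(name) in (None, ""):
            errors.append(f"completeness: {name} is blank")

    # Validity check: the state must exist in the list of allowable values.
    state = rec.get("state")
    if state and state not in VALID_STATES:
        errors.append(f"validity: state {state!r} is not an allowable value")

    # Field check: a name field accepts letters (plus space, hyphen, apostrophe) only.
    last = rec.get("last_name") or ""
    if last and not all(ch.isalpha() or ch in " -'" for ch in last):
        errors.append("field: last_name contains non-alphabetic characters")

    # Length check: the name cell accepts no more than 40 characters.
    if len(last) > MAX_NAME_LENGTH:
        errors.append(f"length: last_name exceeds {MAX_NAME_LENGTH} characters")

    # Numeric and sign checks: hours and pay rate must be numbers, and not negative.
    for name in ("hours_worked", "pay_rate"):
        raw = rec.get(name)
        if raw in (None, ""):
            continue
        try:
            value = float(raw)
        except (TypeError, ValueError):
            errors.append(f"numeric: {name} {raw!r} is not a number")
            continue
        if value < 0:
            errors.append(f"sign: {name} must be positive")

    # Limit check: weekly hours cannot exceed a fixed upper limit.
    try:
        hours = float(rec.get("hours_worked"))
    except (TypeError, ValueError):
        hours = None
    if hours is not None and hours > MAX_WEEKLY_HOURS:
        errors.append(f"limit: hours_worked {hours} exceeds {MAX_WEEKLY_HOURS}")

    # Relational check: one cell is compared with another; here overtime may not
    # reach 75% of the total hours keyed for the week.
    ot = rec.get("overtime_hours")
    if ot not in (None, "") and hours is not None:
        try:
            if float(ot) >= 0.75 * hours:
                errors.append("relational: overtime_hours must be less than 75% of hours_worked")
        except (TypeError, ValueError):
            errors.append(f"numeric: overtime_hours {ot!r} is not a number")

    # Reasonableness check: the pay rate is compared with the band for the job code.
    code = rec.get("job_code")
    try:
        rate = float(rec.get("pay_rate"))
    except (TypeError, ValueError):
        rate = None
    if code in PAY_BANDS and rate is not None:
        low, high = PAY_BANDS[code]
        if not low <= rate <= high:
            errors.append(
                f"reasonableness: pay_rate {rate} is outside {low}-{high} for job code {code}")

    return errors


# Constructed sample records: one clean, one carrying the errors from question 10.
SAMPLE_GOOD = {"last_name": "Smith", "zip": "10001", "state": "NY",
               "hours_worked": "40", "pay_rate": "18.50", "job_code": "RECEPT1"}
SAMPLE_BAD = {"last_name": "Sm1th", "zip": "", "state": "NX",
              "hours_worked": "400", "pay_rate": "80.00", "job_code": "RECEPT1"}

if __name__ == "__main__":
    for label, rec in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, run_input_checks(rec))
```

Each check rejects the record before it reaches processing, which is the point of an input control: the bad record above fails five separate edits, and a production system would log the rejected record and route it to an exception report rather than silently dropping it.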

12. What is the difference between using self-checking digit verification and using a
validity check to test the accuracy of an account number entered on a transaction
record?

13. For each AICPA Trust Services Principles category shown, list a potential risk and a
corresponding control that would lessen the risk. An example is provided.
Example:
Security:
Risk: a hacker could alter data.
Control: use firewall to limit unauthorized access.
In a similar manner, list a risk and a control in each of the following categories:
Security, Availability, Processing Integrity, Confidentiality.

14. Control totals include batch totals, hash totals, and record counts. Which of these
totals would be useful in preventing or detecting IT system input and processing
errors or fraud described as follows?
a. A payroll clerk accidentally entered the same time card twice.
b. The accounts payable department overlooked an invoice and did not enter it
into the system because it was stuck to another invoice.
c. A systems analyst was conducting payroll fraud by electronically adding to his
“hours worked” field during the payroll computer run.
d. To create a fictitious employee, a payroll clerk removed a time card for a
recently terminated employee and inserted a new time card with the same
hours worked.
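Question 14 turns on the fact that the three control totals are sensitive to different kinds of change: a record count reacts only to the number of records, a batch total to a meaningful quantity such as hours, and a hash total to a field whose sum has no business meaning, such as employee numbers. The following Python is an added example written for this page, not code from the textbook; the time cards, employee numbers and hours are constructed, and the four functions reproduce the four situations in the question against totals computed before the batch was keyed.

```python
"""Control totals (record count, batch total, hash total) as an added example
for this page, not the textbook's code. The time-card batch is constructed;
employee numbers and hours are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TimeCard:
    employee_no: int   # identifier; its sum is meaningless, hence a hash total
    hours: float       # quantity; its sum is a meaningful batch total


def control_totals(cards):
    """Return (record count, batch total of hours, hash total of employee numbers)."""
    return (len(cards),
            round(sum(c.hours for c in cards), 2),
            sum(c.employee_no for c in cards))


def reconcile(expected, actual):
    """Compare totals computed before input with totals recomputed after
    processing; return the names of the totals that no longer agree."""
    names = ("record_count", "batch_total", "hash_total")
    return [n for n, e, a in zip(names, expected, actual) if e != a]


# Constructed batch: the totals a clerk would compute by hand before keying.
BATCH = [TimeCard(1001, 40.0), TimeCard(1002, 38.5),
         TimeCard(1003, 40.0), TimeCard(1004, 42.0)]
MANUAL_TOTALS = control_totals(BATCH)


def duplicate_entry():
    """Situation a: the same time card keyed twice."""
    return reconcile(MANUAL_TOTALS, control_totals(BATCH + [BATCH[0]]))


def omitted_record():
    """Situation b: one document stuck to another and never entered."""
    return reconcile(MANUAL_TOTALS, control_totals(BATCH[:1] + BATCH[2:]))


def altered_hours():
    """Situation c: an hours field changed during the run; same cards, same count."""
    cards = list(BATCH)
    cards[2] = TimeCard(1003, 400.0)
    return reconcile(MANUAL_TOTALS, control_totals(cards))


def swapped_card():
    """Situation d: a terminated employee's card replaced by a fictitious
    employee's card carrying the same hours."""
    cards = list(BATCH)
    cards[3] = TimeCard(9999, 42.0)
    return reconcile(MANUAL_TOTALS, control_totals(cards))


if __name__ == "__main__":
    print("manual totals:", MANUAL_TOTALS)
    for case in (duplicate_entry, omitted_record, altered_hours, swapped_card):
        print(f"{case.__name__}: mismatched totals -> {case()}")
```

Running it shows why all three totals are kept: the duplicate and the omission disturb every total, the altered hours field moves only the batch total, and the substituted time card moves only the hash total, because the hours (and therefore the batch total and record count) were deliberately kept the same. A control total flags that the batch changed, not which record changed; locating the record is the job of the exception report and the reconciliation that follows.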
