UMD BMGT 326 - Chapter 8—Controlling Information Systems


Chapter 8—Controlling Information Systems: Introduction to Pervasive and General Controls

TRUE/FALSE

1. IT governance leads to better organizational performance such as profitability.
ANS: T

2. As an IT resource, information includes data in all their forms that are input, processed and output by information systems.
ANS: T

3. As an IT resource, applications are automated systems and manual procedures that process information.
ANS: T

4. The system of controls used in this text consists of the control environment, pervasive (and general controls, and IT general controls) control plans, and business process (and application) control plans.
ANS: T

5. As used in the text, the information systems organization (function) is synonymous with the accounting function.
ANS: F

6. The function composed of people, procedures, and equipment that is typically called the information systems department, IS department, or the IT department is the information systems organization.
ANS: T

7. The IS function with the principal responsibilities of guiding and advising the information systems organization is the IT steering committee.
ANS: T

8. The IS function with the principal responsibilities of insuring the security of all information systems function resources is data control.
ANS: F

9. The IS function of quality assurance conducts reviews to determine adherence to IT standards and procedures and achievement of IT objectives.
ANS: T

10. The chief information officer (CIO) prioritizes and selects IT projects and resources.
ANS: F

11. Within the data center, the data control group is responsible for routing all work into and out of the data center, correcting errors, and monitoring error correction.
ANS: T

12. The IS function of systems development provides efficient and effective operation of the computer equipment by performing tasks such as mounting tapes and disks, loading printer paper, and responding to computer messages.
ANS: F

13. Within the data center, the data librarian function grants access to programs, data, and documentation to authorized personnel only.
ANS: T

14. Combining the functions of authorizing and executing events is a violation of the organizational control plan known as segregation of duties.
ANS: T

15. Segregation of duties consists of separating the four functions of authorizing events, executing events, recording events, and safeguarding the resources resulting from consummating the events.
ANS: T

16. Embezzlement is a fraud committed by two or more individuals or departments.
ANS: F

17. A small organization that does not have enough personnel to adequately segregate duties must rely on alternative controls, commonly called resource controls.
ANS: F

18. The functions of the security officer commonly include assigning passwords and implementing and monitoring many of the pervasive resource security control plans.
ANS: T

19. Individual departments coordinate the organizational and IT strategic planning processes and reviews and approves the strategic IT plan.
ANS: F

20. The policy of requiring an employee to alternate jobs periodically is known as mandatory vacations.
ANS: F

21. Forced vacations is a policy of requiring an employee to take leave from the job and substituting another employee in his or her place.
ANS: T

22. A fidelity bond indemnifies a company in case it suffers losses from defalcations committed by its employees.
ANS: T

23. The product life cycle is a formal set of activities, or a process, used to develop and implement a new or modified information system.
ANS: F

24. Computer software that is used to facilitate the execution of a given business process is called database management software.
ANS: F

25. The systems documentation provides an overall description of the application, including the system's purpose; an overview of system procedures; and sample source documents, outputs, and reports.
ANS: T

26. Program documentation provides a description of an application computer program and usually includes the program's purpose, program flowcharts, and source code listings.
ANS: T

27. The user run manual gives detailed instructions to computer operators and to data control about a particular application.
ANS: F

28. The operations run manual describes user procedures for an application and assists the user in preparing inputs and using outputs.
ANS: F

29. Training materials are documentation that helps users learn their jobs and perform consistently in those jobs.
ANS: T

30. Program change controls provide assurance that all program modifications are authorized and that the changes are completed, tested, and properly implemented.
ANS: T

31. The terms contingency planning, disaster recovery planning, business interruption planning, and business continuity planning have all been used to describe the process that identifies events that may threaten an organization and provide a framework whereby the organization will continue to operate or resume operations with a minimum of disruption.
ANS: T

32. Continuity is the process of using backup measures to either reconstruct lost data, programs, or documentation, or to continue operations in alternative facilities.
ANS: F

33. With continuous data protection (CDP) all data changes are saved to secondary computer systems as changes are made on the primary system.
ANS: T

34. The disaster backup and recovery technique known as electronic vaulting is a service whereby changes being made on a computer are automatically transmitted over the Internet on a continuous basis to an off-site server maintained by a third party.
ANS: T

35. The disaster recovery strategy known as a cold site is a fully equipped data center that is made available on a standby basis to client companies for a monthly subscriber fee.
ANS: F

36. A facility usually comprising air-conditioned space with a raised floor, telephone connections, and computer ports, into which a subscriber can move equipment, is called a hot site.
ANS: F

37. In the case of a computer virus, a Web site is overwhelmed by an intentional onslaught of thousands of simultaneous messages, making it impossible for the attacked site to engage in its normal activities.
ANS: F

38. Biometric identification systems identify authorized personnel through some unique physical trait such as fingers, hands, voice, eyes, face, or writing dynamics.
ANS: T

39. Antivirus is a technique to protect one network from another "untrusted" network.
ANS: F

40. The most common biometric devices perform retinal eye scans.
ANS: F

41. In an online computing environment, the operating system

