Student Forums CMA Part 1 Section E: Internal Controls E.2. System Controls and Security Measures Exam succes question about system general controls

Exam succes question about system general controls

  • This topic has 3 replies, 3 voices, and was last updated 3 years ago by Alexey Gnoevoy.
  • Creator
  • #107345
    Alexey Gnoevoy

    Hello, can you help me please to undestand next question

    CIA 596 3.48
    A company with several hundred stores has a network for the stores to transmit sales data to headquarters. The network is also used for:

    vendors to submit reorders,

    stores to transmit special orders to headquarters,

    regional distribution centers to communicate delivery and out-of-stock information to the stores,

    the national office to distribute training materials,

    store, regional, and national personnel to share any information they think helpful.
    In order to accommodate the large volume of transmissions, large stores have their own satellite receiving/transmitting stations. Small stores use leased lines.
    The information systems director is concerned that someone might be able to enter fictitious orders from store terminals. Of the following, the best control for minimizing the likelihood of such an occurrence is to:
    Correct answer: “Enforce password control procedures for users”
    My answer: “Require change control procedures for programs”

    In my mind even if you authorized person that doesnot mitigate risk that you can commit fraud, also chagne controls also include authorization control and include testings and documentation support. So i think that my answer is more applicable that the correct.

    Explain me please why correct answer is better than mine?

    Thank you!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Author
  • #107349
    Brian Hock
    HOCK international


    All of these controls would be good controls to have. However, they narrow the scope of the question for us by stating that the concern is that someone can enter fictitious transactions in a terminal. Since we are looking at entering fictitious transactions, the choices of encryption, change controls procedures and reporting suspicious activities are not really relevant controls for this issue.

    This question is a good example of a question in which all of the choices are good things to do, but the question itself narrows the scope of the question to a specific item, or issue.


    Lynn Roden
    HOCK international

    Hi Alexey,

    A change in a program does not necessarily include any change to authorizations. A fraudulent change in a program in this situation could be made to redirect orders to a different vendor (maybe a vendor owned by the employee who has made the fraudulent program change), for example. Program change controls would minimize the likelihood of a fraudulent change being made in a program. Yes, program change controls could also minimize the likelihood of a fraudulent change being made in authorizations. However, by themselves, program change controls would not minimize the likelihood that someone would be able to enter fictitious orders from store terminals if password control procedures were not being enforced. Without password control procedures, someone could obtain the password of an authorized employee and enter orders using that password.

    With multiple choice questions, often there will be more than one answer that could be correct. The goal is to select the answer choice that is the best answer from among those given. In this case, “enforce password control procedures for users” is a better answer than “require change control procedures for programs.” Both controls are important, but password control is more relevant to the situation described in the question. An example of a password control procedure would be requiring passwords to be changed at regular intervals and requiring them to meet certain minimum specifications.

    Here is a link to a sample password policy that exemplifies password control procedures:

    The key is the enforcement of whatever controls the organization has established in its written password policy. It does no good to have a password policy if the policy is not enforced by management.


    • This reply was modified 3 years ago by Lynn Roden.
    Alexey Gnoevoy

    Brian, Lynn Thank you! Now i understand!

Viewing 3 replies - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.