| Option | Explanation |
| --- | --- |
| A | Foremost among the risks associated with electronic data interchange (EDI) is improper transaction authorization. Because the interaction with the parties is electronic, there is no inherent authentication. Improper authentication poses a serious risk of financial loss. |
| B | An excessive turnaround time is an inconvenience, but not a serious risk. |
| C | The integrity of EDI transactions is important, but not as significant as the risk of unauthorized transactions. |
| D | The failure of the application interface is a risk, but not the most serious issue. Usually such a problem is temporary and easily fixed. |
| Option | Explanation |
| --- | --- |
| A | Transmission delays may terminate the process or hold the line until the normal time for processing has elapsed; however, there will be no loss of data. |
| B | Deletion or manipulation of transactions prior to, or after, establishment of application controls is an example of risk. Logging detects any alteration to the data, and the impact is not as great as that of unauthorized transactions. |
| C | Because the interaction between parties is electronic, there is no inherent authentication occurring; therefore, lack of transaction authorization is the greatest risk. |
| D | Loss or duplication of electronic data interchange transmissions is an example of risk, but because all transactions should be logged, the impact is not as great as that of unauthorized transactions. |
| Option | Explanation |
| --- | --- |
| A | One-for-one checking validates that transactions are accurate and complete but does not map data. |
| B | Manual recalculations are used to verify that the processing is correct but do not map data. |
| C | Key verification is used for encryption and protection of data but not for data mapping. |
| D | Acting as an audit trail for electronic data interchange transactions, functional acknowledgments are one of the main controls used in data mapping. |
| Option | Explanation |
| --- | --- |
| A | Encryption algorithms are too detailed for this phase. They would only be outlined, and any cost or performance implications shown. |
| B | The communications protocols must be included because there may be significant cost implications if new hardware and software are involved, and risk implications if the technology is new to the organization. |
| C | Internal control procedures are too detailed for this phase. They would only be outlined, and any cost or performance implications shown. |
| D | Third-party agreements are too detailed for this phase. They would only be outlined, and any cost or performance implications shown. |
| Option | Explanation |
| --- | --- |
| A | Performing reasonableness checks on quantities ordered before placing orders is a control for ensuring the correctness of the organization's orders, not the authenticity of its customers' orders. |
| B | An electronic data interchange system is subject not only to the usual risk exposures of computer systems but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service provider, making authentication of users and messages a major security concern. |
| C | Encrypting sensitive messages is an appropriate step but does not prove authenticity of messages received. |
| D | Acknowledging the receipt of electronic orders with a confirming message is good practice but will not authenticate orders from customers. |
| Option | Explanation |
| --- | --- |
| A | Authentication techniques for sending and receiving messages play a key role in minimizing exposure to unauthorized transactions. |
| B | Physical control is important and may provide protection from unauthorized people accessing the system but does not provide protection from unauthorized transactions by authorized users. |
| C | The electronic data interchange trading partner agreements minimize exposure to legal issues but do not resolve the problem of unauthorized transactions. |
| D | Change control procedures do not resolve the issue of unauthorized transactions. |