Chapter 7

Control Activities

MULTIPLE CHOICE QUESTIONS

1. Control activities can be designed to provide reasonable assurance that all except
which of the following will happen?
A. Transactions will be recorded to permit preparation of financial
statements.
B. All risks will be eliminated.
C. Access to assets will be permitted only in accordance with management’s
authorization.
D. The recorded accountability for assets will be compared with the existing
assets at periodic intervals.
B

2. Which of the following control activities would most likely influence the behavior
of managers?
A. Monitoring compliance with internal controls
B. Limiting direct access to assets by physical isolation and security devices
C. Establishing budgets or standards and identifying variances from these
budgets or standards
D. Supporting employees with the resources necessary to discharge their
responsibilities
C

3. Of the following control activities, which is the most effective?

A. Bonding of employees
B. Segregation of duties
C. Rotation of assignments
D. Enforced vacations
B

4. The segregation of duties between the custody of cash and the recording of cash
receipts best illustrates which of the following control concepts?
A. Oversight
B. Isolation
C. Redundancy
D. Accountability
B
5. What is the single most effective control that avoids allowing one person to be in
a position to perpetrate and then conceal errors or inappropriate activities?
A. The segregation of authorization of transactions, custody of related assets,
and modification or creation of related data and program files (or paper-
based records).
B. The requirement that each employee take a vacation each year.
C. The establishment of an internal auditing department.
D. The bonding of personnel in positions that necessitate handling cash and
negotiable securities.
[CIA adapted]
A

6. Which of the following duties should be segregated for good internal control?
A. Approval of credit from issuance of sales orders
B. Shipment of goods and entry of shipping transaction data
C. Receipt of cash and maintenance of the cash account
D. All of the above are proper segregation of duties.
D

7. The authority to grant credit for returns and allowances should be independent of
which function?
A. Shipping
B. Sales order processing
C. Billing (sometimes called customer invoicing)
D. Cash receipts
C

8. Which of the following would be the most effective user password?

A. Smith
B. 123456789
C. tuttle236cog
D. ssssssssssss
C

9. Which of the following controls is the most effective for preventing unauthorized
access to data and program files?
A. No access except during normal working hours
B. Fingertip scanners
C. Policy prohibiting unauthorized access
D. Passwords
B

10. For what purpose would the system administrator be likely to use a user rights
table?
A. To create an audit trail for detecting access violations
B. To plan for access security
 C. To encrypt data for high-level protection
D. To store user authentication codes
B

11. To enable a user to access data and program files, what should the user be
required to enter?
A. A parity check
B. A personal identification code
C. A self-diagnosis test
D. An echo check
B

12. What is the purpose of user authentication?

A. To verify that the user is entitled to enter transaction data
B. To verify the identity of the user
C. To verify that the user can access data files
D. To verify that the transaction was authorized
B

13. Data access control activities include which of the following?

A. User authentication, encryption, firewall, automatic log off
B. Encryption, batch controls, directory and file attributes
C. User authentication, user rights, callback device, check digit
D. Segregation of duties, user authentication, automatic rollback
A

14. Which of the following controls most likely would assure that an organization can
reconstruct its files?
A. Hardware controls that are built into the computer by the computer
manufacturer.
B. Backup copies of data and program files that are stored away from
originals.
C. Personnel, who are independent of data input, perform parallel
simulations.
D. System flowcharts that provide accurate descriptions of input and output
operations.
B

15. Which of the following represents weak internal control?

A. The design and implementation is performed in accordance with
management's specific authorization.
B. Any and all changes in application programs have the authorization and
approval of management.
C. Provisions exist to protect data files from unauthorized access,
modification, or destruction.
 D. Application developers test their own new or modified applications before
the applications are implemented.
[CMA adapted]
D

16. General controls apply to the reliability and consistency of the overall information
processing environment. To what do application controls apply?
A. All information processing activities
B. The flow of data in and among individual applications
C. The assignment and supervision of personnel
D. Accounting systems that use databases
B

17. Which of the following transactions is least likely to require the entry of a specific
authorization code?
A. Weekly payroll totaling $10,000
B. Cash disbursement for $1,000
C. $2,000 write-down of obsolete inventory
D. $500 credit sale to a new customer
A

18. What is the most common computer-related problem confronting organizations?

A. Hardware malfunction
B. Input errors
C. Disruption to the processing activities as a result of natural disasters
D. Fraud
[CIA adapted]
B

19. What is the most likely source of errors in a computerized accounting system?
A. Operator action
B. Output
C. Processing
D. Input
[CMA adapted]
D

20. What kind of reasonable assurance do check digits, screen properties, and
reasonableness tests provide?
A. Processing has been performed as intended without omission or double
counting of transactions.
B. Only authorized persons have access to files.
C. Data have been correctly entered.
D. Coding of data internal to the computer did not change when the data were
moved from one internal storage location to another.
[CIA adapted]
C

21. An employee in the receiving department keyed in a receiving record and

inadvertently omitted the purchase order number. What control will prevent this error?
A. Anticipation of contents
B. Sequence check
C. Reasonableness test
D. Smartcard
[CMA adapted]
A

22. Some of the more important control activities in computerized accounting

information systems are validity checks, reasonableness checks, and checks for logical
relationships. How are these activities classified?
A. Control total validation routines
B. Hash totals
C. Output controls
D. Input verification controls
D

23. A clerk was entering a sales transaction in her cash register and accidentally
entered a sales representative code for a terminated employee. This error could have been
detected if the system included a
A. Dual read check
B. Valid code check
C. Valid character check
D. Reasonableness test
B

24. Which of the following would detect a data input error in the entry of a customer
code?
A. A logic check
B. A combination check
C. A valid code check
D. A parity check
C

25. Which of the following is an example of a data verification check?

A. The system checks that a numerical amount in a field does not exceed
some predetermined amount.
B. As the system corrects errors and data are successfully resubmitted, the
causes of the errors are printed out.
C. The system returns an error message if the value entered in a field does not
match one in a reference file of permissible values.
D. After transaction data are entered, certain data are sent back to the
workstation for comparison with data originally sent.
C

26. Omen Company is a manufacturer of men’s shirts and distributes weekly sales
reports to each sales manager. The quantity 2R5 appeared in the quantity sold
column for one of the items on the weekly sales report for one of the sales
managers. What is the most likely explanation for what occurred?
A. The output quantity was stated in hexadecimal numbers.
B. The computer malfunctioned during execution.
C. The printer malfunctioned and the “R” should have been a decimal point.
D. The system did not contain a verification control for input data.
CMA adapted]
D

27. What kind of input control is involved when a self-checking digit is appended to a
customer account number?
A. Data verification control
B. Data capture control
C. Classification and identification control
D. Hash control
A

28. While entering data into a cash receipts transaction file, an employee transposed
two numbers in a numeric code. Which of the following controls would have
prevented this type of error?
A. Sequence check
B. Record check
C. Self-checking digit
D. Field-length check
C

29. The authority for establishing credit policy normally resides with which of the
following?
A. Treasurer and upper management
B. Controller and upper management
C. Sales department and upper management
D. Credit department and upper management
D

30. The authority for establishing selling prices normally resides with which of the
following?
A. Treasurer and upper management
B. Controller and upper management
C. Sales department and upper management
D. Credit department and upper management
C
31. The authority for ordering goods and services normally resides with which of the
following?
A. Treasurer
B. Originating department manager
C. Controller
D. Employee who initiates the order
B

32. The authority for receiving incoming shipments of goods and the responsibility
for checking them normally resides with which of the following?
A. Receiving department and quality control personnel
B. Purchasing agent and quality control personnel
C. Employee who initiated the order and quality control personnel
D. Quality control personnel
A

33. The authority for approving employee time data normally resides with which of
the following?
A. The payroll department
B. The personnel department
C. An employee’s immediate supervisor
D. The controller
C

34. The authority for disbursing cash for vendor payments or payroll disbursements
normally resides with which of the following?
A. The cash disbursements clerk
B. The treasurer
C. The credit manager
D. The purchasing agent
B

35. The need for prenumbered documents best relates to which of the following?
A. Validation of transactions
B. Segregation of duties
C. Authorization of transactions
D. Processing of all transactions
D

36. What type of control is control total analysis?

A. Input control
B. Processing control
C. Output control
D. Access control
B
37. In the processing of a batch of purchase transactions, which of the following
would be used to compute a hash total?
A. Vendor account numbers
B. Dollar amounts of vendor invoices
C. Number of vendor invoices in batch
D. Number of inventory items purchased
A

38. The accuracy and completeness of the general ledger update process can be tested
y comparing the accounts receivable balance before the update, the total debits
and credits to the accounts receivable account in the sales transaction file, and the
accounts receivable balance after the update. What does this process use?
A. Check digit analysis
B. Control total analysis
C. Validity analysis
D. Hash total analysis
B

39. What is a function of control totals?

A. To ensure that all authorized transactions are processed once and only
once
B. To ensure that as a batch transmittal ticket progresses through the various
processing stages it is not altered
C. To verify the accuracy and completeness of programmed processing
D. To ensure that an initial computation is correct and has not been altered
during processing
C

40. When data are to be maintained at a company’s site, which keys should be used
for encryption?
A. Private
B. Public
C. Digital
D. Both A and B
A

41. When using both private and public keys for cryptography, which of the
following statements is correct?
A. The digital certificate is used for encryption.
B. The private key is used for decryption.
C. The public key is used for decryption.
D. The digital certificate is used for decryption.
B

42. Which of the following statements regarding cryptography is not correct?

A. Much emphasis is placed on the encryption side of cryptography.
 B. When using private and public keys, the decrypting key is never sent
anywhere.
C. A solution to the problem of securing data that leave their original location
is the private key.
D. Locating encryption keys on Web servers is not as difficult as once
believed.
C

43. Disaster recovery plans should include all of the following EXCEPT:
A. An alternative means to continue processing after disaster.
B. A strong audit trail for all transactions.
C. Required employee training and periodic testing of the plan.
D. All of the above should be included in the disaster recovery plan.
B

44. Disaster recovery plans help reduce which of the following types of risk?
A. Business risk.
B. Information access risk.
C. General controls risk.
D. All of the above.
A

45. The BEST explanation for the absence of complete information on computer
crime would be:
A. Abuse is handled as an internal matter.
B. Hesitant disclosure of abuse due to embarrassment.
C. Documentation of abuses hasn't caught up with actual abuses.
D. Most computer crime is not caught and/or reported.
D

46. Of the following control activities, which is the MOST effective for minimizing
the possibility of fraudulent activity?
A. Bonding of employees.
B. Segregation of duties.
C. Rotation of assignments.
D. Enforced vacations.
B

47. When auditing a client's database, the purpose of extracting high value and old
invoices is to:
A. Determine which vendors and employees have the same addresses.
B. Determine potential invoices for review.
C. Determine unusual relationships between high dollar amounts and past
due invoices.
D. Determine which invoices are open and are past due.
B
48. What is the advantage of having a “hot site” as a back-up control?
A. Power and space are available at the site to set up processing equipment
on short notice (e.g., after a disaster)..
B. The site is located in another branch of the company in a neighboring
county.
C. The system is configured in a manner similar to the normal day-to-day
processing and is available for immediate use.
D. All of the above are advantages of having a hot site.
C

49. Which of the following are methods of auditing in computerized environments?

A. Auditing around the computer.
B. Auditing with the computer.
C. Auditing through the computer.
D. B and C only.
E. All of the above.
E

50. Which of the following defines the integrated test facility (ITF) method of
auditing through the computer?
A. Hypothetical data are used to test programmed controls and logic.
B. The auditor uses another program to test actual data and compare them to
the company’s results.
C. Artificial data are used to test the accounting information system.
D. A module is inserted into the application to monitor and collect data.
C

51. What are controls that concern all computer activities?

A. General controls.
B. Application controls.
C. Change controls.
D. IT audit controls.
A

52. What is (are) included in IT governance?

A. The corporate charter, policies, and bylaws of the corporation.
B. The issues surrounding IT management and security.
C. The entire organization’s management of resources and risks.
D. All of these are included in IT governance.
D

53. Which of the following statements about computer forensics experts is (are)
TRUE?
A. Erasing all data on the computer by the fraud perpetrator makes it
impossible for the forensics expert to extract evidence.
 B. Computer forensic experts collect evidence and information for use in
fraud cases using legally accepted methods.
C. Computer forensics experts are NOT allowed to train the company’s
employees.
D. All of these statements are true.
B

54. Which of the following controls would be most effective in assuring the proper
custody of investment securities?
A. Direct access to securities in the safety deposit box is limited to only one
corporate office.
B. Personnel who post investment security transactions in the general ledger
master file are prohibited from updating the investment securities master
files
C. The purchase and sale of investment securities are executed upon the
specific authorization of the board of directors.
D. The balances in the investment security master file are periodically
compared with the physical investment securities by independent
personnel.
D

55. The total computed on which of the following would be a hash total for payroll
applications?
A .Hours worked.
B. Total debits/credits.
C. Net pay.
D. Department numbers.
D

56. Segregation of duties reduces the opportunities for a person to be in a position to

do which of the following?
A. Perpetrate and conceal errors and inappropriate acts.
B. Record both cash receipts and cash disbursements.
C. Journalize entries and prepare financial statements.
D. Establish control activities and authorize transactions.
A

57. ABC Company inputs sales transaction data in batches that are subject to edit
checks. What would be a direct output of the edit checks?
A. Printout of all user IDs and passwords.
B. Report of all missing sales invoices.
C List of all voided shipping documents.
D. Report of all rejected sales transactions.

D
58. Which of the following is (are) application controls
A. Access security.
B. Passwords.
C. Input controls.
D. All of the above.
E. None of the above.
C

59. Self-checking digits are used to detect which of the following errors?
A. Processing data in the wrong sequence.
B. Losing data between processing functions.
C. Assigning a valid code to the wrong customer.
D. Entering an invalid customer code.
D

60. Which of the following procedures is most likely to prevent the improper
disposition of equipment?
A. A periodic analysis of the scrap sales and the repairs and maintenance
accounts.
B. The segregation of duties between those authorized to dispose of
equipment and those authorized to enter the disposition transaction.
C. The use of serial numbers to identify equipment that can be sold.
D. A periodic comparison of equipment removal work orders with the
authorizing documentation.
B

61. What should be the role of an information services steering committee?

A. Initiate all applications development; set priorities for implementing,
applications; develop system security.
B. Assign duties to systems personnel; prepare and monitor application
implementation plans; prepare system flowcharts.
C. Establish/approve information processing policies, system projects, and
priorities for implementing systems; evaluate effectiveness of processing
operations; monitor processing activities.
D. Decide on specific information needs; prepare detailed plans for system
evaluations; set priorities for developing applications; decide what
computer hardware will be purchased.
C

62. A company updates its account receivable master file weekly and retains the
master files and corresponding transaction files for the most recent two-week
period. What is the purpose of this practice?
A. Permit reconstruction of the master file if needed.
B. Match logical relationships to detect errors in the master file records.
C. Verify run-to-run totals.
D. Match logical relationships to detect errors in the master file records.
A

63. What is a control to ensure that transactions are reconstructed correctly after an
unplanned termination of processing?
A. Automatic rollback.
B. Record count and control total.
C. Anticipation and hash total.
D. Concurrence and sequence number.
A

64. What is a popular way of shielding an organization’s private network from

intruders outside of the organization?
A. File attributes.
B. Uninterruptible power supply.
C. Auxiliary power supply.
D. Firewall.
D

65. Which of the following concepts relate to control activities?

A. Isolation and accountability.
B. Redundancy and oversight.
C. Comparison and assistance.
D. A and B only.
E. All of the above.
E

66. which of the following is (are) categories of control activities?

A. Information processing.
B. Physical controls.
C. Performance reviews.
D. Segregation of duties.
E. A, B, and D only.
F. All of the above.
F

67. Which of the following represent physical controls?

A. Separation of the authorization and modification functions of purchasing.
B. Alarms and surveillance cameras for the warehouse.
C. Back-ups of all master files.
D. All of the above.
B

68. What are general computer controls?

A. Controls related to the flow of data in and among support applications.
B. Controls related to the reliability and consistency of the processing
environment.
 C. Controls that separate functions that are not compatible.
D. Controls to authorize staff to use specific programs.

69. What is automatic rollback?

A An in-house backup that is completed through the Internet.
B. A pricing method used by retailers.
C. feature that backs out incomplete transactions.
D. A feature that aids in the recovery of data.
C

70. Which of the following is a valid method for monitoring internal control?
A. Conducted as a separate project by IT auditors and supervisory personnel.
B. Conducted on an ongoing basis by flagging items that should be
investigated.
C. Conducted as a separate project by IT auditors and supervisory personnel
or conducted on an ongoing basis by flagging items that should be
investigated.
D. None of these is a valid method for monitoring internal control.
C

71 Which of the following is the most effective type of internal control?

A. Automated detective controls.
B. Automated preventive controls.
C. Manual detective controls.
D. Manual preventive controls.
B

72. A disaster recovery plan is which of the following?

A. An application control.
B. An automated preventive control.
C. A general control.
D. An automated application control.
C

73. What are the three types of firewalls?

A. On-screen applications, operating system-based firewalls, and general
firewalls.
B. On-screen applications, offline firewalls, and applications-based firewalls.
C. Screen routers, offline firewalls, and general firewalls.
D. Screen routers, operating system-based firewalls, and applications-based
firewalls.
D
74. A warehouse employee of a retail company was able to conceal the theft of items
of inventory by entering adjustment transactions to the inventory transactions to
the inventory transaction file indicating that the items had been damaged or lost.
What control would have prevented the adjustments from being recorded?
A. Including a check digit in the inventory part number.
B. Requiring separate authorization for input of adjustment transactions.
C. Including a parity check on the inventory part number.
D. Providing an edit check for the validity of the inventory part number.
[CIA adapted]
B

75. An accounts payable program posted a payable to a vendor not included in the
vendor master file. What is a control that would have prevented this error?
A. Validity check.
B. Range check.
C. Reasonableness test.
D. Parity check.
[CIA adapted]
A

76. What principle of segregation of duties is demonstrated by segregating the duties

of hiring personnel from distributing payroll checks?
A. Authorization of transactions from the custody of related assets.
B. Operational responsibility from recordkeeping responsibility.
C. Human resources function from the controllership function.
D. Administrative controls from the internal accounting controls.
[CMA adapted]
A

77. Which of the following is an effective way to reduce business risk?

A. Having a strong internal control system
B. Having well-documented management policies and procedures.
C. Having regular assessments of the risks to information assets.
D. Having a documented and regularly tested disaster recovery plan.
D

TRUE/FALSE QUESTIONS

1. A network that uses fiber optic cable provides better access security than cables
that transmit electrical impulses.
T

2. To provide a high level of assurance, a large organization would normally not

need more than fifty controls.
F
3. Computer hardware controls are built in by the manufacturer.
T

4. General controls apply to the reliability and consistency of the overall information
processing environment, and they support application controls.
T

5. A trend is a movement away from programming controls into computer software

and toward placing controls in human operating procedures.
F

6. Control activities include a variety of operational procedures, may be physical in

nature, and include techniques that ensure the security of computer programs,
files, and networks.
T

7. In the process of identifying control activities, you must first identify risks.
T

8. A current trend with respect to the placement of controls is a movement away

from controls programmed into computer software toward controls in human
operating procedures.
F

9. According to SAS 94, control activities can be classified into performance

reviews, physical controls, segregation of duties, and authorizations.
F

10. Performance measures should be quantitative as opposed to qualitative.

T

11. Physical controls protect assets from theft and destruction.

T

12. Duties that should be segregated are authorization of transaction and other events,
custody of assets, and modification or creation of related data and program files.
T

13. General controls relate to the flow of data in and among individual applications,
such as customer billing and cash receipts.
F

14. A disaster recovery plan is an application control.

F
15. The monitoring of internal control can be conducted on an ongoing basis, as a
separate project, or as a combination of both.
T

16. Disaster recovery plans should be practiced regularly so that everyone knows
what they are supposed to do in the event of a disaster.
T

17. Hiring trustworthy employees is the best way to minimize the opportunity for
fraudulent activity,
T

18. Computer crimes are always reported and easily investigated.

F

19. Computer forensics involves putting together the facts and computer evidence
necessary to prosecute computer criminals.
T

20. SAS 94 allows auditing around the computer in complex IT environments.

F

SHORT ANSWER/ESSAY QUESTIONS

1. Monitoring control activities to determine if they are adequate and effective can
be done on an ongoing basis, as a separate project, or as a combination of both.
Briefly compare monitoring on an ongoing basis versus monitoring as a separate
project.

Answer:
Ongoing monitoring includes various comparisons and reconciliations that are
inherent in routine supervisory activities. Examples of on-going monitoring
activities are preparing and investigating items on exception reports, being alert
to data that do not “look” right, comparing inventory that has been counted to the
inventory balances in the accounts, comparing investment securities stored in a
vault with the balances in the accounts, reconciling the bank statement with the
cash account, reconciling data prepared for operational purposes with data on
financial statements, and making other comparisons to ensure that the accounting
records correspond to economic reality.

Monitoring conducted as a separate project provides for a more concentrated

focus on the adequacy and effectiveness of control activities than does an ongoing
monitoring process. Monitoring projects are generally the responsibility of an
organization’s internal auditors.
2. Identify and briefly describe the classification scheme for control activities.

Answer:
Performance reviews are designed to mitigate risks that can have an adverse effect
on meeting objectives in the broad category of effectiveness and efficiency of
operations.

Physical security control activities mitigate risks that can an adverse effect on the
achievement of management objectives in the broad categories of effectiveness
and efficiency of operations.

Segregation of duties ensures that a single individual cannot both perpetrate and
conceal an error or an inappropriate act and mandates that certain duties be
segregated.

Information processing control activities are designed to mitigate risks that have
an adverse effect on achieving objectives in all three categories-quality of
information, effectiveness and efficiency of operations, and compliance with
applicable laws and regulations.

3. Identify the general control activities that are desirable for information processing
systems.

Answer:
a. Access security
b. Network and data service center operation controls
c. System software acquisition, implementation, and maintenance controls
d. Application software selection (or development), implementation, and
maintenance controls

4. List and describe the two basic types of encryption.

Answer:
Transposition rearranges (or scrambles) the order of the bits, characters, or blocks
of characters. Substitution replaces the actual bits, characters, or blocks of
characters with substitutes; for example, a number replaces a letter.

5. Identify five commonly used input verification controls.

Answer:
Students may list any five of the following:
a. Valid codes
b. Reasonableness of amounts
c. Valid data type
d. Valid field length
e. Logical relationships
 f. Anticipated contents
g. Valid date

6. Describe the process of cryptography using private and public keys.

Answer:
If a business requests sensitive data from another party, it can forward to the
sending party an encrypting key, or public key. The sending party will then use
the public key to encrypt data and then send the encrypted data to the requesting
party. The requesting party will use its related private key, or decrypting key, to
decode the information.

7. Explain what key(s) would be used by a business transmitting sensitive data and
why the key(s) would be used.

Answer:
If a business keeps data on site, there is no need to maintain a separate key to
decode encrypted information so only a private key is needed. However, the
problem of security arises when data leave their original location. For instance,
data are encrypted using the private key, which will also be needed by the
recipient of the information to decrypt it. The security of the information will be
compromised when the private key is sent from sender to receiver. Therefore, a
second key, or public key, must be used to transmit data.

8. What are the underlying fundamental concepts of control activities?

Answer:
Isolation, redundancy, comparison, assistance, oversight, and accountability

9. What are the three types of firewalls?

Answer:
Screening routers, operating-system based firewalls, and application-based
firewalls.

10. Name and define the three kinds of batch backup strategies.

Answer:
Full–All data, regardless of when or if it has previously been backed up.
Incremental–All data that have been modified since the last incremental backup.
Differential–All data that have been modified since the last full backup.
11. List AND describe three of the four methods available for auditing through the
computer described in SAS 94. Indicate the LEVEL of IT knowledge necessary
for each of the methods you describe (e.g., extensive knowledge, or little
knowledge).

Answer:
Test data (auditor uses hypothetical transactions to audit programmed controls
and logic--little knowledge of IT required), parallel simulation (auditor
simulates/duplicates firm's output with another computer program to test actual
data--some knowledge of IT required), integrated test facility (auditor uses
artificial data to test how AIS performs tasks--requires high level of IT
knowledge), embedded audit module (auditor installs module to monitor system
and collect data--requires high level of IT knowledge).

12. Define computer forensics. Include in your explanation a list of 5 of the activities
that computer forensic experts can do.

Answer:
Computer forensics experts put together the facts and computer evidence
necessary to prosecute computer criminals. Using legally accepted methods, they
can: 1) access information (even if it was deleted by the user) and prepare the
case, 2) testify in court, and 3) train IT auditors and security staff to help in the
investigation. Computer forensic experts can also 4) train employees in security
awareness and 5) provide an evaluation (with recommendations) of the
company’s IT security environment.