1. Information Technology Governance

Question 1

What are 3 steps of manual AIS (accounting information system) and corresponding automated AIS term for each step?

Answer 1

1. Journalize: record entries = input
2. Post: to general ledger = process
3. Summarize: prepare a trial balance = output

Question 2

What are 3 steps of automated AIS?

Answer 2

1. Input: record or capture event data in system, (input to storage)
2. Process: update data storage
3. Output: retrieve master data from storage

Question 3

What are 4 main categories of AIS accounting records?

Answer 3

1. Source “documents”/data capture
2. Data accumulation records/journals
3. Subsidiary ledgers/registers
4. General ledger, FS, reports

Question 4

What is the least predictable element in most accounting systems?

Answer 4

People.

Question 5

What are 5 elements of accounting systems?

Answer 5

People, procedures, hardware, software, data (automated or programmed controls increasingly important)

Question 6

What are 2 elements of manual accounting systems?

Answer 6

People and procedures (manual controls still relevant).

Question 7

What is manual historically and now?

Answer 7

H: An AIS with no computers.
N: Instructions for users (user procedures manual, operations manual)

Question 8

What are 6 potential differences between manual and computer system controls?

Answer 8

1. Segregation of duties
2. Audit trail
3. Transaction processing
4. Computer initiated transactions
5. Risk of errors and defalcations
6. Management review

Question 9

Describe manual and computer system controls in each 6 elements.

Answer 9

1. Segregation of duties
   M: Possible in medium to large organizations
   C: Combine previously segregated functions, include compensating (automated) controls
2. Audit trail
   M: Physical (paper) trails
   C: Electronic audit trails
3. Transaction processing
   M: More clerical errors
   C: Potential for systematic (logic) errors
4. Computer initiated transactions
   M: None = less efficient
   C: Increase efficiency
5. Risk of errors and defalcations
   M: no remote access, paper records, manual processes, separate functions
   C: Remote access risk, data concentration, less human observation, manipulation of errors in application programs
6. Management review
   M: Isolated data = not useful for analytics
   C: Greater data accessibility, embedded controls

Question 10

What are 4 risks in computer-based systems?

Answer 10

Systems, programs, and people (FUNI)

• Reliance on Faulty systems or programs (F)
• Unauthorized changes in master files, systems, or programs (U)
• Failure to make Needed changes (N)
• Inappropriate Intervention (by people) (I)

Question 11

What is IT security goals?

Answer 11

Security, availability, processing integrity, confidentiality, privacy

Question 12

What is COBIT?

Answer 12

The Control Objectives for Information and Related Technology.

Question 13

What is the purpose of COBIT?

Answer 13

• Align IT and business goals/strategies.
• Link business risks, controls needs and IT.
• Common language for users, auditors, management, and business process owners in identifying risks and structuring controls.
• Provide framework: how much IT security must management invest in? - IT security and control. Auditing and oversight.

Question 14

What is the framework flow of COBIT?

Answer 14

Business requirement - IT resources - IT processes.

Question 15

What is COBIT framework definition?

Answer 15

To provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

Question 16

Why is COBIT framework needed?

Answer 16

Process orientation to exercise responsibilities, achieve goals and manage risks.

Question 17

COBIT framework: what are 7 criteria for business objectives?

Answer 17

Effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability.

Question 18

COBIT framework: What are 5 IT resources?

Answer 18

Data, application systems, technology, facilities, people.

Question 19

COBIT framework: what are 4 IT processes?

Answer 19

Plan and organize, acquire and implement, deliver and support, monitor and evaluate.

Question 20

What is the difference between COSO and COBIT and what are both focusing on?

Answer 20

COSO: Organizational control and processes
COBIT: IT controls and processes
Both: focus on monitoring of organizational processes

Question 21

COBIT process: monitor and evaluate: What are 2 activities?

Answer 21

• Regularly assess IT processes for quality and compliance

* Includes management oversight of control process and independent assurance

Question 22

COBIT process: monitor and evaluate: what are 4 processes?

Answer 22

• Monitor the process
• Assess internal control adequacy
• Obtain independent assurance
• Provide for independent audit

Question 23

What are 3 major components of the COBIT model?

Answer 23

Domains and processes, information criteria, IT resources.

Question 24

What is ERP?

Answer 24

Enterprise-wide or Enterprise Resource Planning.

Question 25

What are the goal of ERP?

Answer 25

• Integration: management support, knowledge work support, and operational support into one system
• Cost savings: reduce system maintenance costs
• Employee empowerment: improves communication and decision making by increasing information availability
• Best practices: Include most successful business processes of an industry

Question 26

ERP: what is a typical architecture? Current?

Answer 26

Typical: client/server network configuration
Current: Internet-and-intranet-based

Question 27

What is an example of ERP architecture?

Answer 27

2-or-3-tier architecture: 3-tier separates application and database functions (needed in large or complex systems).

Question 28

How is ERP systems typically purchased? What is this practice called? What is required when using this practice?

Answer 28

in modules (e.g. sales, logistics, planning, financial reporting).
Called choosing "best of breed" components.
Requires building "bridges" between systems from different vendors.

Question 29

What is OLTP?

Answer 29

Online transaction processing system: one of ERP modules that include core business functions: sales, production, purchasing, payroll, financial reporting etc.

Question 30

What is OLAP?

Answer 30

Online analytical processing system: Data warehouse and data mining capabilities within ERP.

Question 31

What is cloud-based systems and storage?

Answer 31

A virtual data pool often managed by a third party vendor.

Question 32

What is IaaS?

Answer 32

Infrastructure as a Service: Access to virtual hardware (Amazon Web Services and Carbonite).

Question 33

What is Paas?

Answer 33

Platform as a Service: Access to operating system and related services including development (Salesforce.com’s Force.com).

Question 34

What is SaaS?

Answer 34

Software as a Service: Access to software (Office 465, Google docs).

Question 35

What are 4 clouds deployment models?

Answer 35

• Public Clouds: available to public or large industry group, owned by an organization selling cloud services (Google, IBM, Microsoft etc).
• Private Clouds: For one organization, maybe outsourced on or off site.
• Community Clouds: shared by common users for one organization (e.g. municipal governments, an industry association, related to compliance requirements).
• Hybrid Clouds: two or more of the above with partitions between types of services.

Question 36

Cloud-based systems and storage: what are 6 benefits?

Answer 36

1. Universal access: system data is available at any site with Internet access
2. Cost reduction: Eliminate multiple systems, pay-for-use “demand” pricing, no or low fixed costs
3. Scalability: grow with organization
4. Outsourcing and economies of scale: outsource to provider with lower costs
5. Enterprise-wide integration: synergies with ERP
6. Deployment speed: outsourcing often much faster than insourcing

Question 37

Cloud-based systems and storage: 5 risks?

Answer 37

1. Data loss: Increase risk of data loss and outages.
2. Increase system penetration risk.
3. Vendor failure risk
4. More vulnerable to actions by other tenants for data stored in community and public clouds
5. Storing data with a high-profile cloud service provider can make one a high profile target for cyber attackers

Question 38

What are IT dept risks?

Answer 38

1. Physical asset theft and destruction

2. Intellectual property (IP) (software) risks: theft, undetected alteration, destruction

Question 39

IT dept: What are common functions?

Answer 39

• Built applications
• Support the delivery of IT services in the organization
• Manage database, data stores, and data archives

Question 40

IT dept: what is CIO? What does she do?

Answer 40

Chief Information Officer.

• Oversees IT dept
• In some organizations, vice president of information technology or chief technology officer (CTO)
• Generally reports to the chief executive officer (CEO)
• Responsible for existing and future systems
• Accountable for organization’s hardware and software operations

Question 41

IT dept: what are 3 functions that must be segregated?

Answer 41

1. Application development
2. Systems administration and programming
3. Computer operations

Question 42

IT dept: what are the roles for 3 main functions?

Answer 42

• Application development: safeguards assets (applications in development: create/maintain = done in a test environment. Use non live copies of programs)
• Systems administration and programming: grant authorization (access), maintain computer hardware and computing infrastructure.
• Computer operations: execute events, safeguard archived IP, day-to-day operations of systems.

Question 43

IT dept: Application development: what are 2 key roles?

Answer 43

• System analysts: analyze and design new systems, lead teams of programmers, partner with end users to define problems and solutions.
• Application programmers: write application programs under the direction of system analyst, work in a test environment, must not have access to live copies of program or archived software.

Question 44

IT dept: Systems administration and programming: key roles?

Answer 44

• System administrators (e.g. database administrator, network admin, web admin).
• System programmers: maintain operating systems and related hardware (e.g. new software and hardware releases), must not have access to programs under development or archived software.

Question 45

IT dept: computer operations: what are examples?

Answer 45

Batch input, data conversion, scheduling computer activities, run programs, printing and/or distributing output, system backup

Question 46

IT dept: computer operations: roles?

Answer 46

1. Data control (clerk): control document flows, schedule batches for data entry and editing, reconcile control totals (reconciling + authorizing function)
2. Computer operators: operate the (main frame) computer, load program and data files, run programs (execute transactions)
3. File librarian: maintain files and data that are not online in file library, check files in and out to support scheduled jobs.

Question 47

IT dept: how is segregation of duties selected?

Answer 47

Software identifies roles and creates matrix of needed segregations - semi automated process that is driven by a large complex spreadhseet.

Question 48

IT dept: who has access to live system?

Answer 48

Computer operators (live programs + data).
Systems programmers (live systems).

Question 49

IT dept: who has access to application programming?

Answer 49

Application programmers, system analysts, data administrator.

Question 50

IT dept: who has access to systems programming?

Answer 50

Systems programmers (live systems).

Question 51

IT dept: what is the weakest security element? What can the dept do?

Answer 51

Users.

• Must communicate evolving threats and risks.
• Monitor user’s security compliance
• Targeted security education

Question 52

IT dept: what are some procedures re: termination?

Answer 52

Clearly specified procedures especially for involuntary terminations.

• Disable username and keycard before notification
• Escort terminated employee from building