Auditing-IT-Governance-Controls_CIS Flashcards
Understand the risks of incompatible functions and how to structure the IT function. Be familiar with the controls and precautions required to ensure the security of an organization’s computer facilities. Understand the key elements of a disaster recovery plan. Be familiar with the benefits, risks, and audit issues related to IT outsourcing.
What are the key objectives of IT governance?
Reduce risk and ensure investments in IT resources add value to the corporation
All corporate stakeholders must be active participants in key IT decisions.
What issues are addressed by SOX and the COSO internal control framework in IT governance?
- Organizational structure of the IT function
- Computer center operations
- Disaster recovery planning
What characterizes centralized data processing?
All data processing performed at a central site with end users competing for resources based on need.
What roles are included in the primary service areas of centralized data processing?
- Database administrator
- Data control/data entry
- Computer operations
- Data library
- System development and maintenance
What is the role of the database administrator (DBA) in centralized data processing?
Responsible for the security and integrity of the database.
What are the functions of the data processing group?
- Data conversion
- Computer operations
- Data library
What is the purpose of segregation of incompatible IT functions?
To prevent errors and fraud by keeping incompatible duties in different hands: systems development is separated from computer operations, the DBA function is separated from the other service areas, and new-systems development is separated from systems maintenance.
True or False: The DBA should have involvement in entering data or running applications.
False
What are the risks associated with Distributed Data Processing (DDP)?
- Inefficient use of resources
- Destruction of audit trails
- Inadequate segregation of duties
- Difficulty hiring qualified professionals at each site
- Lack of standards
What are the advantages of Distributed Data Processing (DDP)?
- Cost reductions
- Improved cost control responsibility
- Improved user satisfaction
- Backup flexibility
What should be evaluated during an audit of the IT function?
Verify that individuals working in incompatible areas are actually segregated, with the rigor of the segregation matched to the risk level of the functions involved (review the organization chart and job descriptions, then observe whether practice matches them).
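One way an auditor can run the segregation check described above over an access listing, as an added example that is not part of the original flashcards: the incompatible-function pairs are taken from the cards (development vs. operations, DBA vs. data entry or running applications, new development vs. maintenance), while the function labels, user names and assignments are constructed for illustration and would in practice come from corporate policy and the actual role-assignment export.

```python
"""Segregation-of-duties (SoD) conflict check over IT function assignments.

Added example. Function labels, user names and the ASSIGNMENTS table are
hypothetical sample data constructed here; a real audit loads the role
export from the identity system and the conflict pairs from corporate policy.
"""
from itertools import combinations

# Incompatible function pairs. Each frozenset is a "toxic combination":
# no single individual should hold both functions.
INCOMPATIBLE_PAIRS = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"database_administration", "data_entry"}),
    frozenset({"database_administration", "computer_operations"}),
    frozenset({"new_systems_development", "systems_maintenance"}),
}

# Constructed sample of who holds which functions (hypothetical users).
ASSIGNMENTS = {
    "alice": {"systems_development"},
    "bob": {"computer_operations", "data_library"},
    "carol": {"database_administration", "data_entry"},
    "dave": {"systems_development", "computer_operations"},
    "erin": {"new_systems_development", "systems_maintenance"},
}


def find_conflicts(assignments, incompatible=INCOMPATIBLE_PAIRS):
    """Return {user: [(function_a, function_b), ...]} for every user who
    holds at least one incompatible pair. Pairs are sorted so the output is
    deterministic regardless of the order functions appear in the export."""
    conflicts = {}
    for user, functions in assignments.items():
        hits = [
            tuple(sorted(pair))
            for pair in combinations(sorted(functions), 2)
            if frozenset(pair) in incompatible
        ]
        if hits:
            conflicts[user] = sorted(hits)
    return conflicts


def users_per_function(assignments):
    """Return {function: sorted [users]} so the auditor can see functions
    that are concentrated in one person, a common DDP symptom."""
    index = {}
    for user, functions in assignments.items():
        for fn in functions:
            index.setdefault(fn, []).append(user)
    return {fn: sorted(users) for fn, users in index.items()}


def audit_lines(assignments, incompatible=INCOMPATIBLE_PAIRS):
    """Build the finding lines an auditor would paste into the workpapers."""
    lines = []
    for user, pairs in find_conflicts(assignments, incompatible).items():
        for a, b in pairs:
            lines.append(f"FINDING: {user} holds incompatible functions {a} and {b}")
    if not lines:
        lines.append("No SoD conflicts found in the supplied assignments")
    return lines


if __name__ == "__main__":
    for line in audit_lines(ASSIGNMENTS):
        print(line)
```

Because the check is driven by a conflict table rather than hard-coded rules, the same script can be rerun against each distributed site's export; sites with too few staff to avoid every conflict will show up as findings that need documented compensating controls rather than being silently accepted.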
What are some key areas of potential exposure in a computer center?
- Physical location
- Construction
- Access
- Air conditioning
- Fire suppression
- Fault tolerance
What is a Disaster Recovery Plan (DRP)?
A comprehensive statement of all actions to be taken before, during, and after any type of disaster.
What are essential elements of an effective DRP?
- Identify critical applications
- Create a disaster recovery team
- Provide site backup
- Specify backup and off-site storage procedures
What is the significance of identifying critical applications in disaster recovery?
Recovery efforts must concentrate on restoring applications critical to the organization’s short-term survival.
What are the most common options for providing second-site backup?
- Mutual aid pact
- Empty shell (cold site)
- Recovery operations center (hot site)
- Internally provided backup
What are the risks inherent to IT outsourcing?
- Failure to perform
- Vendor exploitation
- Outsourcing costs exceed benefits
- Reduced security
- Loss of strategic advantage
What does SAS 70 provide for auditors regarding IT outsourcing?
An independent service auditor's report on the processes and controls at the third-party vendor, giving the user organization's auditor assurance that those controls are adequate to prevent or detect material errors without having to audit the vendor directly. (SAS 70 has since been superseded by SSAE 16 and then SSAE 18, under which the equivalent report is the SOC 1.)
Fill in the blank: The ability of the system to continue operation when part of the system fails is known as _______.
Fault tolerance
What should be included in tests for a disaster recovery plan (DRP)?
- Evaluate adequacy of backup site arrangements
- Review list of critical applications for completeness
- Verify copies of critical applications and operating systems are stored off-site