Chapter 2 Flashcards
- What is data conversion in an IT environment?
The data conversion function transcribes transaction data from hard-copy source documents into computer input. For example, data conversion could involve keystroking sales orders into a sale order application in modern systems, or transcribing data into magnetic media (tape or disk) suitable for computer processing in legacy type systems.
- Why does the temperature in a computer room need to be controlled?
Computers function best in an airconditioned environment, and providing adequate air conditioning is often a requirement of the vendor’s warranty. Computers operate best in a temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of 50 percent. Logic errors can occur in computer hardware when temperatures depart significantly from this optimal range. Also, the risk of circuit damage from static electricity is increased when humidity drops. In contrast, high humidity can cause molds to grow and paper products (such as source documents) to swell and jam equipment.
3-5 Primary IT services/ functions of a centralized data processing structure
- Database administration
- Data processing
- Systems development and maintenance
- The area of the IT department which provides safe storage of offline data files, original copies of commercial software and their licenses.
Data Library
7-9 Technically, who are considered system professionals?
analysts, database designers, and programmers who design and build the system
10 - 11 What are some problems encountered when a client utilizes systems programmers to perform program maintenance functions?
- Inadequate documentation
- Potential for program fraud
- Why is it difficult to hire qualified IT professionals in a DDP?
If the organizational unit into which a new employee is entering is small, the opportunity for personal growth, continuing education, and promotion may be limited.
13 - 15 Give three (3) potential problems arising from implementing DDP.
- Inefficient use of resources
- Destruction of audit trails
- Inadequate segregation of duties
- Difficulty in hiring qualified professionals
- Lack of standards
16 - 17 What does IT governance intend to achieve or what are its objectives?
- To reduce risk
- To ensure that investments in IT resources add value to the corporation
- What is a compensating control
in small organizations or in
functional areas that lack sufficient personnel, management must compensate for the absence of segregation controls with close supervision.
19-22 What are the services / functions of a corporate IT group formed for the purpose of controlling a DDP environment?
- Central Testing of Commercial Software and Hardware
- User Services
- Standard-setting Body
- Personnel Review
23 - 25 Give three (3) audit procedures to verify that the structure of the IT department provides for the segregation of incompatible functions in a CDP.
- Review relevant documentation, including the current organizational chart, mission statement, and job descriptions for key functions, to determine if individuals or groups are performing incompatible functions.
- Review systems documentation and maintenance records for a sample of applications. Verify that maintenance programmers assigned to specific projects are not also the original design programmers.
- Verify that computer operators do not have access to the operational details of a system’s internal logic. Systems documentation, such as systems flowcharts, logic flowcharts, and program code listings, should not be part of the operation’s docu-
mentation set. - Through observation, determine that segregation policy is being followed in practice. Review operations room access logs to determine whether programmers enter the facility for reasons other than system failures.
26 - 28 What IT functions should be segregated? (Give at least 2 incompatible functions in each number)
- Separating Systems Development from Computer Operations
- Separating Database Administration from Other Functions
- Separating New Systems Development from Maintenance
29 - 30 Give some advantages of adapting DDP.
- Cost reductions
- Improved Cost Control Responsibility
- Improved User Satisfaction
- Backup flexibility
- Give the meaning of RAID.
Redundant arrays of independent disks
32 - 35 Give one audit procedure to test the compliance of our client to standards on the computer center on: (what documents to check (reasons why) what items to look for) #s
- physical construction
- RAID
- Access control
- Insurance coverage
What do accountants examine during their annual audit of the computer center?
Accountants routinely examine the physical environment of the computer center as part of their annual audit.
What is the objective of assessing the computer center?
The objective is to present computer center risks and the controls that help to mitigate risk and create a secure environment.
What factors should be considered regarding the physical location of a computer center?
The computer center should be away from human-made and natural hazards, such as processing plants, water mains, airports, high-crime areas, flood plains, and geological faults.
What is the ideal construction for a computer center?
A computer center should ideally be located in a single-story building of solid construction with controlled access.
What type of access control should be implemented for a computer center?
Access should be limited to operators and employees, using physical controls like locked doors, keypads, or swipe cards.
What is the optimal temperature and humidity range for computer operation?
Computers operate best in a temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of 50 percent.
What is the most serious threat to a firm’s computer equipment?
Fire is the most serious threat to a firm’s computer equipment.
What are key features of an effective fire suppression system?
Key features include automatic and manual alarms, an automatic fire extinguishing system, manual fire extinguishers, sound construction to withstand water damage, and clearly marked fire exits.
Areas of potential exposure that can impact the quality of information, accounting
records, transaction processing, and the effectiveness of other more conventional internal
controls.
- Physical Location
- Construction
- Access
- Air conditioning
- Fire Suppression
- Fault Tolerance
What is fault tolerance?
The ability of the system to continue operation when part of the system fails due to hardware failure, application program error, or operator error.
What is the purpose of implementing fault tolerance control?
To ensure that no single point of potential system failure exists.
What can cause total failure in a system with fault tolerance?
Total failure can occur only if multiple components fail.
What does RAID stand for?
Redundant arrays of independent disks.
How does RAID work?
It involves using parallel disks that contain redundant elements of data and applications, allowing lost data to be reconstructed if one disk fails.
True or False: Halon is a fire-fighting gas that is still allowed by federal law.
False.
What problems can commercially provided electrical power present?
- Total power failures
- Brownouts
- Power fluctuations
- Frequency variations
What devices are used to control power problems in a computer center?
- Voltage regulators
- Surge protectors
- Generators
- Backup batteries
What is the auditor’s objective regarding computer center security?
To evaluate the controls governing computer center security.
What should the auditor verify about the controls in place?
- Adequate protection from physical exposures
- Compensation for destruction or damage to the computer center
What should the auditor obtain to assess the physical construction of the computer center?
Architectural plans.
What is important for the drainage system under a raised floor in a computer center?
It should allow water to flow away in the event of water damage.
What should fire detection systems in a computer center be capable of detecting?
- Smoke
- Heat
- Combustible fumes
What access control measures should be in place for the computer center?
Routine access should be restricted to authorized employees.
How can the auditor verify visitor access to the computer center?
By reviewing access logs detailing arrival and departure times, purpose, and frequency.
What should the auditor do if the organization is not employing RAID?
Review alternative procedures for recovering from a disk failure.
What periodic tests should be conducted on the uninterruptible power supply?
Tests to ensure sufficient capacity to run the computer and air conditioning.
What should the auditor review annually regarding insurance?
The organization’s insurance coverage on its computer hardware, software, and physical facility.
Fill in the blank: The insurance policy should reflect management’s needs in terms of _______.
[extent of coverage]
What are the two types of insurance coverage a firm may seek?
- Partial self-insurance with minimum coverage
- Complete replacement-cost coverage
What are the tests of physical security controls?
- Tests of Physical Construction
- Tests of the Fire Detection System
- Tests of Access Control
- Tests of Raid
- Tests of Uninterruptible Power Supply
- Tests for Insurance Coverage
What should an insurance policy reflect in terms of management’s needs?
The extent of coverage, which may include partial self-insurance or complete replacement-cost coverage.
Insurance policies should align with the organization’s risk management strategy.
What are the three categories of disasters that can impact an organization’s IT resources?
- Natural disasters
- Human-made disasters
- System failures
These categories encompass a range of events from environmental to human errors.
Which type of disaster is considered the most potentially devastating from a societal perspective?
Natural disasters, such as hurricanes, widespread flooding, and earthquakes.
These disasters can affect many organizations simultaneously.
What is the impact of human-made disasters on organizations?
They can be destructive but tend to be limited in their scope of impact compared to natural disasters.
Examples include sabotage and human errors.
What are system failures often less severe than but more likely to occur?
Natural and human-made disasters.
Examples of system failures include power outages and hard-drive failures.
What can disasters deprive an organization of?
Data processing facilities and the ability to deliver products or services.
This can halt business functions reliant on technology.
How can the impact of a disaster be mitigated?
Through careful contingency planning and a disaster recovery plan (DRP).
A well-prepared organization can absorb the disaster’s impact.
What is a disaster recovery plan (DRP)?
A comprehensive statement of all actions to be taken before, during, and after any type of disaster.
It focuses on recovery and maintaining business continuity.
What are the four common features of all workable disaster recovery plans?
- Identify critical applications
- Create a disaster recovery team
- Provide site backup
- Specify backup and off-site storage procedures
These features ensure an organized response to disasters.
What is the first essential element of a DRP?
Identify the firm’s critical applications and associated data files.
Recovery efforts should focus on short-term survival.
What should a DRP focus on immediately following a disaster?
Short-term survival and restoration of functions that generate cash flows.
This includes critical business operations that satisfy short-term obligations.
List some functions that affect the cash flow position of a firm.
- Customer sales and service
- Fulfillment of legal obligations
- Accounts receivable maintenance and collection
- Production and distribution decisions
- Purchasing functions
- Cash disbursements (trade accounts and payroll)
These functions are vital for maintaining business continuity.
Audit Procedures in verifying that management’s DRP is a realistic solution for dealing with a catastrophe:
- Critical Application List
- Software Backup
- Data Backup
- Backup Supplies, Documents, and Documentation
- Disaster Recovery Team
Risks Inherent to IT Outsourcing
- Failure to Perform
- Vendor Exploitation
- Outsourcing Costs Exceed Benefits
- Reduced Security
- Loss of Strategic Advantage
IT outsourcing includes:
- improved core business performance,
- improved IT performance (because of the vendor’s expertise),
- and reduced IT costs
