CHAPTER 2 - AUDITING IT GOVERNANCE CONTROLS Flashcards

1
Q

________ is a relatively new subset of corporate governance that focuses on the management and assessment of strategic IT resources.

A

Information technology (IT) governance

2
Q

Under the ___________ model, all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.

A

centralized data processing

3
Q

Centrally organized companies maintain their data resources in a central location that is shared by all end users. In this shared data arrangement, an independent group headed by the __________ is responsible for the security and integrity of the database.

A

database administrator (DBA)

4
Q

The __________ manages the computer resources used to perform the day-to-day processing of transactions. It consists of the following organizational functions: data conversion, computer operations, and the data library.

A

data processing group

5
Q

The _________ function transcribes transaction data from hard-copy source documents into computer input.

A

data conversion

6
Q

The electronic files produced in data conversion are later processed by the central computer, which is managed by the _________ group.

A

computer operations

7
Q

The __________ is a room adjacent to the computer center that provides safe storage for the off-line data files. Those files could be backups or current data files.

A

data library

8
Q

__________ gather facts about the user's problem, analyze the facts, and formulate a solution. The product of their efforts is a new information system.

A

Systems professionals

9
Q

_________ are those for whom the system is built. They are the managers who receive reports from the system and the operations personnel who work directly with the system as part of their daily responsibilities.

A

End users

10
Q

_________ are individuals inside or outside the firm who have an interest in the system, but are not end users. They include accountants, internal auditors, external auditors, and others who oversee systems development.

A

Stakeholders

11
Q

The term ____ refers to making changes to program logic to accommodate shifts in user needs over time.

A

maintenance

12
Q

Systems development and maintenance professionals should create (and maintain) systems for users, and should have no involvement in entering data or running applications (i.e., computer operations). Operations staff should run these systems and have no involvement in their design.

A

Separating Systems Development from Computer Operations

13
Q

The DBA function is responsible for a number of critical tasks pertaining to database security, including creating the database schema and user views, assigning database access authority to users, monitoring database usage, and planning for future expansion. Delegating these responsibilities to others who perform incompatible tasks threatens database integrity.

A

Separating Database Administration from Other Functions

14
Q

The ______ group works with the users to produce detailed designs of the new systems.

A

systems analysis

15
Q

The __________ group codes the programs according to these design specifications.

A

programming

16
Q

True or false:
When the original programmer of a system is also assigned maintenance responsibility, the potential for fraud is increased. Program fraud involves making unauthorized changes to program modules for the purpose of committing an illegal act.

A

True

Under program fraud

17
Q

The _______ group is responsible for designing, programming, and implementing new systems projects.

A

new systems development

18
Q

_____ involves reorganizing the central IT function into small IT units that are placed under the control of end users.

A

Distributed Data Processing (DDP)

19
Q

_________ is actually a variant of the centralized model; the difference is that terminals (or microcomputers) are distributed to end users for handling input and output. This eliminates the need for the centralized data conversion group, since the user now performs this task. Under this model, however, systems development, computer operations, and database administration remain centralized.

A

Alternative A

20
Q

_________ is a significant departure from the centralized model. This alternative distributes all computer services to the end users, where they operate as standalone units. The result is the elimination of the central IT function from the organizational structure.

A

Alternative B

decentralized

21
Q

An ________ provides the linkage between a company’s financial activities (transactions) and the financial statements that report on those activities.

A

audit trail

22
Q

Achieving an adequate segregation of duties may not be possible in some distributed environments. The distribution of the IT services to users may result in the creation of small independent units that do not permit the desired separation of incompatible functions.

A

Inadequate Segregation of Duties

23
Q

End-user managers may lack the IT knowledge to evaluate the technical credentials and relevant experience of candidates applying for IT professional positions. Also, if the organizational unit into which a new employee is entering is small, the opportunity for personal growth, continuing education, and promotion may be limited. For these reasons, managers may experience difficulty attracting highly qualified personnel. The risk of programming errors and system failures increases directly with the level of employee incompetence.

A

Hiring Qualified Professionals

24
Q

Because of the distribution of responsibility in the DDP environment, standards for developing and documenting systems, choosing programming languages, acquiring hardware and software, and evaluating performance may be unevenly applied or even nonexistent. Opponents of DDP argue that the risks associated with the design and operation of a DDP system are made tolerable only if such standards are consistently applied.

A

Lack of Standards

25
Q

What are the advantages of DDP?

A

Cost Reductions.
Improved Cost Control Responsibility.
Improved User Satisfaction.
Backup Flexibility.

26
Q

This activity provides technical help to users during the installation of new software and in troubleshooting hardware and software problems. The creation of an electronic bulletin board for users is an excellent way to distribute information about common problems and allows the sharing of user-developed programs with others in the organization.

A

User Services.

27
Q

The corporate group can contribute to this goal by establishing and distributing to user areas appropriate standards for systems development, programming, and documentation.

A

Standard-Setting Body

28
Q

The corporate group is often better equipped than users to evaluate the technical credentials of prospective systems professionals. Although the systems professional will actually be part of the end-user group, the involvement of the corporate group in employment decisions can render a valuable service to the organization.

A

Personnel Review

29
Q

The __________ of the computer center directly affects the risk of destruction from a natural or man-made disaster. To the extent possible, the computer center should be away from human-made and natural hazards, such as processing plants, gas and water mains, airports, high-crime areas, flood plains, and geological faults.

The center should be away from normal traffic, for example on the top floor of a building or in a separate, self-contained building. Locating a computer center in the basement of a building increases its risk of flooding.

A

physical location

30
Q

Ideally, a computer center should be located in a single-story building of solid construction with controlled access. Utility (power and telephone) lines should be underground. The building windows should not open, and an air filtration system should be in place that is capable of extracting pollens, dust, and dust mites.

A

Construction

31
Q

_____ to the computer center should be limited to the operators and other employees who work there.

Physical controls, such as locked doors, should be employed to limit access to the center.

Access should be controlled by a keypad or swipe card, though fire exits with alarms are necessary.

To achieve a higher level of security, access should be monitored by closed-circuit cameras and video recording systems.

Computer centers should also use sign-in logs for programmers and analysts who need access to correct program errors.

A

Access

32
Q

Computers function best in an air-conditioned environment, and providing adequate air conditioning is often a requirement of the vendor's warranty.

A

Air conditioning

33
Q

Computers operate best in a temperature range of _______ degrees Fahrenheit and a relative humidity of ______ percent. Logic errors can occur in computer hardware when temperatures depart significantly from this optimal range.

Also, the risk of circuit damage from static electricity is increased when humidity drops. In contrast, high humidity can cause molds to grow and paper products (such as source documents) to swell and jam equipment.

A

70 to 75 // 50

34
Q

_______ is the ability of the system to continue operation when part of the system fails because of hardware failure, application program error, or operator error. Implementing this control ensures that no single point of potential system failure exists.

A

Fault tolerance

35
Q

- Need for clean power, at an acceptable level
- Uninterrupted power supply

A

Power supply

36
Q

__________ involves using parallel disks that contain redundant elements of data and applications. If one disk fails, the lost data are automatically reconstructed from the redundant components stored on the other disks.

A

Redundant arrays of independent disks (RAID)

37
Q

Commercially provided electrical power presents several problems that can disrupt the computer center operations, including total power failures, brownouts, power fluctuations, and frequency variations.

The equipment used to control these problems includes voltage regulators, surge protectors, generators, and backup batteries. In the event of a power outage, these devices provide backup power for a reasonable period to allow commercial power service restoration.

In the event of an extended power outage, the backup power will allow the computer system to shut down in a controlled manner and prevent the data loss and corruption that would otherwise result from an uncontrolled system crash.

A

Uninterruptible power supplies.

38
Q

Audit procedures in computer center controls

A

Tests of physical construction
Tests of fire detection
Tests of access control
Tests of backup power supply
Tests for insurance coverage
Tests of operator documentation controls

39
Q

The auditor should establish that fire detection and suppression equipment, both manual and automatic, are in place and tested regularly. The fire-detection system should detect smoke, heat, and combustible fumes. The evidence may be obtained by reviewing official fire marshal records of tests, which are stored at the computer center.

A

Tests of the Fire Detection System

40
Q

The auditor must establish that routine access to the computer center is restricted to authorized employees. Details about visitor access (by programmers and others), such as arrival and departure times, purpose, and frequency of access, can be obtained by reviewing the access log. To establish the veracity of this document, the auditor may covertly observe the process by which access is permitted, or review videotapes from cameras at the access point, if they are being used.

A

Tests of Access Control

41
Q

The auditor should obtain architectural plans to determine that the computer center is solidly built of fireproof material. There should be adequate drainage under the raised floor to allow water to flow away in the event of water damage from a fire in an upper floor or from some other source. In addition, the auditor should assess the physical location of the computer center. The facility should be located in an area that minimizes its exposure to fire, civil unrest, and other hazards.

A

Test of Physical Construction

42
Q

Most systems that employ RAID provide a graphical mapping of their redundant disk storage. From this mapping, the auditor should determine if the level of RAID in place is adequate for the organization, given the level of business risk associated with disk failure. If the organization is not employing RAID, the potential for a single point of system failure exists. The auditor should review with the system administrator alternative procedures for recovering from a disk failure.

A

Tests of RAID

43
Q

The computer center should perform periodic tests of the backup power supply to ensure that it has sufficient capacity to run the computer and air conditioning. These are extremely important tests, and their results should be formally recorded. As a firm's computer systems develop, and its dependency increases, backup power needs are likely to grow proportionally. Indeed, without such tests, an organization may be unaware that it has outgrown its backup capacity until it is too late.

A

Tests of the Uninterruptible Power Supply

44
Q

The auditor should annually review the organization's insurance coverage on its computer hardware, software, and physical facility. The auditor should verify that all new acquisitions are listed on the policy and that obsolete equipment and software have been deleted. The insurance policy should reflect management's needs in terms of extent of coverage. For example, the firm may wish to be partially self-insured and require minimum coverage. On the other hand, the firm may seek complete replacement-cost coverage.

A

Tests for Insurance Coverage

45
Q

What are the types of disasters?

A

Natural
Human-made
System failure

46
Q

This is a comprehensive statement of all actions to be taken before, during, and after any type of disaster.

A

Disaster recovery plan (DRP)

1. Identify critical applications
2. Create a disaster recovery team
3. Provide site backup
4. Specify backup and off-site storage procedures

47
Q

Recovery efforts must concentrate on restoring those applications that are critical to the short-term survival of the organization.

A

Identify Critical Applications

48
Q

To avoid serious omissions or duplication of effort during implementation of the contingency plan, task responsibility must be clearly defined and communicated to the personnel involved.

A

Creating a Disaster Recovery Team

49
Q

A ____ is an agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs in the event of a disaster.

A

mutual aid pact

50
Q

The ________ is an arrangement wherein the company buys or leases a building that will serve as a data center. In the event of a disaster, the shell is available and ready to receive whatever hardware the temporary user needs to run essential systems.

A

empty shell or cold site plan

51
Q

A ___________ is a fully equipped backup data center that many companies share. In addition to hardware and backup facilities, these service providers offer a range of technical services to their clients, who pay an annual fee for access rights. In the event of a major disaster, a subscriber can occupy the premises and, within a few hours, resume processing critical applications.

A

Recovery operations center (ROC) or hot site

52
Q

Larger organizations with multiple data processing centers often prefer the self-reliance that creating internal excess capacity provides. This permits firms to develop standardized hardware and software configurations, which ensure functional compatibility among their data processing centers and minimize cutover problems in the event of a disaster.

A

Internally provided back-up

53
Q

Based on results obtained in the critical applications step discussed previously, the DRP should include procedures to create copies of current versions of critical applications. In the case of commercial software, this involves purchasing backup copies of the latest software upgrades used by the organization.

A

Application Backup

54
Q

The system documentation for critical applications should be backed up and stored off-site along with the applications. System documentation can constitute a significant amount of material, and the backup process is complicated further by frequent application changes.

A

Backup Documentation

55
Q

A backup site facility, including appropriate furniture, housing, computers, and telecommunications. Another valid option is a mutual aid pact, where a similar business or a branch of the same company swaps availability when needed.

A

Site Backup

56
Q

Some vendors provide computers with their site (known as a hot site or Recovery Operations Center); some do not provide hardware (known as a cold site). When hardware is not provided, make sure the plan accommodates compatible hardware (e.g., the ability to lease computers).

A

Hardware Backup

57
Q

Some hot sites provide the operating system. If not included in the site plan, make sure copies are available at the backup site.

A

System Software Backup

58
Q

Make sure copies of critical applications are available at the backup site.

A

Application Software Backup

59
Q

One key strategy in backups is to store copies of data backups away from the business campus, preferably several miles away or at the backup site. Another key is to test the restore function of data backups before a crisis.

A

Data Backup

60
Q

A minimal inventory of supplies should be kept at the backup site or be available for quick delivery.

A

Supplies

61
Q

An adequate set of copies of user and system documentation.

A

Documentation

62
Q

The most important element of an effective Disaster Recovery Plan is to test it before a crisis occurs, and to test it periodically (e.g., once a year).

A

Test