Chapter 7: Information Technology Risk and Controls Flashcards
The software that manages the interconnectivity of the system hardware devices is the:
a. Application software.
b. Utility software.
c. Operating system software.
d. Database management system software.
C is the best answer. The operating system controls the basic input, processing, and output of the computer and manages the interconnectivity of the system hardware devices. Application software includes accounting software that is used to process transactions as well as other types of software, such as word processing and spreadsheet software that enable end users to perform their assigned tasks. Utility software augments the operating system with functionality such as encryption, disk space optimization, and protection against viruses. Database management system software manages the data stored in the database, controls access to the database, and automatically backs up the database.
An internet firewall is designed to provide protection against:
a. Computer viruses.
b. Unauthorized access from outsiders.
c. Lightning strikes and power surges.
d. Arson.
B is the best answer. Firewall software enforces access control between two networks by allowing only authorized data transmissions to pass through the firewall in both directions.
Which of the following best illustrates the use of EDI?
a. Purchasing merchandise from a company’s internet site.
b. Computerized placement of a purchase order from a customer to its supplier.
c. Transfer of data from a desktop computer to a database server.
d. Withdrawing cash from an ATM.
B is the best answer. EDI involves the computer-to-computer exchange of business documents in electronic form between an organization and its trading partners.
The possibility of someone maliciously shutting down an information system is most directly an element of:
a. Availability risk.
b. Access risk.
c. Confidentiality risk.
d. Deployment risk.
A is the best answer. Availability risk is the risk that a system will be unavailable when needed. Causes of availability risk include, for example, hardware/software failures, unscheduled maintenance, and viruses and other malicious acts.
An organization’s IT governance committee has several important responsibilities. Which of the following is not normally such a responsibility?
a. Aligning investments in IT with business strategies.
b. Overseeing changes to IT systems.
c. Monitoring IT security procedures.
d. Designing IT application-based controls.
D is the best answer. IT application system development teams, which include risk and controls experts, are responsible for designing application-based controls. IT governance committees, the members of which include the chief information officer (CIO) and other senior executives, are responsible for directing and overseeing day-to-day IT governance activities.
If a sales transaction record was rejected during input because the customer account number entered was not listed in the customer master file, the error was most likely detected by a:
a. Completeness check.
b. Limit check.
c. Validity check.
d. Reasonableness check.
C is the best answer. A validity check compares the data in a field with a predetermined set of authorized values to ensure the field contains valid data. A completeness check examines the data input to ensure that all critical fields contain values. A limit check examines a field to determine whether the amount is ≤ a prescribed upper limit or ≥ a prescribed lower limit. A reasonableness check compares the data in a field with data in related fields to determine whether the value is reasonable.
The purpose of logical security controls is to:
a. Restrict access to data.
b. Limit access to hardware.
c. Record processing results.
d. Ensure complete and accurate processing of data.
A is the best answer. Logical access controls provide security over software and information embedded in the system and include such things as firewalls, encryption, login IDs, passwords, authorization tables, and computer activity logs. Physical access controls provide security over tangible IT resources and include such things as locked doors, surveillance cameras, and security guards.
Which of the following statements regarding an internal audit function’s continuous auditing responsibilities is/are true?
I. The internal audit function is responsible for assessing the effectiveness of management’s continuous monitoring activities.
II. In areas of the organization in which management has implemented effective monitoring activities, the internal audit function can conduct less stringent continuous assessments of risks and controls.
a. Only statement I is true.
b. Only statement II is true.
c. Both statements I and II are true.
d. Neither statement I nor statement II is true.
C is the best answer. The internal audit function is responsible for assessing the effectiveness of management's continuous monitoring activities. In areas of the organization in which management has implemented effective monitoring activities, the internal audit function can conduct less stringent continuous assessments of risks and controls.
Which of the following is not one of the top 10 technology risks facing organizations?
a. Cybersecurity.
b. Use of older technology.
c. IT governance.
d. Mobile computing.
B is the best answer. Although older technology presents risks to the organization, because it has been in existence for a longer period of time it tends to have improved controls. Cybersecurity is one of the highest risks facing the organization. IT governance is an area that many organizations are struggling with today and continues to be a high-risk area. Mobile computing continues to expand and presents new risks and challenges to the organization in providing improved controls.
Requiring a user ID and password would be an example of what type of control?
a. Detective.
b. Corrective.
c. Preventative.
d. Reactive.
C is the best answer. Password controls stop unauthorized users from accessing systems. Detective controls are after the fact. Corrective and reactive controls are not related to user ID and password controls.
Which is NOT a benefit of user-developed applications (UDAs)?
a. Quick to develop and use.
b. Readily available and at a low cost.
c. More configurable and flexible.
d. Easy to control access to.
D is the best answer. The challenge for UDAs is the ability to provide adequate security and controls over their use. At the same time they can be quickly developed at a very low cost and can involve tools such as Excel that are readily available. They are typically easy to configure and extremely flexible.
Which of the following is true about new and emerging technologies?
a. New technologies have security login controls built into them.
b. New technologies take time for the users to transition and adapt to the new technology, so training is critical.
c. New technologies always come from large multinational companies.
d. New technologies have the best controls embedded in them.
B is the best answer. It is imperative that training accompany the adoption of new technology. The other answers are not necessarily true of new technology.
Which of the following is the best source of IT audit guidance within the IPPF?
a. Control Objectives for Information and Related Technologies (COBIT).
b. GTAG.
c. National Institute of Standards and Technology (NIST).
d. ITIL.
B is the best answer. The Global Technology Audit Guides are provided by The IIA as guidance in performing IT audits. COBIT is a framework for IT controls provided by ISACA. NIST is from the National Institute of Standards and Technology, not from The IIA. ITIL, an acronym for Information Technology Infrastructure Library, is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business.
Which of the following best describes continuous auditing?
a. Development of computer-assisted audit techniques (CAATs).
b. Oversight of continuous monitoring.
c. The use of continuous risk assessment, continuous controls assessment, and assessment of continuous monitoring.
d. The ability of internal auditors to continually perform auditing steps.
C is the best answer. Answer C contains all aspects of continuous auditing. Continuous auditing involves review of all control phases of the organization.
When discussing integration of IT into audit engagements, which of the following is the most desirable integration of IT into specific engagements?
a. Developing and integrating testing of IT controls into process-level audits.
b. Developing and performing computer audit software steps into process-level audits.
c. Auditing controls around the computer to make sure the computer controls are working effectively.
d. Developing and performing computer audit software steps into the process-level audits along with testing of IT controls.
D is the best answer. Although answers A and B are good steps to integrate, by including both areas into audits, answer D, the auditor is covering all IT aspects in their review of process-level audits.