Information Technology Governance Flashcards
Relating to IT governance, what is the best action a LARGE organization can take to increase internal control effectiveness? This does not apply to small organizations.
Segregation of duties
Relating to IT governance, what is the best action a SMALL organization can take to increase internal control effectiveness?
Engaging the owner in the activities of the business. This is an important COMPENSATING control.
- The uniformity of transaction processing is higher in automated than manual systems. True or false?
- A greater level of control is necessary in automated than manual systems. True or false?
Statement one = true
Statement two = false
An automated computerized accounting system ________ the incidences of clerical errors and __________ the incidences of systematic errors.
- Reduces instances of clerical errors. System automatically checks for errors.
- Increases instances of systematic errors. Errors in programming can occur.
Do computerized systems increase or decrease the need for access controls (logical and physical)?
Increase. Computerized systems increase the number of points where the system can be accessed, which increases the need for both physical and logical access controls.
What is a key characteristic that distinguishes computer processing from manual processing? (Hint: related to data entry)
Computer processing virtually eliminates computational errors.
How do computerized accounting systems (online real-time processing) differ from manual accounting systems with regard to job functions?
It is common for computerized systems to combine functions that would be considered incompatible in a manual system.
With regards to accounting systems, ledgers, journals, and invoices are part of what accounting system?
Manual
With regards to accounting systems, e-vouchers, automated transactions, and concentration of information are part of what accounting system?
Automated
Are audit trails easier to follow and more transparent in automated or manual accounting systems?
Automated
Processing speed, fewer idiosyncratic errors, and lower likelihood of intrusion are advantages of what accounting system?
Automated
An automated system requires controls related to people, software, and hardware. Are access controls more or less important in an automated system than in a manual one?
More important. Highly important.
Compared to manual systems, automated systems have
1. ________ risks related to remote access
2. ________ risks related to concentration of information
3. ________ opportunities for directly observing processes
Answer: Either increase or decrease
- Increase risks for remote access
- Increase risks for concentration of info
- Decreased opportunities for observing processes
______ processing errors are the MOST IMPORTANT risk related to computer accounting systems.
Systematic
Authorization is often _____ in online systems. (Hint: automated or manual)
Automated
Do both manual and automated accounting systems require stringent internal controls? Can they both produce inaccuracy in financial reporting?
Yes and yes
Balancing risk versus return over IT and its processes, and strategically managing and acquiring IT resources in support of the organization’s mission, is the primary goal of what?
IT Governance
Is COBIT (Control Objectives for Information and related Technology) a required framework that should be adopted and implemented?
No, it’s not required. There are many IT governance models and frameworks that an organization can implement.
There are four domains and processes in the COBIT framework. What are they?
- Planning and organization
- Acquisition and implementation
- Delivery and support
- Monitoring
What are the seven desired information attributes of the COBIT framework?
- Effective
- Efficient
- Confidential
- Integrity
- Available
- Compliant
- Reliable
COBIT provides a framework for ______ and management of _________.
1. IT Governance
2. Enterprise IT
Guiding managers, users, and auditors to adopt best practices related to the management of information technology is an important purpose of what?
COBIT.
Using the company’s IT strategic plan to consider how implementing something detracts from or aligns with the company’s business objectives is part of what domain in COBIT?
Planning and organization
Assessing how to acquire, implement, or develop IT solutions that address business objectives and integrate with critical business process is part of what domain of COBIT?
Acquisition and implementation
Relating to strategic decisions for IT management, which three of the four are the most important strategic decisions?
A. How a system can contribute to long-range business plan
B. How system would support daily business operations
C. How indicators can be developed to measure achievement of business objectives
D. How system reduces operating costs
The first three are important. Reducing operating costs is least important.
What are the four IT monitoring processes of COBIT model?
- Monitor and evaluate IT performance (reviewing system response time logs)
- Monitor and evaluate Internal controls
- Ensure regulatory compliance
- Provide IT guidance
Assessing how to best deliver required IT services including operations, security, and training is part of what domain in COBIT?
Delivery and support
A formal review process to assess how to best assess IT quality and compliance with control requirements is part of what domain in COBIT?
Monitoring
COBIT is primarily focused on _______ organizational IT processes. COSO is primarily focused on ______ processes. (Hint: Answer is either internal or external)
COBIT - Internal
COSO - External
The primary target audience for COBIT is? (Hint: type of auditor)
Internal auditors. COBIT is primarily focused on internal organizational IT processes.
The primary target audience for COSO is? (Hint: type of auditor)
External auditors. COSO focuses primarily on external processes.
Review of outsourcing contracts and policies to improve service quality is part of what domain of COBIT model?
Delivery and support. This is part of assessing how to best deliver required IT services including operations, security, and training.
Reviewing to determine if company complied with privacy REGULATIONS regarding customer data is part of what domain of COBIT model?
Monitoring. Analyzing compliance with privacy regulations is part of a formal review process to assess how to best assess IT quality and compliance with control requirements.
Assessing whether to purchase, or internally develop, a new CRM (customer relationship management) system is part of what domain of COBIT model?
Acquisition and implementation. This is a part of assessing how to acquire, implement, or develop IT solutions that address business objectives and integrate with critical business process.
IT staff, computer servers, network structure, and routers are examples of what? (Hint: IT _______)
IT resources
Standards for user response times is an example of what?
Information criterion
Improving responsiveness and flexibility, and aiding the decision-making processes in an organization, are important goals of an _________.
ERP system
An important goal of ERP is to ______ data redundancy and an ERP will _____ the costs of implementation and training.
- reduce data redundancy
- increase the costs of implementation
Regarding cloud service delivery models, _____ is the use of the cloud to access virtual hardware.
IaaS (Infrastructure as a service)
Regarding cloud service delivery models, ______ is the use of the cloud to create (not access) software.
PaaS (Platform as a service)
Regarding cloud service delivery models, _____ is the use of the cloud to use (not create) software.
SaaS (Software as a service). Example: Office 365.
The _______________ incorporates data warehouse and data mining capabilities within the ERP.
Online analytical processing system (OLAP)
The _______________ (1) records the day-to-day operational transactions and enhances the visibility of these transactions throughout the system. It is primarily the ____ (2), and not the ____ (3), that provides an integrated view of transactions in all parts of the system.
- OLTP
- OLAP
- OLTP
The _______ is primarily concerned with collecting data (and not analyzing it) across the organization.
Online transaction processing system (OLTP)
What is a key distinction between OLAP and OLTP with regards to data?
OLAP analyzes data
OLTP collects data
________ provide information to mid- and upper-level managers to assist them in managing non-routine problems and in long-range planning. (Hint: Type of system)
Decision support system (DSS)
_________ are a subset of DSS especially designed for forecasting and making long-range, strategic decisions; thus, these systems have a greater emphasis on external data. (Hint: Type of system)
Executive support system (ESS)
This system facilitates the work of clerical employees by providing information relevant to their day-to-day activities.
Office automation system
What is the most effective system to implement that integrates all functional areas within an organization to allow information exchange and collaboration among all parties involved in business operations?
Enterprise resource planning system
___ provide transaction processing, management support, and decision-making support in a single, integrated package. By integrating all data and processes of an organization into a unified system, ____ attempt to eliminate many of the problems faced by organizations when they attempt to consolidate information from operations in multiple departments, regions, or divisions. (Hint: Same answer for both blanks)
ERPs
Explain the primary objective of enterprise resource planning systems?
Integrate data from all aspects of an organization’s activities.
What type of management reporting system would encompass querying a data warehouse and drilling down into transaction and trend information via various network set-ups?
OLAP. On-line analytical processing system.
Data loss, vendor security failure, and system hacks are all risks of what? (Hint: type of computing)
Cloud-based computing.
Global visibility is not a risk.
The below are all motivations to implement what type of system?
- Reducing data redundancy
- Improving organizational agility
- Improving data analytic capabilities
ERP
Do ERPs increase or decrease system complexity?
Increase
What are the three most likely reasons an ERP system fails?
- Poor system development process
- Lack of management support
- Underestimating system implementation
Analyzing customer sales to determine optimal opening and closing times would be part of what type of system?
OLAP. This is an example of a data mining application within an online analytical processing (OLAP) system.
The preparation of a simple payroll report is an application of an ___________ system.
Online transaction processing system (OLTP). This deals with data collection.
Using ERM to determine which accounts would provide the most profitable returns to a company would be an application of what type of system?
CRM (Customer relationship management)
ERP (Enterprise resource planning) is an application software most likely to be used by what size of organization?
Medium to large size
What are the three main functional areas within most IT departments?
- Applications development
- Systems administration and programming
- Computer operations
The functions below all relate to what functional area within IT department?
- Network maintenance
- Wireless access
- Antivirus management
Systems administration
Responsibilities do not need to be segregated
The functions below all relate to what functional area within IT department?
- Data entry
- Quality assurance
Operations
Responsibilities do not need to be segregated
Application programming occurs within what function of an IT department?
Applications development
With regards to IT departmental responsibilities, these should be segregated to different individuals ideally based on?
Different functional areas of IT
Why do data entry (operations) and application programming (development) need to be delegated to separate individuals? (Hint: Two reasons)
- This is because if one both enters data and changes the programs into which those data are entered, one can perpetrate consequential financial frauds
- Those responsibilities are in different functions (operations vs development)
With regards to IT responsibilities and functions, this position is responsible for managing the flow of documents and reports in and out of the computer operations department. What position is it?
Data control clerk
With regards to IT responsibilities and functions, this position keys (i.e., enters) hand-written or printed records to convert them into electronic media. What position?
Data entry clerk
With regards to IT responsibilities and functions, this position is responsible for operating the computer, including loading program and data files, running the programs, and producing the output. What position?
Computer operator
With regards to IT responsibilities and functions, this position is responsible for maintaining control over the computer operations files, but not for controlling the flow of documents into and out of the computer operations department. What position?
File librarian
Managing remote access to the systems they control is a responsibility of who? (Hint: type of position)
Network administrator (or system administrator).
When a programmer who writes applications also has access to a file library, why is this a problem?
If she changes both live and archive copies of programs, changes that she has made may not be detected.
Evaluating the quality and nature of IT department staff training is essential to retaining ____________________.
Competent individuals within an organization
When a network administrator provides support to a server (via dial-up connection) and then leaves the company, if the company fails to remove user account(s) upon an employee leaving, then this will be a ____ risk to the company.
Control
Coding approved changes to a payroll program is an appropriate responsibility of an application programmer. Which of the following should not be responsibilities of this position?
A. Have access to operating software to make modifications
B. Correcting data entry errors
C. Have access to program code or archive documentation
All of the above
This position is responsible for maintaining the hardware and software aspects of a computer network. What position is it?
Network administrator
Developing application programs is a function of what position?
Application programmers
Installing operating system upgrades is a function of what position?
System programmers
Limiting access to employee master files to authorized employees in the personnel department could prevent an employee from getting paid an inappropriate hourly wage. Why?
Limiting access to employee master files to authorized employees would help prevent unauthorized changes in the wage rates in the master files.
When erroneous data are detected by computer program controls, such data may be excluded from processing and printed on an error report. The error report should most probably be reviewed and followed up by the?
Control group
________ is responsible for providing a continuous review function by supervising and monitoring input, operations, and the distribution of output. Has INTERNAL AUDIT responsibilities.
Control group
This position has responsibility for the overall operation of the information systems department. What position?
Supervisor of computer operations
This position is responsible for designing the system. What position?
Systems analyst.
This position is charged with designing program flowcharts and writing computer programs based on the work of the systems analyst. What position?
Computer programmer
Machine operators _______ (by nature of operating the system) have access to error messages and will distribute them to the control group. Machine operators _____ have access to the systems manual. Machine operators _____ be supervised by a programmer. (Hint: Should or should not)
- Should
- Should not
- Should not
Good internal control in a computer system requires that operators, programmers, and the library function be _________.
Segregated
Which of the following are effective control measures?
- Periodic rotation of operators
- Mandatory vacations
- Controlled access to the facility
- Segregation of personnel for controlling input and output
All of the above
Modifying and adapting operating system software is a function of what position?
Systems programmer
Correcting detected data entry errors for the cash disbursement system is a function of what person(s)?
Data control personnel
Maintaining custody of the billing program code and its documentation is a function of?
Data library personnel
_______ have the ability to add or update documentation items in data dictionaries.
Database administrators
_________ are given responsibility for maintaining system software, including operating systems and compilers.
Systems programmers
_______ is responsible for developing systems. (Unit type)
Applications development unit
The responsibility of ________ is to implement and maintain system-level software such as operating systems, access control software, and database systems software. (Unit type)
Systems programming unit
Help desks are usually a responsibility of _________ because of the operational nature of their functions (for example, assisting users with systems problems involving prioritization and obtaining technical support/vendor assistance). (Unit type)
Computer operations unit
The responsibility of ______ is to interact with application systems as planned.
User departments
________ is responsible for designing the computer system, including the goals of the system and means of achieving those goals, based upon the nature of the business and its information needs. The _________ also must outline the data processing system for the computer programmer with system flowcharts. (same answer)
Systems analyst
_______ write detailed programs based upon the work of the systems analyst.
Computer programmers
The _____ has overall responsibility for the computer operations function (systems design, programming, operations, library, etc.).
Data processing manager
Why would computer operators having access to operator instructions and detailed program listings lessen internal control?
Computer operators who have access to detailed program listings have the opportunity to modify the programs.
Should a systems programmer maintain output controls?
No.
_________ are responsible for analyzing and designing computer systems; they generally lead a team of programmers who complete the actual coding for the system; they also work with end users to define the problem and identify the appropriate solution.
Systems analysts
_____ work under the direction of the systems analyst to write the actual programs that process data and produce reports.
Application programmers
______ are responsible for management activities associated with the system they control. For example, they grant access to their system resources, usually with usernames and passwords.
Systems administrators (or network)
______ maintain the various operating systems and related hardware. For example, they are responsible for updating the system for new software releases and installing new hardware.
System programmers
______ must not be permitted to participate directly in systems operations.
System administrators
______ are not permitted to have access to information about application programs or data files.
System programmers