IT Flashcards
A parity check is...
Not an input control. It is a hardware control that makes certain each piece of data has the appropriate odd or even number of data components, or data bits.
Distributed Processing Environment
Various processes are performed separately by the individuals responsible in their locations and are integrated into a central system
Define “Integrated Test Facility (ITF).”
Dummy division and fictitious transactions run along with client data (uses auditor and client data in the client's computer system)
* Another use of ITF is embedded audit modules
What is the purpose of test data procedures?
To process known errors to see if the client’s system catches them. The auditor only needs to include those errors that are important to the auditor (that is, the auditor need not include every possible type of error). There may be a danger of contaminating the client’s database with the test data.
Who should have responsibility for modifying and adapting operating system software?
System Analysts
Describe a hot site.
Location that has redundant hardware and software already configured and ready to preserve continuity in a disaster
What are VANs?
Links files of different companies together (connects trading partners)
Systems Development Life Cycle
- Planning - feasibility study to determine objectives, whether the existing system meets requirements, etc.
- Analysis - define the problem and qualitative solutions (custom or vendor supplied)
- Design - baseline for the system and specs needed, or select a purchased system (proposal)
- Development - use specs to program the formalized process, unit testing (watch for scope creep); if purchased, configure the new system to the organization's needs
- Testing - establish actual operation, final testing and user sign-off (meets needs? intended objectives?)
- Implementation - implement the formal process, assess adequacy, cost/benefit, ROI, end-user management
- Maintenance - monitoring and support, training
COBIT 5 core principles
- Meeting stakeholders' needs
- End to end application (seamless governance as a whole; management of IT applies to all components)
- Development of single integrated framework
- Enabling a holistic approach
- Separating governance from management
Application controls include:
Preventative
Detective
Corrective
** They are NOT company-wide controls
Test Data
Data- Auditor
Program- Client
Controlled Reprocessing
Data - Client
Program- Client, but auditor computer
ITF
Data - Auditor and client
Program- Client
Parallel Simulation
Data- Client
Program- Auditor (going around their system)
Primary purpose of disaster recovery plan
To specify the steps required to resume operations
Systems Programmers
- Writes, updates, maintains software and systems and compilers
- For controls, can’t also have application programming duties and can’t be a Systems Operator
List the Management Reporting Systems
- Management Information System (MIS)
- Decision Support System (DSS)
- Enterprise Resource Planning (ERP) - automate/integrate business processes, share data, real-time access
- Executive Support Information System (MA, etc.)
- Analytical Processing (query, retrieval)
- Expert System
End to End Application
COBIT 5 approaches:
- System for IT should seamlessly integrate into system of governance for enterprise as a whole
- Systems for governance of IT should apply to all components both internally and externally
Limit Test
Confirms information against established limits (minimum age, etc)
Segregated IT roles
Operators (Administrators)
Programmers (Engineers)
Librarians (Custodians)
The least risky strategy for conversion from a manual to computerized payroll system would be a
Parallel conversion
Which of the following best describes a time-sharing center?
A computer remotely accessed by a number of different users, who are unaware of each other
IT Functions Segregation
{COPAL}
Control group- responsible for IT, passwords, etc
Operators - convert data into machine-readable form
Programmer- develops and writes computer programs, debugging programs, writes manual
Analyst- designs overall system, prepares flowchart
Librarian- keeps track of program/files; maintains storage data and backups; controls access
IT input controls
Provide reasonable assurance that data received by IT have been authorized and converted to machine-sensible form (transaction entry; file maintenance; inquiry transactions; error correction)
Which of the following input controls would prevent an incorrect state abbreviation from being accepted as legitimate data?
Validity check- only authorized codes will be accepted
Systems Operator
- Schedules and monitors jobs (Administrators)
- Runs IT help desk
- Control, can’t be a Systems Programmer
What is the primary objective of data security controls?
To ensure that storage media are subject to authorization prior to access, change, or destruction
Executive Information System
- Specialized for company executive needs
- Assists with strategy only
- No decision-making capabilities
Which controls are typically included in an organization’s disaster recovery plan?
Backup and downtime controls (data transmission, data input, and data processing controls are not disaster recovery plan but part of normal operations)
Cloud computing/Data storage
- More convenient
- Cost effective
- Risk of unauthorized access (not the best way to store sensitive company info)
- 3rd parties manage data and risk
What is the Network Administrator responsible for?
Design and implementation of security policies