IT Processes & Controls

Question 1

What is COBIT, and what is included in the basic framework?

Answer 1

COBIT is a widely used international standard that aims to align IT and business goals/strategies to help mgmt ID how much to invest in IT security and auditing. The basic framework includes objectives surrounding business processes, planning & organization, acquisition and implementation, delivery & support, and monitoring.

Question 2

What is SaaS?

Answer 2

Software-as-a-Service: The use of the cloud to access software.

Question 3

What is PaaS?

Answer 3

Platform-as-a-Service: The use of the cloud to create software.

Question 4

What is IaaS?

Answer 4

Infrastructure-as-a-Service: The use of the cloud to access virtual hardware.

Question 5

What are the risks of cloud-based computing?

Answer 5

1. Increased risk of data loss
2. Increased risk of system penetration by hackers, etc.
3. Diligence in vendor screening and selection is essential to security and success

Question 6

What are the OLAP and OLTP?

Answer 6

Online Analytical Processing System - incorporates data warehouse and mining capabilities within the ERP and is primarily concerned with providing an integrated view of transactions for analysis.
Online Transaction Processing - records day to day operational transactions and enhances visibility throughout the system and is primarily concerned with data collection.

Question 7

What is the cold site approach to disaster recovery?

Answer 7

Hardware and records are delivered to a new site after a disaster occurs. Less expensive but more risky than a hot site approach, where data and information processing equipment is in place beforehand.

Question 8

What individual role is in charge of overall program logic and functionality?

Answer 8

The Lead Systems Analyst is generally responsible for direct contact with the end user and development of program logic/functionality.

Question 9

In an IT environment, what is the role of the end user?

Answer 9

Identifying problems and proposing initial solutions

Question 10

What implementation approach divides users into small groups and trains one group at a time on the new system?

Answer 10

Pilot

Question 11

What is the ‘Cold Turkey’ implementation approach?

Answer 11

AKA ‘sink or swim’ - the old system is dropped and the new system is put in place all at once.

Question 12

At which stage is the requirements definition document signed?

Answer 12

System analysts work with end users to understand and document biz processes and system requirements during the ANALYSIS stage.

Question 13

What is the principal duty of the IT Steering Committee?

Answer 13

Approving and prioritizing system development proposals.

Question 14

What is the Systems Documentation?

Answer 14

Provides an overview of program and data files, processing logic, and interactions with each of the other programs and systems and is appropriate for the auditor to gain familiarity with the system.

Question 15

What is a reasonableness check?

Answer 15

This type of verification looks at the values in 2 related fields to ensure that they make sense as a unit.

Question 16

What is a source code comparison?

Answer 16

Used to compare an archived version of a program to the program actually in use; may be used to verify that no unauthorized changes have been made.

Question 17

What are the common forms of application input/origination control?

Answer 17

Edit check, closed loop verification, reasonableness check, batch controls. . .

Question 18

What is the primary objective of data security controls?

Answer 18

To ensure that storage media are subject to authorization prior to access, change, or destruction.

Question 19

What is viral marketing?

Answer 19

The use of e-commerce to increase brand awareness or sales.

Question 20

What is a value-added network (VAN), and what is the common motivation for use?

Answer 20

A private network provider that leases communication lines to subscribers - it provides increased security for data transmissions (EDI).

Question 21

Is a cash card involved in an EFT process?

Answer 21

No. Cash cards do not involve bank clearing processes and are not considered EFT.

Question 22

What are some common benefits of using an EDI?

Answer 22

Reduction in ordering costs, faster transaction processing, reduction in lead time b/t placing an order and receiving goods. . .

Question 23

What is an ESS (Executive Support System)?

Answer 23

A subset of decision support systems that are especially designed for forecasting and making long-range, strategic decisions that places greater emphasis on external vs internal data.

Question 24

What is middleware?

Answer 24

A term used to describe separate products that act as glue between 2 applications. IE, a database server to a web application.

Question 25

Are programming languages a category of computer software?

Answer 25

Yes.

Question 26

What is the purpose of data manipulation language?

Answer 26

Allows users to add new records, delete old records, and update existing records.

Question 27

How does an accounting system that uses a batch method and detailed posting type work?

Answer 27

Individual transactions are assigned to groups before posting, and each transaction has its own line entry in the appropriate ledger.

Question 28

What transaction processing mode provides the most accurate and complete information for decision-making?

Answer 28

Online processing provides the most up-to-date and complete information for decision-making.

Question 29

What is online real time processing?

Answer 29

Characterized by one transaction processing at a time, random processing technology, and processing of transactions immediately.

Question 30

What is one of the risks associated with a decentralized/distributed system?

Answer 30

These systems are more risky because data processing in a decentralized system is carried out at multiple locations instead of a single, centralized location.

Question 31

When is a distributed processing environment most beneficial?

Answer 31

When large volumes of data are generated at many locations and fast access is required.

Question 32

What is an example of a low-cost, low quality transmission medium?

Answer 32

Twisted pair

Question 33

What is a data warehouse?

Answer 33

Database archive of historical data over a period of years, including some external factors: economic indicators, stock prices.

Question 34

What is a flat file system?

Answer 34

Early IT systems used this technology. For the purpose of the exam, they are uniformly ‘bad’ - data is redundant, independence causing difficulty in cross functional reporting and reformatting.

Question 35

If complete segregation of duties is impossible in a small business, what two functions could be combined?

Answer 35

Authorization and review/auditing. Though not desirable, these two functions are the least risky combo.

Question 36

What is the TCP/IP?

Answer 36

Transmission Control Protocol/Internet Protocol - standard for transmitting data over networks and basis for standard internet protocols.

Question 37

What type of control would help a company recover from a corrupted database?

Answer 37

Checkpoint/restart controls would be an appropriate way to reprocess only transactions that took place after the last valid run. (Mostly used in batch systems.)

Question 38

What kind of backup is common in an online real-time system?

Answer 38

Rollback and recovery - procedure in which periodic snapshots are taken of a master file and if a problem is detected, the system reprocesses all transactions since the snapshot.

Question 39

What kind of control is an audit trail in an IT system?

Answer 39

Example of a processing control

Question 40

What is a parity check?

Answer 40

Detects errors in data transmission

Question 41

What is a firewall?

Answer 41

An electronic device that isolates a network segment from the main network while maintaining the connection between networks.

Question 42

What is the difference between an application firewall and a network firewall?

Answer 42

Network - low level filtering

Application - much more sophisticated verification and provide better control vs network

Question 43

What is halon?

Answer 43

A chemical that is an environmental hazard and should not be used in fire suppression systems in a computer facility.

Question 44

What is a major disadvantage to the use of a private key to encrypt data?

Answer 44

In order to decrypt a message decrypted by private key, both sender and receiver must have access to the key, and transmission of the key is inherently insecure.

Question 45

What is a denial of service attack?

Answer 45

Takes advantage of network communications protocol to tie up the server’s communication ports so that legitimate users cannot gain access to the server. Servers are overwhelmed with incomplete access requests causing them to hang in a useless state.