IT RISKS AND INTERNAL CONTROL

Question 1

Five components of internal control - CRIM C

Answer 1

Control environment
Risk assessment
Information and Communication
Monitoring 
Control Activities

Question 2

Reliable system?

Answer 2

sb capable of operating
without material error, fault, or failure
during a specified period
in a specified environment

Question 3

AICPA Trust Services

Answer 3

developed a framework for a reliable system

using 5 principles

Question 4

5 Principles of a reliable system - PASCO

Answer 4

Processing integrity
Availability
Security
Confidentiality
Online Privacy

Question 5

Security?

Answer 5

protect the system
against unauthorized access
both physical and logical

Question 6

Security Risks

Answer 6

physical and logical access risks

Question 7

Physical access security risks

Answer 7

Failure results in damage to the system
from:

weather
acts of war
disgruntled employees

Question 8

Logical access

Answer 8

Failure results in

malicious or accidental alteration, damage
to files and/or system
computer-based fraud
unauthorized access to confidential data

Question 9

Availability control

Answer 9

system available for operation
use as committed or agreed
in conformity with entity’s policies

Question 10

Availability failure results in

Answer 10

interruption of business operations

loss of data

Question 11

Processing integrity?

Answer 11

complete system processing

accurate, timely, authorized

Question 12

Failure of processing integrity control results in

Answer 12

invalid, inaccurate, incomplete

data input and output
data processing
master file

Question 13

Online privacy?

Answer 13

all personal information
collected
used
disclosed
retained as agreed

Question 14

Failure of online privacy control results in

Answer 14

compromise of customers’ personal information

Question 15

Confidentiality?

Answer 15

keep information confidential and protected as agreed

Question 16

Failure of confidentiality control results in

Answer 16

disclosure of confidential transactions data
business plans
banking and legal docs
confidential operations

Question 17

5 components of internal control

1. Control environment - principles?

Answer 17

commitment to integrity and ethical values
board independence and oversight
appropriate structures, reporting lines, authorities and responsibilities
commitment to attract, develop, and retain competent personnel
hold individuals accountable for internal control responsibilities

Question 18

2 distinct functions of the information systems department

Answer 18

systems development

data processing

Question 19

Steps in SD life cycle

Answer 19

Software concept - identify the need
Requirements analysis - need of users
Architectural design- resources-hardware, software, people needed
Coding and Debugging - acquiring and testing
System testing - testing and evaluation

Question 20

Organization Structure of the Information System

Answer 20

Segregate the functions of:

systems development manager - information systems department

data processing manager - user department

Question 21

Information systems department

Answer 21

Cannot initiate or authorize transactions

Question 22

Minimum segregation of duties:

Answer 22

Operations
Programming
Library

Question 23

Organization structure in detail

Answer 23

Information Systems Manager
Systems development manager
Data processing manager

Systems development manager
  systems analysis
  systems programming
  applications programming
  database administration

Data processing manager

data preparation
operations
data library
data control

Question 24

Systems Analyst Duties

Answer 24

analyze the present user environment and requirements

recommend specific changes
recommend purchasing of a new system
design a new information system

constant contact with users and programming staff
to ensure user’s actual and ongoing needs are met

create a systems flowchart - defines the systems requirements

Question 25

Systems Programmer/Systems Engineer duties

Answer 25

implement, modify, debug
software to make the hardware work

create designs used by programmers

Question 26

Applications Programmer

Answer 26

writing, testing, debugging
the applications program
from the specifications
provided by the systems analyst

Use program flowchart - defines the program logic

Question 27

Database administrator

Answer 27

maintain database

restrict access to authorized personnel

Question 28

Data preparation

Answer 28

data prepared by user departments

input by key to storage devices

Question 29

Operations - The Operator

Answer 29

daily computer operations
of hardware and software

supervises operations
on the operator’s console

accepts input
distributes output

maintains a run manual to document running of the program

SHOULD NOT HAVE DETAILED PROGRAM INFORMATION!!!

Question 30

Operator restrictions

Answer 30

CANNOT HAVE DETAILED PROGRAM INFORMATION

Question 31

Data librarian

Answer 31

Custody of removable media

Maintain program and system documentation

Question 32

Data Controller

Answer 32

control group

acts as a liaison
between users and processing center

records input data in a control log
follows the progress
distributes output
ensures compliance with control totals

Question 33

Electronic commerce web related positions

Answer 33

Web administrator/ manager
Web master 
Web designer - visual content
Web coordinator - daily operations
Internet developer
Intranet/Extranet developer

Question 34

Web master

Answer 34

website development
expertise, leadership
design, analysis, security
maintenance, content development

Question 35

Internet developer

Answer 35

writing programs for commercial use

Question 36

Intranet/Extranet developer

Answer 36

writing programs for company use

Question 37

Web administrator/ manager

Answer 37

overseeing
development, planning and implementation
of the website

Question 38

2 Risk Assessment

5 components of internal control

Answer 38

assess the risk of improper financial reporting

Question 39

5 components of internal control

3 Information and communication

Answer 39

involves the decision of which system to use

small computers - use off the shelf software

complex mainframe system - internally developed software

Question 40

Controls needed for small computer systems

Answer 40

use off the shelf software

controls are already well-known prior to testing
analysis of exception reports
generated during processing is needed

Question 41

Controls needed for mainframe systems

Answer 41

software is internally developed (significant portion)

controls are unknown to the auditor
prior to testing

analysis of exception reports is important

more thorough testing needed
in the generation of exception reports

Question 42

4 Monitoring

5 Components of Internal Control

Answer 42

adequate computer skills required for proper monitoring

review system access log
to monitor inappropriate access

constant evaluation of data and transactions
highlight inconsistent items

capture samples of items for audit review

Question 43

5 Control Activities

5 Components of Internal Control

Answer 43

General control activities
Computer application control activities
Programmed application control activities
Manual follow up of computer exception reports
User control activities

Question 44

Control activities flowchart

Answer 44

Computer general control activities
Programmed control activities -
1. Computer exception reports
-Manual follow up of exception reports

  2.  Output reporting computer  processed
        transactions 
          - User control activities to test the 
            completeness and accuracy of 
            computer processed transactions

Question 45

4 types of general controls

Answer 45

Developing new programs and systems
Changing existing programs and systems
Controlling access to programs and data
Controlling computer operations

Question 46

#1 type of General Control
Developing new programs and systems process

Answer 46

SEGREGATION OF CONTROLS

User dept participates in the systems design

Users and IT personnel both test the new system

Management, users, IT personnel approve new system before placed into operation

Control all master and transaction file conversions to prevent changes and to verify the accuracy of results

Document all programs and systems

Question 47

Computer hardware controls during development of new programs

Answer 47

parity check
echo check
diagnostic routines
boundary protection
periodic maintenance

Question 48

Parity check

Answer 48

a special bit is added to each character

to detect if hardware loses a bit during internal movement of character

Question 49

Echo check

Answer 49

used in telecommunications transmission

During the sending and receiving process
the receiver repeats back to the sender what it received and sender resends back to the receiver anby character incorrectly received

Question 50

Diagnostic routines

Answer 50

hardware or software
supplied by the manufacturer
to check the internal operations and devices
within the computer system

Question 51

Boundary protection

Answer 51

ensure that simultaneous jobs being processed do not destroy or change the memory of another job

Question 52

Periodic maintenance

Answer 52

system should be examined periodically by a qualified service technician

Question 53

Documentation of developed systems and programs

Answer 53

Detailed system specification documents showing

performance levels
reliability 
security
privacy constraints and limitations
functional capabilities
data structure and elements

Question 54

2 Type of General Control

Changing existing programs and systems

Answer 54

Use change request log when making suggestions for changes

Modified program sb tested

All changes documented

Use code comparison program

Question 55

Code comparison program

Answer 55

compare source and object codes
of a controlled copy of a program
with the program currently being used to process data

• to identify unauthorized changes

Question 56

3 General control activities

Controlling access to programs and data while developing the programs and systems

Answer 56

Program documentation access - limit only to those who need it in the performance of their duties

Files and programs access - only to individuals authorized to process data

Computer hardware access - only to authorized individuals like computer operators and supervisors

Physical access to computer facility use visitor entry logs

Hardware and software controls -

use unique passwords
call back method
encryption

Question 57

3 General control activities

Controlling computer operations

Answer 57

Operators should have access only to operations manual that contains instructions for

processing programs
solving routine operational program issues

BUT NOT DETAILED PROGRAM DOCUMENTATION!

Control group monitors the operator’s activities and jobs sb scheduled

Other controls:

backup and recovery
contingency processing
internal and external labels

Question 58

Contingency processing

Answer 58

detailed contingency processing plans

detail responsibilities of individuals
alternate processing sites sb utilized
use backup facility with a vendor

Question 59

Internal labels

Answer 59

identifies the file thru the use of machine readable identification in the first record of a file

Question 60

External labels

Answer 60

gummed paper labels attached to storage media in order to identify the file

Question 61

FIVE COMPONENTS OF INTERNAL CONTROL - CRIM C

Control environment
Risk assessment
Information and Communication
Monitoring
Control Activities
General control activities
Developing new programs and systems
Changing existing programs and systems
Controlling access to programs and data
Controlling computer operations

Computer application control activities 
Programmed application control activities
          Input Controls
               Overall controls
               Input validation (edit) controls
               Processing controls

Manual follow up of computer exception reports
User control activities
Disaster Recovery and Business Continuity

Answer 61

Overall controls

inputs properly authorized and approved

verify all significant data fields
used to record information

control the conversion of data into machine readable form and verified for accuracy

Question 62

FIVE COMPONENTS OF INTERNAL CONTROL - CRIM C

Control environment
Risk assessment
Information and Communication
Monitoring
Control Activities
General control activities
Developing new programs and systems
Changing existing programs and systems
Controlling access to programs and data
Controlling computer operations

Computer application control activities 
Programmed application control activities
          Input Controls
               Overall controls
               Input validation (edit) controls
               Processing controls

Manual follow up of computer exception reports
User control activities
Disaster Recovery and Business Continuity

Answer 62

Input validation controls

preprinted form
check digit
control, batch, and proof total
hash total
record count
limit (reasonableness) test
menu driven input
field check
validity check
missing data check
field size check
logic check
redundant data check
closed loop verification