Romney C13: Processing Integrity & Availability Controls Flashcards

1
Q

Processing integrity

A

a reliable system

produces information that is accurate, complete, timely, and valid

2
Q

Input controls

A

only authorized personnel acting within their authority should prepare source documents.

forms design, cancellation and storage of source documents and automated data entry controls are needed to verify the validity of input data

3
Q

Forms design

A

source documents should be designed to minimize the chances for errors and omissions.

important controls:

  1. should be sequentially prenumbered (so a missing or duplicated document can be spotted)
  2. using turnaround documents (company output sent to an outside party and returned as input, with the data preprinted in machine-readable form)
4
Q

Cancellation and storage of source documents

A

source documents that have been entered into the system should be canceled (e.g. stamped or marked) so they cannot be inadvertently or fraudulently reentered into the system

cancellation does not mean disposal

canceled documents should be retained for as long as needed to satisfy legal and regulatory requirements

5
Q

Data entry controls

A

source documents should be scanned for reasonableness and propriety before being entered into the system.

this manual control must be supplemented by automated data entry controls

6
Q

types of data entry controls

A
  1. field check - whether the characters in a field are of the proper type (e.g. only numeric data in a numeric field)
  2. sign check - verifies that the data in a field have the appropriate arithmetic sign (a quantity-ordered field should never be negative)
  3. limit check - tests a numerical amount against a fixed value (e.g. hours worked per week may not exceed 40)
  4. range check - tests a numerical amount against both a lower and an upper limit
  5. size check - ensures that the input data will fit into the assigned field, which also defends against buffer-overflow style input
  6. completeness check - verifies that all required data items have been entered
  7. validity check - compares an ID code or account number in the transaction data with the master file to verify that the account actually exists
  8. reasonableness test - tests the correctness of the logical relationship between two data items
  9. check digit - an ID number such as an inventory item number can contain a check digit computed from the other digits
  10. check digit verification - recalculating the check digit to verify that a data entry error (e.g. two transposed digits) has not been made
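The checks on this card, run together over one keyed sales-order record. This is an added example and not code from the Romney text; the field layout, the customer master file, the limits and the use of the mod-10 (Luhn) scheme as the check-digit algorithm are all constructed assumptions for illustration.

```python
from typing import Any

# Constructed master file of customer account numbers for the validity (existence) check.
# The last digit of each number is a mod-10 (Luhn) check digit; that scheme is an assumption.
CUSTOMER_MASTER = {"10017", "10025", "10033"}

# Constructed field layout of one sales-order record: (type, max length, required).
FIELD_SPEC = {
    "customer_no": ("numeric", 5, True),
    "item_no":     ("numeric", 8, True),
    "qty":         ("numeric", 5, True),
    "unit_price":  ("decimal", 10, True),
    "ship_note":   ("text", 40, False),
}
MAX_QTY = 10_000                 # limit check: fixed upper bound on quantity ordered
PRICE_RANGE = (0.01, 9_999.99)   # range check: lower and upper bound on unit price


def luhn_check_digit(body: str) -> str:
    """Mod-10 (Luhn) check digit computed from the other digits of an ID number."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:           # double every second digit, starting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def check_digit_valid(number: str) -> bool:
    """Check digit verification: recompute the digit from the rest and compare."""
    return number.isdigit() and len(number) >= 2 and luhn_check_digit(number[:-1]) == number[-1]


def is_int(s: str) -> bool:
    return s.lstrip("-").isdigit()


def _text(rec: dict, name: str) -> str:
    """Field value as the clerk keyed it; None and missing fields read as empty."""
    v = rec.get(name)
    return "" if v is None else str(v).strip()


def validate_order(rec: dict) -> list:
    """Run the automated data entry controls on one keyed record; return every violation."""
    errors = []
    for name, (ftype, size, required) in FIELD_SPEC.items():
        val = _text(rec, name)
        if val == "":
            if required:
                errors.append(f"{name}: required field empty (completeness check)")
            continue
        if len(val) > size:
            errors.append(f"{name}: {len(val)} chars exceeds field size {size} (size check)")
        if ftype == "numeric" and not is_int(val):
            errors.append(f"{name}: non-numeric characters (field check)")
        if ftype == "decimal":
            try:
                float(val)
            except ValueError:
                errors.append(f"{name}: not a decimal number (field check)")

    qty = _text(rec, "qty")
    if is_int(qty):
        q = int(qty)
        if q < 0:
            errors.append("qty: negative quantity ordered (sign check)")
        elif q > MAX_QTY:
            errors.append(f"qty: {q} exceeds limit {MAX_QTY} (limit check)")

    try:
        p = float(_text(rec, "unit_price"))
        lo, hi = PRICE_RANGE
        if not lo <= p <= hi:
            errors.append(f"unit_price: {p} outside [{lo}, {hi}] (range check)")
    except ValueError:
        pass                     # already reported by the field check above

    cust = _text(rec, "customer_no")
    if cust.isdigit():
        if not check_digit_valid(cust):
            errors.append("customer_no: check digit mismatch (check digit verification)")
        elif cust not in CUSTOMER_MASTER:
            errors.append("customer_no: account not in master file (validity check)")
    return errors
```

The check digit is verified before the master-file lookup on purpose: a transposed account number such as 10107 for 10017 fails the cheap arithmetic test and never reaches the database, and a number that passes the check digit but is absent from the master file is reported separately as a validity failure.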
7
Q

Additional Data Entry Controls:

A
  • Batch processing
  • Prompting
  • Closed-loop verification
8
Q

batch processing

A

works efficiently if the transactions are sorted so that the accounts affected are in the same sequence as the records in the master file.

sequence check - test whether a transaction file is in the proper numerical/alphabetical sequence

9
Q

Batch totals

A

numeric values calculated for a batch of input records when the batch is prepared, and compared with the same values recomputed after processing.

3 commonly used batch totals:

  1. financial total: sums a field that contains monetary values (e.g. the total dollar amount of all sales in a batch of sales transactions)
  2. hash total: sums a nonfinancial numeric field (e.g. total quantity ordered, or the sum of the customer account numbers); the result has no inherent meaning and serves only as an input control
  3. record count: the number of records in the batch
10
Q

Prompting

A

the system requests each input data item in turn and waits for an acceptable response, ensuring that all necessary data are entered (an online completeness check)

11
Q

Closed loop verification

A

checks the accuracy of input data by using it to retrieve and display other related information.

e.g. if a clerk enters an account number, the system retrieves and displays the account name so the clerk can confirm that the right account was keyed

12
Q

Processing controls

A

to ensure data is processed correctly

  1. data matching
  2. file labels
  3. recalculation of batch totals
  4. cross-footing and zero-balance test
  5. write-protection mechanisms
  6. concurrent update controls
13
Q

data matching

A

two or more items must be matched before an action can take place

ex: before paying a vendor, the system should match the vendor invoice against both the purchase order and the receiving report (a three-way match), so that only goods actually ordered and actually received are paid for
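The three-way match described on this card, written out as an added example (not code from the Romney text). The document layouts, the purchase order and receiving report on file, and the one-cent price tolerance are constructed assumptions; the point is that an invoice is approved only when every item agrees with both other documents, and each disagreement is reported rather than silently skipped.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    po_no: str
    vendor: str
    item: str
    qty: int
    unit_price: float


@dataclass(frozen=True)
class ReceivingReport:
    rr_no: str
    po_no: str
    item: str
    qty_received: int


@dataclass(frozen=True)
class VendorInvoice:
    inv_no: str
    po_no: str
    vendor: str
    item: str
    qty_billed: int
    unit_price: float
    total: float


# Constructed documents already on file, indexed by purchase order number.
PURCHASE_ORDERS = {"PO-100": PurchaseOrder("PO-100", "Acme Supply", "SKU-7", 100, 2.50)}
RECEIVING_REPORTS = {"PO-100": ReceivingReport("RR-55", "PO-100", "SKU-7", 100)}


def three_way_match(inv, po_index=PURCHASE_ORDERS, rr_index=RECEIVING_REPORTS):
    """Approve payment only if the invoice agrees with both the purchase order and the
    receiving report. Returns (approved, reasons); an empty reasons list means a clean match."""
    po = po_index.get(inv.po_no)
    if po is None:
        return False, [f"{inv.inv_no}: no purchase order {inv.po_no} on file"]
    rr = rr_index.get(inv.po_no)
    if rr is None:
        return False, [f"{inv.inv_no}: goods on {inv.po_no} not yet received"]
    reasons = []
    if inv.vendor != po.vendor:
        reasons.append("vendor on invoice differs from purchase order")
    if not (inv.item == po.item == rr.item):
        reasons.append("item number differs across documents")
    if inv.qty_billed > rr.qty_received:
        reasons.append(f"billed {inv.qty_billed} but only {rr.qty_received} received")
    if rr.qty_received > po.qty:
        reasons.append(f"received {rr.qty_received} but only {po.qty} ordered")
    if abs(inv.unit_price - po.unit_price) > 0.005:      # tolerance: one cent (assumption)
        reasons.append(f"unit price {inv.unit_price} differs from PO price {po.unit_price}")
    if abs(inv.qty_billed * inv.unit_price - inv.total) > 0.005:
        reasons.append("invoice total does not equal quantity times unit price")
    return (not reasons), reasons
```

The vendor-name comparison is the fraud-relevant line: an invoice that quotes a genuine PO number but a different payee (a common invoice-fraud pattern) is rejected even when quantities and prices agree.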

14
Q

File labels

A

to ensure that the correct and most current files are being updated

ex: both external labels (human-readable, attached to the media) and internal labels (machine-readable, written inside the file itself) should be used.

15
Q

internal label

A
  1. header record: located at the beginning of each file and contains the file name, expiration date and other identification data
  2. trailer record: located at the end of the file and contains the batch totals calculated during input
16
Q

recalculation of batch totals

A

batch totals should be recomputed as each transaction record is processed and compared with the totals computed during input.

any discrepancy indicates an error in processing or in the keyed data.

if a financial discrepancy is evenly divisible by 9, suspect a transposition error: two adjacent digits were inadvertently reversed (45 keyed as 54 differs by 9; 1234 keyed as 1243 also differs by 9)
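The batch-total cards (9), the internal-label card (15) and this recalculation card, combined into one added example that is not code from the Romney text. A batch file is written with a header record, the data records and a trailer record carrying the totals computed from the source documents; processing checks the labels and the sequence, recomputes the three totals record by record, and classifies any financial discrepancy by the divisible-by-9 rule. The file layout (one JSON object per line) and the sample transactions are constructed assumptions.

```python
import json
from typing import Optional

# Constructed sales transactions as they appear on the source documents.
SOURCE_RECORDS = [
    {"txn_no": 101, "customer_no": 10017, "amount": 45.00},
    {"txn_no": 102, "customer_no": 10025, "amount": 120.50},
    {"txn_no": 103, "customer_no": 10033, "amount": 12.34},
]
# The same batch as keyed by a clerk: the first amount was transposed (45.00 keyed as 54.00).
KEYED_RECORDS = [dict(r) for r in SOURCE_RECORDS]
KEYED_RECORDS[0]["amount"] = 54.00


def batch_totals(records):
    """The three common batch totals: financial total, hash total, record count."""
    return {
        "financial_total": round(sum(r["amount"] for r in records), 2),
        "hash_total": sum(r["customer_no"] for r in records),   # no meaning, control only
        "record_count": len(records),
    }


def sequence_check(records):
    """Transaction numbers must be in ascending order, like the master file they update."""
    nums = [r["txn_no"] for r in records]
    return all(a < b for a, b in zip(nums, nums[1:]))


def write_batch_file(records, batch_id, control_totals: Optional[dict] = None):
    """One record per line: header record, data records, trailer record with the input totals.
    control_totals are the totals computed from the source documents (default: from records)."""
    header = {"type": "HDR", "file": "sales_batch", "batch_id": batch_id, "created": "2024-03-01"}
    trailer = {"type": "TRL", **(control_totals or batch_totals(records))}
    rows = [header] + [{"type": "DAT", **r} for r in records] + [trailer]
    return "\n".join(json.dumps(row) for row in rows)


def diagnose_discrepancy(control: float, recomputed: float) -> str:
    """Work in cents; a difference evenly divisible by 9 points to transposed adjacent digits."""
    diff = round(abs(control - recomputed) * 100)
    if diff == 0:
        return "ok"
    return "transposition suspected" if diff % 9 == 0 else "other error"


def process_batch_file(text: str, expected_file: str = "sales_batch"):
    """Check the file labels and the sequence, then recompute the totals record by record
    and compare with the trailer. Returns one finding per total that disagrees."""
    rows = [json.loads(line) for line in text.splitlines()]
    header, trailer, data = rows[0], rows[-1], rows[1:-1]
    if header.get("type") != "HDR" or header.get("file") != expected_file:
        raise ValueError("file label check failed: wrong or missing header record")
    if trailer.get("type") != "TRL":
        raise ValueError("file label check failed: missing trailer record")
    if not sequence_check(data):
        raise ValueError("sequence check failed: transactions out of order")
    running = {"financial_total": 0.0, "hash_total": 0, "record_count": 0}
    for r in data:                                   # recalculation as each record is processed
        running["financial_total"] = round(running["financial_total"] + r["amount"], 2)
        running["hash_total"] += r["customer_no"]
        running["record_count"] += 1
    findings = []
    for field, value in running.items():
        if value != trailer[field]:
            finding = {"field": field, "control": trailer[field], "recomputed": value}
            if field == "financial_total":
                finding["diagnosis"] = diagnose_discrepancy(trailer[field], value)
            findings.append(finding)
    return findings
```

With the keyed batch, only the financial total disagrees (the hash total and record count still match, which is exactly what a transposed amount looks like), and the 9.00 difference is flagged as a suspected transposition.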

17
Q

cross-footing balance test

A

a processing control that verifies accuracy by comparing two alternative ways of calculating the same total (e.g. the sum of a report's row totals must equal the sum of its column totals)

18
Q

zero balances test

A

verifies that the balance of a control account (e.g. a payroll clearing account) equals zero after all entries to it have been made.
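Both balance tests from the two cards above, as an added example that is not code from the Romney text. The cross-footing routine recomputes every row and column total from the report cells and then compares the grand total obtained both ways; the zero-balance routine nets the postings to a clearing account. The report, the printed totals and the payroll postings are constructed sample data.

```python
# Constructed sales report cells: {region: {product: amount}}.
REPORT_CELLS = {
    "North": {"Widgets": 100.00, "Gadgets": 50.00},
    "South": {"Widgets": 70.00, "Gadgets": 30.00},
}
# Totals as printed on the report (in practice produced by a separate program run).
REPORTED_ROW_TOTALS = {"North": 150.00, "South": 100.00}
REPORTED_COL_TOTALS = {"Widgets": 170.00, "Gadgets": 80.00}


def cross_foot(cells, row_totals, col_totals):
    """Recompute every row and column total from the cells, then compare the grand total
    obtained by adding the row totals with the one obtained by adding the column totals."""
    findings = []
    for row, values in cells.items():
        total = round(sum(values.values()), 2)
        if total != row_totals.get(row):
            findings.append(f"row {row}: printed {row_totals.get(row)}, cells sum to {total}")
    columns = sorted({c for values in cells.values() for c in values})
    for col in columns:
        total = round(sum(values.get(col, 0.0) for values in cells.values()), 2)
        if total != col_totals.get(col):
            findings.append(f"column {col}: printed {col_totals.get(col)}, cells sum to {total}")
    by_rows = round(sum(row_totals.values()), 2)
    by_cols = round(sum(col_totals.values()), 2)
    if by_rows != by_cols:
        findings.append(f"grand total is {by_rows} by rows but {by_cols} by columns")
    return findings


# Constructed postings to a payroll clearing account: debits positive, credits negative.
PAYROLL_CLEARING = [
    ("gross payroll (debit)", 42_000.00),
    ("distribute to dept A (credit)", -25_000.00),
    ("distribute to dept B (credit)", -17_000.00),
]


def zero_balance(postings):
    """Zero-balance test: after every entry is posted, the control account must net to zero.
    Returns (passed, net balance) so a failure reports how far off the account is."""
    net = round(sum(amount for _, amount in postings), 2)
    return net == 0, net
```

A single mis-keyed row total shows up twice in the cross-foot findings: once against its own cells and once as a grand-total disagreement, which is what makes the test self-checking even when the individual cells are not re-examined.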

19
Q

write protection mechanisms

A

protect against overwriting/erasing of data files stored on magnetic media.

20
Q

concurrent update control

A

controls that lock out users to protect individual records from errors that could occur if multiple users attempted to update the same record simultaneously
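The lost-update problem this card guards against, and the record lock that prevents it, as an added example that is not code from the Romney text. The in-memory master file, the two clerks and the payment amounts are constructed; the lock is the pessimistic form the card describes (the second user is refused until the first releases the record).

```python
class RecordLocked(Exception):
    """Raised when a user tries to take or update a record that another user holds."""


class RecordStore:
    """Constructed in-memory master file with one lock per record."""

    def __init__(self):
        self._rows = {}    # record id -> value
        self._locks = {}   # record id -> user currently holding the lock

    def put(self, rid, value):
        self._rows[rid] = value

    def read(self, rid):
        return self._rows[rid]

    def lock(self, rid, user):
        """Take the record for update; refused while another user holds it."""
        holder = self._locks.get(rid)
        if holder is not None and holder != user:
            raise RecordLocked(f"{rid} is locked by {holder}")
        self._locks[rid] = user

    def unlock(self, rid, user):
        if self._locks.get(rid) == user:
            del self._locks[rid]

    def write(self, rid, value, user):
        """Controlled update: only the lock holder may write the record."""
        if self._locks.get(rid) != user:
            raise RecordLocked(f"{user} must hold the lock on {rid} to update it")
        self._rows[rid] = value

    def write_unprotected(self, rid, value):
        """No concurrent update control: last writer wins."""
        self._rows[rid] = value


def lost_update_demo(protected: bool) -> float:
    """Two clerks post payments of 300 and 200 against the same 1000 balance at the same time."""
    store = RecordStore()
    store.put("C-1", 1000.0)
    if not protected:
        bal_a = store.read("C-1")                        # clerk A reads 1000
        bal_b = store.read("C-1")                        # clerk B reads 1000 before A has written
        store.write_unprotected("C-1", bal_a - 300.0)
        store.write_unprotected("C-1", bal_b - 200.0)    # silently discards A's payment
        return store.read("C-1")                         # 800: the 300 payment is lost
    store.lock("C-1", "clerk_a")
    bal_a = store.read("C-1")
    try:
        store.lock("C-1", "clerk_b")                     # B is locked out while A holds the record
    except RecordLocked:
        pass
    store.write("C-1", bal_a - 300.0, "clerk_a")
    store.unlock("C-1", "clerk_a")
    store.lock("C-1", "clerk_b")                         # B now reads the balance A left behind
    bal_b = store.read("C-1")
    store.write("C-1", bal_b - 200.0, "clerk_b")
    store.unlock("C-1", "clerk_b")
    return store.read("C-1")                             # 500: both payments applied
```

The unprotected path is the one to recognise in code review: any read-modify-write against shared state (balances, inventory counts, token budgets) without a lock or a version check will lose updates under concurrency, and an attacker who can time requests can exploit that deliberately.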

21
Q

Output Control

A

Provides additional control over processing integrity

  1. user review of output
  2. reconciliation procedure
  3. external data reconciliation
  4. data transmission controls
22
Q

user review of output

A

users should carefully examine system output to verify that it is reasonable and complete, and that they are the intended recipients

23
Q

reconciliation procedures

A

all transactions and other system updates should be reconciled to control reports, file status/update reports, or other control mechanisms

24
Q

External data reconciliation

A

database totals should periodically be reconciled with data maintained outside the system

ex: physical inventory count

25
Q

Data transmission control:

A

minimize the risk of data transmission errors:

  1. checksums - the sender computes a hash (checksum) of the data and transmits it with the data; the receiver recomputes it and compares. A plain checksum detects accidental corruption only: anyone who alters the data can recompute it, so detecting deliberate tampering requires a keyed MAC or a digital signature
  2. parity bits - an extra bit added to every character so that the number of 1 bits is even (or odd), used to check transmission accuracy
  3. parity checking - the receiving device recalculates the parity bit to verify the accuracy of the transmitted data; it catches any single flipped bit in a character but not two flipped bits in the same character
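Parity bits, parity checking and a checksum over the same message, as an added example that is not code from the Romney text. It goes one step beyond the card: it also shows the caveat above in code, with a CRC-32 checksum that a tamperer can recompute and an HMAC that they cannot. The payment message, the single- and double-bit errors and the shared key are constructed.

```python
import hashlib
import hmac
import zlib


def parity_bit(byte: int) -> int:
    """Even parity: the bit that makes the count of 1s in data plus parity even."""
    return bin(byte).count("1") % 2


def encode_with_parity(data: bytes) -> list:
    """Each character becomes a 9-bit unit: the 8 data bits followed by its parity bit."""
    return [(b << 1) | parity_bit(b) for b in data]


def parity_check(units: list) -> list:
    """Receiver recalculates the parity of each unit; returns the indexes that fail."""
    return [i for i, u in enumerate(units) if parity_bit(u >> 1) != (u & 1)]


def decode(units: list) -> bytes:
    return bytes(u >> 1 for u in units)


def checksum(data: bytes) -> int:
    """Checksum for accidental corruption; anyone can recompute it, so it proves nothing about origin."""
    return zlib.crc32(data)


def mac(data: bytes, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): detects deliberate modification by anyone who lacks the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def transmission_demo() -> dict:
    msg = b"PAY VENDOR 10017 AMOUNT 00450.00"        # constructed payment instruction
    key = b"constructed-shared-link-key"             # constructed; would be provisioned per link
    units = encode_with_parity(msg)
    sent_crc, sent_tag = checksum(msg), mac(msg, key)

    single = list(units)
    single[4] ^= 0b10                                # one data bit flipped in transit
    double = list(units)
    double[4] ^= 0b110                               # two data bits flipped in the same character
    tampered = msg.replace(b"00450.00", b"94500.00") # attacker rewrites the amount...
    tampered_crc = checksum(tampered)                # ...and recomputes the checksum to match

    return {
        "single_flip_parity_detects": parity_check(single) != [],
        "double_flip_parity_detects": parity_check(double) != [],
        "double_flip_checksum_detects": checksum(decode(double)) != sent_crc,
        "tamper_checksum_detects": tampered_crc != checksum(tampered),
        "tamper_mac_detects": not hmac.compare_digest(mac(tampered, key), sent_tag),
    }
```

Parity catches the single-bit error and misses the double-bit error; the CRC catches both; only the HMAC catches the rewritten amount, because the attacker cannot produce a valid tag without the key.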
26
Q

Availability

A

Interruptions of business processes due to the unavailability of systems or information can cause significant financial losses

27
Q

Primary objective

A
  • minimize the risk of system downtime
  • enable quick resumption of normal operations

28
Q

Key controls to minimize risk of system downtime

A
  1. preventive maintenance
  2. fault tolerance
  3. data center location and design
  4. training
  5. patch management and antivirus software
29
Q

preventive maintenance:

A

ex: cleaning disk drives and properly storing magnetic and optical media reduce the risk of hardware and software failure

fault tolerance - the ability of a system to continue functioning in the event that a particular component fails.

many organizations use a redundant array of independent drives (RAID) instead of a single disk drive

with RAID, data are written to multiple disk drives simultaneously, so if one disk fails the data can still be read from another (RAID 0 is the exception: it stripes data across drives for speed without any redundancy)

30
Q

data center location and design

A

to minimize the risks associated with natural and human-caused disasters:

  1. raised floors provide protection from damage caused by flooding
  2. fire detection and suppression devices reduce the risk of fire damage
  3. adequate air conditioning systems reduce the likelihood of damage to computer equipment from overheating or humidity
  4. surge protection devices provide protection against temporary power fluctuations that otherwise might cause computers and network equipment to crash
  5. an uninterruptible power supply (UPS) provides protection in the event of a prolonged power outage, using battery power to enable the system to operate long enough to back up critical data and shut down properly
  6. physical access controls reduce the risk of theft and damage
31
Q

training

A

reduce the risk of system downtime

well-trained operators are less likely to make mistakes and will know how to recover, with minimal damage, from the problems that do occur

COBIT 2019 DSS01 - importance of defining and documenting operational procedures and ensuring that IT staff understand their responsibilities

32
Q

patch management and antivirus software

A

important to install, run and keep current antivirus and anti-spyware programs.

they should be automatically invoked not only to scan email but also any removable computer media (CDs, DVDs, USB drives, etc.)

a patch management system provides additional protection by ensuring that vulnerabilities that could be exploited by malware are fixed in a timely manner

33
Q

Recovery & resumption of normal operations

A

two fundamental questions:

  • how much data are we willing to recreate from source documents or potentially lose? (Recovery Point Objective, RPO)
  • how long can we function without our information system? (Recovery Time Objective, RTO)
34
Q

Recovery point objective

A

the amount of data the organization is willing to reenter or potentially lose

RPO inversely related to the frequency of backups: the smaller the desired RPO, the more frequently backups need to be made

35
Q

Recovery Time Objective

A

The maximum tolerable time to restore an organization’s information system following a disaster, representing the length of time that the organization is willing to attempt to function w/o its info system

36
Q

Data Backup Procedures

A

designed to deal with situations where info is not accessible because the relevant files/databases have become corrupted as a result of hardware failure, software problems, or human error but the information system itself is still functioning.

37
Q

Back up procedures

A
  1. Full backup
  2. incremental backup
  3. differential backup
38
Q

full backup

A

exact copy of the entire database

time consuming

39
Q

daily partial backup: incremental backup

A

copying only the data items that have changed since the last partial backup

produces a set of incremental backup files, each containing the results of one day's transactions

restoration involves first loading the last full backup and then installing each subsequent incremental backup in the proper sequence (a missing or out-of-order file leaves the restored database wrong)

40
Q

daily partial backup: differential backup

A

copies all changes made since the last full backup.

each new differential backup file contains the cumulative effects of all activity since the last full backup, so each one is larger and takes longer to create than the last.

restoration is simpler, because the last full backup needs to be supplemented with only the most recent differential backup instead of a set of daily incremental backup files
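The two restoration procedures on the incremental and differential cards, simulated end to end as an added example that is not code from the Romney text. A full backup is taken, three days of transactions are applied, and after each day both an incremental file (changes since the previous backup of any kind) and a differential file (changes since the full backup) are produced; the restore functions then show that incrementals must all be present and in order, while one differential suffices. The key-value database, the daily transactions and the use of None as a deletion marker are constructed assumptions.

```python
import copy

DELETED = None   # tombstone marking a deleted key inside a partial backup (assumption)


def full_backup(db):
    """Exact copy of the entire database."""
    return copy.deepcopy(db)


def changes_since(base, current):
    """Partial backup: keys added or changed since `base`, plus tombstones for deleted keys."""
    delta = {k: v for k, v in current.items() if base.get(k) != v}
    for k in base:
        if k not in current:
            delta[k] = DELETED
    return delta


def apply_delta(state, delta):
    for k, v in delta.items():
        if v is DELETED:
            state.pop(k, None)
        else:
            state[k] = v
    return state


def restore_incremental(full, incrementals):
    """Load the full backup, then every incremental file in the order it was taken."""
    state = copy.deepcopy(full)
    for delta in incrementals:
        apply_delta(state, delta)
    return state


def restore_differential(full, latest_differential):
    """Load the full backup, then only the most recent differential file."""
    return apply_delta(copy.deepcopy(full), latest_differential)


def simulate_week():
    """Constructed: a full backup, then three days of transactions, each followed by both an
    incremental and a differential backup. Returns the live database, the full backup and
    the two lists of partial backup files."""
    db = {"acct:1": 1000, "acct:2": 500}
    full = full_backup(db)
    daily_transactions = [
        {"acct:1": 900},                      # day 1: payment on account 1
        {"acct:3": 50, "acct:2": DELETED},    # day 2: account 3 opened, account 2 closed
        {"acct:1": 950},                      # day 3: charge on account 1
    ]
    state_at_last_backup = copy.deepcopy(db)
    incrementals, differentials = [], []
    for changes in daily_transactions:
        apply_delta(db, changes)
        incrementals.append(changes_since(state_at_last_backup, db))   # since last backup of any kind
        differentials.append(changes_since(full, db))                  # since the last full backup
        state_at_last_backup = copy.deepcopy(db)
    return db, full, incrementals, differentials
```

The tombstone matters: a partial backup that records only added and changed keys would silently resurrect the closed account on restore, which is the kind of integrity failure that only shows up when the restore procedure is actually tested.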

41
Q

Deduplication

A

a process that uses hashing to recognize blocks of data identical to blocks already stored, so that only the unique (new or changed) portions of a file or database are written to the backup, saving storage space and backup time
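A content-addressed backup store that deduplicates by hash, as an added example that is not code from the Romney text. Files are split into fixed-size chunks, each chunk is identified by its SHA-256 digest and written only if that digest is not already in the store; a second version of a file that differs in one chunk costs one new chunk, and an identical copy costs none. The fixed 4 KiB chunk size and the sample files are constructed assumptions (real products usually use variable, content-defined chunking).

```python
import hashlib

CHUNK_SIZE = 4096   # assumed fixed-size chunking for the example


class DedupStore:
    """Content-addressed backup store: a chunk is written once and referenced by its SHA-256."""

    def __init__(self):
        self.chunks = {}      # sha256 hex digest -> chunk bytes
        self.manifests = {}   # backup name -> ordered list of chunk digests

    def backup(self, name: str, data: bytes) -> int:
        """Back up `data` under `name`; return how many chunks actually had to be written."""
        written = 0
        manifest = []
        for offset in range(0, len(data), CHUNK_SIZE):
            chunk = data[offset:offset + CHUNK_SIZE]
            digest = hashlib.sha256(chunk).hexdigest()
            if digest not in self.chunks:       # hashing identifies the portions already stored
                self.chunks[digest] = chunk
                written += 1
            manifest.append(digest)
        self.manifests[name] = manifest
        return written

    def restore(self, name: str) -> bytes:
        """Reassemble a backup, re-hashing each chunk so silent corruption in the store is caught
        (one damaged chunk would otherwise corrupt every backup that references it)."""
        out = []
        for digest in self.manifests[name]:
            chunk = self.chunks[digest]
            if hashlib.sha256(chunk).hexdigest() != digest:
                raise ValueError(f"stored chunk {digest[:12]} failed its hash check")
            out.append(chunk)
        return b"".join(out)

    def stored_bytes(self) -> int:
        return sum(len(c) for c in self.chunks.values())
```

The re-hash on restore is the availability trade-off that deduplication introduces: shared chunks make one corrupted block a single point of failure for many backups, so a dedup store needs integrity verification and a second copy of the chunk store, not just of the manifests.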

42
Q

Disaster Recovery and Business Continuity Planning

A

Backups are designed to mitigate problems when one or more files become corrupted

disaster recovery and business continuity plans are designed to mitigate more serious problems

43
Q

Disaster Recovery Plan (DRP)

A

A plan to restore an organization’s IT capability in the event its data center is destroyed.

3 basic options for replacing IT infrastructure, not just computers but also network components such as routers and switches:

  • contract for the use of a cold site
  • contract for the use of a hot site
  • real-time mirroring
44
Q

cold site

A
  • a facility that is prewired for the necessary telephone and internet access
  • a cold site does not contain any computing equipment, so recovery takes longer while the equipment is brought in and set up
45
Q

hot site

A

a facility that is not only prewired for telephone and internet access but also contains all the computing and office equipment the organization needs to perform its essential business activities

46
Q

real time mirroring

A

involves maintaining two copies of the database at two separate data centers at all times and updating both databases in real time as each transaction occurs

47
Q

Business Continuity Plan (BCP)

A

specifies how to resume all business processes, including relocating to new offices and hiring temporary replacements, in the event of a major calamity.