Chapter 2
Auditing IT Governance Controls
Review Questions
1. What is IT governance?
Response:
IT governance is a relatively new subset of corporate governance that
focuses on the management and assessment of strategic IT resources.
2. What are the objectives of IT governance?
Response:
The key objectives of IT governance are to reduce risk and ensure that
investments in IT resources add value to the corporation.
3. What is distributed data processing?
Response:
Distributed data processing involves reorganizing the central IT
function into small IT units that are placed under the control of end users.
The IT units may be distributed according to business function, geographic
location, or both. All or any of the IT functions may be distributed. The
degree to which they are distributed will vary depending upon the philosophy
and objectives of the organization’s management.
4. What are the advantages and disadvantages of
distributed data processing?
Response:
The advantages of DDP are:
a. cost reductions
b. improved cost control responsibility
c. improved user satisfaction
d. backup flexibility
The disadvantages (risks) are:
a. inefficient use of resources
b. destruction of audit trails
c. inadequate segregation of duties
d. difficulty acquiring qualified professionals
e. lack of standards
5. What types of tasks become redundant in a
distributed data processing system?
Response:
Autonomous systems development initiatives distributed throughout the
firm can result in each user area reinventing the wheel rather than benefiting
from the work of others. For example, application programs created by one user,
which could be used with little or no change by others, will be redesigned from
scratch rather than shared. Likewise, data common to many users may be
recreated for each, resulting in a high level of data redundancy. This situation
has implications for data accuracy and consistency.
6. Explain why certain duties that are deemed incompatible in a manual
system may be combined in a computer-based information system (CBIS)
environment. Give an example.
Response:
The CBIS environment tends to consolidate activities. A single application
may authorize, process, and record all aspects of a transaction; for example,
one sales application can approve a customer's credit, produce the invoice, and
post the receivable, tasks that a manual system would assign to three different
people. Because the program, not a person, performs these steps, the focus of
segregation control shifts from the operational level (the transaction
processing tasks that computers now perform) to higher-level organizational
relationships within the computer services function, such as separating the
people who write and maintain the application from those who operate it.
7. What are the three primary CBIS functions
that must be separated?
Response:
The three primary CBIS functions that must be separated are as follows:
a. separate systems development from computer operations,
b. separate the database administrator from other functions, and
c. separate new systems development from maintenance.
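The three separations above can be checked mechanically during an access review. The following is an added example, not from the textbook: it takes a constructed list of (person, role) assignments, such as an export from an identity management system, and reports anyone holding two roles the answer says must be kept apart. The role names, the conflict list and the sample assignments are assumptions made for illustration.

```python
"""Segregation-of-duties check over role assignments.

Added example, not from the textbook. Given (person, role) assignments,
report every person who holds a pair of roles that the chapter says must
be separated. Role names and the sample assignments are constructed.
"""
from itertools import combinations

# Incompatible role pairs, derived from the three separations in the
# answer above (development vs operations, DBA vs other functions,
# development vs maintenance). Order within a pair does not matter.
CONFLICTS = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"database_administration", "systems_development"}),
    frozenset({"database_administration", "computer_operations"}),
    frozenset({"database_administration", "systems_maintenance"}),
    frozenset({"systems_development", "systems_maintenance"}),
}


def roles_by_person(assignments):
    """Collapse (person, role) tuples into {person: set_of_roles}."""
    out = {}
    for person, role in assignments:
        out.setdefault(person, set()).add(role)
    return out


def sod_violations(assignments):
    """Return a sorted list of (person, role_a, role_b) for every
    conflicting pair of roles a single person holds."""
    found = []
    for person, roles in roles_by_person(assignments).items():
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in CONFLICTS:
                found.append((person, a, b))
    return sorted(found)


# Constructed sample access-review export (hypothetical people and roles).
SAMPLE = [
    ("alice", "systems_development"),
    ("alice", "systems_maintenance"),    # conflict: development + maintenance
    ("bob", "computer_operations"),
    ("carol", "database_administration"),
    ("carol", "computer_operations"),    # conflict: DBA + operations
    ("dave", "systems_development"),
    ("dave", "data_library"),            # no listed conflict
]

if __name__ == "__main__":
    for person, a, b in sod_violations(SAMPLE):
        print(f"{person}: holds both {a} and {b}")
```

A real review would feed in the actual role export and extend CONFLICTS with the organization's own incompatible pairs; the conflict list is the control, and the script only enforces it.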
8. What exposures do data consolidation in a
CBIS environment pose?
Response:
In a CBIS environment, data consolidation exposes the data to losses
from natural and man-made disasters. Consolidation creates a single point of failure.
The only way to back up a central computer site against disasters is to provide
a second computer facility.
9. What problems may occur as a result of
combining applications programming and
maintenance tasks into one position?
Response:
One problem that may occur is inadequate documentation. Documenting is not
considered as interesting a task as designing, testing, and implementing a new
system, thus a systems professional may move on to a new project rather than
spend time documenting an almost complete project. Job security may be another
reason a programmer may not fully document his or her work. Another problem that
may occur is the increased potential for program fraud. If the original
programmer generates fraudulent code during development, then this programmer,
through maintenance procedures, may disable the code prior to audits. Thus, the
programmer can continue to cover his or her tracks.
10. Why is poor-quality systems documentation a
prevalent problem?
Response:
Poor-quality systems documentation is a chronic IT problem and a significant challenge for
many organizations seeking SOX compliance. At least two explanations are
possible for this phenomenon. First, documenting systems is not as interesting
as designing, testing, and implementing them. Systems professionals much prefer
to move on to an exciting new project rather than document one just completed.
The second possible reason for poor documentation is job security. When a
system is poorly documented, it is difficult to interpret, test, and debug.
Therefore, the programmer who understands the system (the one who coded it)
maintains bargaining power and becomes relatively indispensable. When the
programmer leaves the firm, however, a new programmer inherits maintenance
responsibility for the undocumented system. Depending on its complexity, the
transition period may be long and costly.
11. What is RAID?
Response:
RAID (redundant array of independent disks) uses parallel disks that contain
redundant elements of data and applications. If one disk fails, the lost data
are automatically reconstructed from the redundant components stored on the
other disks. RAID protects against disk hardware failure only; it does not
protect against deletion, corruption by a faulty program, or a disaster that
destroys the whole site, so off-site backups are still required.
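How the reconstruction works, as an added example rather than anything from the textbook: the parity disk stores the XOR of the data disks, so a missing disk is the XOR of everything that survived. The disk contents are constructed eight-byte strings; a real array stripes parity across all disks in blocks, which this simulation does not model.

```python
"""XOR-parity reconstruction of a single failed disk, as in RAID 5.

Added example, not from the textbook. Three data disks and one parity
disk are simulated as equal-length byte strings. The parity disk holds
the XOR of the data disks, so any one lost disk (data or parity) can be
rebuilt from the survivors. Real arrays rotate the parity blocks across
all disks; this simulation keeps parity on one disk for clarity.
"""


def xor_blocks(blocks):
    """XOR equal-length byte strings together, byte by byte."""
    length = len(blocks[0])
    if any(len(b) != length for b in blocks):
        raise ValueError("all blocks must have the same length")
    out = bytearray(length)
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def make_parity(data_disks):
    """Parity disk = XOR of all data disks."""
    return xor_blocks(data_disks)


def rebuild_missing(survivors):
    """Return the one disk that is missing from `survivors`.

    XOR is its own inverse: D0 ^ D1 ^ D2 ^ P == 0 for every byte, so the
    missing member equals the XOR of all the others. This works whether
    the lost disk held data or parity.
    """
    return xor_blocks(survivors)


# Constructed contents for three data disks (not real data).
DATA = [b"ledger01", b"payroll2", b"orders03"]
PARITY = make_parity(DATA)


def lose_one_and_rebuild(index):
    """Simulate losing data disk `index`; True if it is rebuilt exactly."""
    survivors = DATA[:index] + DATA[index + 1:] + [PARITY]
    return rebuild_missing(survivors) == DATA[index]


def lose_two_and_rebuild(i, j):
    """Single parity cannot cover two failures: the XOR of the survivors
    is DATA[i] ^ DATA[j], not either disk. Returns True only if disk i
    came back correctly, which it does not."""
    survivors = [d for k, d in enumerate(DATA) if k not in (i, j)] + [PARITY]
    return rebuild_missing(survivors) == DATA[i]


if __name__ == "__main__":
    for idx in range(len(DATA)):
        print(f"disk {idx} lost -> rebuilt correctly: {lose_one_and_rebuild(idx)}")
    print(f"disks 0 and 1 lost -> disk 0 rebuilt correctly: "
          f"{lose_two_and_rebuild(0, 1)}")
```

The two-disk case is the caveat behind the answer: single-parity RAID tolerates exactly one concurrent failure, which is one reason it is a fault-tolerance control and not a substitute for backups.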
Chapter 2 — Auditing IT Governance Controls
TRUE/FALSE
1. To fulfill the segregation of duties control objective, computer
processing functions (like authorization of credit and billing) are separated.
ANS: F PTS: 1
2. To ensure sound internal control, program coding and program processing should be separated.
ANS: T PTS: 1
3. Some systems professionals have unrestricted access to the organization's programs and data.
ANS: T PTS: 1
4. IT governance focuses on the management and assessment of strategic IT resources.
ANS: T PTS: 1
5. Distributed data processing places control of IT resources under end users.
ANS: T PTS: 1
6. An advantage of distributed data processing is that redundant tasks are greatly eliminated.
ANS: F PTS: 1
7. Certain duties that are deemed incompatible in a manual system may be combined in a computer-based information system environment.
ANS: T PTS: 1
8. To improve control and efficiency, the CBIS tasks of new systems development and program maintenance should be performed by the same individual or group.
ANS: F PTS: 1
9. In a CBIS environment, data consolidation protects corporate data from computer fraud and losses from disaster.
ANS: F PTS: 1
10. The database administrator should be separated from systems development.
ANS: T PTS: 1
11. A disaster recovery plan is a comprehensive statement of all actions to be taken after a disaster.
ANS: T PTS: 1
12. RAID is the use of parallel disks that contain redundant elements of data and applications.
ANS: T PTS: 1
13. Transaction cost economics (TCE) theory suggests that firms should outsource specific non-core IT assets.
ANS: F PTS: 1
14. Commodity IT assets are easily acquired in the marketplace and should be outsourced under the core competency theory.
ANS: F PTS: 1
15. A database administrator is responsible for the receipt, storage, retrieval, and custody of data files.
ANS: F PTS: 1
16. A ROC usually involves two or more user organizations that buy or lease a building and remodel it into a computer site, but without the computer and peripheral equipment.
ANS: F PTS: 1
17. Fault tolerance is the ability of the system to continue operation when part of the system fails due to hardware failure, application program error, or operator error.
ANS: T PTS: 1
18. An often-cited benefit of IT outsourcing is improved core business performance.
ANS: T PTS: 1
19. Commodity IT assets include such things as network management.
ANS: T PTS: 1
20. Specific IT assets support an organization's strategic objectives.
ANS: T PTS: 1
21. A generally accepted advantage of IT outsourcing is improved security.
ANS: F PTS: 1
22. An advantage of distributed data processing is that individual end-user groups set specific IT standards without concern for the broader corporate needs.
ANS: F PTS: 1
23. A mutual aid pact is the lowest-cost disaster recovery option and has been shown to be effective and low risk.
ANS: F PTS: 1
24. Critical applications should be identified and prioritized by the user departments, accountants, and auditors.
ANS: T PTS: 1
25. A widespread natural disaster is a risk associated with a ROC.
ANS: T PTS: 1
MULTIPLE CHOICE
1. All of the following are issues of computer security except
a. releasing incorrect data to authorized individuals
b. permitting computer operators unlimited access to the computer room
c. permitting access to data by unauthorized individuals
d. providing correct data to unauthorized individuals
ANS: B PTS: 1
2. Segregation of duties in the computer-based information system includes
a. separating the programmer from the computer operator
b. preventing management override
c. separating the inventory process from the billing process
d. performing independent verifications by the computer operator
ANS: A PTS: 1
3. In a computer-based information system, which of the following duties needs to be separated?
a. program coding from program operations
b. program operations from program maintenance
c. program maintenance from program coding
d. all of the above duties should be separated
ANS: D PTS: 1
4. Supervision in a computerized environment is more complex than in a manual environment for all of the following reasons except
a. rapid turnover of systems professionals complicates management's task of assessing the competence and honesty of prospective employees
b. many systems professionals have direct and unrestricted access to the organization's programs and data
c. rapid changes in technology make staffing the systems environment challenging
d. systems professionals and their supervisors work at the same physical location
ANS: D PTS: 1
5. Adequate backups will protect against all of the following except
a. natural disasters such as fires
b. unauthorized access
c. data corruption caused by program errors
d. system crashes
ANS: B PTS: 1
6. Which is the most critical segregation of duties in the centralized computer services function?
a. systems development from data processing
b. data operations from data librarian
c. data preparation from data control
d. data control from data librarian
ANS: A PTS: 1
7. Systems development is separated from data processing activities because failure to do so
a. weakens database access security
b. allows programmers access to make unauthorized changes to applications during execution
c. results in inadequate documentation
d. results in master files being inadvertently erased
ANS: B PTS: 1
8. Which organizational structure is most likely to result in good documentation procedures?
a. separate systems development from systems maintenance
b. separate systems analysis from application programming
c. separate systems development from data processing
d. separate database administrator from data processing
ANS: A PTS: 1
9. All of the following are control risks associated with the distributed data processing structure except
a. lack of separation of duties
b. system incompatibilities
c. system interdependency
d. lack of documentation standards
ANS: C PTS: 1
10. Which of the following is not an essential feature of a disaster recovery plan?
a. off-site storage of backups
b. computer services function
c. second site backup
d. critical applications identified
ANS: B PTS: 1
11. A cold site backup approach is also known as
a. internally provided backup
b. recovery operations center
c. empty shell
d. mutual aid pact
ANS: C PTS: 1
12. The major disadvantage of an empty shell solution as a second site backup is
a. the host site may be unwilling to disrupt its processing needs to process the critical applications of the disaster-stricken company
b. intense competition for shell resources during a widespread disaster
c. maintenance of excess hardware capacity
d. the control of the shell site is an administrative drain on the company
ANS: B PTS: 1
13. An advantage of a recovery operations center is that
a. this is an inexpensive solution
b. the initial recovery period is very quick
c. the company has sole control over the administration of the center
d. none of the above are advantages of the recovery operations center
ANS: B PTS: 1
14. For most companies, which of the following is the least critical application for disaster recovery purposes?
a. month-end adjustments
b. accounts receivable
c. accounts payable
d. order entry/billing
ANS: A PTS: 1
15. The least important item to store off-site in case of an emergency is
a. backups of systems software
b. backups of application software
c. documentation and blank forms
d. results of the latest test of the disaster recovery program
ANS: D PTS: 1
16. Some companies separate systems analysis from programming/program maintenance. All of the following are control weaknesses that may occur with this organizational structure except
a. systems documentation is inadequate because of pressures to begin coding a new program before documenting the current program
b. illegal lines of code are hidden among legitimate code and a fraud is covered up for a long period of time
c. a new systems analyst has difficulty in understanding the logic of the program
d. inadequate systems documentation is prepared because this provides a sense of job security to the programmer
ANS: C PTS: 1
17. All of the following are recommended features of a fire protection system for a computer center except
a. clearly marked exits
b. an elaborate water sprinkler system
c. manual fire extinguishers in strategic locations
d. automatic and manual alarms in strategic locations
ANS: B PTS: 1
18. All of the following tests of controls will provide evidence about the physical security of the computer center except
a. review of fire marshal records
b. review of the test of the backup power supply
c. verification of the second site backup location
d. observation of procedures surrounding visitor access to the computer center
ANS: C PTS: 1
19. All of the following tests of controls will provide evidence about the adequacy of the disaster recovery plan except
a. inspection of the second site backup
b. analysis of the fire detection system at the primary site
c. review of the critical applications list
d. composition of the disaster recovery team
ANS: B PTS: 1
20. The following are examples of commodity assets except
a. network management
b. systems operations
c. systems development
d. server maintenance
ANS: C PTS: 1
21. The following are examples of specific assets
except
a. application maintenance
b. data warehousing
c. highly skilled employees
d. server maintenance
ANS: D PTS: 1
22. Which of the following is true?
a. Core competency theory argues that an organization should outsource specific core assets.
b. Core competency theory argues that an organization should focus exclusively on its core business competencies.
c. Core competency theory argues that an organization should not outsource specific commodity assets.
d. Core competency theory argues that an organization should retain certain specific non-core assets in-house.
ANS: B PTS: 1
23. Which of the following is not true?
a. Large-scale IT outsourcing involves transferring specific assets to a vendor.
b. Specific assets, while valuable to the client, are of little value to the vendor.
c. Once an organization outsources its specific assets, it may not be able to return to its pre-outsource state.
d. Specific assets are of value to vendors because, once acquired, vendors can achieve economies of scale by employing them with other clients.
ANS: D PTS: 1
24. Which of the following is not true?
a. When management outsources their organization's IT functions, they also outsource responsibility for internal control.
b. Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor's performance.
c. IT outsourcing may cause incongruence between a firm's IT strategic planning and its business planning functions.
d. The financial justification for IT outsourcing depends upon the vendor achieving economies of scale.
ANS: A PTS: 1
25. Which of the following is not true?
a. Management may outsource their organizations' IT functions, but they cannot outsource their management responsibilities for internal control.
b. Section 404 requires the explicit testing of outsourced controls.
c. The SAS 70 report, which is prepared by the outsourcer's auditor, attests to the adequacy of the vendor's internal controls.
d. Auditors issue two types of SAS 70 reports: SAS 70 Type I report and SAS 70 Type II report.
ANS: C PTS: 1
(Note: SAS 70 has since been superseded, first by SSAE 16 and then by SSAE 18; the corresponding service-organization reports are now the SOC 1 Type I and Type II reports.)