Chapter 2

Question 1

1. What is data conversion in an IT environment?

Answer 1

The data conversion function transcribes transaction data from hard-copy source documents into computer input. For example, data conversion could involve keystroking sales orders into a sale order application in modern systems, or transcribing data into magnetic media (tape or disk) suitable for computer processing in legacy type systems.

Question 2

2. Why does the temperature in a computer room need to be controlled?

Answer 2

Computers function best in an airconditioned environment, and providing adequate air conditioning is often a requirement of the vendor’s warranty. Computers operate best in a temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of 50 percent. Logic errors can occur in computer hardware when temperatures depart significantly from this optimal range. Also, the risk of circuit damage from static electricity is increased when humidity drops. In contrast, high humidity can cause molds to grow and paper products (such as source documents) to swell and jam equipment.

Question 3

3-5 Primary IT services/ functions of a centralized data processing structure

Answer 3

1. Database administration
2. Data processing
3. Systems development and maintenance

Question 4

6. The area of the IT department which provides safe storage of offline data files, original copies of commercial software and their licenses.

Answer 4

Data Library

Question 5

7-9 Technically, who are considered system professionals?

Answer 5

analysts, database designers, and programmers who design and build the system

Question 6

10 - 11 What are some problems encountered when a client utilizes systems programmers to perform program maintenance functions?

Answer 6

1. Inadequate documentation
2. Potential for program fraud

Question 7

12. Why is it difficult to hire qualified IT professionals in a DDP?

Answer 7

If the organizational unit into which a new employee is entering is small, the opportunity for personal growth, continuing education, and promotion may be limited.

Question 8

13 - 15 Give three (3) potential problems arising from implementing DDP.

Answer 8

1. Inefficient use of resources
2. Destruction of audit trails
3. Inadequate segregation of duties
4. Difficulty in hiring qualified professionals
5. Lack of standards

Question 9

16 - 17 What does IT governance intend to achieve or what are its objectives?

Answer 9

1. To reduce risk
2. To ensure that investments in IT resources add value to the corporation

Question 10

18. What is a compensating control

Answer 10

in small organizations or in
functional areas that lack sufficient personnel, management must compensate for the absence of segregation controls with close supervision.

Question 11

19-22 What are the services / functions of a corporate IT group formed for the purpose of controlling a DDP environment?

Answer 11

1. Central Testing of Commercial Software and Hardware
2. User Services
3. Standard-setting Body
4. Personnel Review

Question 12

23 - 25 Give three (3) audit procedures to verify that the structure of the IT department provides for the segregation of incompatible functions in a CDP.

Answer 12

1. Review relevant documentation, including the current organizational chart, mission statement, and job descriptions for key functions, to determine if individuals or groups are performing incompatible functions.
2. Review systems documentation and maintenance records for a sample of applications. Verify that maintenance programmers assigned to specific projects are not also the original design programmers.
3. Verify that computer operators do not have access to the operational details of a system’s internal logic. Systems documentation, such as systems flowcharts, logic flowcharts, and program code listings, should not be part of the operation’s docu-
   mentation set.
4. Through observation, determine that segregation policy is being followed in practice. Review operations room access logs to determine whether programmers enter the facility for reasons other than system failures.

Question 13

26 - 28 What IT functions should be segregated? (Give at least 2 incompatible functions in each number)

Answer 13

1. Separating Systems Development from Computer Operations
2. Separating Database Administration from Other Functions
3. Separating New Systems Development from Maintenance

Question 14

29 - 30 Give some advantages of adapting DDP.

Answer 14

1. Cost reductions
2. Improved Cost Control Responsibility
3. Improved User Satisfaction
4. Backup flexibility

Question 15

31. Give the meaning of RAID.

Answer 15

Redundant arrays of independent disks

Question 16

32 - 35 Give one audit procedure to test the compliance of our client to standards on the computer center on: (what documents to check (reasons why) what items to look for) #s

Question 17

32. physical construction

Question 18

33. RAID

Question 19

34. Access control

Question 20

35. Insurance coverage

Question 21

What do accountants examine during their annual audit of the computer center?

Answer 21

Accountants routinely examine the physical environment of the computer center as part of their annual audit.

Question 22

What is the objective of assessing the computer center?

Answer 22

The objective is to present computer center risks and the controls that help to mitigate risk and create a secure environment.

Question 23

What factors should be considered regarding the physical location of a computer center?

Answer 23

The computer center should be away from human-made and natural hazards, such as processing plants, water mains, airports, high-crime areas, flood plains, and geological faults.

Question 24

What is the ideal construction for a computer center?

Answer 24

A computer center should ideally be located in a single-story building of solid construction with controlled access.

Question 25

What type of access control should be implemented for a computer center?

Answer 25

Access should be limited to operators and employees, using physical controls like locked doors, keypads, or swipe cards.

Question 26

What is the optimal temperature and humidity range for computer operation?

Answer 26

Computers operate best in a temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of 50 percent.

Question 27

What is the most serious threat to a firm's computer equipment?

Answer 27

Fire is the most serious threat to a firm's computer equipment.

Question 28

What are key features of an effective fire suppression system?

Answer 28

Key features include automatic and manual alarms, an automatic fire extinguishing system, manual fire extinguishers, sound construction to withstand water damage, and clearly marked fire exits.

Question 29

Areas of potential exposure that can impact the quality of information, accounting records, transaction processing, and the effectiveness of other more conventional internal controls.

Answer 29

1. Physical Location 2. Construction 3. Access 4. Air conditioning 5. Fire Suppression 6. Fault Tolerance

Question 32

What is fault tolerance?

Answer 32

The ability of the system to continue operation when part of the system fails due to hardware failure, application program error, or operator error.

Question 33

What is the purpose of implementing fault tolerance control?

Answer 33

To ensure that no single point of potential system failure exists.

Question 34

What can cause total failure in a system with fault tolerance?

Answer 34

Total failure can occur only if multiple components fail.

Question 35

What does RAID stand for?

Answer 35

Redundant arrays of independent disks.

Question 36

How does RAID work?

Answer 36

It involves using parallel disks that contain redundant elements of data and applications, allowing lost data to be reconstructed if one disk fails.

Question 37

True or False: Halon is a fire-fighting gas that is still allowed by federal law.

Answer 37

False.

Question 38

What problems can commercially provided electrical power present?

Answer 38

* Total power failures * Brownouts * Power fluctuations * Frequency variations

Question 39

What devices are used to control power problems in a computer center?

Answer 39

* Voltage regulators * Surge protectors * Generators * Backup batteries

Question 40

What is the auditor's objective regarding computer center security?

Answer 40

To evaluate the controls governing computer center security.

Question 41

What should the auditor verify about the controls in place?

Answer 41

* Adequate protection from physical exposures * Compensation for destruction or damage to the computer center

Question 42

What should the auditor obtain to assess the physical construction of the computer center?

Answer 42

Architectural plans.

Question 43

What is important for the drainage system under a raised floor in a computer center?

Answer 43

It should allow water to flow away in the event of water damage.

Question 44

What should fire detection systems in a computer center be capable of detecting?

Answer 44

* Smoke * Heat * Combustible fumes

Question 45

What access control measures should be in place for the computer center?

Answer 45

Routine access should be restricted to authorized employees.

Question 46

How can the auditor verify visitor access to the computer center?

Answer 46

By reviewing access logs detailing arrival and departure times, purpose, and frequency.

Question 47

What should the auditor do if the organization is not employing RAID?

Answer 47

Review alternative procedures for recovering from a disk failure.

Question 48

What periodic tests should be conducted on the uninterruptible power supply?

Answer 48

Tests to ensure sufficient capacity to run the computer and air conditioning.

Question 49

What should the auditor review annually regarding insurance?

Answer 49

The organization's insurance coverage on its computer hardware, software, and physical facility.

Question 50

Fill in the blank: The insurance policy should reflect management's needs in terms of _______.

Answer 50

[extent of coverage]

Question 51

What are the two types of insurance coverage a firm may seek?

Answer 51

* Partial self-insurance with minimum coverage * Complete replacement-cost coverage

Question 52

What are the tests of physical security controls?

Answer 52

1. Tests of Physical Construction 2. Tests of the Fire Detection System 3. Tests of Access Control 4. Tests of Raid 5. Tests of Uninterruptible Power Supply 6. Tests for Insurance Coverage

Question 53

What should an insurance policy reflect in terms of management's needs?

Answer 53

The extent of coverage, which may include partial self-insurance or complete replacement-cost coverage. ## Footnote Insurance policies should align with the organization's risk management strategy.

Question 54

What are the three categories of disasters that can impact an organization's IT resources?

Answer 54

* Natural disasters * Human-made disasters * System failures ## Footnote These categories encompass a range of events from environmental to human errors.

Question 55

Which type of disaster is considered the most potentially devastating from a societal perspective?

Answer 55

Natural disasters, such as hurricanes, widespread flooding, and earthquakes. ## Footnote These disasters can affect many organizations simultaneously.

Question 56

What is the impact of human-made disasters on organizations?

Answer 56

They can be destructive but tend to be limited in their scope of impact compared to natural disasters. ## Footnote Examples include sabotage and human errors.

Question 57

What are system failures often less severe than but more likely to occur?

Answer 57

Natural and human-made disasters. ## Footnote Examples of system failures include power outages and hard-drive failures.

Question 58

What can disasters deprive an organization of?

Answer 58

Data processing facilities and the ability to deliver products or services. ## Footnote This can halt business functions reliant on technology.

Question 59

How can the impact of a disaster be mitigated?

Answer 59

Through careful contingency planning and a disaster recovery plan (DRP). ## Footnote A well-prepared organization can absorb the disaster's impact.

Question 60

What is a disaster recovery plan (DRP)?

Answer 60

A comprehensive statement of all actions to be taken before, during, and after any type of disaster. ## Footnote It focuses on recovery and maintaining business continuity.

Question 61

What are the four common features of all workable disaster recovery plans?

Answer 61

* Identify critical applications * Create a disaster recovery team * Provide site backup * Specify backup and off-site storage procedures ## Footnote These features ensure an organized response to disasters.

Question 62

What is the first essential element of a DRP?

Answer 62

Identify the firm's critical applications and associated data files. ## Footnote Recovery efforts should focus on short-term survival.

Question 63

What should a DRP focus on immediately following a disaster?

Answer 63

Short-term survival and restoration of functions that generate cash flows. ## Footnote This includes critical business operations that satisfy short-term obligations.

Question 64

List some functions that affect the cash flow position of a firm.

Answer 64

* Customer sales and service * Fulfillment of legal obligations * Accounts receivable maintenance and collection * Production and distribution decisions * Purchasing functions * Cash disbursements (trade accounts and payroll) ## Footnote These functions are vital for maintaining business continuity.

Question 65

Audit Procedures in verifying that management’s DRP is a realistic solution for dealing with a catastrophe:

Answer 65

1. Critical Application List 2. Software Backup 3. Data Backup 4. Backup Supplies, Documents, and Documentation 5. Disaster Recovery Team

Question 66

Risks Inherent to IT Outsourcing

Answer 66

1. Failure to Perform 2. Vendor Exploitation 3. Outsourcing Costs Exceed Benefits 4. Reduced Security 5. Loss of Strategic Advantage

Question 67

IT outsourcing includes:

Answer 67

1. improved core business performance, 2. improved IT performance (because of the vendor’s expertise), 3. and reduced IT costs