IT Auditing

Question 1

What does a program taking longer than usual to load or execute indicates? What’s the remedy? What can cause the problem to be worse?

Answer 1

It is a symptom of a virus.

Best remedy is stop and run the antivirus program to identify and eliminate or quarantine the virus.

(Think: Stop, Drop what you are doing, and Roll the Antivirus program)

Testing the system by running a different application program; rebooting the system; and even backing up hard disk files to floppies can cause the virus to spread.

Question 2

Risk analysis in IT (disaster management)

Answer 2

Process to determine what the organization defines as a disaster and evaluates the effects of that potential disaster. High-level analysis.

Foundation for contingency planning strategies (the how-to-handle plans)

Question 3

In disaster management, what do system back up analysis, vendor supply agreement analysis, and contingent facility contract analysis represent?

Answer 3

They represent contingency planning strategies to react to a disaster. They are the result of Risk Analysis.

Question 4

Batch Processing from accounting standpoint

Answer 4

Updating master files periodically to capture all transactions that occurred during a period of time.

Transactions are grouped in batches and processed as a batch.

Question 5

Sequence test

Answer 5

Input control that works as an edit test by determining whether a batch of input data is following the proper numerical or alphabetical sequence

Question 6

Validity test

Answer 6

Input control that works as an edit test by comparing identification numbers or transactions codes to a table of valid identification numbers or codes maintained in the system

EX - In CostPoint, we had to enter G/L account code that mataches one of the account codes in the systems or the J/E did not go through

Question 7

Completeness Test

Answer 7

Input control that works as an edit test where the computer checks to see if all the data needed for a specific transaction has been entered by the user.

If there is still information missing, e.g. no matching debit or credit amount or description, the system will prompt the user to re-check and enter the info needed to complete the entry.

Question 8

Limit test

Answer 8

Input control that works as an edit test to ensure that a numerical amount of a record does not go over the predetermined amount (limit)

Question 9

Advantages and Disadvantages of Encryption

Answer 9

Advantage - more secured even though it is not absolute secrecy

Disadvantage - slows down the system; increases the system’s overhead

Remember - there is no such thing as absolute security in encryption. Absolutes only exists in theoretical math.

Question 10

Batch and hash totals

Answer 10

Input controls to detect errors

hash totals add up to nonsense number to use as a control number, e.g. adding up all the last 4 digits of everyone’s SSN

Question 11

Records recount of each run

Answer 11

Input control that detects errors

Question 12

Examples of preventative controls

Answer 12

Proper segregation of duties,
passwords,
and user codes

Question 13

Examples of recovery methods

Answer 13

Back up copies of activity and master files

Question 14

What does a compiler do?

Answer 14

Translates program code (human language) into machine language that the CPU can understand and execute

Question 15

Distributed data processing network

Answer 15

Network of computers that are connected, but each computer can process its own data.

It is a hybrid of centralization and decentralization.

Question 16

What is COBIT?

Answer 16

Stands for:

Control Objectives for Information and Related Technology

Developed by Information Systems Audit and Control Association (ISACA)

Framework of generally applicable IT security and control practices

Question 17

What does COBIT provide more specifically?

Answer 17

1) Help companies find a Balance between risk and controls in their information systems
2) Find practices that give Assurance that security and IT controls are adequate
3) Guidance to Auditors on forming opinion and how to advise management on internal control

Question 18

How does COBIT framework look at controls? Sum up how COBIT looks at these controls?

Answer 18

Looks at controls in three different ways:

1) Business requirements
2) IT resources
3) IT processes

COBIT’s approach is that every control activity in a company’s information system satisfies a Business Requirement by using its IT Resources and applying them to an IT Process to meet that business requirement.

Each control activity utilizes IT resources, applies to a process, and satisfies a business requirement.

Question 19

What are the usual risks with clients who use a LAN and PC’s as its information system?

Answer 19

This is an example of End-User Computing.

Typical risks are:

• lack of documentation of the procedures to ensure complete capture of data. End users are notorious for not documenting. They tend to go off on their own.
• poor security controls over sensitive data sitting on the PC’s. Remember the LAN does not store the data, all it does is connect the PC’s, so they can “talk” to each other.
• Incomplete data communications, meaning the LAN could go off-line without any warning before you have any chance to back up the data

Question 20

What is End-User Computing (EUC)? What is an example? What’s the downside?

Answer 20

The end users create, control, and implement their own information systems. They don’t use a mainframe or anything central to backup the data they are using.

An example is using a PC.

The downside is the end users are left to their own devices and they can simply choose to not document any procedures that they developed. They don’t bother to think that someone else might have to take over their work. They don’t plan ahead.

Also, what the end-users are doing might not be compatible with the organization’s overall system. Like using a sales report that is only a Word document and the company-wide system must have the data in Excel format. It can cause a problem.

Question 21

What is so great about a mainframe?

Answer 21

It can store the data in one central place unlike end-user computing (LAN plus a bunch of PC’s).

Question 22

What is risky about PC’s compared to a mainframe?

Answer 22

1) Easy to hack into a PC since it is usually linked to a network. Leaves the network more exposed.
2) Easy to steak a PC (physical access is harder to control)
3) Difficult to segregate duties in a PC and network area because one person could be in charge of both developing and operating the the IT system through a PC
4) End users can do whatever they want and can be lazy with documentation. They are left to their own devices and could come up with their own IT system that isn’t compatible with the company-wide’s system.

Question 23

Characteristics of Real-Time System

Answer 23

Online files, prompt input from users,
extensive communication network,
random access,
immediate update