IT Governance and Management Flashcards

Question

**Cloud Based Systems and Storage:**

Answer 1

**_Cloud Based Systems and Storage:_** It's a virtual data pool often managed by a 3rd party vendor. ## Footnote **_Categories and Examples:_** 1. **Infraestructure as a Service (IaaS):** Use of cloud to access to virtual hardware, such as computers and storage (E.g. Amazon Services and Carbonite). 2. **Platform as a Service (PaaS):** Creating cloud-based software and programs like Salesforce.com 3. **Software as a Service (SaaS):** Remote access to software like productivity programs. **_Benefits of Clouds:_** * Universal Access * Cost Reductions * Scalability-grow with organization * Outsourcing and Economies of Scale - outsource to provider w lower costs * Enterprise-wide integration **_Risks:_** * Data loss (all eggs in one basket increases risk of data loss) * Increased system penetration risk

Answer 2

**B. Increased responsiveness and flexibility while aiding in the decision-making process.** Improving responsiveness and flexibility, and aiding the decision-making processes in an organization, are important goals of an ERP system. Hence, this is the best answer.

Answer 3

**A. IaaS**

Answer 4

**_Business Continuity Plan:_** The process of planning for disasters and embedding this plan in an organization's culture. ## Footnote **_6-Step Model:_** 1. **_Create a BCM policy and program_** -- Create a framework and structure around which the BCM is created. *This includes defining the scope of the BCM plan, identifying roles in this plan, and assigning roles to individuals.* 2. **_Understand and evaluate organizational risks_** -- Identifying the importance of activities and processes is critical to determining needed costs to prevent interruption, and, ensure their restoration in the event of interruption. A business impact analysis (BIA) will identify the maximum tolerable interruption periods by function and organizational activity. 3. **_Determine business continuity strategies_** -- Having defined the critical activities and tolerable interruption periods, define alternative methods to ensure sustainable delivery of products and services. Key decisions related to the strategy include desired recovery times, distance to recovery facilities, required personnel, supporting technologies, and impact on stakeholders. 4. **_Develop and implement a BCM response_** -- Document and formalize the BCM plan. Define protocols for defining and handling crisis incidents. Create, assign roles to, and train the incident response team(s). 5. **_Exercise, maintain, and review the plan_** -- Exercising the plan involves testing the required technology, and implementing all aspects of the recovery process. Maintenance and review require updating the plan as business processes and risks evolve. 6. **_Embed the BCM in the organization's culture_** -- Design and deliver education, training and awareness materials that enable effective responses to identified risks. Manage change processes to ensure that the BCM becomes a part of the organization's culture.

Answer 5

**_Disaster Discovery Plans:_** DRPs enable organizations to recover from disasters and to enable continuing operations. **They are integral to an organization's system of internal control.** DRP processes include maintaining program and data files, and, enabling transaction processing facilities. ## Footnote In addition to backup data files, **DRPs must identify mission-critical tasks and ensure that processing for these tasks can continue with virtually no interruptions, at an affordable cost**. **_Goals:_** 1. T**he recovery point objective (RPO)** defines the acceptable amount of data lost in an incident. 2. **The recovery time objective (RTO)** defines the acceptable downtime for a system, or, less commonly, of an organization. It specifies the longest acceptable time for a system to be inoperable. **_Disaster recovery plans are frequently classified by the types of backup facilities maintained and the time required to resume processing:_** 1. **Cold site ("empty shell")** -- An off-site location that has all the electrical connections and other physical requirements for data processing, **but does not have the actual equipment or files**. A cold site is the least expensive type of alternative processing facility available to the organization. If on a mobile unit (e.g., a truck bed), called a mobile cold site. 2. **Warm site** -- A location where the business can relocate to after the disaster that is already stocked with computer hardware similar to that of the original site, but does not contain backed-up copies of data and information. If on a mobile unit, called a mobile warm site. 3. **Hot site --** An off-site location completely equipped to quickly resume data processing. All equipment plus backup copies of essential data files and programs are often at the site. Enables resumed operations with minimal disruption, typically within a few hours. More expensive than warm and cold sites. 4. **Reciprocal agreements** -- These are shared use facilities governed by inter-organizational agreements that house IT facilities. May be cold, warm, or hot. 5. **Mirrored site** -- Fully redundant, fully staffed, and fully equipped site with real-time data replication of mission critical systems. Expensive and used for mission critical systems (e.g., credit card processing at VISA and MasterCard).

Answer 6

**B. Cold site.** In a cold site approach to disaster recovery, hardware and records are delivered after the occurrence of a disaster. This approach is less expensive, but more risky than a hot site approach.

Answer 7

**B. Maintain redundant systems for instant availability to assure the flow of transactions.** This is the best answer since system **redundancy is essential to ensuring business continuit**

Answer 8

D. Prepare a statement of responsibilities for the tasks included in a disaster recovery plan.

Answer 9

C. Mission critical. Mission critical tasks are given first priority in DRP.

Answer 10

**D. Task critical.** Task critical tasks are given the lowest priority in DRP.

Answer 11

**Organizational Structure of the Information Technology (IT) Department:** **_There are three main functional areas within many IT Departments:_** * _A. Applications Development;_ * _B. Systems Administration and Programming; and_ * _C. Computer Operations._

Answer 12

**_Applications Development_** -- This department is responsible for creating new end-user computer applications and for maintaining existing applications. * **_Systems analysts_** -- Are responsible for analyzing and designing computer systems; systems analysts generally lead a team of programmers who complete the actual coding for the system; they also work with end users to define the problem and identify the appropriate solution. * **Application programmers** -- Work under the direction of the systems analyst to write the actual programs that process data and produce reports. * New program development, and maintenance of existing programs, is completed in a "test" or "sandbox"environment using copies of live data and existing programs rather than in the "live" system.

Answer 13

**_Systems Administration and Programming_** -- This department maintains the computer hardware and computing infrastructure and grants access to system resources. * **_System administrators_** -- ***The database administrator, network administrator, and web administrators*** are responsible for management activities associated with the system they control. For example, they grant access to their system resources, usually with user-names and passwords. System administrators, by virtue of the influence they wield, must not be permitted to participate directly in these systems' operations. * **_System programmers_** -- Maintain the various operating systems and related hardware. For example, they are responsible for updating the system for new software releases and installing new hardware. Because their jobs require that they be in direct contact with the production programs and data, it is imperative that they are not permitted to have access to information about application programs or data files.

Answer 14

**_Computer Operations_** -- This department is responsible for the day-to-day operations of the computer system, including receipt of batch input to the system, conversion of the data to electronic media, scheduling computer activities, running programs, etc. * **_Data control_** -- This position controls the flow of all documents into and out of Computer Operations; for batch processing, schedules batches through data entry and editing, monitors processing, and ensures that batch totals are reconciled; data control should not access the data, equipment, or programs. **This position is called "quality assurance" in some organizations.** * **_Data entry clerk (data conversion operator)_ --** For systems still using manual data entry (which is rare), this function keys (enters) handwritten or printed records to convert them into electronic media; the data entry clerk should not be responsible for reconciling batch totals, should not run programs, access system output, or have any involvement in application development and programming. * **_Computer operators_** -- Responsible for operating the computer: loading program and data files, running the programs, and producing output. Computer operators should not enter data into the system or reconcile control totals for the data they process. (That job belongs to Data Control.) * **_File librarian_** -- Files and data not online are usually stored in a secure environment called the File Library; the file librarian is responsible for maintaining control over the files, checking them in and out only as necessary to support scheduled jobs. The file librarian should not have access to any of the operating equipment or data (unless it has been checked into the library)

Answer 15

F**unctions in these three areas should be strictly segregated.** In particular: * **Computer operators and data entry personnel** -- Should never be allowed to act as programmers. * **Systems programmers** -- Should never have access to application program documentation. * **Data administrators** -- Should never have access to computer operations ("live" data). * **Application programmers and systems analysts** -- Should not have access to computer operations ("live" data). * **Application programmers and systems analysts** -- Should not control access to data, programs, or computer resources.

Answer 16

C. Data entry and application programming. The separation of the data entry function from the application programming function is critical to the segregation of duties within an IT department. **This is because if one both enters data and changes the programs into which those data are entered, one can perpetrate consequential financial frauds. This is why data entry occurs within the operations unit of an IT department and application development occurs within the development function of an IT department.** These functions must be kept separate and their duties segregated. Therefore, this is the best answer to the question.

Answer 17

**A. Managing remote access.** System administrators -- The database administrator, network administrator, and web administrators are responsible for management activities associated with the system they control. For example, they grant access to their system resources, usually with user-names and passwords.

Answer 18

**C. Code approved changes to a payroll program.** Application programmers -- Work under the direction of the systems analyst to write the actual programs that process data and produce reports. **Application programmers and systems analysts -- Should not have access to computer operations ("live" data)**

Answer 19

B. Designing systems, prepares specifications for programmers, and serves as intermediary between users and programmers. **Systems analysts** -- Are responsible for analyzing and designing computer systems; systems analysts generally lead a team of programmers who complete the actual coding for the system; they also work with end users to define the problem and identify the appropriate solution.

Answer 20

D. Anyone in the organization who has a role in creating or using the documents and data stored on the computers or networks. **The "stakeholders" in an IT environment include both the IT personnel responsible for developing and maintaining the system as well as the personnel from all areas of the organization, who are the end users of the systems.** In extranet environments, these end users may also include customers and suppliers who access data relevant to their activities with the organization online.

Answer 21

**D. General, Preventive** Most IT people controls are general and preventive. For example, the segregation of duties prevents employees from making unauthorized changes to program and data files.

Answer 22

**_Developing a Business Applications:_** The importance, and potential negative consequences, of systems development is evident in the many large-scale systems failures that have cost organizations millions of dollars, e.g., the Denver airport baggage system, ERP at Hershey's, the Bank of America Trust Department. ## Footnote Developing a functioning computer system, on time, and on budget, requires communication and coordination among multiple groups of people with very different points of view and priorities. Without a clear plan for defining, developing, testing, and implementing the system, it is perilously easy to end up with a system that fails to meet its objectives and must be scrapped. The systems development life cycle is designed to provide this plan.

Answer 23

**_Purpose of the Systems Development Life Cycle (SDLC) Method:_** The systems development life cycle provides a structured approach to the systems development process by: ## Footnote * A. identifying the key roles in the development process and defining their responsibilities; * B. establishing a set of critical activities to measure progress towards the desired result; and * C. requiring project review and approval at critical points throughout the development process.

Answer 24

**_Roles in the SDLC Method:_** ## Footnote * **_IT steering committee_** -- Members of the committee are selected from functional areas across the organization, including the IT Department; ***the committee's principal duty is to approve and prioritize systems proposals for development.*** * **_Lead systems analyst_** -- The manager of the programming team: * Usually responsible for all direct contact with the end-user. * **Often responsible for developing the _overall programming logic and functionality._** * **_Application programmers_** -- The team of programmers who, under direction of the lead analyst, are ***responsible for writing and testing the program.*** * **_End users_** -- The employees who will use the program to accomplish their tasks: * **Responsible for identifying the _problem to be addressed and approving the proposed solution to the problem_.**

Answer 25

**_Stages in, and Risks to, the SDLC Method:_** ## Footnote 1. **_Stage 1 - Planning and Feasibility Study_** -- When an application proposal is submitted for consideration, the proposal is evaluated in terms of three aspects: * ***Technical feasibility*** -- Is it possible to implement a successful solution given the limits currently faced by the IT Department? * ***Economic feasibility*** -- Even if the application can be developed, should it be developed? Are the potential benefits greater than the anticipated cost? * ***Operational feasibility*** -- Given the status of other systems and people within the organization, how well will the proposed system work? * _After establishing feasibility_, a project plan is developed; the project plan establishes: * *Critical success factors* -- The things that the project must complete in order to succeed. * *Project scope* -- A high-level view of what the project will accomplish. * *Project milestones and responsibilities* -- The major steps in the process, the timing of those steps, and identification of the individuals responsible for each step. 2. **_Stage 2 - Analysis_** -- During this phase the systems analysts work with end users to understand the business process and document the requirements of the system; the collaboration of IT personnel and end users to define the system is known as joint application development (JAD). * ***Requirements definition*** -- The requirements definition formally identifies the things that the system must accomplish; this definition serves as the framework for system design and development. * All parties sign off on the requirements definition to signify their agreement with the project's goals and processes. 3. S**_tage 3 - Design_** -- During the design phase, the technical specifications of the system are established; the design specification has two primary components: * ***Technical architecture specification*** -- Identifies the hardware, systems software, and networking technology on which the system will run. * ***Systems model*** -- Uses graphical models (flowcharts, etc.) to describe the interaction of systems processes and components; defines the interface between the user and the system by creating menu and screen formats for the entire system. 4. **_Stage 4 - Development -_**- During this phase, programmers use the systems design specifications to develop the program and data files: * *The hardware and IT infrastructure identified during the design phase are purchased during the development phase*. * The development process must be carefully monitored to ensure compatibility among all systems components as correcting of errors becomes much more costly after this phase. 5. **_Stage 5 - Testing_** -- The system is evaluated to determine whether it meets the specifications identified in the requirements definition. * Testing procedures must project expected results and compare actual results with expectations: * Test items should confirm correct handling of correct data and data that includes errors. * Testing most be performed at multiple levels to ensure correct intra- and inter-system operation: * Individual processing unit -- Provides assurance that each piece of the system works properly. * System testing -- Provides assurance that all of the system modules work together. * Inter-system testing -- Provides assurance that the system interfaces correctly with related systems; * User acceptance testing -- Provides assurance that the system can accomplish its stated objectives with the business environment. 6. **_Stage 6 - Implementation_** -- Before the new system is moved into production, ***existing data must be often be converted to the new system format, and users must be trained on the new system;*** implementation of the new system may occur in one of four ways: * ***Parallel implementation*** -- The new system and the old system are run concurrently until it is clear that the new system is working properly. * ***"Cold turkey" or "plunge" or "big bang"*** implementation -- The old system is dropped and the new system put in place all at once * ***Phased implementation*** -- Instead of implementing the complete system across the entire organization, *the system is divided into modules that are brought on line one or two at a time.* * ***Pilot implementation** --* Similar to phased implementation except, rather than dividing the system into modules, **the users are divided into smaller groups and are trained on the new system one group at a time:** 7. **_Stage 7 - Maintenance_** -- Monitoring the system to ensure that it is working properly and updating the programs and/or procedures to reflect changing needs: * User support groups and help desks -- Provide forums for maintaining the system at high performance levels and for identifying problems and the need for changes. * All updates and additions to the system should be subject to the same structured development process as the original program.

Answer 26

**_Program Library, Documentation, and Record Mgt:_** Source code programs are normally maintained in a library under secure storage (the Source Program Library, or SPL) that is maintained by a file librarian. The library, or an archive of the library, should be off-site and built to withstand fires, floods, and other natural disasters. It (obviously) must also include the same logical and physical controls as are built into the organization's other data processing and storage sites. When new programs are developed or old programs modified, the **SPLMS manages the migration from the Application Development Test Environment to the active Production Library.** The SPLMS ensures that only valid changes are made to the system by checking for all necessary authorizations and, for program modifications, by comparing the new source code to the old source code. Only after verification does the program migrate to the SPL. Authorized versions of major programs should be maintained in a secure, off-site location. (The external auditor frequently maintains these files.)

Answer 27

**D. Change control.** The practice of authorizing changes, approving tests results, and copying developmental programs to a production library is program change control.

Answer 28

D. Production. After changes and verification to those changes, source programs move into production. Approved changes go to the Production Library.

Answer 29

**A. Change control.** \*Internal Control Deficiency\* The management of changes to applications is part of the Source Program Library Management System (SPLMS)

Answer 30

**C. Systems documentation.** Systems documentation provides an overview of the program and data files, processing logic, and interactions with each of the other programs and systems and is appropriate for the auditor to use as a means of gaining familiarity with the system. **There are 4 Levels of Documentation:** 1. **Systems documentation** -- Overviews the program and data files, processing logic and interactions with each other's programs and systems; often includes narrative descriptions, flowcharts, and data flow diagrams; used primarily by systems developers; can be useful to auditors. 2. **Program documentation** -- A detailed analysis of the input data, the program logic, and the data output; consists of program flowcharts, source code listings, record layouts, etc.; used primarily by programmers; program documentation is an important resource if the original programmer is unavailable. 3. **Operator documentation (also called the "run manual")** -- In large computer systems, operator documentation provides information necessary to execute the program such as the required equipment, data files and computer supplies, execution commands, error messages, verification procedures, and expected output; used exclusively by the computer operators. 4. **User documentation** -- Describes the system from the point of view of the end user; provides instructions on how and when to submit data and request reports, procedures for verifying the accuracy of the data and correcting errors.

Answer 31

B. Run manual. **Operator documentation (also called the "run manual")** -- In large computer systems, operator documentation provides information necessary to execute the program such as the required equipment, data files and computer supplies, execution commands, error messages, verification procedures, and expected output; used exclusively by the computer operators.

Answer 32

D. User documentation. **User documentation** -- Describes the system from the point of view of the end user; provides instructions on how and when to submit data and request reports, procedures for verifying the accuracy of the data and correcting errors.

Answer 33

* *Input Controls and Origination Controls:** * *(Also known as programmed controls, edit checks, or automated controls)** are controls over data entry and data origination process. They ensure that the transactions entered into the system meet the following control objectives: ## Footnote * **Valid** -- All transactions are appropriately **authorized**; no fictitious transactions are present; no duplicate transactions are included. * **Complete** -- All transactions have been captured; there are no missing transactions. * **Accurate** -- All data has been correctly transcribed, all account codes are valid; all data fields are present; all data values are appropriate.

Answer 34

A. Closed loop verification. Closed loop verification is an input control associated with online real-time systems. **_Batch Control Totals:_** -- Manually calculated totals of various fields of the documents in a batch. Batch totals are compared to computer-calculated totals and are used to ensure the accuracy and completeness of data entry. Batch control totals are available, of course, only for batch processing systems or applications. * **Financial totals** -- Totals of a currency field that result in meaningful totals, such as the dollar amounts of checks. a. (Note that the total of the hourly rates of pay for all employees, for example, is not a financial total because the summation has no accounting-system meaning.) * **Hash totals** -- Totals of a field, usually an account code field, for which the total has no logical meaning, such as a total of customer account numbers in a batch of invoices. * **Record counts** -- Count of the number of documents in a batch or the number of lines on the documents in a batch.

Answer 35

B. Edit check.

Answer 36

B. Reasonableness check. **_Reasonableness checks_** look at the values in two related fields to ensure that they make sense as a unit; for example, Mark's $1,800 rate is reasonable and his assignment as an hourly employee could be reasonable, but the combination of the two fields ($1,800 hourly rate) is unreasonable.

Answer 37

D. Validity check. **_A validity check_** compares the value entered in a field to a list of valid data values. An error message is displayed if the value is not found on the list.

Answer 38

A. Source code comparison program. **_A source code comparison program_** is used to compare an archived version of the program to the program actually in use.

Answer 39

D. Reasonableness. April has only 30 days. The reasonableness test will catch this error.

Answer 40

* *_Processing and file controls_** -- Controls over processing and files, including the master file update process. * *_Output controls_** -- Control over the production of reports.

Answer 41

**_Processing Controls:_** Controls designed to ensure that master file updates are completed accurately and completely. Controls also serve to detect unauthorized transactions entered into the system and maintain processing integrity. ## Footnote * **Run-to-run controls** -- Use comparisons to monitor the batch as it moves from one programmed procedure (run) to another; totals of processed transactions are reconciled to batch totals - any difference indicates an error. Also called "control totals." * **Internal labels ("header" and "trailer" records)** -- Used primarily in batch processing, electronic file identification allows the update program to determine that the correct file is being used for the update process. * **Audit trail controls** -- Each transaction is written to a transaction log as the transaction is processed; the transaction logs become an electronic audit trail allowing the transaction to be traced through each stage of processing; electronic transaction logs constitute the principal audit trail for online, real-time systems.

Answer 42

**_File Controls:_** ## Footnote * **Parity check (parity bit)** -- A zero or one included in a byte of information that makes the sum of bits either odd or even.A parity check is designed to detect errors in data transmission. * **Read after write check** -- Verifies that data was written correctly to disk by reading what was just written and comparing it to the source. * **Echo check** -- Verifies that transmission between devices is accurate by "echoing back" the received transmission from the receiving device to the sending unit. * **Error reporting and resolution** -- Controls to ensure that generated errors are reported and resolved by individuals who are independent of the initiation of transactions (segregation of duties). * **Boundary protection** -- Sort of a computer traffic cop. When multiple programs and/or users are running simultaneously and sharing the same resource (usually the primary memory of a CPU), boundary protection prevents program instructions and data from one program from overwriting the program instructions or data from another program. * **Internal labels ("header" and "trailer" records)** -- Used primarily in batch processing, electronic file identification allows the update program to determine that the correct file is being used for the update process. Read by the system. Very important for removable storage. * **External labels** -- Labels on removable storage that are read by humans. * **Version control** -- Procedures and software to ensure that the correct file version is used in processing (e.g., for transaction files). * **File access and updating controls** -- These controls ensure that only authorized, valid users can access and update files.

Answer 43

**_Output Controls:_** Ensure that computer reports are accurate and are distributed only as authorized. ## Footnote * **Spooling (print queue) controls** -- Jobs sent to a printer that cannot be printed immediately are spooled - stored temporarily on disk - while waiting to be printed; access to this temporary storage must be controlled to prevent unauthorized access to the files. * **Disposal of aborted print jobs** -- Reports are sometimes damaged during the printing or bursting (separation of continuous feed paper along perforation lines) process; since the damaged reports may contain sensitive data, they should be disposed of using secure disposal techniques. * **Distribution of reports** -- Data control is responsible for ensuring that reports are maintained in a secure environment before distribution and that only authorized recipients receive the reports; a Distribution Log is generally maintained to record transfer of the reports to the recipients. * **End user controls** -- For particularly critical control totals, or where end-users have created systems, perform checks of processing totals and reconciling report totals to separately maintained records. This is also sometimes called one-to-one checking. * **Logging and archiving of forms, data and programs** -- Should be in a secure, off-site location. * **Record retention and disposal** -- This is discussed in the separate lesson on "Program Library, Documentation, and Record Management" related to this topic.

Answer 44

**B. To ensure that storage media are subject to authorization prior to access, change, or destruction.** Ensuring that accessing, changing, or destroying storage media is subject to authorization is, in fact, a primary objective of data security controls.

Answer 45

**B. Processing.** Processing Control: Audit trail controls -- Each transaction is written to a transaction log as the transaction is processed; the transaction logs become an electronic audit trail allowing the transaction to be traced through each stage of processing; electronic transaction logs constitute the principal audit trail for online, real-time systems.

Answer 46

**D. Parity check.** A parity check is designed to detect errors in data transmission.

Answer 47

**B. Boundary protection.** This answer is correct because the **primary purpose of boundary protection is to prevent the mixing of data on a magnetic memory disc and a core storage unit.**

Answer 48

**D. A computer log.** This answer is correct because the use of a computer log will allow a review of an individual’s access to the system.

Answer 49

**C. Output.**

IT Governance and Management Flashcards

(76 cards)