Study unit 8.5 Flashcards

1
Q

What are the different types of networks?

A

Within one organisation - LAN and WAN

Between different organisations - VAN and internet

2
Q

What are the risks in a network environment?

A

Unauthorised access

3
Q

What are the controls in a network environment to ensure validity/occurrence of data communication?

A

physical and logical access controls
restricting access to dial-up lines
call back facility
automatic lockout after 3 unsuccessful log-in attempts
sophisticated user authentication techniques
encryption methods
use of firewalls

4
Q

What is the definition of EDI?

A

A computer to computer exchange of business documents in a standard electronic format between business partners

5
Q

Via what does EDI take place?

A

It takes place via a private network and a public network

6
Q

What does EDI translator mean?

A

Translates data from EDI format into a format readable by an internal application. It can be in-house software or provided via a service provider

7
Q

What is an EDI document?

A

Data being transmitted in a standard electronic format

8
Q

What are EDI envelopes?

A

Message envelopes are the different purchase orders
Group envelopes are the purchase order group
Interchange envelope is the purchase order group from one sender to one receiver

9
Q

What are the advantages of using EDI?

A

Survival - pre-requisite for doing business
Improved client services - speed of sending/receiving messages and processing of transactions
cost benefits - less human preparation and capturing time
reduced risk of errors - transaction only captured once
cost savings relating to storage of documents
improved accuracy and timeliness of information for decision making

10
Q

What will the audit approach be in a computer environment?

A

Combined:
*transactions are performed and accounted for electronically - lack of visible audit trail
*large number of transactions
*transactions are stored in electronic format for short period of time
*reliance has to be placed on automated controls
Test of controls:
*test general controls
*test automated application controls
*test controls relating to transmission of data

11
Q

What are the business continuity risks?

A

dependence on technology
dependence on service provider/trading partners
increased reliance on networks and data communication

12
Q

What are the business continuity controls?

A
Data interchange agreement 
*method of data interchange
*accountability for creation, transmission and receipt of messages
*standard format of messages
*responsibilities and duties
*security audits
*format of acknowledgement of messages
*legal implications of unauthorised transactions
Disaster recovery plan
Back-up procedures
Contractual agreements
*format of messages
*acknowledgement of messages
*security considerations
*independent review of controls
*log of transactions
13
Q

What are the security risks?

A

Unauthorised access to confidential data
Unauthorised processing of data
Unauthorised use of facilities

14
Q

What are the security controls?

A

Logical access controls

Physical security

15
Q

What are the implementation risks?

A

Implementation risk

16
Q

What are the implementation controls?

A
Implementation consideration and risk analysis
*commercial consideration
*identification of EDI trading partners
*negotiate data interchange agreements
*EDI coordinate champion
System development controls
17
Q

What are the processing risks?

A

Reliance on automated controls - loss of user controls

Lack of visible audit trail

18
Q

What are the processing controls?

A

Relevant edit checks
Exception reports on these edit checks
Review of these exception reports by management
Unique and sequential numbering of transactions
Logging all transactions
Run-to-run/control totals and reconciliation thereof
Data to be written on a pending file, to be reviewed and approved by senior management

19
Q

What are the transmission/transfer risks?

A

Manipulation of transactions during transmission
Loss of transactions during transmission
Delivery of transactions to wrong party

20
Q

What are the transmission/transfer controls?

A

Encryption of data transmitted
Run-to-run/control totals should be maintained
Reconciliation of control totals
Automatic identification of errors that occurred during transmission
Exception report listing errors which occurred during transmission
Exception report followed up by management on a regular basis
System should maintain logs of all transactions
Sequential numbering of transactions
Each transaction - internal header and trailer
Field presence test on data missing from required fields
Acknowledgement of receipt of transactions that exceed a certain value
Echo check - data transmitted is echoed back and agreed to data captured
Call back facility - incoming messages
Digital signature - outgoing messages
Standard document headers on all messages

21
Q

What are the legal risks?

A

Risk of non-compliance with regulations of SARS, DTI and Reserve Bank

22
Q

What are the legal controls?

A

Ensure compliance

23
Q

What is cloud computing?

A

Delivery of computing services
Companies offering these computing services are called cloud providers and typically charge for cloud computing services based on usage

24
Q

What are the different types of cloud services?

A

Infrastructure-as-a-service - most basic category of cloud computing service from a cloud provider on a pay-as-you-go basis
Platform-as-a-service - cloud computing services that supply an on-demand environment for developing, testing, delivering and managing software applications
Software-as-a-service - method for delivering software applications over the internet, on demand and typically on a subscription basis

25
Q

What are the types of cloud deployments?

A

Public cloud
*public clouds are owned and operated by a third-party cloud service provider, which delivers its computing resources, like servers and storage, over the internet. All hardware, software and other supporting infrastructure is owned and managed by the cloud provider
*publicly shared virtualized resources
*supports multiple customers
*supports internet connectivity
*suited for less confidential information
Private cloud
*private cloud refers to cloud computing resources used exclusively by a single business or organisation. A private cloud can be physically located in the company’s on-site data centre
*privately shared virtualized resources
*cluster of dedicated customers
*connectivity over internet, fibre and private network
*suited for secured confidential information and core systems
Hybrid cloud
*hybrid clouds combine public and private clouds, bound together by technology that allows data and applications to be shared between them

26
Q

What are the risks of cloud computing?

A

Physical access - private and public cloud
Physical location of cloud server - susceptible to natural disasters
Abuse and nefarious use of cloud computing - lack of control in registration permits anonymity in the cloud
Malicious insiders at cloud service providers
Shared technology vulnerabilities - IAAS renders their services, often sharing infrastructure. Not designed to offer isolation properties for multi-tenant architectures
Loss or leakage of data
Hardware failure at service provider - prolonged outages
Legal ownership of data
Account, service and traffic hijacking
Bankruptcy of cloud provider
Internet disruption - customer’s own internet connection fails or is disrupted
Transfer of data - corrupt/lost/intercepted

27
Q

What are the controls of cloud computing?

A

Good IT governance, including security policy addressing security standards
Staff to be trained regularly on IT risk management and controls
Select service provider based on security needs
Service level agreement with SP that addresses:
*Each party’s responsibilities
*assurance needed from SP’s auditors over security controls
*security controls should include
-physical control at premises hosting the cloud
-encryption of data that is processed or stored within the cloud
-use of firewalls/SSL
-anti-virus software to prevent loss of information
-backups
-emergency disaster and recovery plans
*ownership of data
Legal access controls, including amending masterfile
Data communication controls

28
Q

What are the advantages of cloud computing?

A
Disaster recovery
Accessibility
cost-effective
scalability
automated backups
29
Q

What are the disadvantages of cloud computing?

A
Lack of control
Migration challenges
Internet-dependent
Privacy concerns
Fixed contracts
30
Q

What are the different cloud service models?

A

SAAS - end users; users access services via a web browser or app (bought on per user basis)
PAAS - application developers; includes the tools and software that developers need to build applications on (operating systems and development tools)
IAAS - infrastructure and network architects; building blocks of computing that can be rented (physical or virtual servers, storage or networking)

31
Q

Which tasks should installed software carry out as a control to ensure accuracy and completeness of data communication?

A
access control
network management
data and file transmission
error detection and control
data security