CHAPTER 2
AUDITING IT GOVERNANCE CONTROLS
REVIEW QUESTIONS
- What is IT governance?
Response: IT governance is a relatively new subset of corporate governance that focuses on the management and assessment of strategic IT resources.
- What are the objectives of IT governance?
Response: The key objectives of IT governance are to reduce risk and ensure that investments in IT resources add value to the corporation.
- What is distributed data processing?
Response: Distributed data processing involves reorganizing the central IT function into small IT units that are placed under the control of end users. The IT units may be distributed according to business function, geographic location, or both. All or any of the IT functions may be distributed. The degree to which they are distributed will vary depending upon the philosophy and objectives of the organization’s management.
- What are the advantages and disadvantages of distributed data processing?
Response: The advantages of DDP are:
- cost reductions
- improved cost control responsibility
- improved user satisfaction
- backup flexibility
The disadvantages (risks) are:
- inefficient use of resources
- destruction of audit trails
- inadequate segregation of duties
- difficulty acquiring qualified professionals
- lack of standards
- What types of tasks become redundant in a distributed data processing system?
Response: Autonomous systems development initiatives distributed throughout the firm can result in each user area reinventing the wheel rather than benefiting from the work of others. For example, application programs created by one user, which could be used with little or no change by others, will be redesigned from scratch rather than shared. Likewise, data common to many users may be recreated for each, resulting in a high level of data redundancy. This situation has implications for data accuracy and consistency.
- Explain why certain duties that are deemed incompatible in a manual system may be combined in a CBIS (computer-based information system) environment. Give an example.
Response: The IT (CBIS) environment tends to consolidate activities. A single application may authorize, process, and record all aspects of a transaction. Thus, the focus of segregation control shifts from the operational level (transaction processing tasks that computers now perform) to higher-level organizational relationships within the computer services function.
Information Technology Auditing, 4th Edition, Hall, Solutions Manual
- What are the three primary CBIS functions that must be separated?
Response: The three primary CBIS functions that must be separated are as follows:
- separate systems development from computer operations,
- separate the database administrator from other functions, and
- separate new systems development from maintenance.
- What exposures does data consolidation in a CBIS environment pose?
Response: In a CBIS environment, data consolidation exposes the data to losses from natural and man-made disasters. Consolidation creates a single point of failure. The only way to back up a central computer site against disasters is to provide a second computer facility.
- What problems may occur as a result of combining applications programming and maintenance tasks into one position?
Response: One problem that may occur is inadequate documentation. Documenting is not considered as interesting a task as designing, testing, and implementing a new system, thus a systems professional may move on to a new project rather than spend time documenting an almost complete project. Job security may be another reason a programmer may not fully document his or her work. Another problem that may occur is the increased potential for program fraud. If the original programmer generates fraudulent code during development, then this programmer, through maintenance procedures, may disable the code prior to audits. Thus, the programmer can continue to cover his or her tracks.
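The three separations listed earlier, and the programming/maintenance combination discussed in this answer, can be turned into a mechanical audit check over role assignments. The following is an added example, not part of the solutions manual; the role labels and the sample user list are constructed for illustration.

```python
# Added example: flag user role assignments that violate the CBIS separations
# named in this chapter. Role labels below are assumed, not the textbook's.
from itertools import combinations

# Pairs of roles one person must never hold at the same time.
INCOMPATIBLE_ROLE_PAIRS = {
    # separate systems development from computer operations
    frozenset({"systems_development", "computer_operations"}),
    # separate new systems development from maintenance
    frozenset({"systems_development", "maintenance"}),
}

# The database administrator must be separated from every other function.
EXCLUSIVE_ROLES = {"database_administrator"}


def find_sod_violations(assignments):
    """Return a sorted list of (user, role_a, role_b) conflicts.

    assignments maps a user id to the set of roles that user holds.
    A conflict is any incompatible pair, or any pairing of an
    exclusive role (the DBA) with some other role.
    """
    violations = []
    for user, roles in assignments.items():
        for a, b in combinations(sorted(roles), 2):
            pair = frozenset({a, b})
            if pair in INCOMPATIBLE_ROLE_PAIRS or pair & EXCLUSIVE_ROLES:
                violations.append((user, a, b))
    return sorted(violations)


if __name__ == "__main__":
    # Constructed sample: who holds which roles in a small IT function.
    sample = {
        "alice": {"systems_development", "maintenance"},    # maintains her own code
        "bob": {"computer_operations"},
        "carol": {"database_administrator", "maintenance"},  # DBA also maintains
        "dave": {"systems_development", "computer_operations"},
    }
    for user, a, b in find_sod_violations(sample):
        print(f"{user}: holds incompatible roles {a} and {b}")
```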
- Why is poor-quality systems documentation a prevalent problem?
Response:
Poor-quality systems documentation is a chronic IT problem and a significant challenge for many organizations seeking SOX compliance. At least two explanations are possible for this phenomenon. First, documenting systems is not as interesting as designing, testing, and implementing them. Systems professionals much prefer to move on to an exciting new project rather than document one just completed. The second possible reason for poor documentation is job security. When a system is poorly documented, it is difficult to interpret, test, and debug. Therefore, the programmer who understands the system (the one who coded it) maintains bargaining power and becomes relatively indispensable. When the programmer leaves the firm, however, a new programmer inherits maintenance responsibility for the undocumented system. Depending on its complexity, the transition period may be long and costly.
- What is RAID?
Response: RAID (redundant arrays of independent disks) uses parallel disks that contain redundant elements of data and applications. If one disk fails, the lost data are automatically reconstructed from the redundant components stored on the other disks.
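A minimal model of how the redundant components let a lost disk be rebuilt, as an added example that is not part of the solutions manual: each "disk" is a byte string of equal length, a parity disk stores the XOR of the data disks, and any single failed disk (data or parity) is recovered by XORing the survivors. Sample disk contents are constructed.

```python
# Added example: single-parity reconstruction, the principle behind RAID 5-style
# arrays. The disk contents below are constructed sample data.
from typing import List, Optional


def xor_bytes(*blocks: bytes) -> bytes:
    """XOR any number of equal-length byte strings together."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        if len(block) != len(out):
            raise ValueError("all blocks must be the same length")
        for i, b in enumerate(block):
            out[i] ^= b
    return bytes(out)


def build_array(data_disks: List[bytes]) -> List[bytes]:
    """Append a parity disk holding the XOR of all data disks."""
    return list(data_disks) + [xor_bytes(*data_disks)]


def reconstruct(disks: List[Optional[bytes]]) -> List[bytes]:
    """Rebuild the one disk marked None (failed) from the surviving disks.

    XOR of every surviving disk equals the missing one, whether it was a
    data disk or the parity disk. Two simultaneous failures cannot be
    recovered with a single parity disk, so that case is rejected.
    """
    failed = [i for i, d in enumerate(disks) if d is None]
    if len(failed) != 1:
        raise ValueError("single-parity array can rebuild exactly one failed disk")
    survivors = [d for d in disks if d is not None]
    rebuilt = list(disks)
    rebuilt[failed[0]] = xor_bytes(*survivors)
    return rebuilt


if __name__ == "__main__":
    array = build_array([b"ledger01", b"orders02", b"payrol03"])
    damaged = list(array)
    damaged[1] = None  # simulate failure of the second data disk
    print(reconstruct(damaged) == array)
```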
- What is the role of a data librarian?
Response: A data librarian, who is responsible for the receipt, storage, retrieval, and custody of data files, controls access to the data library. The librarian issues data files to computer operators in accordance with program requests and takes custody of files when processing or backup procedures are completed. The trend in recent years toward real-time processing and the increased use of direct-access files has reduced or even eliminated the role of the data librarian in many organizations.
- What is the role of a corporate computer services department? How does this differ from other configurations?
Response: The role of a corporate computer services department (IT function) differs in that it is not a completely centralized model; rather, the group plays the role of provider of technical advice and expertise to distributed computer services. Thus, it provides much more support than would be received in a completely distributed model. A corporate computer services department provides a means for central testing of commercial hardware and software in an efficient manner. Further, the corporate group can provide users with services such as installation of new software and troubleshooting hardware and software problems. The corporate group can establish systems development, programming, and documentation standards. The corporate group can aid the user groups in evaluating the technical credentials of prospective systems professionals.
- What are the five risks associated with distributed data processing?
Response: The five risks associated with distributed data processing are as follows:
- inefficient use of resources,
- destruction of audit trails,
- inadequate segregation of duties,
- potential inability to hire qualified professionals, and
- lack of standards.
- List the control features that directly contribute to the security of the computer center environment.
Response:
- physical location controls
- construction controls
- access controls
- air conditioning
- fire suppression
- fault tolerance
- What is data conversion?
Response: The data conversion function transcribes transaction data from paper source documents into computer input. For example, data conversion could be keying sales orders into a sales order application in modern systems or transcribing data into magnetic media (tape or disk) suitable for computer processing in legacy-type systems.
- What may be contained in the data library?
Response: The data library is a room adjacent to the computer center that provides safe storage for the off-line data files. Those files could be backups or current data files. For instance, the data library could store backups on DVDs, CD-ROMs, tapes, or other storage devices. It could also store live, current data files on magnetic tapes and removable disk packs. In addition, the data library could store the original copies of commercial software and their licenses for safekeeping.
- What is an ROC?
Response: A recovery operations center (ROC) or hot site is a fully equipped backup data center that many companies share. In addition to hardware and backup facilities, ROC service providers offer a range of technical services to their clients, who pay an annual fee for access rights. In the event of a major disaster, a subscriber can occupy the premises and, within a few hours, resume processing critical applications.
- What is a cold site?
Response:
The empty shell or cold site plan is an arrangement wherein the company buys or leases a building that will serve as a data center. In the event of a disaster, the shell is available and ready to receive whatever hardware the temporary user requires to run its essential data processing systems.
- What is fault tolerance?
Response: Fault tolerance is the ability of the system to continue operation when part of the system fails due to hardware failure, application program error, or operator error. Implementing fault tolerance control ensures that no single point of potential system failure exists. Total failure can occur only in the event of the failure of multiple components, or system-wide failure.
- What are the often-cited benefits of IT outsourcing?
Response: Often-cited benefits of IT outsourcing include improved core business performance, improved IT performance (because of the vendor’s expertise), and reduced IT costs.
- Define commodity IT asset.
Response: Commodity IT assets are those assets that are not unique to a particular organization and are thus easily acquired in the marketplace. These include such things as network management, systems operations, server maintenance, and help-desk functions.
- Define specific asset.
Response: Specific assets, in contrast to commodity assets, are unique to the organization and support its strategic objectives. Because of their idiosyncratic nature, specific assets have little value outside of their current use.
- List five risks associated with IT outsourcing.
Response:
- failure to perform
- vendor exploitation
- outsourcing costs exceed benefits
- reduced security
- loss of strategic advantage
- What is virtualization?
Response:
Virtualization multiplies the effectiveness of the physical system by creating virtual (software) versions of the computer with separate operating systems that reside in the same physical equipment. In other words, virtualization is the concept of running more than one “virtual computer” on a single physical computer.