Harvard University

AUDIT 111

Chapter 2-Auditing IT Governance Controls

TRUE/FALSE

1)To fulfill the segregation of duties control objective, computer processing functions (like authorization of credit and billing) are separated.

2. To ensure sound internal control, program coding and program processing should be separated.

3. Some systems professionals have unrestricted access to the organization's programs and data.

4. 44IT governance focuses on the management and assessment of strategic IT resources                                                     
5. Distributed data processing places the control IT recourses under end users.                    
6. An advantage of distributed data processing is that redundant tasks are greatly eliminated  
7. Certain duties that are deemed incompatible in a manual system may be combined in a computer-based information system environment.

8. To improve control and efficiency, the CBIS tasks of new systems development and program maintenance should be performed by the same individual or group.

9. In a CBIS environment, data consolidation protects corporate data from computer fraud and losses from disaster.

10. The database administrator should be separated from systems development.

11. A disaster recovery plan is a comprehensive statement of all actions to be taken after a

disaster.

12. RAID is the use of parallel disks that contain redundant elements of data and applications.

13. Transaction cost economics (TCE) theory suggests that firms should outsource specific noncore IT assets

14. Commodity IT assets easily acquired in the marketplace and should be outsourced under the core competency theory.

15. A database administrator is responsible for the receipt, storage, retrieval, and custody of data files.

16. A ROC usually involves two or more user organizations that buy or lease a building and remodel it into a computer site, but without the computer and peripheral equipment.

17. Fault tolerance is the ability of the system to continue operation when part of the system fails due to hardware failure, application program error, or operator error.

18. An often-cited benefit of IT outsourcing is improved core business performance.            
19. Commodity IT assets include such things are network management.

20. Specific IT assets support an organization’s strategic objectives.

21. A generally accepted advantage of IT outsourcing is improved security.

22. An advantage of distributed data processing is that individual end user groups set specific IT standards without concern for the broader corporate needs.

23. A mutual aid is the lowest cost disaster recovery option, but has shown to be effective and low risk.

24. Critical applications should be identified and prioritized by the user departments, accountants, and auditors.

25. A widespread natural disaster is a risk associated with a ROC.     

MULTIPLE CHOICE

1. All of the following are issues of computer security except

2. Segregation of duties in the computer-based information system includes

3. In a computer-based information system, which of the following duties needs to be separated?

4. Supervision in a computerized environment is more complex than in a manual environment for all of the following reasons except

5. Adequate backups will protect against all of the following except

6. Which is the most critical segregation of duties in the centralized computer services function?

7. Systems development is separated from data processing activities because failure to do

so

8. Which organizational structure is most likely to result in good documentation procedures?

9. All of the following are control risks associated with the distributed data processing structure except

10. Which of the following is not an essential feature of a disaster recovery plan?

11. A cold site backup approach is also known as

12. The major disadvantage of an empty shell solution as a second site backup is

13. An advantage of a recovery operations center is that

14. For most companies, which of the following is the least critical application for disaster recovery purposes?

15. The least important item to store off-site in case of an emergency is

16. Some companies separate systems analysis from programming/program maintenance. All of the following are control weaknesses that may occur with this organizational structure except

17. All of the following are recommended features of a fire protection system for a computer center except

18. All of the following tests of controls will provide evidence about the physical security of the computer center except

19. All of the following tests of controls will provide evidence about the adequacy of the disaster recovery plan except

20. The following are examples of commodity assets except

21. The following are examples of specific assets except

1. application maintenance
2. data warehousing
3. highly skilled employees
4. server maintenance

22. Which of the following is true?
    1. 1. Core competency theory argues that an organization should outsource specific core assets.
       2. Core competency theory argues that an organization should focus exclusively on its core business competencies
       3. Core competency theory argues that an organization should not outsource specific commodity assets.
       4. Core competency theory argues that an organization should retain certain specific noncore assets in-house.

23. Which of the following is not true?

1. Large-scale IT outsourcing involves transferring specific assets to a vendor
2. Specific assets, while valuable to the client, are of little value to the vendor
3. Once an organization outsources its specific assets, it may not be able to return to its pre-outsource state.
4. Specific assets are of value to vendors because, once acquired, vendors can achieve economies of scale by employing them with other clients

24. Which of the following is not true?

1. When management outsources their organization’s IT functions, they also outsource responsibility for internal control.
2. Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor’s performance.
3. IT outsourcing may affect incongruence between a firm’s IT strategic planning and its business planning functions.
4. The financial justification for IT outsourcing depends upon the vendor achieving economies of scale.

25. Which of the following is not true?
    1. 1. Management may outsource their organizations’ IT functions, but they cannot outsource their management responsibilities for internal control.
       2. section 404 requires the explicit testing of outsourced controls.
       3. The SAS 70 report, which is prepared by the outsourcer’s auditor, attests to the adequacy of the vendor’s internal controls.
       4. Auditors issue two types of SAS 70 reports: SAS 70 Type I report and SAS 70 Type II report.                
26. Segregation of duties in the computer-based information system includes

27. A disadvantage of distributed data processing is
    1. 1. the increased time between job request and job completion.
       2. the potential for hardware and software incompatibility among users.

27. 1. 3. the disruption caused when the mainframe goes down.
       4. that users are not likely to be involved.
28. Which of the following is NOT a control implication of distributed data processing?
    1. 1. redundancy
       2. user satisfaction
       3. incompatibility
       4. lack of standards

29. Which of the following disaster recovery techniques may be least optimal in the case of a disaster?
    1. 1. empty shell
       2. mutual aid pact
       3. internally provided backup
       4. they are all equally beneficial     
30. Which of the following is a feature of fault tolerance control?
    1. 1. interruptible power supplies
       2. RAID
       3. DDP
       4. MDP

31. Which of the following disaster recovery techniques is has the least risk associated with it?
    1. 1. empty shell
       2. ROC
       3. internally provided backup
       4. they are all equally risky               

32. Which of the following is NOT a potential threat to computer hardware and peripherals?
    1. 1. low humidity
       2. high humidity
       3. carbon dioxide fire extinguishers
       4. water sprinkler fire extinguishers            

33. Which of the following would strengthen organizational control over a large- scale data processing center?

1. Requiring the user departments to specify the general control standards necessary for process- ing transactions.
2. Requiring that requests and instructions for data processing services be submitted directly to the computer operator in the data center.
3. Having the database administrator report to the manager of computer operations.
4. Assigning maintenance responsibility to the original system designer who best knows its logic.

34. Which of the following is true?

1. Core competency theory argues that an organization should outsource specific core assets.
2. Core competency theory argues that an organization should focus exclusively on its core business competencies
3. Core competency theory argues that an organization should not outsource specific commodity assets.
4. Core competency theory argues that an organization should retain certain specific non-core assets in-house.

SHORT ANSWER

1. Explain why certain duties that are deemed incompatible in a manual system may be combined in a CBIS computer based information system environment. Give an example.

2. What are the three primary CBIS functions that must be separated?
3. What exposures do data consolidation in a CBIS environment pose?

4. What problems may occur as a result of combining applications programming and maintenance tasks into one position?

5..           Why is poor-quality systems documentation a prevalent problem?

6. What is RAID?

7. What primary IT functions must be separated in a centralized firm?

8. List three pairs of system functions that should be separated in the centralized computer services organization. Describe a risk exposure if the functions are not separated.

9. For disaster recovery purposes, what criteria are used to identify an application or data as critical?

10. Describe the components of a disaster recovery plan.

11. What is a mirrored data center?

12. What is a recovery operations center? What is its purpose?

13. Why is inadequate documentation a chronic problem?

14. The distributed data processing approach carries some control implications of which accountants should be aware. Discuss two.

15. Describe two tests that an auditor would perform to ensure that the disaster recovery plan is adequate.

16. What is an auditor looking for when testing computer center controls?

17. What is IT Governance?

18. Why should the tasks of systems development and maintenance be segregated from operations?

19. Why should new systems development activities be segregated from the program change (maintenance) function.

20. Briefly explain the core-competency theory.

21. What are commodity IT assets?

22. Briefly outline transaction cost economics as it relates to IT outsourcing.

23. Briefly explain how a SAS 70 report is used in assessing internal controls of outsourced facilities.

24. What are the often cited benefits of IT outsourcing?

25. Define specific asset.

26. List five risks associated with IT outsourcing.
27. What are the objectives of IT Governance?

ESSAY

1. 1. Describe how a Corporate Computer Services Function can overcome some of the problems associated with distributed data processing.

1. 2. Discuss the advantages and disadvantages of the second site backup options.

1. 3. Auditors examine the physical environment of the computer center as part of their audit. Many characteristics of computer centers are of interest to auditors. What are they? Discuss.

1. 4. Explain why certain duties that are deemed incompatible in a manual system may be combined in an automated  environment? Give an example.

1. 5. Compare and contrast the following disaster recovery options: empty shell, recovery operations center, and internally provided backup. Rank them from most risky to least risky, as well as most costly to least costly.

1. 6. What is a disaster recovery plan? What are the key features?

1. 7. Explain the outsourcing risk of failure to perform.

1. 8. Explain vendor exploitation.

1. 9. Explain why reduced security is an outsourcing risk.

.

1. 10. Explain how IT outsourcing can lead to loss of strategic advantage.

1. 11. Explain the role of a SAS 70 report in reviewing internal controls.