


Accounting

Strayer University

AUDITING A 403

CHAPTER 2

AUDITING IT GOVERNANCE CONTROLS REVIEW QUESTIONS

  1. What is IT governance?

 

  1. What are the objectives of IT governance?

 

  1. What is distributed data processing?

 

  1. What are the advantages and disadvantages of distributed data processing?

 

  1. What types of tasks become redundant in a distributed data processing system?


 

  1. Explain why certain duties that are deemed incompatible in a manual system may be combined in a computer-based information system (CBIS) environment. Give an example.

 

 

  1. What are the three primary CBIS functions that must be separated?

 

  1. What exposures does data consolidation in a CBIS environment pose?

 

  1. What problems may occur as a result of combining applications programming and maintenance tasks into one position?

 

  1. Why is poor-quality systems documentation a prevalent problem?

 

  1. What is RAID?

 

  1. What is the role of a data librarian?

 

 

  1. What is the role of a corporate computer services department? How does this differ from other configurations?

 

  1. What are the five risks associated with distributed data processing?

 

  1. List the control features that directly contribute to the security of the computer center environment.

 

  1. What is data conversion?

 

  1. What may be contained in the data library?

 

  1. What is an ROC?

 

  1. What is a cold site?

 

  1. What is fault tolerance?

 

  1. What are the often-cited benefits of IT outsourcing?

 

  1. Define commodity IT asset.

 

  1. Define specific asset.

 

  1. List five risks associated with IT outsourcing.

 

  1. What is virtualization?

 

  1. What is network virtualization?

 

  1. What are the three classes of cloud computing services?

 

 

  1. What is Software as a Service (SaaS)?

 

  1. Give two advantages of Infrastructure as a Service (IaaS).

 

 

DISCUSSION QUESTIONS

 

  1. How is pre-SOX IT governance different from post-SOX IT governance?

 

  1. Although IT governance is a broad area, only three aspects of IT governance are discussed in the chapter. Name them and explain why these topics were chosen.

 

  1. What types of incompatible activities are prone to becoming consolidated in a distributed data processing system? How can this be prevented?

 

 

  1. Why would an operational manager be willing to take on more work in the form of supervising an information system?

 

  1. How can data be centralized in a distributed data processing system?

 

  1. Should standards be centralized in a distributed data processing environment? Explain.

 

  1. How can human behavior be considered one of the biggest potential threats to operating system integrity?

 

  1. A bank in California has thirteen branches spread throughout northern California, each with its own minicomputer where its data are stored. Another bank has 10 branches spread throughout California, with its data stored on a mainframe in San Francisco. Which system do you think is more vulnerable to unauthorized access? Excessive losses from disaster?

 

  1. End-user computing has become extremely popular in distributed data processing organizations. The end users like it because they feel they can more readily design and implement their own applications. Does this type of environment always foster more efficient development of applications? Explain your answer.

 

  1. Compare and contrast the following disaster recovery options: mutual aid pact, empty shell, recovery operations center, and internally provided backup. Rank them from most risky to least risky, as well as from most costly to least costly.

 

  1. Who should determine and prioritize the critical applications? How is this done? How frequently is it done?

 

  1. Why is it easier for programmers to perpetrate a fraud than operators?

 

  1. Why should an organization centralize the acquisition, testing, and implementation of software and hardware within the corporate IT function?

 

 

  1. Organizations sometimes locate their computer centers in the basement of their buildings to avoid normal traffic flows. Comment on this practice.

 

  1. The 2003 blackout that affected the U.S. northeast caused numerous computer failures. What can an organization do to protect itself from such uncontrollable power failures?

 

  1. Discuss a potential problem with ROCs.

 

  1. Discuss two potential problems associated with a cold site.

 

  1. Discuss three techniques used to achieve fault tolerance.

 

  1. Explain the outsourcing risk of failure to perform.

 

  1. Explain vendor exploitation.

 

  1. Explain why reduced security is an outsourcing risk.

 

  1. Explain how IT outsourcing can lead to loss of strategic advantage.

 

  1. Explain the role of the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) report in the review of internal controls.

 

 

  1. How do SSAE 16 Type 1 and Type 2 differ?

 

  1. How are the Carve-out and Inclusive methods of reporting on subservice organizations different?

 

  1. Give two differences between ASP and SaaS.

 

  1. Why is cloud computing not the best option for all companies?

 

 

 

 

 

PROBLEMS

 

  1. Disaster Recovery Planning Controversy

The relevance of a disaster recovery plan (DRP) to a financial statement audit is a matter of debate. Some argue that the existence of a DRP is irrelevant to the audit. Others argue that it is an important control that needs to be considered in the assessment of internal control.

Required:

Argue both sides of this debate.

    1. Provide a logical argument why a DRP should not be considered in the audit.
    2. Argue why a DRP is an important control and should be reviewed within the conduct of a financial audit.

 

  1. Internal Control

During its preliminary review of the financial statements of Barton, Inc., Simon and Associates, CPA discovered a lack of proper segregation of duties between the programming and operating functions in Barton’s data center. They discovered that some new systems development programmers also filled in as operators on occasion. Simon and Associates extended the internal control review and test of controls and concluded in its final report that sufficient compensating general controls provided reasonable assurance that the internal control objectives were being met.

Required:

What compensating controls are most likely in place?

 

  1. Physical Security

Big Apple Financials, Inc., is a financial services firm located in New York City. The company keeps client investment and account information on a server at its Brooklyn data center. This information includes the total value of the portfolio, type of investments made, the income structure of each client, and associated tax liabilities. The company has recently upgraded its Web site to allow clients to access their investment information.

The company’s data center is in the basement of a rented building. Company management believes that the location is secure enough to protect their data from physical threats. The servers are housed in a room that has smoke detectors and associated sprinklers. It is enclosed, with no windows, and has temperature-controlled air conditioning. The company’s auditors, however, have expressed concern that some of the measures at the current location are inadequate and that newer alternatives should be explored. Management has expressed counter concerns about the high cost of purchasing new equipment and relocating its data center.

Required:

 

  1. Why are Big Apple’s auditors stressing the need to have a better physical environment for the server?
  2. Describe six control features that contribute to the physical security of the computer center.
  3. Big Apple management is concerned about the cost of relocating the data center. Discuss some options open to them that could reduce their operating costs and provide the security the auditors seek.

 

 

 

  1. Disaster Recovery Plans

The headquarters of Hill Crest Corporation, a private company with $15.5 million in annual sales, is located in California. Hill Crest provides for its 150 clients an online legal software service that includes data storage and administrative activities for law offices.

The company has grown rapidly since its inception 3 years ago, and its data processing department has expanded to accommodate this growth. Because Hill Crest’s president and sales personnel spend a great deal of time out of the office developing new clients, the planning of the IT facilities has been left to the data processing professionals.

Hill Crest recently moved its headquarters into a remodeled warehouse on the outskirts of the city. While remodeling the warehouse, the architects retained much of the original structure, including the wooden-shingled exterior and exposed wooden beams throughout the interior. The distributive processing computers and servers are situated in a large open area with high ceilings and skylights. The openness makes the data center accessible to the rest of the staff and promotes a team approach to problem solving. Before occupying the new facility, city inspectors declared the building safe; that is, it had adequate fire extinguishers, sufficient exits, and so on.

In an effort to provide further protection for its large database of client information, Hill Crest instituted a tape backup procedure that automatically backs up the database every Sunday evening, avoiding interruption in the daily operations and procedures. All tapes are then labeled and carefully stored on shelves reserved for this purpose in the data processing department. The departmental operator’s manual has instructions on how to use these tapes to restore the database, should the need arise. A list of home phone numbers of the individuals in the data processing department is available in case of an emergency. Hill Crest has recently increased its liability insurance for data loss from $50,000 to $100,000.

This past Saturday, the Hill Crest headquarters building was completely ruined by fire, and the company must now inform its clients that all of their information has been destroyed.

Required:

    1. Describe the computer security weaknesses present at Hill Crest Corporation that made it possible for a disastrous data loss.
    2. List the components that should have been included in the disaster recovery plan at Hill Crest Corporation to ensure computer recovery within 72 hours.
    3. What factors, other than those included in the plan itself

 

 

  1. Segregation of Duties

Arcadia Plastics follows the philosophy of transferring people from job to job within the organization. Management believes that job rotation deters employees from feeling that they are stagnating in their jobs and promotes a better understanding of the company. A computer services employee typically works for six months as a data librarian, one year as a systems developer, six months as a database administrator, and one year in systems maintenance. At that point, he or she is assigned to a permanent position.

 

Required:

Discuss the importance of separation of duties within the information systems department.

How can Arcadia Plastics have both job rotation and well-separated duties?

 

 

 

  1. DDP Risks

Write an essay discussing the primary risks associated with the distributed processing environment.

 

 

 

  1. Cloud Based Recovery Service Provider

Visit SunGard’s Web site, http://www.sungard.com, and research the Recovery2Cloud services it offers. Write a report of your findings.

 

  1. Internal Control Responsibility for Outsourced IT

Explain why managers who outsource their IT function may or may not also outsource responsibility for IT controls. What options are open to auditors regarding expressing an opinion on the adequacy of internal controls?

 

 

  1. Competing Schools of Thought Regarding Outsourcing

Explain the core competency argument for outsourcing and compare/contrast it with TCE theory. Why does one theory tend to prevail over the other in making outsourcing decisions?

 

 

 

 

  1. Distributed Processing System

The internal audit department of a manufacturing company conducted a routine examination of the company’s distributed computer facilities. The auditor’s report was critical of the lack of coordination in the purchase of PC systems and software that individual departments use. Several different hardware platforms, operating systems, spreadsheet packages, database systems, and networking applications were in use.

In response to the internal audit report, and without consulting with department users regarding their current and future system needs, Marten, the Vice President of Information Services, issued a memorandum to all employees stating the following new policies:

 

  1. The Micromanager Spreadsheet package has been selected to be the standard for the company, and all employees must switch to it within the month.
  2. All future PC purchases must be Megasoft compatible.
  3. All departments must convert to the Megasoft Entree database package.
  4. The office of the Vice President of Information Services must approve all new hardware and software purchases.

Several managers of other operating departments have complained about Marten’s memorandum. Apparently, before issuing this memo, Marten had not consulted with any of the users regarding their current and future software needs.

Required:

    1. When setting systems standards in a distributed processing environment, discuss the pertinent factors about:
        1. Computer hardware and software considerations.
        2. Controls considerations.
    2. Discuss the benefits of having standardized hardware and software across distributed departments in the firm.
    3. Discuss the concerns that the memorandum is likely to create for distributed users in the company.

 

 

 

  1. Describe the key features of cloud computing.

 

 

  1. Service Provider Audit

The Harvey Manufacturing Company is undergoing its annual financial statement audit. Last year the company purchased a SaaS application from Excel Systems (a cloud service provider) to run mission critical financial transactions. The SaaS application runs on an IaaS server, which Excel Systems outsourced to another service provider.

Required:

 

Explain how the Harvey Manufacturing auditors will assess the relevant internal controls related to these mission critical transactions.

 
