Chapter 2 Auditing IT Governance Controls

TRUE/FALSE

1. To fulfill the segregation of duties control objective, computer processing functions (like
authorization of credit and billing) are separated.

ANS: F PTS: 1

2. To ensure sound internal control, program coding and program processing should be separated.

ANS: T PTS: 1

3. Some systems professionals have unrestricted access to the organization's programs and data.

ANS: T PTS: 1

4. IT governance focuses on the management and assessment of strategic IT resources

44

ANS: T PTS: 1

5. Distributed data processing places the control IT recourses under end users.

ANS: T PTS: 1

6. An advantage of distributed data processing is that redundant tasks are greatly eliminated

ANS: F PTS: 1

7. Certain duties that are deemed incompatible in a manual system may be combined in a
computer-based information system environment.

ANS: T PTS: 1

8. To improve control and efficiency, the CBIS tasks of new systems development and program
maintenance should be performed by the same individual or group.

ANS: F PTS: 1

9. In a CBIS environment, data consolidation protects corporate data from computer fraud and
losses from disaster.

ANS: F PTS: 1

10. The database administrator should be separated from systems development.

ANS: T PTS: 1

11. A disaster recovery plan is a comprehensive statement of all actions to be taken after a disaster.
 ANS: T PTS: 1

12. RAID is the use of parallel disks that contain redundant elements of data and applications.

ANS: T PTS: 1

13. Transaction cost economics (TCE) theory suggests that firms should outsource specific
noncore IT assets

ANS: F PTS: 1

14. Commodity IT assets easily acquired in the marketplace and should be outsourced under the
core competency theory.

ANS: F PTS: 1

15. A database administrator is responsible for the receipt, storage, retrieval, and custody of data
files.

ANS: F PTS: 1

16. A ROC usually involves two or more user organizations that buy or lease a building and
remodel it into a computer site, but without the computer and peripheral equipment.

ANS: F PTS: 1

17. Fault tolerance is the ability of the system to continue operation when part of the system fails
due to hardware failure, application program error, or operator error.

ANS: T PTS: 1

18. An often-cited benefit of IT outsourcing is improved core business performance.

ANS: T PTS: 1

19. Commodity IT assets include such things are network management.

ANS: T PTS: 1

20. Specific IT assets support an organizations strategic objectives.

ANS: T PTS: 1

21. A generally accepted advantage of IT outsourcing is improved security.

ANS: F PTS: 1

22. An advantage of distributed data processing is that individual end user groups set specific IT
standards without concern for the broader corporate needs.

ANS: F PTS: 1

23. A mutual aid is the lowest cost disaster recovery option, but has shown to be effective and low
risk.
 ANS: F PTS: 1

24. Critical applications should be identified and prioritized by the user departments, accountants,
and auditors.

ANS: T PTS: 1

25. A widespread natural disaster is a risk associated with a ROC.

ANS: T PTS: 1

MULTIPLE CHOICE

1. All of the following are issues of computer security except

a. releasing incorrect data to authorized individuals
b. permitting computer operators unlimited access to the computer room
c. permitting access to data by unauthorized individuals
d. providing correct data to unauthorized individuals
ANS: B PTS: 1

2. Segregation of duties in the computer-based information system includes

a. separating the programmer from the computer operator
b. preventing management override
c. separating the inventory process from the billing process
d. performing independent verifications by the computer operator
ANS: A PTS: 1

3. In a computer-based information system, which of the following duties needs to be separated?

a. program coding from program operations
b. program operations from program maintenance
c. program maintenance from program coding
d. all of the above duties should be separated
ANS: D PTS: 1

4. Supervision in a computerized environment is more complex than in a manual

environment for all of the following reasons except
a. rapid turnover of systems professionals complicates management's task of assessing the
competence and honesty of prospective employees
b. many systems professionals have direct and unrestricted access to the organization's
programs and data
c. rapid changes in technology make staffing the systems environment challenging
d. systems professionals and their supervisors work at the same physical location
ANS: D PTS: 1

5. Adequate backups will protect against all of the following except

a. natural disasters such as fires
b. unauthorized access
c. data corruption caused by program errors
d. system crashes
 ANS: B PTS: 1

6. Which is the most critical segregation of duties in the centralized computer services function?
a. systems development from data processing
b. data operations from data librarian
c. data preparation from data control
d. data control from data librarian
ANS: A PTS: 1

7. Systems development is separated from data processing activities because failure to do so

a. weakens database access security
b. allows programmers access to make unauthorized changes to applications during
execution
c. results in inadequate documentation
d. results in master files being inadvertently erased
ANS: B PTS: 1

8. Which organizational structure is most likely to result in good documentation procedures?

a. separate systems development from systems maintenance
b. separate systems analysis from application programming
c. separate systems development from data processing
d. separate database administrator from data processing
ANS: A PTS: 1

9. All of the following are control risks associated with the distributed data processing structure
except
a. lack of separation of duties
b. system incompatibilities
c. system interdependency
d. lack of documentation standards
ANS: C PTS: 1

10. Which of the following is not an essential feature of a disaster recovery plan?
a. off-site storage of backups
b. computer services function
c. second site backup
d. critical applications identified
ANS: B PTS: 1

11. A cold site backup approach is also known as

a. internally provided backup
b. recovery operations center
c. empty shell
d. mutual aid pact
ANS: C PTS: 1

12. The major disadvantage of an empty shell solution as a second site backup is
a. the host site may be unwilling to disrupt its processing needs to process the critical
applications of the disaster stricken company
b. intense competition for shell resources during a widespread disaster
 c. maintenance of excess hardware capacity
d. the control of the shell site is an administrative drain on the company
ANS: B PTS: 1

13. An advantage of a recovery operations center is that

a. this is an inexpensive solution
b. the initial recovery period is very quick
c. the company has sole control over the administration of the center
d. none of the above are advantages of the recovery operations center
ANS: B PTS: 1

14. For most companies, which of the following is the least critical application for disaster recovery
purposes?
a. month-end adjustments
b. accounts receivable
c. accounts payable
d. order entry/billing
ANS: A PTS: 1

15. The least important item to store off-site in case of an emergency is

a. backups of systems software
b. backups of application software
c. documentation and blank forms
d. results of the latest test of the disaster recovery program
ANS: D PTS: 1
16. Some companies separate systems analysis from programming/program maintenance. All of the
following are control weaknesses that may occur with this organizational structure except
a. systems documentation is inadequate because of pressures to begin coding a new program
before documenting the current program
b. illegal lines of code are hidden among legitimate code and a fraud is covered up for a long
period of time
c. a new systems analyst has difficulty in understanding the logic of the program
d. inadequate systems documentation is prepared because this provides a sense of job
security to the programmer
ANS: C PTS: 1

17. All of the following are recommended features of a fire protection system for a computer center
except
a. clearly marked exits
b. an elaborate water sprinkler system
c. manual fire extinguishers in strategic locations
d. automatic and manual alarms in strategic locations
ANS: B PTS: 1

18. All of the following tests of controls will provide evidence about the physical security of the
computer center except
a. review of fire marshal records
b. review of the test of the backup power supply
c. verification of the second site backup location
d. observation of procedures surrounding visitor access to the computer center
ANS: C PTS: 1

19. All of the following tests of controls will provide evidence about the adequacy of the disaster
recovery plan except
a. inspection of the second site backup
b. analysis of the fire detection system at the primary site
c. review of the critical applications list
d. composition of the disaster recovery team
ANS: B PTS: 1

20. The following are examples of commodity assets except

a. network management
b. systems operations
c. systems development
d. server maintenance

ANS: C PTS: 1
 21. The following are examples of specific assets except
a. application maintenance
b. data warehousing
c. highly skilled employees
d. server maintenance

ANS: D PTS: 1

22. Which of the following is true?

a. Core competency theory argues that an organization should outsource specific core assets.
b. Core competency theory argues that an organization should focus exclusively on its core
business competencies
c. Core competency theory argues that an organization should not outsource specific
commodity assets.
d. Core competency theory argues that an organization should retain certain specific noncore
assets in-house.

ANS: B PTS: 1

23. Which of the following is not true?

a. Large-scale IT outsourcing involves transferring specific assets to a vendor
b. Specific assets, while valuable to the client, are of little value to the vendor
c. Once an organization outsources its specific assets, it may not be able to return to its pre-
outsource state.
d. Specific assets are of value to vendors because, once acquired, vendors can achieve
economies of scale by employing them with other clients

ANS: D PTS: 1

24. Which of the following is not true?

a. When management outsources their organizations IT functions, they also outsource
responsibility for internal control.
b. Once a client firm has outsourced specific IT assets, its performance becomes linked to the
vendors performance.
c. IT outsourcing may affect incongruence between a firms IT strategic planning and its
business planning functions.
d. The financial justification for IT outsourcing depends upon the vendor achieving economies
of scale.

ANS: A PTS: 1

25. Which of the following is not true?

a. Management may outsource their organizations IT functions, but they cannot outsource
their management responsibilities for internal control.
b. section 404 requires the explicit testing of outsourced controls.
c. The SAS 70 report, which is prepared by the outsourcers auditor, attests to the adequacy of
the vendors internal controls.
d. Auditors issue two types of SAS 70 reports: SAS 70 Type I report and SAS 70 Type II report.

ANS: C PTS: 1

26. Segregation of duties in the computer-based information system includes

separating the programmer from the computer operator
preventing management override
separating the inventory process from the billing process
 performing independent verifications by the computer operator

ANS: A PTS: 1

27. A disadvantage of distributed data processing is

a. the increased time between job request and job completion.
b. the potential for hardware and software incompatibility among users.
c. the disruption caused when the mainframe goes down.
d. that users are not likely to be involved.

ANS: B PTS: 1

28. Which of the following is NOT a control implication of distributed data processing?
a. redundancy
b. user satisfaction
c. incompatibility
d. lack of standards

ANS: B PTS: 1

29. Which of the following disaster recovery techniques may be least optimal in the case of a
disaster?
a. empty shell
b. mutual aid pact
c. internally provided backup
d. they are all equally beneficial

ANS: B PTS: 1

30. Which of the following is a feature of fault tolerance control?

a. interruptible power supplies
b. RAID
c. DDP
d. MDP

ANS: B PTS: 1

31. Which of the following disaster recovery techniques is has the least risk associated with it?
a. empty shell
b. ROC
c. internally provided backup
d. they are all equally risky

ANS: C PTS: 1
32. Which of the following is NOT a potential threat to computer hardware and peripherals?
a. low humidity
b. high humidity
c. carbon dioxide fire extinguishers
d. water sprinkler fire extinguishers

ANS: C PTS: 1

33. Which of the following would strengthen organizational control over a large-scale data
processing center?
a. Requiring the user departments to specify the general control standards necessary for
processing transactions.
b. Requiring that requests and instructions for data processing services be submitted
directly to the computer operator in the data center.
c. Having the database administrator report to the manager of computer operations.
d. Assigning maintenance responsibility to the original system designer who best knows its
logic.

ANS: A PTS: 1

34. Which of the following is true?

a. Core competency theory argues that an organization should outsource specific core assets.
b. Core competency theory argues that an organization should focus exclusively on its core
business competencies
c. Core competency theory argues that an organization should not outsource specific commodity
assets.
d. Core competency theory argues that an organization should retain certain specific non-core
assets in-house.

ANS: B PTS: 1