Deck 2: Auditing IT Governance Controls

A) weakens database access security
B) allows programmers access to make unauthorized changes to applications during execution
C) results in inadequate documentation
D) results in master files being inadvertently erased

A) rapid turnover of systems professionals complicates management's task of assessing the competence and honesty of prospective employees
B) many systems professionals have direct and unrestricted access to the organization's programs and data
C) rapid changes in technology make staffing the systems environment challenging
D) systems professionals and their supervisors work at the same physical location

A) program coding from program operations
B) program operations from program maintenance
C) program maintenance from program coding
D) all of the above duties should be separated

A) separate systems development from systems maintenance
B) separate systems analysis from application programming
C) separate systems development from data processing
D) separate database administrator from data processing

A) off-site storage of backups
B) computer services function
C) second site backup
D) critical applications identified

A) systems development from data processing
B) data operations from data librarian
C) data preparation from data control
D) data control from data librarian

A) systems documentation is inadequate because of pressures to begin coding a new program before documenting the current program
B) illegal lines of code are hidden among legitimate code and a fraud is covered up for a long period of time
C) a new systems analyst has difficulty in understanding the logic of the program
D) inadequate systems documentation is prepared because this provides a sense of job security to the programmer

A) natural disasters such as fires
B) unauthorized access
C) data corruption caused by program errors
D) system crashes

A) releasing incorrect data to authorized individuals
B) permitting computer operators unlimited access to the computer room
C) permitting access to data by unauthorized individuals
D) providing correct data to unauthorized individuals

A) internally provided backup
B) recovery operations center
C) empty shell
D) mutual aid pact

A) this is an inexpensive solution
B) the initial recovery period is very quick
C) the company has sole control over the administration of the center
D) none of the above are advantages of the recovery operations center

A) month-end adjustments
B) accounts receivable
C) accounts payable
D) order entry/billing

A) lack of separation of duties
B) system incompatibilities
C) system interdependency
D) lack of documentation standards

A) the host site may be unwilling to disrupt its processing needs to process the critical applications of the disaster stricken company
B) intense competition for shell resources during a widespread disaster
C) maintenance of excess hardware capacity
D) the control of the shell site is an administrative drain on the company

A) separating the programmer from the computer operator
B) preventing management override
C) separating the inventory process from the billing process
D) performing independent verifications by the computer operator

A) backups of systems software
B) backups of application software
C) documentation and blank forms
D) results of the latest test of the disaster recovery program

A)the increased time between job request and job completion.
B)the potential for hardware and software incompatibility among users.
C)the disruption caused when the mainframe goes down.
D)that users are not likely to be involved.

A)empty shell
B)mutual aid pact
C)internally provided backup
D)they are all equally beneficial

A)application maintenance
B)data warehousing
C)highly skilled employees
D)server maintenance

A)Core competency theory argues that an organization should outsource specific core assets.
B)Core competency theory argues that an organization should focus exclusively on its core business competencies
C)Core competency theory argues that an organization should not outsource specific commodity assets.
D) Core competency theory argues that an organization should retain certain specific non-core assets in-house.

A)interruptible power supplies
B)RAID
C)DDP
D)MDP

A) Management may outsource their organizations' IT functions, but they cannot outsource their management responsibilities for internal control.
B) section 404 requires the explicit testing of outsourced controls.
C) The SAS 70 report, which is prepared by the outsourcer's auditor, attests to the adequacy of the vendor's internal controls.
D) Auditors issue two types of SAS 70 reports: SAS 70 Type I report and SAS 70 Type II report.

A) separating the programmer from the computer operator
B) preventing management override
C) separating the inventory process from the billing process
D) performing independent verifications by the computer operator

A) Core competency theory argues that an organization should outsource specific core assets.
B) Core competency theory argues that an organization should focus exclusively on its core business competencies
C) Core competency theory argues that an organization should not outsource specific commodity assets.
D) Core competency theory argues that an organization should retain certain specific non-core assets in-house.

A)low humidity
B)high humidity
C)carbon dioxide fire extinguishers
D)water sprinkler fire extinguishers

A)Requiring the user departments to specify the general control standards necessary for processing transactions.
B)Requiring that requests and instructions for data processing services be submitted directly to the computer operator in the data center.
C)Having the database administrator report to the manager of computer operations.
D)Assigning maintenance responsibility to the original system designer who best knows its logic.

A) review of fire marshal records
B) review of the test of the backup power supply
C) verification of the second site backup location
D) observation of procedures surrounding visitor access to the computer center

A) inspection of the second site backup
B) analysis of the fire detection system at the primary site
C) review of the critical applications list
D) composition of the disaster recovery team

A) Large-scale IT outsourcing involves transferring specific assets to a vendor
B) Specific assets, while valuable to the client, are of little value to the vendor
C) Once an organization outsources its specific assets, it may not be able to return to its pre-outsource state.
D) Specific assets are of value to vendors because, once acquired, vendors can achieve economies of scale by employing them with other clients

A)empty shell
B)ROC
C)internally provided backup
D)they are all equally risky

A)redundancy
B)user satisfaction
C)incompatibility
D)lack of standards

A) clearly marked exits
B) an elaborate water sprinkler system
C) manual fire extinguishers in strategic locations
D) automatic and manual alarms in strategic locations

A) When management outsources their organization's IT functions, they also outsource responsibility for internal control.
B) Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor's performance.
C) IT outsourcing may affect incongruence between a firm's IT strategic planning and its business planning functions.
D) The financial justification for IT outsourcing depends upon the vendor achieving economies of scale.

A) network management
B) systems operations
C) systems development
D) server maintenance