Solutions Manual Information Technology Auditing 4th Edition
Hall
Information Technology Auditing 4th Edition SOLUTIONS
MANUAL by James A. Hall. All chapter instant download:
https://testbankreal.com/download/information-technology-auditing-
4th-edition-solutions-manual-hall/
CHAPTER 2
AUDITING IT GOVERNANCE CONTROLS
REVIEW QUESTIONS
1. What is IT governance?
Response: IT governance is a relatively new subset of corporate governance that focuses
on the management and assessment of strategic IT resources.
2. What are the objectives of IT governance?
Response: The key objectives of IT governance are to reduce risk and ensure that
investments in IT resources add value to the corporation.
3. What is distributed data processing?
Response: Distributed data processing involves reorganizing the central IT function into
small IT units that are placed under the control of end users. The IT units may be
distributed according to business function, geographic location, or both. All or any of the
IT functions may be distributed. The degree to which they are distributed will vary
depending upon the philosophy and objectives of the organization’s management.
4. What are the advantages and disadvantages of distributed data processing?
Response: The advantages of DDP are:
a. cost reductions
b. improved cost control responsibility
c. improved user satisfaction
d. back up flexibility
The disadvantages (risks) are:
a. inefficient use of resources
b. destruction of audit trails
c. inadequate segregation of duties
d. difficulty acquiring qualified professionals
e. lack of standards
5. What types of tasks become redundant in a distributed data processing system?
Response: Autonomous systems development initiatives distributed throughout the firm
can result in each user area reinventing the wheel rather than benefiting from the work of
others. For example, application programs created by one user, which could be used with
little or no change by others, will be redesigned from scratch rather than shared.
Likewise, data common to many users may be recreated for each, resulting in a high level
of data redundancy. This situation
has implications for data accuracy and consistency.
,.
6. Explain why certain duties that are deemed incompatible in a manual system may
be combined in a CBIS computer-based information system environment. Give an
example.
Response: The IT (CBIS) environment tends to consolidate activities. A single
application may authorize, process, and record all aspects of a transaction. Thus, the
focus of segregation control shifts from the operational level (transaction processing tasks
that computers now perform) to higher-level organizational relationships within the
computer services function.
7. What are the three primary CBIS functions that must be separated?
Response: The three primary CBIS functions that must be separated are as follows:
a. separate systems development from computer operations,
b. separate the database administrator from other functions , and
c. separate new systems development from maintenance.
8. What exposures do data consolidation in a CBIS environment pose?
Response: In a CBIS environment, data consolidation exposes the data to losses from
natural and man-made disasters. Consolidation creates a single point of failure. The only
way to back up a central computer site against disasters is to provide a second computer
facility.
9. What problems may occur as a result of combining applications programming and
maintenance tasks into one position?
Response: One problem that may occur is inadequate documentation. Documenting is
not considered as interesting a task as designing, testing, and implementing a new system,
thus a systems professional may move on to a new project rather than spend time
documenting an almost complete project. Job security may be another reason a
programmer may not fully document his or her work. Another problem that may occur is
the increased potential for program fraud. If the original programmer generates
fraudulent code during development, then this programmer, through maintenance
procedures, may disable the code prior to audits. Thus, the programmer can continue to
cover his or her tracks.
10. Why is poor-quality systems documentation a prevalent problem?
Response:
Poor-quality systems documentation is a chronic IT problem and a significant challenge
for many organizations seeking SOX compliance. At least two explanations are possible
for this phenomenon. First, documenting systems is not as interesting as designing,
testing, and implementing them. Systems professionals much prefer to move on to an
exciting new project rather than document one just completed. The second possible
reason for poor documentation is job security. When a system is poorly documented, it is
difficult to interpret, test, and debug. Therefore, the programmer who understands the
system (the one who coded it) maintains bargaining power and becomes relatively
indispensable. When the programmer leaves the firm, however, a new programmer
inherits maintenance responsibility for the undocumented system. Depending on its
complexity, the transition period may be long and costly.
11. What is RAID?
, Response: RAID (redundant arrays of independent disks) use parallel disks that contain
redundant elements of data and applications. If one disk fails, the lost data are
automatically reconstructed from the redundant components stored on the other disks.
12. What is the role of a data librarian?
Response: A data librarian, who is responsible for the receipt, storage, retrieval, and
custody of data files, controls access to the data library. The librarian issues data files to
computer operators in accordance with program requests and takes custody of files when
processing or backup procedures are completed. The trend in recent years toward real-
time processing and the increased use of direct-access files has reduced or even
eliminated the role of the data librarian in many organizations.
13. What is the role of a corporate computer services department? How does this
differ from other configurations?
Response: The role of a corporate computer services department (IT function) differs in
that it is not a completely centralized model; rather, the group plays the role of provider
of technical advice and expertise to distributed computer services. Thurs, it provides
much more support than would be received in a completely distributed model. A
corporate computer services department provides a means for central testing of
commercial hardware and software in an efficient manner. Further, the corporate group
can provide users with services such as installation of new software and troubleshooting
hardware and software problems. The corporate group can establish systems
development, programming, and documentation standards. The corporate group can aid
the user groups in evaluating the technical credentials of prospective systems
professionals.
14. What are the five risks associated with distributed data processing?
Response: The five risks associated with distributed data processing are as follows:
a. inefficient use of resources,
b. destruction of audit trails,
c. inadequate segregation of duties,
d. potential inability to hire qualified professionals, and
e. lack of standards.
15. List the control features that directly contribute to the security of the computer
center environment.
Response:
a. physical location controls
b. construction controls
c. access controls
d. air conditioning
e. fire suppression
f. fault tolerance
16. What is data conversion?
Response: The data conversion function transcribes transaction data from paper source
documents into computer input. For example, data conversion could be keying sales
orders into a sales order application in modern systems or transcribing data into magnetic
media (tape or disk) suitable for computer processing in legacy-type systems.
17. What may be contained in the data library?
Hall
Information Technology Auditing 4th Edition SOLUTIONS
MANUAL by James A. Hall. All chapter instant download:
https://testbankreal.com/download/information-technology-auditing-
4th-edition-solutions-manual-hall/
CHAPTER 2
AUDITING IT GOVERNANCE CONTROLS
REVIEW QUESTIONS
1. What is IT governance?
Response: IT governance is a relatively new subset of corporate governance that focuses
on the management and assessment of strategic IT resources.
2. What are the objectives of IT governance?
Response: The key objectives of IT governance are to reduce risk and ensure that
investments in IT resources add value to the corporation.
3. What is distributed data processing?
Response: Distributed data processing involves reorganizing the central IT function into
small IT units that are placed under the control of end users. The IT units may be
distributed according to business function, geographic location, or both. All or any of the
IT functions may be distributed. The degree to which they are distributed will vary
depending upon the philosophy and objectives of the organization’s management.
4. What are the advantages and disadvantages of distributed data processing?
Response: The advantages of DDP are:
a. cost reductions
b. improved cost control responsibility
c. improved user satisfaction
d. back up flexibility
The disadvantages (risks) are:
a. inefficient use of resources
b. destruction of audit trails
c. inadequate segregation of duties
d. difficulty acquiring qualified professionals
e. lack of standards
5. What types of tasks become redundant in a distributed data processing system?
Response: Autonomous systems development initiatives distributed throughout the firm
can result in each user area reinventing the wheel rather than benefiting from the work of
others. For example, application programs created by one user, which could be used with
little or no change by others, will be redesigned from scratch rather than shared.
Likewise, data common to many users may be recreated for each, resulting in a high level
of data redundancy. This situation
has implications for data accuracy and consistency.
,.
6. Explain why certain duties that are deemed incompatible in a manual system may
be combined in a CBIS computer-based information system environment. Give an
example.
Response: The IT (CBIS) environment tends to consolidate activities. A single
application may authorize, process, and record all aspects of a transaction. Thus, the
focus of segregation control shifts from the operational level (transaction processing tasks
that computers now perform) to higher-level organizational relationships within the
computer services function.
7. What are the three primary CBIS functions that must be separated?
Response: The three primary CBIS functions that must be separated are as follows:
a. separate systems development from computer operations,
b. separate the database administrator from other functions , and
c. separate new systems development from maintenance.
8. What exposures do data consolidation in a CBIS environment pose?
Response: In a CBIS environment, data consolidation exposes the data to losses from
natural and man-made disasters. Consolidation creates a single point of failure. The only
way to back up a central computer site against disasters is to provide a second computer
facility.
9. What problems may occur as a result of combining applications programming and
maintenance tasks into one position?
Response: One problem that may occur is inadequate documentation. Documenting is
not considered as interesting a task as designing, testing, and implementing a new system,
thus a systems professional may move on to a new project rather than spend time
documenting an almost complete project. Job security may be another reason a
programmer may not fully document his or her work. Another problem that may occur is
the increased potential for program fraud. If the original programmer generates
fraudulent code during development, then this programmer, through maintenance
procedures, may disable the code prior to audits. Thus, the programmer can continue to
cover his or her tracks.
10. Why is poor-quality systems documentation a prevalent problem?
Response:
Poor-quality systems documentation is a chronic IT problem and a significant challenge
for many organizations seeking SOX compliance. At least two explanations are possible
for this phenomenon. First, documenting systems is not as interesting as designing,
testing, and implementing them. Systems professionals much prefer to move on to an
exciting new project rather than document one just completed. The second possible
reason for poor documentation is job security. When a system is poorly documented, it is
difficult to interpret, test, and debug. Therefore, the programmer who understands the
system (the one who coded it) maintains bargaining power and becomes relatively
indispensable. When the programmer leaves the firm, however, a new programmer
inherits maintenance responsibility for the undocumented system. Depending on its
complexity, the transition period may be long and costly.
11. What is RAID?
, Response: RAID (redundant arrays of independent disks) use parallel disks that contain
redundant elements of data and applications. If one disk fails, the lost data are
automatically reconstructed from the redundant components stored on the other disks.
12. What is the role of a data librarian?
Response: A data librarian, who is responsible for the receipt, storage, retrieval, and
custody of data files, controls access to the data library. The librarian issues data files to
computer operators in accordance with program requests and takes custody of files when
processing or backup procedures are completed. The trend in recent years toward real-
time processing and the increased use of direct-access files has reduced or even
eliminated the role of the data librarian in many organizations.
13. What is the role of a corporate computer services department? How does this
differ from other configurations?
Response: The role of a corporate computer services department (IT function) differs in
that it is not a completely centralized model; rather, the group plays the role of provider
of technical advice and expertise to distributed computer services. Thurs, it provides
much more support than would be received in a completely distributed model. A
corporate computer services department provides a means for central testing of
commercial hardware and software in an efficient manner. Further, the corporate group
can provide users with services such as installation of new software and troubleshooting
hardware and software problems. The corporate group can establish systems
development, programming, and documentation standards. The corporate group can aid
the user groups in evaluating the technical credentials of prospective systems
professionals.
14. What are the five risks associated with distributed data processing?
Response: The five risks associated with distributed data processing are as follows:
a. inefficient use of resources,
b. destruction of audit trails,
c. inadequate segregation of duties,
d. potential inability to hire qualified professionals, and
e. lack of standards.
15. List the control features that directly contribute to the security of the computer
center environment.
Response:
a. physical location controls
b. construction controls
c. access controls
d. air conditioning
e. fire suppression
f. fault tolerance
16. What is data conversion?
Response: The data conversion function transcribes transaction data from paper source
documents into computer input. For example, data conversion could be keying sales
orders into a sales order application in modern systems or transcribing data into magnetic
media (tape or disk) suitable for computer processing in legacy-type systems.
17. What may be contained in the data library?
