CON ARTIST
DeRP
SHH ... IT HAPPENS!!!
C ... OPS!
CAAT-TITUDE
100

Which of the following would not be an appropriate CONtrol in the physical design of a data center?

A. Evaluation of potential risks from railroad lines and highways.

B. Use of biometric access systems.

C. Design of authorization tables for operating system access.

D. Inclusion of an uninterruptible power supply system and surge protection.

C. Design of authorization tables for operating system access.

Rationale: Authorization tables for operating system access address logical controls, not physical controls.

100

The best evidence that contingency planning is effective is to have

A. No processing interruptions during the past year.

B. Comprehensive documentation of the plan.

C. Signoff on the plan by the internal audit activity.

D. Successful testing of the plan.

D. Successful testing of the plan.

Rationale: The only way to know whether contingency planning has been effective is to test the plan, by simulating an interruption or by conducting a paper test with a walk-through of recovery procedures.

100

COBIT is

A. A set of guidelines to assist in implementing adequate controls over IT processes.

B. A set of risks and responses to technology challenges.

C. The update of the previous Systems Auditability and Control reports.

D. Published by the Committee of Sponsoring Organizations.

A. A set of guidelines to assist in implementing adequate controls over IT processes.

100

What type of computer processing system is characterized by data that are assembled from more than one location and records that are updated immediately?

A. Personal computer systems.

B. Data compression systems.

C. Batch processing systems.

D. Online, real-time systems.

D. Online, real-time systems.

100

In an inventory system on a database management system (DBMS), one stored record contains part number, part name, part color, and part weight. These individual items are called

A. Fields.

B. Stored files.

C. Bytes.

D. Occurrences.

A. Fields.

200

List a CONtrol activity to address the risk that failed back-up or scheduled jobs may go unnoticed or unremediated.

- Log of scheduled jobs recording success and/or failure of their completion

- Notification to relevant stakeholders in the event of a job failure

- Established service level agreements (by severity levels) to remediate failed jobs by key stakeholders

- Periodic report (of failed jobs, notifications, and remedial actions taken) submitted to IT management for future planning

200

If a corporation’s disaster recovery plan requires fast recovery with little or no downtime, which of the following backup sites should it choose?

A. Hot site.

B. Warm site.

C. Cold site.

D. Quick site.

A. Hot site.

A company uses a hot site backup when fast recovery is critical. The hot site includes all software, hardware, and other equipment necessary for a company to carry out operations. Hot sites are expensive to maintain and may be shared with other organizations with similar needs.

200

Computer program libraries should be kept secure by

A. Installing a logging system for program access.

B. Monitoring physical access to program library media.

C. Restricting physical and logical access.

D. Denying remote access via terminals.

C. Restricting physical and logical access.

Rationale: An important operating control is to establish a library to preclude misplacement, misuse, or theft of data files, programs and documentation. A librarian should perform this custodianship function and be appropriately accountable. Restricting physical and logical access secures programs from unauthorized use, whether in person or remotely via terminals.

200

In a large organization, the biggest risk in not having an adequately staffed information center help desk is

A. Increased difficulty in performing application audits.

B. Inadequate documentation for application systems.

C. Increased likelihood of use of unauthorized program code.

D. Persistent errors in user interaction with systems.

D. Persistent errors in user interaction with systems.

200

An inventory clerk, using a computer terminal, views the following on screen: part number, part description, quantity on-hand, quantity on-order, order quantity and reorder point for a particular inventory item. Collectively, these data make up a:

A. Field.

B. File.

C. Database.

D. Record.

D. Record.

300

Draft a CONtrol objective to address the risk of key stakeholders not being aware of what to do and how to react in the event of a disaster impacting the organization's processes and systems.

To evaluate whether all internal and external parties to the recovery process are fully aware of their responsibilities and commitments.

300

Which of the following procedures would an entity most likely include in its disaster recovery plan?

A. Convert all data from EDI format to an internal company format.

B. Maintain a Trojan horse program to prevent illicit activity.

C. Develop an auxiliary power supply to provide uninterrupted electricity.

D. Store duplicate copies of files in a location away from the computer center.

D. Store duplicate copies of files in a location away from the computer center.

Rationale: Off-site storage of duplicate copies of critical files protects them from a fire or other disaster at the computing facility. The procedure is part of an overall disaster recovery plan.

300

Which of the following is an important senior management responsibility with regard to information systems security?

A. Assessing exposures.

B. Assigning access privileges.

C. Identifying ownership of data.

D. Training employees in security matters.

A. Assessing exposures.

Rationale: Senior management is responsible for risk assessment, including identification of risks and consideration of their significance, the likelihood of their occurrence, and how they should be managed. Senior management is also responsible for establishing organizational policies regarding computer security and implementing a compliance structure. Thus, senior management should assess the risks to the integrity, confidentiality, and availability of information systems data and resources.

300

The system requiring the most extensive backup and recovery procedures is

A. A batch system for payroll processing.

B. A database system for online order entry.

C. A file-oriented system for billing clients.

D. An indexed sequential access method file system for fixed asset accounting.

B. A database system for online order entry.

Rationale: Database systems require a more elaborate backup procedure than other systems. A database system for online entry would require almost continuous backup if data loss is to be minimized as transactions are processed on a continuous basis, and without tangible source documentation. Backup procedures that could be employed for online order entry include dual logging and rollback and recovery.

300

Auditors making database queries often need to combine several tables to get the information they want. One approach to combining tables is known as:

A. Extraction.

B. Joining.

C. Sorting.

D. Summarization.

B. Joining.

400

Identify the underlying risk and impact addressed by the CONtrol objective of restricting access to add/modify/delete backups and scheduled jobs.

Unauthorized modification of the backups and/or scheduled jobs, resulting in compromise of the integrity of the underlying data and/or the behavior of systems.

400

Management’s enthusiasm for computer security seems to vary with changes in the environment, particularly the occurrence of other computer disasters. Which of the following concepts should be addressed when making a comprehensive recommendation regarding the costs and benefits of computer security?

I. Potential loss if security is not implemented

II. Probability of occurrences

III. Cost and effectiveness of the implementation and operation of computer security

I, II, and III

400

In the organization of the information systems function, the most important separation of duties is

A. Not allowing the data librarian to assist in data processing operations.

B. Assuring that those responsible for programming the system do not have access to data processing operations.

C. Having a separate information officer at the top level of the organization outside of the accounting function.

D. Using different programming personnel to maintain utility programs from those who maintain the application programs.

B. Assuring that those responsible for programming the system do not have access to data processing operations.

400

Each day, after all processing is finished, a bank performs a backup of its online deposit files and retains it for 7 days. Copies of each day’s transaction files are not retained. This approach is

A. Valid, in that having a week’s worth of backups permits recovery even if one backup is unreadable.

B. Risky, in that restoring from the most recent backup file would omit subsequent transactions.

C. Valid, in that it minimizes the complexity of backup/recovery procedures if the online file has to be restored.

D. Risky, in that no checkpoint/restart information is kept with the backup files.

B. Risky, in that restoring from the most recent backup file would omit subsequent transactions.

Rationale: At appropriate intervals, the disk files should be copied on magnetic tape so that restart procedures can begin at those points if data are lost or destroyed. However, not retaining each day’s transaction files is risky because information processed since the last backup file was created will be lost.

400

A financial institution overstated revenue by charging too much of each loan payment to interest income and too little to repayment of principal.

Performing an analytical review by comparing interest income this period as a percentage of the loan portfolio with the interest income percentage for the prior period is the best procedure for detecting this error.

Agree / Disagree with rationale.

Disagree.

Analytical review is the least effective procedure. It provides only a comparison with the prior period, when the same error may have been made. Moreover, it is a global test that does not isolate the cause of a suspected misstatement.

The best procedure to detect this error would be using generalized audit software to select a random sample of loan payments made during the period, calculating the correct posting amounts, and tracing the postings that were made to the various accounts.

500

Draft a CONtrol objective around data management and disposal in an organization.

The objective of this audit is to evaluate the sufficiency, effectiveness, and completion of data retention, archival, and destruction processes.

500

Prioritize the order of bringing the following systems back online after an organization is impacted by a disaster:

A. Timekeeping system

B. Enterprise Resource Planning system

C. Web Ordering Portal for the customers

D. Online Order Tracking system for vendors

E. System and access administration module

E >> C >> B >> D >> A

500

In general, mainframe computer production programs and data are adequately protected against unauthorized access. Certain utility software may, however, have privileged access to software and data. To compensate for the risk of unauthorized use of privileged software, information systems (IS) management can

A. Prevent privileged software from being installed on the mainframe.

B. Restrict privileged access to test versions of applications.

C. Limit the use of privileged software.

D. Keep sensitive programs and data on an isolated machine.

C. Limit the use of privileged software.

Rationale: Since certain utility software may have privileged access to software and data stored on the mainframe, management must control the use of this utility software. Management should limit the use of this software to only those individuals with appropriate authority.

500

Batch processing

A. Is not used by most businesses because it reduces the audit trail.

B. Allows users to inquire about groups of information contained in the system.

C. Accumulates transaction records into groups for processing against the master file on a delayed basis.

D. Can only be performed on a centralized basis.

C. Accumulates transaction records into groups for processing against the master file on a delayed basis.

Rationale: Batch processing is the accumulation and grouping of transactions for processing on a delayed basis. The batch approach is suitable for applications that can be processed against the master file at intervals and involve large volumes of similar items, such as payroll, sales, inventory, and billing.

500

A production manager for a moderate-sized manufacturer began ordering excessive raw materials and had them delivered to a wholesale business that the manager was running on the side. The manager falsified receiving documents and approved the invoices for payment.

Performing analytical tests to compare production, materials purchased, and raw materials inventory levels as well as investigating differences will most likely detect this fraud.

Agree / Disagree with rationale.

Agree.

The application of analytical procedures is based on the premise that, in the absence of known conditions to the contrary, relationships among information may reasonably be expected to exist and continue. Examples of contrary conditions include unusual or nonrecurring transactions or events; accounting, organizational, operational, environmental, and technological changes; inefficiencies; ineffectiveness; errors; irregularities; or illegal acts. Hence, the analytical procedures should identify an unexplained increase in materials used.
