
Chapter 2— Auditing IT Governance Controls

TRUE/FALSE

1. To fulfill the segregation of duties control objective, computer processing functions (like authorization of credit
and billing) are separated.

ANS: F PTS: 1

2. To ensure sound internal control, program coding and program processing should be separated.

ANS: T PTS: 1

3. Some systems professionals have unrestricted access to the organization's programs and data.

ANS: T PTS: 1

4. IT governance focuses on the management and assessment of strategic IT resources.

ANS: T PTS: 1

5. Distributed data processing places control of IT resources under end users.

ANS: T PTS: 1

6. An advantage of distributed data processing is that redundant tasks are greatly eliminated.

ANS: F PTS: 1

7. Certain duties that are deemed incompatible in a manual system may be combined in a computer-based
information system environment.

ANS: T PTS: 1

8. To improve control and efficiency, the CBIS tasks of new systems development and program maintenance
should be performed by the same individual or group.

ANS: F PTS: 1

9. In a CBIS environment, data consolidation protects corporate data from computer fraud and losses from
disaster.

ANS: F PTS: 1

10. The database administrator should be separated from systems development.

ANS: T PTS: 1

11. A disaster recovery plan is a comprehensive statement of all actions to be taken after a disaster.

ANS: T PTS: 1

12. RAID is the use of parallel disks that contain redundant elements of data and applications.

ANS: T PTS: 1

13. Transaction cost economics (TCE) theory suggests that firms should outsource specific noncore IT assets.

ANS: F PTS: 1

14. Commodity IT assets are easily acquired in the marketplace and should be outsourced under the core competency
theory.

ANS: F PTS: 1

15. A database administrator is responsible for the receipt, storage, retrieval, and custody of data files.

ANS: F PTS: 1

16. A ROC usually involves two or more user organizations that buy or lease a building and remodel it into a
computer site, but without the computer and peripheral equipment.

ANS: F PTS: 1

17. Fault tolerance is the ability of the system to continue operation when part of the system fails due to hardware
failure, application program error, or operator error.

ANS: T PTS: 1

18. An often-cited benefit of IT outsourcing is improved core business performance.

ANS: T PTS: 1

19. Commodity IT assets include such things as network management.

ANS: T PTS: 1

20. Specific IT assets support an organization’s strategic objectives.

ANS: T PTS: 1

21. A generally accepted advantage of IT outsourcing is improved security.

ANS: F PTS: 1

22. An advantage of distributed data processing is that individual end user groups set specific IT standards without
concern for the broader corporate needs.

ANS: F PTS: 1

23. A mutual aid pact is the lowest-cost disaster recovery option, but it has been shown to be effective and low risk.

ANS: F PTS: 1

24. Critical applications should be identified and prioritized by the user departments, accountants, and auditors.

ANS: T PTS: 1

25. A widespread natural disaster is a risk associated with a ROC.

ANS: T PTS: 1

MULTIPLE CHOICE

1. All of the following are issues of computer security except


a. releasing incorrect data to authorized individuals
b. permitting computer operators unlimited access to the computer room
c. permitting access to data by unauthorized individuals
d. providing correct data to unauthorized individuals

ANS: B PTS: 1

2. Segregation of duties in the computer-based information system includes


a. separating the programmer from the computer operator
b. preventing management override
c. separating the inventory process from the billing process
d. performing independent verifications by the computer operator

ANS: A PTS: 1

3. In a computer-based information system, which of the following duties needs to be separated?


a. program coding from program operations
b. program operations from program maintenance
c. program maintenance from program coding
d. all of the above duties should be separated

ANS: D PTS: 1

4. Supervision in a computerized environment is more complex than in a manual environment for all of the
following reasons except
a. rapid turnover of systems professionals complicates management's task of assessing the
competence and honesty of prospective employees
b. many systems professionals have direct and unrestricted access to the organization's programs
and data
c. rapid changes in technology make staffing the systems environment challenging
d. systems professionals and their supervisors work at the same physical location

ANS: D PTS: 1

5. Adequate backups will protect against all of the following except


a. natural disasters such as fires
b. unauthorized access
c. data corruption caused by program errors
d. system crashes

ANS: B PTS: 1

6. Which is the most critical segregation of duties in the centralized computer services function?
a. systems development from data processing
b. data operations from data librarian
c. data preparation from data control
d. data control from data librarian

ANS: A PTS: 1

7. Systems development is separated from data processing activities because failure to do so


a. weakens database access security
b. allows programmers access to make unauthorized changes to applications during execution
c. results in inadequate documentation
d. results in master files being inadvertently erased

ANS: B PTS: 1

8. Which organizational structure is most likely to result in good documentation procedures?


a. separate systems development from systems maintenance
b. separate systems analysis from application programming
c. separate systems development from data processing
d. separate database administrator from data processing

ANS: A PTS: 1

9. All of the following are control risks associated with the distributed data processing structure except
a. lack of separation of duties
b. system incompatibilities
c. system interdependency
d. lack of documentation standards

ANS: C PTS: 1

10. Which of the following is not an essential feature of a disaster recovery plan?
a. off-site storage of backups
b. computer services function
c. second site backup
d. critical applications identified

ANS: B PTS: 1

11. A cold site backup approach is also known as


a. internally provided backup
b. recovery operations center
c. empty shell
d. mutual aid pact

ANS: C PTS: 1

12. The major disadvantage of an empty shell solution as a second site backup is
a. the host site may be unwilling to disrupt its processing needs to process the critical applications
of the disaster stricken company
b. intense competition for shell resources during a widespread disaster
c. maintenance of excess hardware capacity
d. the control of the shell site is an administrative drain on the company

ANS: B PTS: 1

13. An advantage of a recovery operations center is that


a. this is an inexpensive solution
b. the initial recovery period is very quick
c. the company has sole control over the administration of the center
d. none of the above are advantages of the recovery operations center

ANS: B PTS: 1

14. For most companies, which of the following is the least critical application for disaster recovery purposes?
a. month-end adjustments
b. accounts receivable
c. accounts payable
d. order entry/billing

ANS: A PTS: 1

15. The least important item to store off-site in case of an emergency is


a. backups of systems software
b. backups of application software
c. documentation and blank forms
d. results of the latest test of the disaster recovery program

ANS: D PTS: 1

16. Some companies separate systems analysis from programming/program maintenance. All of the
following are control weaknesses that may occur with this organizational structure except
a. systems documentation is inadequate because of pressures to begin coding a new program
before documenting the current program
b. illegal lines of code are hidden among legitimate code and a fraud is covered up for a long
period of time
c. a new systems analyst has difficulty in understanding the logic of the program
d. inadequate systems documentation is prepared because this provides a sense of job security
to the programmer

ANS: C PTS: 1

17. All of the following are recommended features of a fire protection system for a computer center except
a. clearly marked exits
b. an elaborate water sprinkler system
c. manual fire extinguishers in strategic locations
d. automatic and manual alarms in strategic locations

ANS: B PTS: 1

18. All of the following tests of controls will provide evidence about the physical security of the computer center
except
a. review of fire marshal records
b. review of the test of the backup power supply
c. verification of the second site backup location
d. observation of procedures surrounding visitor access to the computer center

ANS: C PTS: 1

19. All of the following tests of controls will provide evidence about the adequacy of the disaster recovery plan
except
a. inspection of the second site backup
b. analysis of the fire detection system at the primary site
c. review of the critical applications list
d. composition of the disaster recovery team

ANS: B PTS: 1

20. The following are examples of commodity assets except


a. network management
b. systems operations
c. systems development
d. server maintenance

ANS: C PTS: 1

21. The following are examples of specific assets except


a. application maintenance
b. data warehousing
c. highly skilled employees
d. server maintenance

ANS: D PTS: 1

22. Which of the following is true?


a. Core competency theory argues that an organization should outsource specific core assets.
b. Core competency theory argues that an organization should focus exclusively on its core business
competencies
c. Core competency theory argues that an organization should not outsource specific commodity assets.
d. Core competency theory argues that an organization should retain certain specific noncore assets in-house.

ANS: B PTS: 1

23. Which of the following is not true?


a. Large-scale IT outsourcing involves transferring specific assets to a vendor
b. Specific assets, while valuable to the client, are of little value to the vendor
c. Once an organization outsources its specific assets, it may not be able to return to its pre-
outsource state.
d. Specific assets are of value to vendors because, once acquired, vendors can achieve
economies of scale by employing them with other clients

ANS: D PTS: 1

24. Which of the following is not true?


a. When management outsources their organization’s IT functions, they also outsource
responsibility for internal control.
b. Once a client firm has outsourced specific IT assets, its performance becomes linked to
the vendor’s performance.
c. IT outsourcing may affect incongruence between a firm’s IT strategic planning and its
business planning functions.
d. The financial justification for IT outsourcing depends upon the vendor achieving
economies of scale.

ANS: A PTS: 1

25. Which of the following is not true?


a. Management may outsource their organizations’ IT functions, but
they cannot outsource their management responsibilities for internal control.
b. Section 404 requires the explicit testing of outsourced controls.
c. The SAS 70 report, which is prepared by the outsourcer’s auditor, attests to the adequacy
of the vendor’s internal controls.
d. Auditors issue two types of SAS 70 reports: SAS 70 Type I report and SAS 70 Type II report.

ANS: C PTS: 1

26. Segregation of duties in the computer-based information system includes


a. separating the programmer from the computer operator
b. preventing management override
c. separating the inventory process from the billing process
d. performing independent verifications by the computer operator

ANS: A PTS: 1

27. A disadvantage of distributed data processing is


a. the increased time between job request and job completion.
b. the potential for hardware and software incompatibility among users.
c. the disruption caused when the mainframe goes down.
d. that users are not likely to be involved.

ANS: B PTS: 1

28. Which of the following is NOT a control implication of distributed data processing?
a. redundancy
b. user satisfaction
c. incompatibility
d. lack of standards

ANS: B PTS: 1

29. Which of the following disaster recovery techniques may be least optimal in the case of a disaster?
a. empty shell
b. mutual aid pact
c. internally provided backup
d. they are all equally beneficial

ANS: B PTS: 1

30. Which of the following is a feature of fault tolerance control?


a. interruptible power supplies
b. RAID
c. DDP
d. MDP

ANS: B PTS: 1
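Worked example for the fault-tolerance answer above (RAID, and true/false questions 12 and 17). This is an added illustration, not code from the page or from the textbook it is drawn from: it stripes a constructed payload across three data disks plus one XOR parity disk, scrubs the parity, and serves a read with one disk missing. The disk count, the payload and the injected failure are assumptions made for the example.

```python
"""Added example (not from the page or its textbook): single-parity striping,
the RAID technique behind the fault-tolerance answer above. Disk count,
payload and the failure injected below are constructed for illustration."""
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stripe(data: bytes, disks: int) -> list:
    """Split data across disks-1 data stripes (zero padded) plus one XOR parity stripe."""
    n = disks - 1
    if n < 2:
        raise ValueError("need at least two data disks and one parity disk")
    stripe_len = -(-len(data) // n)                       # ceiling division
    padded = data.ljust(stripe_len * n, b"\0")
    stripes = [padded[i * stripe_len:(i + 1) * stripe_len] for i in range(n)]
    return stripes + [reduce(xor_bytes, stripes)]         # last entry is the parity disk


def parity_ok(layout: list) -> bool:
    """Scrub: with every disk present, parity must equal the XOR of all data stripes."""
    return reduce(xor_bytes, layout[:-1]) == layout[-1]


def degraded_read(layout: list, original_len: int) -> bytes:
    """Return the payload with at most one disk missing (None in the layout).
    The XOR of every surviving stripe, parity included, regenerates the absent one."""
    missing = [i for i, s in enumerate(layout) if s is None]
    if len(missing) > 1:
        raise RuntimeError("single parity tolerates one failed disk; %d are missing" % len(missing))
    stripes = list(layout)
    if missing:
        survivors = [s for s in layout if s is not None]
        stripes[missing[0]] = reduce(xor_bytes, survivors)
    return b"".join(stripes[:-1])[:original_len]


PAYLOAD = b"GL batch 2024-03: 1,250 postings"            # constructed sample data
LAYOUT = stripe(PAYLOAD, 4)                               # 3 data disks + 1 parity disk

if __name__ == "__main__":
    failed = list(LAYOUT)
    failed[1] = None                                      # simulate loss of data disk 1
    print(degraded_read(failed, len(PAYLOAD)))
```

Losing a second disk before the first is rebuilt is the failure single parity does not cover, which is why the degraded read refuses rather than returning garbage; the scrub is the routine check that catches silent corruption before a failure forces a rebuild.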

31. Which of the following disaster recovery techniques has the least risk associated with it?
a. empty shell
b. ROC
c. internally provided backup
d. they are all equally risky

ANS: C PTS: 1

32. Which of the following is NOT a potential threat to computer hardware and peripherals?
a. low humidity
b. high humidity
c. carbon dioxide fire extinguishers
d. water sprinkler fire extinguishers

ANS: C PTS: 1

33. Which of the following would strengthen organizational control over a large-scale data processing center?
a. Requiring the user departments to specify the general control standards necessary for processing
transactions.
b. Requiring that requests and instructions for data processing services be submitted directly to the
computer operator in the data center.
c. Having the database administrator report to the manager of computer operations.
d. Assigning maintenance responsibility to the original system designer who best knows its logic.

ANS: A PTS: 1

34. Which of the following is true?


a. Core competency theory argues that an organization should outsource specific core assets.
b. Core competency theory argues that an organization should focus exclusively on its core business
competencies
c. Core competency theory argues that an organization should not outsource specific commodity assets.
d. Core competency theory argues that an organization should retain certain specific non-core assets in-house.

ANS: B PTS: 1

CHAPTER 4

TRUE/FALSE

1. The database approach to data management is sometimes called the flat file approach.
ANS: F PTS: 1

2. The database management system provides a controlled environment for accessing the database.
ANS: T PTS: 1

3. To the user, data processing procedures for routine transactions, such as entering sales orders, appear
to be identical in the database environment and in the traditional environment.
ANS: T PTS: 1

4. An important feature associated with the traditional approach to data management is the ability to
produce ad hoc reports.
ANS: F PTS: 1

5. The data definition language is used to insert special database commands into application programs.
ANS: F PTS: 1

6. There is more than one conceptual view of the database.


ANS: F PTS: 1

7.In the database method of data management, access authority is maintained by systems
programming.
ANS: F PTS: 1

8. The physical database is an abstract representation of the database.


ANS: F PTS: 1

9. A customer name and an unpaid balance is an example of a one-to-many relationship.


ANS: F PTS: 1

10. In the relational model, a data element is called a relation.


ANS: F PTS: 1

11. Subschemas are used to authorize user access privileges to specific data elements.
ANS: F PTS: 1

12. A recovery module suspends all data processing while the system reconciles its journal files against the
database.
ANS: F PTS: 1

13. A major difference between the database and flat-file models is the pooling of data into a common
shared database.
ANS: T PTS: 1

14. Examining programmer authority tables for information about who has access to Data Definition
Language commands will provide evidence about who is responsible for creating subschemas.
ANS: T PTS: 1

15. Data normalization groups data attributes into tables in accordance with specific design objectives.
ANS: T PTS: 1

16. Under the database approach, data is viewed as proprietary or owned by users.
ANS: F PTS: 1

17. The data dictionary describes all of the data elements in the database.
ANS: T PTS: 1

18. When information system needs arise, users send formal requests for computer applications to the
database administrator of the organization.
ANS: F PTS: 1

19. A deadlock is a phenomenon that prevents the processing of transactions.


ANS: T PTS: 1

20. Time stamping is a control that is used to ensure database partitioning.
ANS: F PTS: 1

21. A lockout is a software control that prevents multiple users from simultaneous access to data.
ANS: T PTS: 1

22. An entity is any physical thing about which the organization wishes to capture data.
ANS: F PTS: 1

23. Data access methods allow records to be located, stored and retrieved.
ANS: F PTS: 1

24. The term occurrence is used to describe the number of attributes or fields pertaining to a specific entity.
ANS: F PTS: 1

25. The earliest DBMSs were based on the hierarchical data model.
ANS: T PTS: 1

MULTIPLE CHOICE
1. All of the following are basic data management tasks except

a. data deletion

b. data storage

c. data attribution

d. data retrieval

ANS: C PTS: 1

2. The task of searching the database to locate a stored record for processing is called

a. data deletion

b. data storage

c. data attribution

d. data retrieval

ANS: D PTS: 1

3. Which of the following is not a problem usually associated with the flat-file approach to data
management?

a. data redundancy

b. restricting access to data to the primary user

c. data storage
d. currency of information

ANS: B PTS: 1

4. Which characteristic is associated with the database approach to data management?

a. data sharing

b. multiple storage procedures

c. data redundancy

d. excessive storage costs

ANS: A PTS: 1

5. Which characteristic is not associated with the database approach to data management?

a. the ability to process data without the help of a programmer

b. the ability to control access to the data

c. constant production of backups

d. the inability to determine what data is available

ANS: D PTS: 1

6. The textbook refers to four interrelated components of the database concept. Which of the following is
not one of the components?

a. the database management system

b. the database administrator

c. the physical database

d. the conceptual database


ANS: D PTS: 1

7. Which of the following is not a responsibility of the database management system?

a. provide an interface between the users and the physical database

b. provide security against a natural disaster

c. ensure that the internal schema and external schema are consistent

d. authorize access to portions of the database

ANS: C PTS: 1

8. A description of the physical arrangement of records in the database is


a. the internal view
b. the conceptual view

c. the subschema

d. the external view

ANS: A PTS: 1

9. Which of the following may provide many distinct views of the database?

a. the schema

b. the internal view

c. the user view

d. the conceptual view

ANS: C PTS: 1

10. Users access the database

a. by direct query

b. by developing operating software

c. by constantly interacting with systems programmers

d. all of the above

ANS: A PTS: 1

11. The data definition language

a. identifies, for the database management system, the names and relationships of all data elements, records, and fi

b. inserts database commands into application programs to enable standard programs to interact with and manipul

c. permits users to process data in the database without the need for conventional programs

d. describes every data element in the database

ANS: A PTS: 1

12. The data manipulation language

a. defines the database to the database management system

b. transfers data to the buffer area for manipulation

c. enables application programs to interact with and manipulate the database

d. describes every data element in the database

ANS: C PTS: 1

13. Which statement is not correct? A query language like SQL


a. is written in a fourth-generation language

b. requires user familiarity with COBOL

c. allows users to retrieve and modify data

d. reduces reliance on programmers

ANS: B PTS: 1

14. Which duty is not the responsibility of the database administrator?

a. to develop and maintain the data dictionary

b. to implement security controls

c. to design application programs

d. to design the subschema

ANS: C PTS: 1

15. In a hierarchical model

a. links between related records are implicit

b. the way to access data is by following a predefined data path

c. an owner (parent) record may own just one member (child) record

d. a member (child) record may have more than one owner (parent)

ANS: B PTS: 1

16. Which term is not associated with the relational database model?

a. tuple

b. attribute

c. collision

d. relation

ANS: C PTS: 1

17. In the relational database model

a. relationships are explicit

b. the user perceives that files are linked using pointers

c. data is represented on two-dimensional tables

d. data is represented as a tree structure

ANS: C PTS: 1

18. In the relational database model all of the following are true except

a. data is presented to users as tables

b. data can be extracted from specified rows from specified tables

c. a new table can be built by joining two tables

d. only one-to-many relationships can be supported

ANS: D PTS: 1

19. In a relational database

a. the user’s view of the physical database is the same as the physical database

b. users perceive that they are manipulating a single table

c. a virtual table exists in the form of rows and columns of a table stored on the disk

d. a programming language (COBOL) is used to create a user’s view of the database

ANS: B PTS: 1

20. Which of the following is not a common form of conceptual database model?

a. hierarchical

b. network

c. sequential

d. relational

ANS: C PTS: 1

21. Which statement is false?

a. The DBMS is special software that is programmed to know which data elements each user is authorized to access.

b. User programs send requests for data to the DBMS.

c. During processing, the DBMS periodically makes backup copies of the physical database.

d. The DBMS does not control access to the database.

ANS: D PTS: 1

22. All of the following are elements of the DBMS which facilitate user access to the database except

a. query language

b. data access language

c. data manipulation language

d. data definition language

ANS: B PTS: 1

23. Which of the following is a level of the database that is defined by the data definition language?

a. user view

b. schema

c. internal view

d. all are levels or views of the database

ANS: D PTS: 1

24. An example of a distributed database is

a. partitioned database

b. centralized database

c. networked database

d. all are examples of distributed databases

ANS: A PTS: 1

25. Data currency is preserved in a centralized database by

a. partitioning the database

b. using a lockout procedure

c. replicating the database

d. implementing concurrency controls

ANS: B PTS: 1

26. Which procedure will prevent two end users from accessing the same data element at the same time?

a. data redundancy

b. data replication

c. data lockout

d. none of the above

ANS: C PTS: 1

27. The advantages of a partitioned database include all of the following except

a. user control is enhanced

b. data transmission volume is increased

c. response time is improved

d. risk of destruction of entire database is reduced

ANS: B PTS: 1

28. A replicated database is appropriate when

a. there is minimal data sharing among information processing units

b. there exists a high degree of data sharing and no primary user

c. there is no risk of the deadlock phenomenon

d. most data sharing consists of read-write transactions

ANS: B PTS: 1

29. What control maintains complete, current, and consistent data at all information processing units?

a. deadlock control

b. replication control

c. concurrency control

d. gateway control

ANS: C PTS: 1

30. Data concurrency

a. is a security issue in partitioned databases

b. is implemented using time stamping

c. may result in data lockout

d. occurs when a deadlock is triggered

ANS: B PTS: 1

31. All of the following are advantages of a partitioned database except

a. increased user control by having the data stored locally

b. deadlocks are eliminated

c. transaction processing response time is improved

d. partitioning can reduce losses in case of disaster

ANS: B PTS: 1
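Worked example for the concurrency questions above (lockout, questions 21 and 26; time stamping, questions 29 and 30). This is an added illustration, not code from the page or its textbook. Part one replays a fixed interleaving of two users' read-modify-write steps on one data element, with and without lockout; part two delivers the same timestamped updates to two replicas in different arrival orders and shows which policy keeps them consistent. The users, sites, items, values and interleavings are constructed.

```python
"""Added example (not from the page or its textbook): lockout against the
lost update, and time stamping for replica consistency. Users, sites, items,
values and the interleavings below are constructed for illustration."""
from dataclasses import dataclass


def run_schedule(schedule, use_lockout, start=100, increment=10):
    """Replay a fixed interleaving of (user, op) steps against one element.
    Each user reads the element, adds `increment` locally, then writes it back."""
    value, local, lock_holder = start, {}, None
    pending = list(schedule)
    budget = len(schedule) ** 2 + 1             # guard: a lock that is never released
    while pending:
        budget -= 1
        if budget < 0:
            raise RuntimeError("schedule cannot complete: element stays locked")
        user, op = pending.pop(0)
        if use_lockout and lock_holder not in (None, user):
            # element locked by another user: this user waits, keeping its own op order
            waiting = [(u, o) for u, o in pending if u == user]
            pending = [(u, o) for u, o in pending if u != user] + [(user, op)] + waiting
            continue
        if op == "read":
            if use_lockout:
                lock_holder = user
            local[user] = value
        elif op == "write":
            value = local[user] + increment
            if use_lockout:
                lock_holder = None
        else:
            raise ValueError(op)
    return value


# both users read before either writes: the classic lost-update interleaving
LOST_UPDATE_SCHEDULE = [("ann", "read"), ("bob", "read"), ("ann", "write"), ("bob", "write")]


@dataclass(frozen=True)
class Update:
    ts: int        # timestamp assigned by the originating site
    site: str      # tie-breaker so two sites never issue the same stamp
    item: str
    value: int

    @property
    def stamp(self):
        return (self.ts, self.site)


class Replica:
    def __init__(self):
        self.data, self.stamps = {}, {}

    def apply_arrival_order(self, u):
        self.data[u.item] = u.value             # whatever arrives last wins

    def apply_timestamped(self, u):
        """Reject an update that is older than the one already applied to the item."""
        if u.item in self.stamps and self.stamps[u.item] > u.stamp:
            return False
        self.stamps[u.item], self.data[u.item] = u.stamp, u.value
        return True


UPDATES = [Update(1, "A", "balance", 100), Update(2, "B", "balance", 250), Update(3, "A", "balance", 175)]
ARRIVAL_AT_A = [UPDATES[0], UPDATES[2], UPDATES[1]]     # site B's update delayed in transit
ARRIVAL_AT_B = [UPDATES[0], UPDATES[1], UPDATES[2]]


def replicate(method):
    """Feed each replica its own arrival order; return the final balance at A and at B."""
    a, b = Replica(), Replica()
    for u in ARRIVAL_AT_A:
        getattr(a, method)(u)
    for u in ARRIVAL_AT_B:
        getattr(b, method)(u)
    return a.data["balance"], b.data["balance"]


if __name__ == "__main__":
    print("no lockout:", run_schedule(LOST_UPDATE_SCHEDULE, False))      # 110: one increment lost
    print("lockout:   ", run_schedule(LOST_UPDATE_SCHEDULE, True))       # 120
    print("arrival order:", replicate("apply_arrival_order"))            # replicas disagree
    print("timestamped:  ", replicate("apply_timestamped"))              # replicas agree
```

The lockout replay shows why the textbook calls it a control rather than a convenience: the second user's read is deferred until the first user's write is released, so the second increment is computed from 110 rather than from the stale 100. The time stamping replay is the reason question 30 pairs concurrency with time stamps: each replica applies the same update set in stamp order regardless of network arrival order, so both sites end at 175.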

32. Which backup technique is most appropriate for sequential batch systems?

a. grandparent-parent-child approach

b. staggered backup approach

c. direct backup

d. remote site, intermittent backup

ANS: A PTS: 1

33. When creating and controlling backups for a sequential batch system,

a. the number of backup versions retained depends on the amount of data in the file

b. off-site backups are not required

c. backup files can never be used for scratch files

d. the more significant the data, the greater the number of backup versions

ANS: D PTS: 1

34. In a direct access file system

a. backups are created using the grandfather-father-son approach

b. processing a transaction file against a master file creates a backup file

c. files are backed up immediately before an update run

d. if the master file is destroyed, it cannot be reconstructed

ANS: C PTS: 1

35. Which of the following is not an access control in a database system?

a. antivirus software

b. database authorization table

c. passwords

d. voice prints

ANS: A PTS: 1

36. Which of the following is not a basic database backup and recovery feature?

a. checkpoint

b. backup database

c. transaction log

d. database authority table

ANS: D PTS: 1
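Worked example for question 36 (checkpoint, backup database, transaction log). This is an added illustration, not code from the page or its textbook. It recovers the database two ways: by rolling forward from the checkpoint backup using only committed log records, and in place by undoing the uncommitted write with its before-image. The checkpoint snapshot, the log records, the crash point and the integrity check on before-images are constructed for the example.

```python
"""Added example (not from the page or its textbook): recovery from a
checkpoint backup plus a transaction log. Snapshot, log records and the
crash point below are constructed for illustration."""


class LogIntegrityError(Exception):
    """A log record's before-image disagrees with the state it is being applied to."""


CHECKPOINT = {"AR-1001": 500, "AR-1002": 250}            # backup copy taken at the checkpoint

LOG = [                                                   # write-ahead log written after the checkpoint
    {"txid": "T7", "op": "begin"},
    {"txid": "T7", "op": "write", "item": "AR-1001", "before": 500, "after": 420},
    {"txid": "T7", "op": "commit"},
    {"txid": "T8", "op": "begin"},
    {"txid": "T8", "op": "write", "item": "AR-1002", "before": 250, "after": 0},
    {"txid": "T9", "op": "begin"},
    {"txid": "T9", "op": "write", "item": "AR-1003", "before": None, "after": 75},
    {"txid": "T9", "op": "commit"},
]                                                         # system fails here; T8 never committed

CRASHED_DISK = {"AR-1001": 420, "AR-1002": 0, "AR-1003": 75}   # constructed: T8's dirty write reached disk


def committed_transactions(log):
    return {r["txid"] for r in log if r["op"] == "commit"}


def redo_from_checkpoint(checkpoint, log):
    """Roll forward: start from the backup and replay only committed writes, checking
    each before-image so a tampered or misordered log is detected rather than applied."""
    db = dict(checkpoint)
    committed = committed_transactions(log)
    for r in log:
        if r["op"] != "write" or r["txid"] not in committed:
            continue
        if db.get(r["item"]) != r["before"]:
            raise LogIntegrityError(
                f"{r['txid']} expected {r['item']}={r['before']}, found {db.get(r['item'])}")
        db[r["item"]] = r["after"]
    return db


def undo_redo_in_place(crashed_db, log):
    """Recover the on-disk state itself: undo uncommitted writes in reverse log order
    using before-images, then make sure every committed after-image is present."""
    db = dict(crashed_db)
    committed = committed_transactions(log)
    for r in reversed(log):
        if r["op"] == "write" and r["txid"] not in committed:
            if r["before"] is None:
                db.pop(r["item"], None)            # item did not exist before the transaction
            else:
                db[r["item"]] = r["before"]
    for r in log:
        if r["op"] == "write" and r["txid"] in committed:
            db[r["item"]] = r["after"]
    return db


if __name__ == "__main__":
    print(redo_from_checkpoint(CHECKPOINT, LOG))
    print(undo_redo_in_place(CRASHED_DISK, LOG))
```

Both paths end in the same state, which is the property an auditor confirming "backup procedures are adequate" (question 37) is looking for; the before-image check in the roll-forward path is what makes the log usable as evidence, since a log whose images no longer chain together has been altered or truncated.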

37. Audit objectives for the database management system include all of the following except

a. verifying that the security group monitors and reports on fault tolerance violations

b. confirming that backup procedures are adequate

c. ensuring that authorized users access only those files they need to perform their duties

d. verifying that unauthorized users cannot access data files

ANS: A PTS: 1

38. All of the following tests of controls will provide evidence that access to the data files is limited except

a. inspecting biometric controls

b. reconciling program version numbers

c. comparing job descriptions with access privileges stored in the authority table

d. attempting to retrieve unauthorized data via inference queries

ANS: B PTS: 1
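Worked example for answer c of question 38 (comparing job descriptions with the access privileges stored in the authority table). This is an added illustration, not code from the page or its textbook. It reconciles a constructed authority table against the privileges each role's job description justifies and reports excess privileges, orphan accounts and missing privileges; the users, roles, objects and actions are all assumptions made for the example.

```python
"""Added example (not from the page or its textbook): reconciling a database
authority table with job descriptions. Roles, users, objects and actions
are constructed for illustration."""
from collections import defaultdict

ROLE_PRIVILEGES = {          # (object, action) pairs each job description justifies
    "ar_clerk": {("customers", "read"), ("invoices", "read"), ("invoices", "write")},
    "auditor":  {("customers", "read"), ("invoices", "read"), ("payroll", "read")},
    "dba":      {("schema", "alter")},
}
STAFF = {"alice": "ar_clerk", "bob": "auditor", "carol": "dba"}   # current employees and roles
AUTHORITY_TABLE = [          # (user, object, action) rows as extracted from the DBMS
    ("alice", "customers", "read"), ("alice", "invoices", "read"), ("alice", "invoices", "write"),
    ("alice", "payroll", "write"),                 # not justified by an AR clerk's duties
    ("bob", "customers", "read"), ("bob", "invoices", "read"),
    ("carol", "schema", "alter"), ("carol", "invoices", "write"),   # DBA holding application write
    ("dave", "invoices", "read"),                  # no current employee behind this account
]


def reconcile(staff, role_privileges, authority_table):
    """Return findings as (kind, user, detail) tuples: privileges the job description
    does not justify, accounts with no employee, and justified privileges not granted."""
    granted = defaultdict(set)
    for user, obj, action in authority_table:
        granted[user].add((obj, action))
    findings = []
    for user, privs in granted.items():
        if user not in staff:
            findings.append(("orphan_account", user, tuple(sorted(privs))))
            continue
        for priv in sorted(privs - role_privileges[staff[user]]):
            findings.append(("excess_privilege", user, priv))
    for user, role in staff.items():
        for priv in sorted(role_privileges[role] - granted.get(user, set())):
            findings.append(("missing_privilege", user, priv))
    return findings


if __name__ == "__main__":
    for finding in reconcile(STAFF, ROLE_PRIVILEGES, AUTHORITY_TABLE):
        print(*finding)
```

The DBA's write privilege on an application table surfaces as an excess finding, which is the separation-of-duties point behind true/false question 10 and answer c of question 33 in the Chapter 2 multiple choice section; the orphan account is the finding most often missed when the review is done by eye, because nothing in the authority table itself says the employee has left.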

39. Which of the following is not a test of access controls?

a. biometric controls

b. encryption controls

c. backup controls

d. inference controls

ANS: C PTS: 1

40. To preserve the confidentiality and integrity of the database requires:

a. biometric devices

b. user-defined procedures.

c. backup controls

d. inference controls

ANS: D PTS: 1
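Worked example for answer d of question 38 and for question 40 (inference queries and inference controls). This is an added illustration, not code from the page or its textbook. It exposes a statistical interface that only returns counts and sums, shows how two permitted aggregates reveal one person's salary by subtraction, and adds a minimum-query-set-size control that refuses the second query. The table, its rows and the threshold k are constructed for the example.

```python
"""Added example (not from the page or its textbook): an inference attack on an
aggregate-only interface and a minimum-query-set-size control. Table, rows
and the threshold k are constructed for illustration."""
import sqlite3

ROWS = [                      # constructed payroll rows: (name, dept, salary)
    ("Ann", "Audit", 80000), ("Ben", "Audit", 85000), ("Eve", "Audit", 90000),
    ("Kim", "Sales", 60000), ("Lee", "Sales", 62000), ("Max", "Sales", 64000), ("Ray", "Sales", 66000),
]
FILTER_COLUMNS = {"name", "dept"}      # columns a statistical query may filter on


class InferenceBlocked(Exception):
    pass


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", ROWS)
    return conn


def _clause(col, op, val, clauses, params):
    if col not in FILTER_COLUMNS:
        raise ValueError(f"filter on {col} not allowed")
    clauses.append(f"{col} {op} ?")        # column name is whitelisted, value is bound
    params.append(val)


def stat(conn, include=None, exclude=None):
    """COUNT and SUM(salary) over rows matching the equality filters; no row-level access."""
    clauses, params = [], []
    for col, val in (include or {}).items():
        _clause(col, "=", val, clauses, params)
    for col, val in (exclude or {}).items():
        _clause(col, "<>", val, clauses, params)
    sql = "SELECT COUNT(*), COALESCE(SUM(salary), 0) FROM employees"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return conn.execute(sql, params).fetchone()


def guarded_stat(conn, include=None, exclude=None, k=3):
    """Inference control: refuse an answer whose query set, or its complement, has fewer than k rows."""
    count, total = stat(conn, include, exclude)
    n = conn.execute("SELECT COUNT(*) FROM employees").fetchone()[0]
    if count < k or n - count < k:
        raise InferenceBlocked(f"query set of size {count} (of {n}) is below k={k}")
    return count, total


def infer_salary(conn, dept, name, query=stat):
    """Two individually harmless aggregates whose difference is one person's salary."""
    _, whole = query(conn, {"dept": dept})
    _, rest = query(conn, {"dept": dept}, {"name": name})
    return whole - rest


if __name__ == "__main__":
    conn = open_db()
    print("inferred:", infer_salary(conn, "Audit", "Eve"))
    try:
        infer_salary(conn, "Audit", "Eve", query=guarded_stat)
    except InferenceBlocked as e:
        print("blocked:", e)
```

The size threshold stops this particular subtraction because the second query's set has two rows, but a threshold alone is known to be defeated by tracker queries that pad each set above k and cancel the padding afterwards; in practice it is combined with auditing of the query history and with noise or rounding in the returned aggregates.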
