Information Systems Controls For Systems Reliability: Suggested Answers To Discussion Questions 8.1


Accounting Information Systems

CHAPTER 8

INFORMATION SYSTEMS CONTROLS FOR SYSTEMS RELIABILITY

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

8.1 For the consumer, opt-out represents many disadvantages because the consumer is
responsible for explicitly notifying every company that might be collecting the
consumer’s personal information and telling them to stop collecting their personal data.
Consumers are less likely to take the time to opt out of these programs, and even if they
do decide to opt out, they may not know of all of the companies that are capturing their
personal information. For the organization collecting the data, opt-out is an advantage for
the same reasons it is a disadvantage to the consumer: the organization is free to collect
all the information it wants until explicitly told to stop.

8.2 a. The cost here is tangible, consisting of the salaries of additional employees, if any,
who must be hired in order to accomplish segregation of duties. The benefit is much
less tangible, comprising primarily the reduction in the risk of loss from both fraud
and unintentional errors. One approach might be to estimate an "expected benefit" as
a product of the possible loss from fraud and the reduction in probability of fraud.

b. The costs here are also relatively tangible, including the costs of maintaining a tape
library and of performing special procedures such as file labeling, concurrent update
controls, encryption, virus protection, maintaining backup files, and so forth. The
benefit is again intangible, consisting of the reduction in risk of loss of vital business
data. Once again an "expected benefit" might be estimated as the reduction of the
product of the cost of data reconstruction and the probability of data loss.

c. The cost here consists of the extra programming and processing time required to
prepare and execute the input validation routines. As in the other cases, the benefits
are intangible and difficult to measure in dollars. The primary benefit is the increase
in accuracy of files and output. In this case, the decision must be primarily subjective,
since a reliable dollar value is unlikely to be available.

8.3 The disadvantage of full backups is time. Organizations do not normally make full
backups of their data on a frequent (daily) basis simply due to the time a full backup
takes. Most organizations do full backups on a weekly basis. The advantage of frequent
full backups is that the full system can be restored from a single backup. An advantage of
incremental or partial daily backups is time. Since only files that have been altered since
the last incremental backup or full backup are included in the backup, the backup can be
done much more quickly. Of course, the downside of incremental backups is that it is
likely that more than one backup will be needed to fully restore the system in the event of
a system failure. Management decides what the recovery point objective (RPO) should
be for their company; i.e., how much they are willing to lose in the event of a catastrophic
event. Naturally, the recovery time objective (RTO) would always be “as soon as
possible”, but this decision hinges on how long management thinks the company can
operate without their data. The advantage of real-time mirroring is that a full and
complete backup is always available at a moment’s notice. The mirror site can instantly
step into the shoes of the primary site since it is a real-time replica of the primary site.
The disadvantage of real-time mirroring is the cost of creating and maintaining identical
databases at two different site locations; however, depending on the needs of the
business, real-time mirroring may be a legitimate and necessary business expense since
the cost of losing data and then recreating that data from a full or partial backup would be
prohibitive. In other words, for these businesses, RPO and RTO are essentially zero; i.e.,
the data must be available instantaneously.

8.4

Original Number (A)   Transposed Number (B)   Difference (B - A)   Divisible by 9?
10                    01                      9                    Yes
11                    11                      0                    Not a transposition
12                    21                      9                    Yes
13                    31                      18                   Yes
14                    41                      27                   Yes
15                    51                      36                   Yes
16                    61                      45                   Yes
17                    71                      54                   Yes
18                    81                      63                   Yes
19                    91                      72                   Yes

When numbers between 10 and 19 are transposed, the difference between the original
number and the transposed number is divisible by 9 except for the number 11 since the
transposition of 11 is 11 and therefore not a transposition.

8.5 Good internal control procedures dictate the objectives of internal control, but not the
techniques by which those objectives are to be achieved. Computer systems can
efficiently scan large volumes of records on a regular basis, identify transactions that need
to be initiated, and then take appropriate transaction-initiation steps such as document
preparation and file updating.

Given that computer systems will be programmed to initiate transactions, the issue is to
identify internal control techniques that will achieve the stated objective under these
circumstances. These include (1) strong controls over the development and revision of
the computer programs that initiate transactions, (2) organizational separation of the
programming and computer operations functions, (3) logical access controls to prevent
unauthorized access to computer programs, and (4) review by user department personnel
of transactions initiated by the computer.

In summary, automatic generation of transactions by computer does not necessarily
violate good internal control.

8.6 Since outsourcing is and will likely continue to be a topic of interest, this question should
generate some good discussion from students. Data security and data protection are rated
among the top ten risks of offshore outsourcing by CIO News. Compliance with the
Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley
Act (SOX) is of particular concern to companies outsourcing work to offshore
companies. Since offshore companies are not required to comply with HIPAA,
companies that contract with offshore providers do not have any enforceable mechanisms
in place to protect and safeguard Protected Health Information (i.e., patient health
information) as required by HIPAA. They essentially lose control of that data once it is
processed by an offshore provider. Similarly, offshore companies are not governed by
SOX, yet when the CEO and CFO attest to the accuracy of their company’s financial
statements, that attestation covers documentation of any business processes performed
by offshore entities.

One question that may facilitate discussion is to ask the students whether, once a company
sends some operations offshore, the outsourcing company still has legal control over its
data or the laws of the offshore country dictate ownership. Should the outsourcing
company be liable in this country for data that was lost or compromised by an
offshore outsourcing partner?

8.7 Since most students will encounter this question as an employee and as a future manager,
the concept of personal email use during business hours should generate significant
discussion. One question that may help facilitate discussion is to ask whether personal
emails are any different than personal phone calls during business hours. The instructor
may also want to use this opportunity to discuss security issues with email. Viruses are
frequently spread through email, and although a virus could infect company computers
through a business-related email, personal email will also expose the company to viruses
and therefore warrants a policy of disallowing any personal emails. In addition, there is
the risk that employees could overtly or inadvertently release confidential company
information through personal email. Once the information is written in electronic form it
is easy and convenient for the recipient to distribute that information.

8.8 Many people may view biometric authentication as invasive. That is, in order to gain
access to a work-related location or data, they must provide a very personal image of
part of their body such as their retina, finger or palm print, their voice, etc. Providing
such personal information may make some individuals fearful of identity theft in that,
unlike a social security number or a bank account number, biometric identification
characteristics cannot simply be “reset”. If someone’s digitized biometric identification
such as a fingerprint is stolen, then how can they prevent their identity from being used
to lie, cheat, and steal? Indeed, facial scans and voice scans can be obtained and recorded
without the consent and knowledge of the person being scanned. RFID tags that are
embedded or attached to a person’s clothing would allow anyone with that particular tag’s
frequency to track the exact movements of the “tagged” person. For police tracking
criminals that would be a tremendous asset, but what if criminals were tracking people
whom they wanted to rob, or whose property they wanted to rob when they knew the person
would not be at home? Already one elementary school tried using RFID tags on students
to track attendance, but stopped the program due to parental complaints and because the
company that donated the equipment decided to stop supplying the RFID tags to the
school.

SUGGESTED SOLUTIONS TO THE PROBLEMS

8.1 There is no single correct solution for this problem. Student responses will vary
depending on their experience with various businesses. One minimal classification
scheme could be highly confidential or top-secret, confidential or internal only, and
public. The following table lists some examples of items that could fall into each basic
category.

Highly Confidential (Top Secret)      Confidential (Internal)    Public
Research Data                         Payroll                    Financial Statements
Product Development Data              Cost of Capital            Securities and Exchange Commission Filings
Proprietary Manufacturing Processes   Tax                        Marketing Information
Proprietary Business Processes        Manufacturing Cost Data    Product Specification Data
Competitive Bidding Data              Financial Projections      Earnings Announcement Data

8.2 a. Record Count: 4 records

Hash and Financial Totals are shown in the table below.

Employee Number   Pay Rate     Hours Worked   Gross Pay          Deductions         Net Pay
121               6.50         38             $247.00            25.50              221.50
123               7.25         40             290.00             60.00              230.00
125               6.75         90             607.5              450.00             57.50
122               67.5         40             2700.00            500.00             2200.00
---------------   ----------   ------------   ---------------    ---------------    ---------------
491               88           208            3824.50            1135.50            2679.00
Hash Total        Hash Total   Hash Total     Financial Total    Financial Total    Financial Total

b. Field Check: $247 Gross Pay for Employee 121 should not contain the $ symbol.

Sequence Check: Employee 122 is out of order. This record should appear
directly after Employee 121.

Limit Check: 90 Hours Worked for Employee 125 is probably too high.

Reasonableness Test: $450 in Deductions for Employee 125 seems too high given
a Gross Pay of $587.50.

Crossfooting Balance Test: $57.50 net pay for employee 125 does not equal
$607.50-$450. Net pay should be $157.50 if the gross pay and deductions are correct.
In addition, the deductions for employee 125 also appear to be unreasonably high, so the
correct net pay should be much higher than $57.50.
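As an added example (not part of the solutions manual), the following Python computes the batch totals of part (a) and applies the five edit checks of part (b) to the four payroll records above, taken exactly as they would arrive from data entry. The hours limit (80) and the deductions-to-gross ratio (50%) are assumed thresholds, since the problem states none; the totals are recomputed directly from the records as listed.

```python
import re
from decimal import Decimal

# Constructed input: the four payroll records from Problem 8.2, as keyed in
# (every field is still a string, the stray "$" included).
PAYROLL_BATCH = [
    {"emp": "121", "rate": "6.50", "hours": "38", "gross": "$247.00", "ded": "25.50", "net": "221.50"},
    {"emp": "123", "rate": "7.25", "hours": "40", "gross": "290.00", "ded": "60.00", "net": "230.00"},
    {"emp": "125", "rate": "6.75", "hours": "90", "gross": "607.5", "ded": "450.00", "net": "57.50"},
    {"emp": "122", "rate": "67.5", "hours": "40", "gross": "2700.00", "ded": "500.00", "net": "2200.00"},
]

# Assumed thresholds; the problem gives none.
MAX_HOURS = Decimal("80")              # limit check on hours worked per period
MAX_DEDUCTION_RATIO = Decimal("0.5")   # reasonableness test: deductions vs. gross pay

NUMERIC = re.compile(r"\d+(\.\d+)?")
HASH_FIELDS = ("emp", "rate", "hours")        # sums with no meaning except to detect change or loss
FINANCIAL_FIELDS = ("gross", "ded", "net")    # sums that mean something in dollars


def amount(text):
    """Parse a keyed amount as a Decimal, tolerating a stray '$' so totals can still be computed."""
    return Decimal(text.replace("$", ""))


def batch_totals(batch):
    """Record count, hash totals and financial totals; the receiving program recomputes these
    after processing and compares them with the totals prepared when the batch was keyed."""
    totals = {"record_count": len(batch)}
    for field in HASH_FIELDS + FINANCIAL_FIELDS:
        totals[field] = sum((amount(r[field]) for r in batch), Decimal(0))
    return totals


def edit_checks(batch):
    """Apply the five edit checks from part (b) to each record.
    Returns (check, employee number, field) for every exception found."""
    findings = []
    for i, r in enumerate(batch):
        # Field check: numeric fields may contain digits and one decimal point only.
        for field in HASH_FIELDS + FINANCIAL_FIELDS:
            if not NUMERIC.fullmatch(r[field]):
                findings.append(("field", r["emp"], field))
        # Sequence check: employee numbers must be in ascending order.
        if i > 0 and int(r["emp"]) < int(batch[i - 1]["emp"]):
            findings.append(("sequence", r["emp"], "emp"))
        hours, gross, ded, net = (amount(r[f]) for f in ("hours", "gross", "ded", "net"))
        # Limit check: hours worked cannot exceed the period maximum.
        if hours > MAX_HOURS:
            findings.append(("limit", r["emp"], "hours"))
        # Reasonableness test: deductions out of proportion to gross pay.
        if ded > gross * MAX_DEDUCTION_RATIO:
            findings.append(("reasonableness", r["emp"], "ded"))
        # Crossfooting balance test: gross pay less deductions must equal net pay.
        if gross - ded != net:
            findings.append(("crossfoot", r["emp"], "net"))
    return findings


if __name__ == "__main__":
    for name, value in batch_totals(PAYROLL_BATCH).items():
        print(f"{name:>13}: {value}")
    for check, emp, field in edit_checks(PAYROLL_BATCH):
        print(f"{check:>14} check failed for employee {emp} ({field})")
```

Each check reports an exception rather than stopping, so one run of the batch lists every record that needs correction; the hash totals are kept separate from the financial totals because only the latter have a business meaning.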

8.3
a. Field 1 - Member number:
Range check to verify that the field contains only four digits within the range of
0001 to 1368.
Validity check on member number if a file of valid member numbers is maintained.

Field 2 - Date of flight start:
Check that day, month, and year correspond to the current date.
Field check to verify that the field contains six digits.

Field 3 - Plane used:
Validity check that the character is one of the legal characters to describe a plane (G,
C, P, or L).
Field check that only a single character is used.

Field 4 - Time of take off:
Range check that both pairs of numbers are within the acceptable range (first two
digits are within range 00 to 23, and second two digits are within the range 00 to
59).
Field check to verify that the field contains four digits.

Field 5 - Time of landing:
Range check that both pairs of numbers are within the acceptable range described
for field 4.
Reasonableness test that field 5 is greater than field 4.

b. Five of the six records contain errors as follows:
1st - Wrong date is used (Nov. 31 instead of Nov. 1).
2nd - Member number is outside range (4111 is greater than 1368).
4th - Plane code is not legal.
5th - Member number contains a character.
6th - Plane landing time is earlier than the take off time.

c. Other possible controls to prevent input errors are:
user ID numbers and passwords to limit system access to authorized personnel.
compatibility test to ensure that authorized personnel have access to the correct
data.
prompting to request each required input item.
preformatting to display an input form including all required input items.
completeness check on each input record to ensure all items have been entered.
default values such as today’s date for the flight date.
closed-loop verification (member name would appear immediately after the
member number).
(SMAC Examination, adapted)
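
As an added example (not part of the solutions manual), the following Python implements the field, range, validity and reasonableness checks of part (a) as an input-validation routine and runs it over six constructed flight records built to reproduce the error patterns of part (b). The six-digit date is assumed to be keyed as MMDDYY and is compared against a constructed "current date"; the problem does not specify the layout.

```python
import re
from datetime import date, datetime

VALID_PLANE_CODES = {"G", "C", "P", "L"}
MEMBER_LOW, MEMBER_HIGH = 1, 1368
DATE_FORMAT = "%m%d%y"   # assumed layout of the six-digit date field (MMDDYY)

# Constructed records (member number, flight date, plane, take-off, landing) built to
# reproduce the six cases in part (b): 1 wrong date (Nov. 31), 2 member out of range,
# 3 clean, 4 illegal plane code, 5 member contains a letter, 6 landing before take-off.
FLIGHT_RECORDS = [
    ("0123", "113108", "G", "0900", "1030"),
    ("4111", "110108", "C", "1000", "1100"),
    ("0456", "110108", "P", "1300", "1415"),
    ("0789", "110108", "X", "0800", "0930"),
    ("12A4", "110108", "L", "1400", "1500"),
    ("1000", "110108", "G", "1600", "1530"),
]
CURRENT_DATE = date(2008, 11, 1)   # constructed "current date" for the date check


def check_member(member):
    # Field check first (four digits), then range check against the valid member numbers.
    if not re.fullmatch(r"\d{4}", member):
        return ["member: field check failed (must be four digits)"]
    if not MEMBER_LOW <= int(member) <= MEMBER_HIGH:
        return ["member: range check failed (0001 to 1368)"]
    return []


def check_date(flight_date, today):
    if not re.fullmatch(r"\d{6}", flight_date):
        return ["date: field check failed (must be six digits)"]
    try:
        keyed = datetime.strptime(flight_date, DATE_FORMAT).date()
    except ValueError:                       # e.g. Nov. 31 does not exist
        return ["date: not a valid calendar date"]
    if keyed != today:
        return ["date: does not correspond to the current date"]
    return []


def check_plane(plane):
    if len(plane) != 1:
        return ["plane: field check failed (single character)"]
    if plane not in VALID_PLANE_CODES:
        return ["plane: validity check failed (must be G, C, P or L)"]
    return []


def check_time(value, label):
    if not re.fullmatch(r"\d{4}", value):
        return [f"{label}: field check failed (must be four digits)"]
    hours, minutes = int(value[:2]), int(value[2:])
    if not (0 <= hours <= 23 and 0 <= minutes <= 59):
        return [f"{label}: range check failed (hours 00-23, minutes 00-59)"]
    return []


def validate_flight(record, today):
    """Return the list of edit-check failures for one record (empty list = record accepted)."""
    member, flight_date, plane, takeoff, landing = record
    errors = (check_member(member) + check_date(flight_date, today) + check_plane(plane)
              + check_time(takeoff, "takeoff") + check_time(landing, "landing"))
    # The reasonableness test only makes sense once both times passed their own checks;
    # zero-padded HHMM strings compare correctly as text.
    if not any(e.startswith(("takeoff", "landing")) for e in errors) and landing <= takeoff:
        errors.append("landing: reasonableness test failed (must be later than takeoff)")
    return errors


def validate_batch(records, today):
    return [validate_flight(r, today) for r in records]


if __name__ == "__main__":
    for number, errors in enumerate(validate_batch(FLIGHT_RECORDS, CURRENT_DATE), start=1):
        print(f"record {number}: {'OK' if not errors else '; '.join(errors)}")
```

The checks are ordered so that a field check failure short-circuits the range or validity check on the same field; a value that is not even four digits cannot meaningfully be compared to 1368.
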
8.4 Differences between the correct batch total and the batch totals obtained after processing:

                         (a)            (b)            (c)            (d)
Correct batch total      $29,341.28     $29,341.28     $29,341.28     $29,341.28
Total after processing   -24,088.72     -29,431.28     -30,341.28     -27,578.66
Difference               $ 5,252.56     $   (90.00)    $(1,000.00)    $ 1,762.62

Analysis of these differences:

a. The difference of $5,252.56 is not divisible evenly by 9, which rules out a
transposition error. The difference affects multiple columns, which rules out a single
transcription error. The difference amount is not equal to any of the entries in the first
batch total calculation, which rules out an error of omission. Dividing the difference
by 2 gives $2,626.28, which is one of the entries in the first calculation. More careful
inspection reveals that this amount has been inadvertently subtracted from the second
batch total calculation rather than added.

b. The difference of $90 is evenly divisible by 9, which suggests the possible
transposition of adjoining digits in the hundreds and tens columns. More careful
inspection indicates that the amount $4,566.86 from the first calculation was
incorrectly transposed to $4,656.86 in the second calculation.

c. A difference of $1,000 represents a discrepancy in only one column, the thousands
column. A possible error in transcribing one digit in that column is indicated. More
careful examination reveals that the amount $2,772.42 from the first calculation was
incorrectly recorded in the second calculation as $3,772.42.

d. The difference of $1,762.62 exists in multiple columns and is not divisible evenly by
9. However, this amount is equal to one of the entries in the first calculation.
Inspection reveals that this item was inadvertently omitted from the second
calculation.
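As an added example (not part of the solutions manual), the following Python covers both the transposition table of discussion question 8.4 and the batch-difference reasoning of problem 8.4 above. It generalizes the table: swapping any two adjacent digits in any column changes a number by 9·(a−b)·10^k, so the difference is always divisible by 9, not only for 10 through 19. The batch of six amounts is constructed; it is chosen to sum to the problem's correct total of $29,341.28 and to contain the four amounts the analysis names, but the other two entries are made up.

```python
from decimal import Decimal


def cents(amount):
    """'$4,566.86' -> 456686. Integer cents keep the divisibility tests exact."""
    return int(Decimal(amount.replace("$", "").replace(",", "")) * 100)


def adjacent_transpositions(n):
    """Every number obtained by swapping one pair of adjacent digits of n, with |transposed - n|.
    Swapping two equal digits (11 -> 11) changes nothing and is not counted, as in the table above."""
    digits = list(str(n))
    results = []
    for i in range(len(digits) - 1):
        if digits[i] == digits[i + 1]:
            continue
        swapped = digits[:]
        swapped[i], swapped[i + 1] = swapped[i + 1], swapped[i]
        transposed = int("".join(swapped))
        results.append((transposed, abs(transposed - n)))
    return results


def transposition_differences_divisible_by_9(n):
    # Swapping digits a,b in columns 10^(k+1),10^k changes the value by 9*(a-b)*10^k, so every
    # adjacent transposition, not just those of 10..19, produces a difference divisible by 9.
    return all(diff % 9 == 0 for _, diff in adjacent_transpositions(n))


def is_single_column(d):
    """True when d is one nonzero digit in one column (e.g. 100000 cents = $1,000.00)."""
    return d > 0 and len(str(d).rstrip("0")) == 1


def diagnose_batch_difference(entries, recomputed_total):
    """Classify the discrepancy between the correct total of `entries` and a recomputed total,
    following the reasoning of cases (a)-(d)."""
    d = abs(sum(entries) - recomputed_total)
    if d == 0:
        return "no discrepancy"
    if d in entries:
        return "omission"          # case (d): the difference equals one entry
    if d % 2 == 0 and d // 2 in entries:
        return "sign error"        # case (a): half the difference equals one entry
    if d % 9 == 0:
        return "transposition"     # case (b): divisible by 9
    if is_single_column(d):
        return "transcription"     # case (c): one digit wrong in one column
    return "undetermined"


# Constructed batch of six amounts: it sums to the problem's correct total of $29,341.28 and
# contains the four amounts named in the analysis; the other two are made up.
BATCH = [cents(a) for a in ("2,626.28", "4,566.86", "2,772.42", "1,762.62", "5,000.00", "12,613.10")]


def faulty_totals(entries):
    """Recompute the batch four ways, each with the clerical error from one of cases (a)-(d)."""
    e = list(entries)
    correct = sum(e)
    return {
        "a": correct - 2 * e[0],                     # 2,626.28 subtracted instead of added
        "b": correct - e[1] + cents("4,656.86"),     # 4,566.86 keyed as 4,656.86
        "c": correct - e[2] + cents("3,772.42"),     # 2,772.42 keyed as 3,772.42
        "d": correct - e[3],                         # 1,762.62 left out
    }


if __name__ == "__main__":
    for n in range(10, 20):
        print(n, adjacent_transpositions(n), transposition_differences_divisible_by_9(n))
    for case, total in faulty_totals(BATCH).items():
        print(f"({case}) recomputed ${total / 100:,.2f}: {diagnose_batch_difference(BATCH, total)}")
```

The tests in the diagnosis are ordered from most to least specific: a difference that equals an entry (or half of one) is stronger evidence than mere divisibility by 9, and a divisible-by-9 difference such as $90.00 would otherwise also pass the single-column test.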

8.5

The following edit checks might be used to detect errors during the typing of answers to the input
cues:
Validity check of operator access code and password - ensures that the operator is
authorized to access computer programs and files. Also use of expense account #
- ensures that the proper expense account number is used.
Compatibility test of operator request to access payroll file - ensures that this
operator has been granted authority to access and modify payroll records.
Field check - ensures that numeric characters are entered into and accepted by the
system in fields where only numeric characters are required; e.g., numbers 0-9 in a
social security number.
Field check - ensures that letters are entered into and accepted by the system in
fields where only letters are required; e.g., letters A-Z in employee name.
Field check - ensures that only specific special characters are entered into and
accepted by the system where only these special characters are required; e.g.,
dashes in a social security number.
Sign check - ensures that positive or negative signs are entered into and accepted
by the system where only such signs are required to be entered or that the absence
of a positive or negative sign appears where such an absence is required; e.g.,
hours worked.
Validity check - ensures that only authorized data codes will be entered into and
accepted by the system where only such authorized data codes are required; e.g.,
authorized employee account numbers.
Range check - ensures that only data values within a predetermined range will be
entered into and accepted by the system; e.g., rate per hour for new employees
cannot be lower than the minimum set by law or higher than the maximum set by
management.
Size check - ensures that only data using fixed or defined field lengths will be
entered into and accepted by the system; e.g., number of dependents requires
exactly two digits.
Check digit - ensures that only specific code numbers prepared by using a
specific arithmetic operation will be entered into and accepted by the system.
This may not be needed if the more powerful validity checks are properly used.
Completeness test - ensures that no blanks will be entered into and accepted by
the system when data should be present; e.g., an "S" or "M" is entered in response
to single or married?
Overflow check - ensures that no digits are dropped if a number becomes too
large for a variable during processing; e.g., hourly rates "on size errors" are
detected.
Control-total check - ensures that no unauthorized changes are made to specified
data or data fields and all data have been entered.
Reasonableness test - ensures that unreasonable combinations of data are
rejected; e.g., overtime hours cannot be greater than zero if regular hours are less
than 40.
Limit check - ensures that inputs do not exceed a specified limit; e.g., overtime
hours cannot exceed 40.
(CPA Examination, adapted)
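As an added example (not part of the solutions manual), the following Python shows the check digit, validity check and closed-loop verification items from the list above working together on an account number. The "specific arithmetic operation" is not named on the page; the Luhn (mod 10) algorithm is assumed here, and the customer master file is constructed.

```python
# Constructed customer master file: account numbers carry a Luhn (mod 10) check digit as their last
# digit. Luhn is the assumed "specific arithmetic operation"; the problem names none.
def luhn_check_digit(base):
    """Digit that makes base + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:        # rightmost base digit is doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def with_check_digit(base):
    return base + luhn_check_digit(base)


def luhn_valid(number):
    """Check digit verification: recompute the digit from the body and compare with the one keyed."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


CUSTOMER_MASTER = {
    with_check_digit("7992739871"): "Acme Supply Co.",
    with_check_digit("1234567890"): "Baxter & Sons",
}


def verify_account(number):
    """Check digit verification, then a validity check against the master file, then the
    closed-loop echo of the customer name so the operator can confirm the right account."""
    if not luhn_valid(number):
        return ("rejected", "check digit verification failed")
    name = CUSTOMER_MASTER.get(number)
    if name is None:
        return ("rejected", "validity check failed: not on customer master file")
    return ("accepted", name)


if __name__ == "__main__":
    for keyed in ("79927398713", "79927398763", "79927398731", "55555555550"):
        print(keyed, verify_account(keyed))
```

The check digit catches single mis-keyed digits and adjacent transpositions without any file access, which is why it is cheap to apply at the keyboard; the validity check then rejects well-formed numbers that simply do not exist, and the echoed name lets the operator notice a valid but wrong account.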

8.6 a. The computer security weaknesses present at Gleicken Corporation that made it
possible for a disastrous data loss to occur include:

inadequate attention by top management to EDP facilities planning and security
concerns.

housing the data processing facility in a building with exposed wooden beams and
a wood-shingled exterior, rather than in a building constructed of fire retardant
materials.

lack of a sprinkler (Halon) system, a fire suppression system under a raised floor,
and fire doors.

preparing tape backups too infrequently (weekly).

data and program tapes, especially the backup copies, should not be stored on
open shelves in the data processing area. Working copies should be stored in a
separate library area constructed of fire retardant materials, while backup copies
should be stored off-site.

lack of a written disaster recovery plan with arrangements in place to use an
alternate off-site computer center in the event of a disaster or an extended service
interruption. While a phone list of data processing personnel exists, there is no
indication that responsibilities have been assigned as to actions to be taken in the
event of a disaster.

lack of complete systems documentation kept outside the data processing area.

inadequate casualty insurance coverage.

b. The components that should have been included in the disaster recovery plan at
Gleicken Corporation in order to ensure computer recovery within 72 hours include
the following:

A written disaster recovery plan should be developed with review and approval by
senior management, data processing management, end-user management, and
internal audit.

Backup file copies should be prepared at least daily. Backup files and programs
should be stored at a secure off-site location that can be easily accessible in an
emergency.

The disaster recovery team should be organized. Select the disaster recovery
manager, identify the tasks, segregate into teams, develop an organization chart
for disaster procedures, match personnel to team skills and functions, and assign
duties and responsibilities to each member.

The duties and responsibilities of the recovery team include obtaining use of a
previously arranged alternate data processing facility; activating the backup
system and network; retrieving backup data files and programs; restoring
programs and data; processing critical applications; and reconstructing data
entered into the system subsequent to latest saved backup/restart point.

c. Factors, other than those included in the disaster recovery plan itself, that should be
considered when formulating the plan include:

arranging business interruption insurance in addition to liability insurance.

ensuring that all systems and operations documentation is kept up to date, and that
backup copies are maintained off-site, easily accessible for use in case of disaster.

performing a risk/cost analysis to determine the level of expense that may be
justified to obtain reasonable, as opposed to certain, assurance that disaster
recovery can be achieved in 72 hours. For example, is the purchase of a duplicate
hardware set-up at another location justified?

d. Other threats (besides fire) from which Gleicken should have protected itself are:
earthquake
theft/burglary
intense sunlight through the skylights
(CMA Examination, adapted)

8.7 Student solutions will vary depending on the template they select. Templates are
available in Adobe PDF or Microsoft Word format.

8.8

The following represents one way to solve this problem. To check student solutions, the
instructor will have to collect electronic copies of this assignment to verify that students have
implemented the checks assigned in the problem.

Supporting Formulas:
F5 (Monthly Payment): =PMT(Rate/12,PMTs*12,-Mortgage)
F8 (Total Interest Paid): =SUM(C13:C372)
F9 (Principal Paid): =SUM(E13:E373)
G6 (Warning): =IF(F6>F5*0.5,"Warning: Extra principal payment is greater than 50% of the
total regular payment","")
G12 (Beginning Balance): =+Mortgage
A13 (Payment Number): =IF(ROWS($A$13:A13)>PMTs*12,0,ROWS($A$13:A13))
B13 (Principal balance at beginning of period): =IF(A13=0,0,IF(G12<=0,0,G12))
C13 (Interest): =IF(A13=0,0,IF(B13=0,0,IPMT(Rate/12,A13,PMTs*12,-Mortgage)))
D13 (Principal): =IF(A13=0,0,IF(B13=0,0,PPMT(Rate/12,A13,PMTs*12,-Mortgage)))
E13 (Monthly Principal + Extra Principal Payment):
=IF(A13=0,0,IF(B13=0,0,IF(H13=0,+D13+$F$6+G13,+D13+$F$6)))
F13 (Cumulative Principal): =+F12+E13
G13 (Principal balance at end of period): =IF(A13=0,0,IF(B13=0,0,Mortgage-(SUM($D$13:D13)+$F$6*A13)))
H13 (Marker): =IF(G13>=0,1,0)

Data Input Controls:

Field check to ensure only numeric data is entered in the “Life of loan in years”:

Range check to ensure that annual interest rates must be between 4% and 9% inclusive:

Limit check to verify that the amount of the loan is less than $300,000:

Reasonableness test: amount of extra principal payment cannot be greater than 50% of the initial
total monthly payment:
Cell Formula G6: =IF(F6>F5*0.5,"Warning: Extra principal payment is greater than 50% of the
total regular payment","")

Cross-footing balance checks to verify that total amount paid in principal plus extra principal
over the life of the loan equals original loan amount:

Cell Formula F9: =SUM(E13:E373)

Cell Formula E13 to end of the column:
=IF(A13=0,0,IF(B13=0,0,IF(H13=0,+D13+$F$6+G13,+D13+$F$6)))

Although this is not strictly a cross-footing balance, for an Excel based repayment schedule that
does not employ any Visual Basic programming code, this is an effective method to check for
any overpayment over the life of the loan when additional payments are included. Therefore,
students should be warned in advance that a strict cross-footing balance may not be possible and
to be flexible and to think creatively in meeting the control requirements of this problem.

Conditional limit check to calculate the final extra principal payment so that it does not reduce
the outstanding balance below zero:

Cell Formula E13 to end of the column:
=IF(A13=0,0,IF(B13=0,0,IF(H13=0,+D13+$F$6+G13,+D13+$F$6)))
Cell Formula H13: =IF(G13>=0,1,0)

For an Excel based repayment schedule that does not employ any Visual Basic programming
code, this is an effective method to check for the final payment over the life of the loan when
additional payments are included. The “Marker (column H)” cell is used to track when the
balance at the end of the period goes negative; i.e., the loan has been repaid, but the last normal
payment exceeds the last remaining balance. The final payment is then equal to the normal
payment less the amount that would be overpaid if a full normal payment is made as the final
payment on the loan. The final payment is found as the last non-zero amount in the
“Monthly Principal + Extra Principal Payment” column. Therefore, students should be warned in
advance to be flexible and to think creatively in meeting the control requirements of this
problem.
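As an added example (not part of the solutions manual or of the spreadsheet it describes), the following Python reproduces the same controls in code: the field, range, limit and reasonableness checks on the inputs, the conditional limit on the final payment so the balance never goes below zero, and the cross-footing check that principal paid over the life of the loan equals the loan amount. Names and thresholds follow the problem text; one assumption differs from the spreadsheet: interest here accrues on the actual remaining balance, whereas the IPMT/PPMT formulas above take it from the original amortization schedule.

```python
def pmt(monthly_rate, n_payments, principal):
    """Level monthly payment that amortises `principal` over `n_payments`;
    equals Excel's PMT(Rate/12, PMTs*12, -Mortgage) used in cell F5."""
    if monthly_rate == 0:
        return principal / n_payments
    return principal * monthly_rate / (1 - (1 + monthly_rate) ** -n_payments)


def validate_inputs(loan, annual_rate, years, extra):
    """Data input controls from the problem; returns a list of messages (empty = inputs accepted)."""
    problems = []
    # Field check: every input must be numeric.
    for name, value in (("loan", loan), ("rate", annual_rate), ("years", years), ("extra", extra)):
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            problems.append(f"{name}: field check failed (numeric value required)")
    if problems:
        return problems
    if not 0.04 <= annual_rate <= 0.09:                    # range check
        problems.append("rate: range check failed (4% to 9% inclusive)")
    if loan >= 300_000:                                    # limit check
        problems.append("loan: limit check failed (must be less than $300,000)")
    if years <= 0 or years != int(years):
        problems.append("years: field check failed (whole number of years required)")
    elif extra > 0.5 * pmt(annual_rate / 12, years * 12, loan):   # reasonableness test
        problems.append("extra: warning, extra principal payment exceeds 50% of the regular payment")
    return problems


def amortization_schedule(loan, annual_rate, years, extra=0.0):
    """Schedule with a fixed extra principal payment each month. Interest accrues on the actual
    remaining balance (assumption; the spreadsheet's IPMT/PPMT use the original schedule)."""
    r = annual_rate / 12
    n_payments = years * 12
    payment = pmt(r, n_payments, loan)
    rows, balance = [], float(loan)
    for n in range(1, n_payments + 1):
        if balance <= 0.005:                 # repaid early thanks to the extra payments
            break
        beginning = balance
        interest = balance * r
        # Conditional limit check: regular principal + extra may never exceed what is still owed,
        # so the final payment is reduced rather than driving the balance below zero.
        principal_paid = min(payment - interest + extra, balance)
        balance -= principal_paid
        rows.append({"n": n, "beginning_balance": beginning, "interest": interest,
                     "principal_paid": principal_paid, "ending_balance": balance})
    return payment, rows


def crossfoot_ok(loan, rows, tolerance=0.01):
    """Cross-footing balance check: principal paid over the life of the loan equals the loan."""
    return abs(sum(row["principal_paid"] for row in rows) - loan) < tolerance


if __name__ == "__main__":
    loan, rate, years, extra = 200_000, 0.06, 30, 200.0
    print(validate_inputs(loan, rate, years, extra) or "inputs accepted")
    payment, rows = amortization_schedule(loan, rate, years, extra)
    print(f"regular payment {payment:,.2f}; paid off after {len(rows)} months; "
          f"final principal {rows[-1]['principal_paid']:,.2f}; crossfoot ok: {crossfoot_ok(loan, rows)}")
```

The capped final payment plays the role of the marker column: once the balance is smaller than a regular payment plus the extra amount, the row pays exactly the balance and the schedule stops, so the cross-footing check holds whether or not extra payments shorten the term.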

8.9

Option  Type of Backup             Time to Backup                     Size of Backup                   Time to Restore
A       Full Daily Backup          300 Minutes (5 days * 60 minutes)  250 GB (5 days * 50 GB)          300 Minutes (5 days * 60 Minutes)
        Total                      300 Minutes                        250 GB                           300 Minutes

B       Full Weekly Backup         60 Minutes                         50 GB                            60 Minutes
        Daily Incremental Backup   50 Minutes (5 days * 10 minutes)   40 GB (5 days * 8 GB)            25 Minutes (5 days * 5 minutes)
        Total                      110 Minutes                        90 GB                            85 Minutes

C       Full Weekly Backup         60 Minutes                         50 GB                            60 Minutes
        Daily Differential Backup  75 Minutes (5 days * 15 minutes)   30 – 150 GB (5 days * 6-30 GB)   40 Minutes (5 days * 8 minutes)
        Total                      135 Minutes                        80 – 180 GB                      100 Minutes

The full weekly backup with a daily incremental backup is the best option based on time to
backup, size of backup and the time to restore.

8.10 (Note: In order to access the 76 page control framework, students must first register on
the website with ISACA.)
Trust Services Framework Principle
Cobit Control Objective                                        Security  Confidentiality  Privacy  Processing Integrity  Availability
PO1 – Define a strategic IT plan                               X X X X X
PO2 – Define the information architecture                      X X X X X
PO3 – Determine technological direction                        X X
PO-4 Define the IT processes, organization and relationships   X X X
PO-5 Manage the IT investment
PO-6 Communicate management aims and direction                 X
PO-7 Manage IT human resources                                 X
PO-8 Manage quality                                            X X
PO-9 Assess and manage IT risks                                X X X
PO-10 Manage Projects

AI1-Identify automated solutions                               X
AI2-Acquire and maintain application software                  X X X
AI3-Acquire and maintain technology infrastructure             X X
AI4-Enable operation and use                                   X X
AI5-Procure IT resources                                       X
AI6-Manage changes                                             X X
AI7-Install and accredit solutions and changes                 X X

DS1-Define and manage service levels                           X
DS2-Manage third-party services                                X X X X
DS3-Manage performance and capacity                            X
DS4-Ensure continuous service                                  X X X
DS5-Ensure systems security                                    X X X X
DS6-Identify and allocate costs
DS7-Educate and train users                                    X
DS8-Manage service desk and incidents                          X
DS9-Manage the configuration                                   X
DS10-Manage problems                                           X X
DS11-Manage data                                               X X X X X
DS12-Manage the physical environment                           X X X X X
DS13-Manage operations                                         X X X X

ME1-Monitor and evaluate IT performance                        X X
ME2-Monitor and evaluate internal control                      X X
ME3-Ensure compliance with external requirements               X
ME4-Provide IT governance                                      X X

8.11

a. Reasonableness check between fields indicating salaried and hours field.

b. All files should have header labels to identify their contents, and all programs should
check these labels before processing transactions against the file.

c. A field check should be performed to check whether all characters entered in this field
are numeric. There should be a prompt correction and re-processing of erroneous
transactions.

d. A reasonableness test of quantity ordered relative to the product if 50 is an unusually
large number of monitors to be ordered at one time. Closed-loop verification to make
sure that the stock number matches the item that is ordered.

e. An uninterruptible power system should be used to provide a reserve power supply in
the event of power failure.

f. Fireproof storage and maintenance of duplicate files at an off-site location.

g. A reasonableness test of quantity on hand.

h. A completeness check to check whether all required fields were filled in.

i. Check digit verification on each customer account number and a validity check for
actual customers should have caught this error.

j. A size check would prevent 400 characters from being entered into a field that allows
for only 5 characters.

k. Concurrent update controls protect records from errors when more than one salesman
tries to update the inventory database by locking one of the users out of the database
until the first salesman’s update has been completed.

l. A limit check based on the original sales date.

m. Check digit verification on each customer account number and a validity check for
actual customers and closed loop verification.

n. Check digit verification on each customer account number and a validity check for
actual customers and closed loop verification.

o. A completeness check for all payroll checks and a hash total using employee
numbers.

p. Encrypting the email containing the bid would have prevented the competitor from
reading the email even if they could have intercepted the email.

q. Parity checks and echo checks will test for data transmission errors.

8.12 (Adapted from CMA Exam. June 1994, Part 4, Question 3)

a.
1. Systems documentation is prepared when someone has the time to do it,
consequently, documentation will likely be incomplete and not current.

2. The systems and programming staff have access to the computer room without
supervision of the operations staff. The programmers could alter the data files or
operational programs.

3. The location of the computing facility on the ground floor behind large plate glass
windows invites attention, risk exposure, and risk of damage due to flooding.

4. There does not appear to be any regularly scheduled backups.

b.
1. Off-site alternatives for continuation of service including contingency plans for
temporary operations, hot sites, vendor sites, service bureau sites, etc. MonsterMed
should maintain arrangements with computer equipment vendors to provide
availability of hardware to replace damaged hardware as soon as practical.

2. Off-site storage of program and data files, documentation, and supplies.

3. Detailed procedures for recovery including instructions for obtaining off-site storage,
planning a communications link between headquarters and the emergency site, as well
as telephone and cell phone numbers of all team members.

4. Procedures for on-going control and maintenance of a temporary site.

5. Testing and training for plan implementation including testing each department
individually, testing the whole plan; i.e., a mock disaster, trial runs, testing backup
procedures, testing restore operations, and recording test results.

(CMA Examination, adapted)

© 2009 Pearson Education, Inc. Publishing as Prentice Hall
