Internal Control Homework

Chapter 2 questions for James Hall, Information Technology Auditing and Assurance

Disclaimer: The data processing section on page 36 strikes me as somewhat out of date. There are few data entry operators left out there and data center operations have changed/diminished a lot since Hall wrote this section.

Score:    3/6 for writing    24 /24 for content. =   27/30.

You should learn to better focus on exactly what was asked. Saying more is ok. But be sure you answer the heart of the question.

You added the key points but I was thinking students would revise their old answers to make a shiny new ones. +29/30

1. Briefly contrast end users, system professionals, and stakeholders as discussed on pages 36-37. Which of those categories include people who maintain systems? What percentage of maintenance total system lifecycle costs are maintenance costs?

System professionals design and build systems based on facts to form a new information system for end users who desire to work more efficiently and effectively. Stakeholders are relevant people in the system except for end users;

System developers (not the original programmers) include people who maintain systems;

80 or 90 percent.

“System developers” are not one of the categories, system professional are. System professionals are also not stakeholders. You are right but your answer was a bit imprecise/ not on point.

                Stakeholders have an interest in the system

1. The text suggests three separation of duties paradigms (pp 37-38) How might having developers operate a system create problems for an organization? How might having the original developers maintain a system create problems for an organization?  Note: Understanding this risk is important even if separate development and maintenance teams are not created. There are certainly downsides to separating these processes.

Having developers operate a system may result in a problem that they make unauthorized changes to the application during the execution. And the changes may be temporary and will disappear without a trace when the application terminates.

Having original developers maintain a system may create program fraud problem. The original programmer may conceal fraudulent code among the codes, if they are also in charge of maintenance work, no one would detect the fraudulent act.        Very nice.

1. Contrast the centralized and decentralized approaches described in the text:

1. Explain how each might reduce costs.

Centralized approach: operating costs are charged back to the end users Does this reduce cost or just pass it along? 

Yeah, it just passes along. Centralized approach reduces cost by generating economies of scale. Decentralized  reduces cost by having users enter their own data and by lowering the maintenance costs.

Decentralized approach: it doesn’t require large, expensive and powerful computers; while inexpensive microcomputers and minicomputers can also perform the function, and additionally, data can be edited and entered by the end user, which eliminates centralized task of data preparation. Application complexity can be reduced, which reduces systems development and maintenance costs.

1. Explain how each might lead to systems that better meet organizational needs.

Centralized approach: All data processing is performed by one or more large computers. Organization resource is shared so that end users can pick information on the basis of need.

Decentralized approach: It improves cost control responsibility and user satisfaction. And there is more backup flexibility. All computer services are distributed to end users, which eliminates central IT function from organizational structure. Does all of your answer focus on “better meet needs”? it is not clear that “eliminate central IT function has to do with meeting needs.

Centralized: support integration of tasks as shared resources are better protected.

Decentralized: more efficiency, higher satisfaction

1. For two of the computer center audit procedures on pages 47 and 48, (a) explain what risk is being addressed (include a business risk element), (b) how the control works, and (c) what evidence is collected and what it would show. You’ll have to do some translating and integration. Control = policy, procedure , or information system. The risks are explained in earlier pages.

1. Risk: Physical location and construction; Test of physical construction: obtain architectural plans; evidence: computer center is solidly built of fireproof material, adequate drainage under raised floor, facility is located in an area that minimizes its exposure to fire, civil unrest and other hazards.

2. Risk: Access;  Test of access control: the auditor should establish that routine access to the computer center is restricted to authorized employees.  Evidence: details about visitor access, such as arrival and departure times, purposes, etc. by reviewing the access log

...