Post on 01-Nov-2018
Certified Internal Auditor Part III
Information Technology II
Agenda:
• Functional Areas of IT Operations
• Encryption
• Information Protection
• Investment in IT
• Enterprise-Wide Resource Planning (ERP)
• System Software
• Application Development
• Program Change Control
• End-User Computing (EUC)
1. Functional Areas of IT Operations:
Organizational Control
• Segregation of duties within the IT environment is an IT general
control: it supports the efficiency and effectiveness of IT operations by
ensuring that no single person can both make a change and control the
production system it affects.
• Typical IT organizational structure:
  Chief Information Officer (CIO)
  - IT Development: system analyst, programmer
  - IT Infrastructure & Operation: IT operator, helpdesk, system
    administrator, network administrator, database administrator
  - IT Security: security administrator
  - Webmaster
  - End user
1. Functional Areas of IT Operations:
Responsibilities of IT Personnel:
1. System analysts:
• Analyze and design computer information systems.
• Survey the existing system.
• Analyze the organization’s information requirements.
• Design new systems to meet the requirements.
• The design specification will be used to guide the preparation of
programs.
• They are usually involved during the initial phase of the system
development life cycle (SDLC).
• System analysts should not have access to the computer operations
center, production programs, or data files.
1. Functional Areas of IT Operations:
Responsibilities of IT Personnel: (cont.)
2. Programmers:
• Design, write, test, and document programs according to
specification.
• Programmers (as well as analysts) may be able to modify programs,
data files, and controls. Thus, they should not have access to the
computer operations center, production programs, or data files.
3. IT Operators:
• Responsible for the day-to-day functioning of the computer center:
load data, mount storage devices, and operate the equipment.
• They should not be assigned programming duties or system design.
• Ideally, operators should not have programming knowledge.
1. Functional Areas of IT Operations:
Responsibilities of IT Personnel: (cont.)
4. Help Desks:
• Usually a responsibility of IT operations.
• Responsible for:
  - Logging reported problems,
  - Resolving minor problems,
  - Forwarding more difficult problems to the appropriate IT resources
    (e.g., technical support unit or vendor assistance).
5. System Administrator / System Programmer:
• Install, support, and maintain servers or other computer systems.
• Responsible for documenting the configuration of the system.
• Plan for and respond to service outages and other problems.
1. Functional Areas of IT Operations:
Responsibilities of IT Personnel: (cont.)
6. Network Administrator / Network Technician:
• Maintain network devices (bridges, hubs, routers, etc.).
• Responsible for maintaining the organization’s connections to other
networks, e.g., the Internet.
7. Database administrator (DBA):
• Responsible for developing and maintaining the database.
• Establishes controls to protect its integrity.
• Only the DBA should be able to update data dictionaries.
• In large applications, the DBA’s primary tool is a database
management system (DBMS).
1. Functional Areas of IT Operations:
Responsibilities of IT Personnel: (cont.)
8. Security Administrator:
• Develops and periodically reviews the IT security policy.
• Issues and maintains authorized user IDs and passwords (but should
not keep a readable list of users’ passwords; the system should store
only password hashes).
• Prepares and monitors the security awareness program for all
employees.
• Monitors security violations and takes corrective action.
9. Webmaster:
• Responsible for the content of the organization’s website.
• Works closely with programmers and network technicians.
• Ensures the appropriate content is displayed and the site is reliably
available to users.
10. End Users
• Need access only to application data and functions.
Questions
1. The practice of maintaining a test program library separate from the
production program library is an example of
A. An organizational control.
B. Physical security.
C. An input control.
D. A concurrency control.
2. An organization’s computer help-desk function is usually a responsibility
of the
A. Applications development unit.
B. Systems programming unit.
C. Computer operations unit.
D. User departments.
3. When a new application is being created for widespread use in a large
organization, the principal liaison between the IT function and the rest of
an organization is normally a(n)
A. End user.
B. Application programmer.
C. Maintenance programmer.
D. System analyst.
4. In the organization of the information systems function, the most
important separation of duties is
A. Not allowing the data librarian to assist in data processing operations.
B. Assuring that those responsible for programming the system do not
have access to data processing operations.
C. Having a separate information officer at the top level of the
organization outside of the accounting function.
D. Using different programming personnel to maintain utility programs
from those who maintain the application programs.
5. The duties properly assigned to an information security officer could
include all of the following except
A. Developing an information security policy for the organization.
B. Maintaining and updating the list of user passwords.
C. Commenting on security controls in new applications.
D. Monitoring and investigating unsuccessful access attempts.
6. Which of the following represents an internal control weakness in a
computer-based system?
A. Computer programmers write and revise programs designed by
analysts.
B. The end users are responsible for reconciling reports and other
output.
C. The computer librarian maintains custody and record keeping for
computer application programs.
D. Computer operators have access to operator instructions and the
authority to change programs.
7. In a large organization, the biggest risk in not having an adequately
staffed information center help desk is
A. Increased difficulty in performing application audits.
B. Inadequate documentation for application systems.
C. Increased likelihood of use of unauthorized program code.
D. Persistent errors in user interaction with systems.
2. Encryption:
2.1 Overview:
• Definition: converts data into code.
  - A program encodes (encrypts) data prior to transmission.
  - Another program decodes (decrypts) it after transmission.
• Unauthorized users may still be able to access the data, but, without
the encryption key, they will be unable to decode the information.
• Encryption technology may be either hardware (HW) or software (SW) based.
• Data encryption increases system overhead (20%-30%).
• Encryption SW uses (1) a fixed algorithm to manipulate plaintext and
(2) an encryption key to introduce variation.
Diagram: DATA (plain text) -> [key & algorithm] -> 04012001 (cipher text)
-> [key & algorithm] -> DATA (plain text)
2. Encryption:
2.1 Overview: (cont.)
• Basic algorithm: each letter is replaced by a two-digit code.
  A = 01, B = 02, C = 03, D = 04, E = 05, F = 06, G = 07, H = 08, I = 09,
  J = 10, K = 11, L = 12, M = 13, N = 14, O = 15, P = 16, Q = 17, R = 18,
  S = 19, T = 20, U = 21, V = 22, W = 23, X = 24, Y = 25, Z = 26
• Encryption without key (algorithm only): the plain text is reversed and
then encoded.
  Encryption: DATA (plain text) -> ATAD -> 01200104 (cipher text)
  Decryption: 01200104 (cipher text) -> ATAD -> DATA (plain text)
  Anyone who knows the algorithm can decode the cipher text.
• Basic algorithm with a key: after encoding, the key is added to each
two-digit code, wrapping around after 26 (20 + 10 = 30 -> 04).
  Key +10:
  Encryption: DATA -> ATAD -> 01200104 -> 11041114 (cipher text)
  Decryption with key: 11041114 -> 01200104 -> ATAD -> DATA (plain text)
  Key +2:
  Encryption: DATA -> ATAD -> 01200104 -> 03220306 (cipher text)
  Decryption with key: 03220306 -> 01200104 -> ATAD -> DATA (plain text)
  Decryption without key (algorithm only): 03220306 -> CVCF -> FCVC,
  which is not the original plain text.
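The cipher on the two slides above, implemented as an added example (this is not code from the original slides): two-digit letter codes, the fixed reversal step, and an additive key that wraps within 1..26. The `brute_force` helper goes beyond the slides by trying every possible key, which is the point made about DES and 3DES key sizes below: with only 26 keys, the key adds no real protection once the algorithm is known. Only the letters A-Z are handled, as in the slide's table.

```python
"""Toy cipher from the slides: A=01 ... Z=26, the word is reversed (the fixed
algorithm) and a numeric key is added to each code, wrapping within 1..26.
Added example, not code from the original slides; only letters A-Z are handled."""

ALPHABET_SIZE = 26


def letter_to_code(ch: str) -> int:
    """'A' -> 1 ... 'Z' -> 26, as in the slide's table."""
    code = ord(ch.upper()) - ord("A") + 1
    if not 1 <= code <= ALPHABET_SIZE:
        raise ValueError(f"unsupported character: {ch!r}")
    return code


def code_to_letter(code: int) -> str:
    return chr(ord("A") + code - 1)


def shift(code: int, key: int) -> int:
    """Add the key to a 1..26 code, wrapping past 26 (so 20 + 10 -> 04 as on the slide)."""
    return (code - 1 + key) % ALPHABET_SIZE + 1


def encrypt(plaintext: str, key: int = 0) -> str:
    """Reverse, encode each letter, then shift by the key; key=0 is 'encryption without key'."""
    reversed_text = plaintext[::-1]
    codes = [shift(letter_to_code(c), key) for c in reversed_text]
    return "".join(f"{c:02d}" for c in codes)


def decrypt(ciphertext: str, key: int = 0) -> str:
    """Undo the shift, decode each two-digit pair, then undo the reversal."""
    if len(ciphertext) % 2:
        raise ValueError("cipher text must be an even number of digits")
    codes = [int(ciphertext[i:i + 2]) for i in range(0, len(ciphertext), 2)]
    letters = [code_to_letter(shift(c, -key)) for c in codes]
    return "".join(letters)[::-1]


def brute_force(ciphertext: str) -> dict:
    """Every candidate plain text: the key space is only 26, so an attacker
    who knows the algorithm needs no key at all, just a short loop."""
    return {k: decrypt(ciphertext, k) for k in range(ALPHABET_SIZE)}


if __name__ == "__main__":
    print(encrypt("DATA"))              # 01200104  (algorithm only)
    print(encrypt("DATA", 10))          # 11041114  (key +10)
    print(decrypt("03220306"))          # FCVC      (key +2 cipher text read without the key)
    print(decrypt("11041114", 10))      # DATA
    print(brute_force("11041114")[10])  # DATA
```

Reading `brute_force` output, the one candidate that is an English word is the plain text; that is exactly the search a 56-bit DES key makes expensive and a 26-entry key space makes instant.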
2. Encryption:
2.2 Types of Encryption:
• 2 major types of encryption SW:
  I. Symmetric-key (secret-key / private-key)
     • Data Encryption Standard (DES)
     • Triple Data Encryption Standard (3DES)
     • Advanced Encryption Standard (AES)
  II. Asymmetric-key (public-key & private-key)
     • RSA (Rivest, Shamir, and Adleman)
2. Encryption:
2.2 Types of Encryption:
Symmetric-key (Secret-key)
• Refers to encryption methods in which both the sender and receiver
share the same key.
• Considered less secure than public-key encryption because the single
key must be distributed to, and protected by, every party that uses it.
• Examples:
Data Encryption Standard (DES)
• Developed by the U.S. government.
• Historically the most prevalent secret-key method; it has since been
withdrawn as a standard because its key is too short.
• Based on a 56-bit key.
Triple Data Encryption Standard (3DES)
• When it was found that the 56-bit key of DES was not
enough to guard against brute-force attacks, 3DES was
chosen as a simple way to enlarge the key space
without a need to switch to a new algorithm.
Advanced Encryption Standard (AES)
• Replaces 3DES.
• Developed to protect sensitive information.
2. Encryption:
2.2 Types of Encryption:
Symmetric-key (Secret-key)
• Key generation: the sender (A) generates one private key (private key A)
and shares it with the receiver (B); both hold the same key.
• Send message: Sender (A): DATA (plain text) -> [private key A] ->
04012001 (cipher text) -> Receiver (B): [private key A] -> DATA (plain text)
2. Encryption:
2.2 Types of Encryption:
Asymmetric-key (Public-key/Private-key)
• Public-key/private-key (asymmetric) encryption requires 2 keys:
  - Public key: for encoding messages; widely known.
  - Private key: for decoding messages; kept secret by the recipient.
• Advantages:
  - The message is encoded using one key and decoded using another.
  - Neither party knows the other’s private key.
  - Key management is more secure than in a secret-key system: only the
    public key is ever distributed, and the private key is held by one
    party only.
• A certificate authority (e.g., VeriSign, Thawte, GoDaddy) vouches for
the key pair by issuing a certificate that binds the public key to its
holder. The holder normally generates the pair itself and submits only
the public key to the CA; the private key is never disclosed.
• Asymmetric-key is more secure than a single-key system.
• Example: RSA (Rivest, Shamir, and Adleman), the most commonly
used public-key/private-key method.
2. Encryption:
2.2 Types of Encryption:
Asymmetric-key (Public-key/Private-key)
• Key generation: Sender (A) holds public key A and private key A;
Receiver (B) holds public key B and private key B.
• Send message: Sender (A): DATA (plain text) -> [public key B] ->
04012001 (cipher text) -> Receiver (B): [private key B] -> DATA (plain
text). The sender encrypts with the receiver’s public key; only the
receiver’s private key can decrypt.
2. Encryption:
2.2 Types of Encryption:
Digital signature:
• A public key/private key system is used to create digital signatures
(electronic fingerprints).
• It is a means of authenticating an electronic document, e.g., the
validity of a purchase order, acceptance of a contract, or financial
information.
• One variation is to send the message in both plaintext and ciphertext. If
the decoded version matches the plaintext version, no alteration has
occurred.
• The sender uses its private key to encode all or part of the message, and
the recipient uses the sender’s public key to decode it. In practice the
sender signs a hash (digest) of the message rather than the whole message;
the recipient recomputes the hash and compares it with the decoded value.
Diagram: Sender: Message (plain text) -> [sender’s private key] ->
@%$&*#$% (cipher text) -> Recipient: [sender’s public key] -> Message
(plain text)
2. Encryption:
2.2 Types of Encryption:
Digital Certificate:
• It is another means of authentication used in e-business to provide
assurance to customers that a website is genuine.
• The certificate authority (CA) issues a coded electronic certificate
that contains the
  - Holder’s name
  - A copy of its public key
  - A serial number
  - An expiration date
  - The CA’s digital signature over these fields
• The certificate verifies the holder’s identity.
2. Encryption:
2.2 Types of Encryption:
Digital Certificate: (cont.)
• The recipient of a coded message uses the certificate authority’s
public key (available on the Internet and pre-installed in the web
browser) to verify the CA’s signature on the certificate included in
the message.
• The recipient then determines that the certificate was issued by the
certificate authority.
• Moreover, the recipient can use the sender’s public key and
identification data to send a coded response.
• Such methods might be used for transactions between sellers and
buyers using credit cards.
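How the three pieces above fit together (the public-key exchange, the digital signature, and the CA-signed certificate), as an added example that is not code from the original slides. It uses textbook RSA with small Mersenne primes and no padding, signs a SHA-256 digest reduced modulo n, and represents a certificate as a dictionary; the names alice.example and mallory.example and the purchase-order text are invented. Real deployments use 2048-bit or larger moduli, PKCS#1/PSS padding, and X.509 certificates.

```python
"""Added example (not from the slides): textbook RSA, RSA signatures over a
SHA-256 digest, and a minimal CA-signed certificate. The parameters are far
too small and unpadded for real use; they only make the operations visible."""
import hashlib

# Mersenne primes used as toy RSA primes (assumption for the demonstration).
P_HOLDER, Q_HOLDER = 2**31 - 1, 2**61 - 1
P_CA, Q_CA = 2**89 - 1, 2**107 - 1
PUBLIC_EXPONENT = 65537


def keygen(p: int, q: int, e: int = PUBLIC_EXPONENT):
    """Return ((e, n), (d, n)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(m: int, pub) -> int:
    """Encrypt with the recipient's public key (m must be smaller than n)."""
    e, n = pub
    return pow(m, e, n)


def decrypt(c: int, priv) -> int:
    """Decrypt with the recipient's private key."""
    d, n = priv
    return pow(c, d, n)


def digest(message: bytes, n: int) -> int:
    """Hash the message and reduce it modulo n so that it can be signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, priv) -> int:
    """The sender 'encodes' the digest with its own private key."""
    d, n = priv
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, pub) -> bool:
    """Anyone holding the sender's public key recovers the digest and compares."""
    e, n = pub
    return pow(signature, e, n) == digest(message, n)


def _to_be_signed(holder: str, pub) -> bytes:
    return f"{holder}|{pub[0]}|{pub[1]}".encode()


def issue_certificate(holder: str, holder_pub, ca_priv) -> dict:
    """The CA binds the holder's name and public key by signing them."""
    return {"holder": holder, "public_key": holder_pub,
            "signature": sign(_to_be_signed(holder, holder_pub), ca_priv)}


def verify_certificate(cert: dict, ca_pub) -> bool:
    """A relying party checks the CA's signature with the CA's public key."""
    return verify(_to_be_signed(cert["holder"], cert["public_key"]),
                  cert["signature"], ca_pub)


if __name__ == "__main__":
    holder_pub, holder_priv = keygen(P_HOLDER, Q_HOLDER)
    ca_pub, ca_priv = keygen(P_CA, Q_CA)
    m = int.from_bytes(b"DATA", "big")
    print(decrypt(encrypt(m, holder_pub), holder_priv) == m)            # True
    sig = sign(b"purchase order 4711: 100 units", holder_priv)
    print(verify(b"purchase order 4711: 100 units", sig, holder_pub))   # True
    print(verify(b"purchase order 4711: 900 units", sig, holder_pub))   # False
    cert = issue_certificate("alice.example", holder_pub, ca_priv)
    print(verify_certificate(cert, ca_pub))                              # True
    print(verify_certificate(dict(cert, holder="mallory.example"), ca_pub))  # False
```

The last two calls are the certificate check a browser performs: the signature covers the holder name and public key together, so swapping either one invalidates it, which is what stops an impostor from presenting a genuine key under someone else's name.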
2. Encryption:
2.2 Types of Encryption:
Digital Certificate: (cont.) – HTTPS or SSL [screenshot]
Digital Certificate: (cont.) – Certificate [screenshot]
2. Encryption:2. Encryption:2. Encryption:
2.2 Types of Encryption:
Public Key Infrastructure:
• The public key infrastructure (PKI) permits secure monetary and
information exchange over the Internet.
Protocol:
• Protocol commonly used is SSL (Secure Sockets Layer), TLS (Transport
Layer Security), and HTTPS (Hypertext Transfer Protocol Secure).
Digital Time Stamping Services:
• They are used to verify the time (and possibly the place) of a
transaction.
• For example, a document may be sent to a service (Time Stamping
Authority), which applies its digital stamp and then forwards the
document.
Questions
1. A controller became aware that a competitor appeared to have access to
the company’s pricing information. The internal auditor determined that
the leak of information was occurring during the electronic transmission of
data from branch offices to the head office. Which of the following
controls would be most effective in preventing the leak of information?
A. Asynchronous transmission.
B. Encryption.
C. Use of fiber-optic transmission lines.
D. Use of passwords.
2. The use of message encryption software
A. Guarantees the secrecy of data.
B. Requires manual distribution of keys.
C. Increases system overhead.
D. Reduces the need for periodic password changes.
3. Which of the following is an encryption feature that can be used to
authenticate the originator of a document and ensure that the message is
intact and has not been tampered with?
A. Heuristic terminal.
B. Perimeter switch.
C. Default settings.
D. Digital signatures.
4. The encryption technique that requires two keys, a public key that is
available to anyone for encrypting messages and a private key that is
known only to the recipient for decrypting messages, is
A. Rivest, Shamir, and Adelman (RSA).
B. Data encryption standard (DES).
C. Modulator-demodulator.
D. A cypher lock.
5. To ensure privacy in a public key encryption system, knowledge of which
of the following keys would be required to decode the received message?
I. Private
II. Public
A. I.
B. II.
C. Both I and II.
D. Neither I nor II.
6. A client communicates sensitive data across the Internet. Which of the
following controls would be most effective to prevent the use of the
information if it were intercepted by an unauthorized party?
A. A firewall.
B. An access log.
C. Passwords.
D. Encryption.
3. Information Protection:
3.1 Malicious Software (Malware) & Controls:
• Malware is hostile, intrusive, or annoying software or program code
designed to secretly access a computer system without the owner’s
informed consent.
• Malware may exploit a known hole or weakness in an application or
operating system program to evade security measures.
• Such a vulnerability may have been caused by a programming error.
• It also may have been intentionally (but not maliciously) created to
permit a programmer simple access (a back door) for correcting the
code.
• Having bypassed security controls, the intruder can do immediate
damage to the system or install malicious software.
3. Information Protection:
3.1 Malicious Software (Malware) & Controls:
• Malware includes:
  - Trojan horse
  - Computer viruses
  - Worms
  - Logic bomb
  - Backdoor
  - Spyware
3. Information Protection:
3.1 Malicious Software (Malware):
• Malware includes:
1. Trojan Horse
• A Trojan horse, or Trojan, is malware that appears to be an innocent
program performing a desirable function for the user before it is
run or installed, but instead facilitates unauthorized access to the
user’s computer system.
• It is a harmful piece of software that looks legitimate. Users are
typically tricked into loading and executing it on their systems.
2. Computer Virus
• Program code that has the ability to reproduce by copying itself
from file to file.
• A true virus can spread from one computer to another (in some
form of executable code) when its host is taken to the target
computer; for instance because a user sent it over a network or
the Internet, or carried it on a removable medium such as a floppy
disk, CD, DVD, or USB drive.
• The virus may corrupt, destroy, or modify data, files, or programs
on a targeted computer.
3. Information Protection:
3.1 Malicious Software (Malware):
• Malware includes:
3. Worm
• A worm is self-replicating malware that copies itself not from
file to file, but from computer to computer.
• It uses a computer network to send copies of itself to other
computers on the network, and it may do so without any user
intervention.
• Repeated replication overloads a system by depleting memory or
disk space (denial of service).
4. Logic bomb
• A logic bomb is a piece of code intentionally inserted into a
software system that will set off a malicious function when
specified conditions are met.
• For example, a programmer may hide a piece of code that starts
deleting files should the programmer ever be terminated by the company.
• Software that is inherently malicious, such as viruses and worms,
often contains logic bombs that execute certain code at a predefined
time or when some other condition is met.
3. Information Protection:
3.1 Malicious Software (Malware):
• Malware includes:
5. Backdoor
• A backdoor is a malicious computer program, or a particular means,
that provides the attacker with unauthorized remote access to a
compromised system by exploiting vulnerabilities of installed
software and bypassing normal authentication.
• A backdoor in a login system might take the form of a hard-coded
user and password combination that gives access to the system.
6. Spyware
• Spyware is a type of malware that can be installed on computers,
and which collects small pieces of information about users
without their knowledge.
• The presence of spyware is typically hidden from the user, and
can be difficult to detect.
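The hard-coded credential backdoor described above, shown beside a hardened login routine, as an added example that is not code from the original slides. The user store, the maint/letmein credential, and the user names are invented for the demonstration; the hardened version stores only salted PBKDF2 hashes and has no special-case branch that bypasses the store.

```python
"""Added example, not from the slides: a login check with a hard-coded
backdoor credential beside a hardened version. All names and the sample
credentials are invented for the demonstration."""
import hashlib
import hmac
import os

# ---- Vulnerable: a maintenance credential compiled into the program ----------
BACKDOOR_USER, BACKDOOR_PASSWORD = "maint", "letmein"   # invented backdoor values


def login_with_backdoor(users: dict, username: str, password: str) -> bool:
    """Plaintext passwords in the store, plus a special case that skips it."""
    if username == BACKDOOR_USER and password == BACKDOOR_PASSWORD:
        return True                       # no account needed: the backdoor
    stored = users.get(username)
    return stored is not None and stored == password


# ---- Hardened: salted PBKDF2 hashes, constant-time compare, no special case --
ITERATIONS = 100_000
_DUMMY = {"salt": bytes(16), "iterations": ITERATIONS, "hash": bytes(32)}


def make_record(password: str) -> dict:
    """Store a per-user random salt and the PBKDF2-HMAC-SHA256 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def login_hardened(users: dict, username: str, password: str) -> bool:
    """Every login goes through the same hash-and-compare path; unknown users
    are checked against a dummy record so timing does not reveal which
    usernames exist, and no username is exempt from the check."""
    record = users.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return username in users and hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    legacy_store = {"alice": "s3cret"}
    print(login_with_backdoor(legacy_store, "maint", "letmein"))   # True: backdoor
    store = {"alice": make_record("s3cret")}
    print(login_hardened(store, "alice", "s3cret"))                # True
    print(login_hardened(store, "maint", "letmein"))               # False
```

The review check that finds the first version is simple: any authentication path that returns success before consulting the user store, or any string literal compared against a password, is a backdoor candidate. The hardened store also answers exam question 5 in section 1: nobody, including the security administrator, holds a readable list of passwords.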
3. Information Protection:
3.2 Controls:
Controls to prevent or detect infection by malware are particularly
significant for file servers in large networks. The following are broad
control objectives:
• Policies:
  - Require use only of authorized software.
  - Require adherence to licensing agreements.
  - Create accountability for the persons authorized to maintain software.
  - Require safeguards when data or programs are obtained by means of
    external media.
• Antivirus software: continuously monitoring, regularly upgraded.
• Software and data for critical systems: regularly reviewed.
• Investigation of unauthorized files.
• E-mail attachments and downloads should be checked.
3. Information Protection:
3.2 Controls: (cont.)
• Procedures:
  - If another organization has repeatedly transmitted malware-infected
    material, termination of agreements or contracts may be indicated.
  - Procedures should be documented, and employees must understand the
    reasons for them.
• BCP: data and software backup.
• Information about malware should be verified and appropriate alerts
given.
• Qualified personnel should distinguish hoaxes from malicious SW.
3. Information Protection:
3.3 Response to threats:
• Purchases should be of evaluated products from trusted suppliers.
• Purchases should be in source-code form so that the code is verifiable.
• Access to and changes in code should be restricted after it is put in
use.
• The availability of security patches for bugs in programs should be
monitored constantly.
• Trusted employees should be assigned to key systems.
• Known Trojan horses can be detected by scanning.
• Data outflows through the firewall should be reviewed.
3. Information Protection:
3.5 Types of Attacks:
3.5.1 Password Attacks:
• Brute-force attack: uses password-cracking SW to try large numbers of
letter and number combinations to gain access.
• Spoofing: identity misrepresentation in cyberspace, e.g., by using a
false website to obtain information about visitors.
• Sniffing: use of SW to eavesdrop on information sent by a user to the
host computer of a website.
• Methods of thwarting password attacks are one-time passwords and
cryptographic authentication.
3. Information Protection:
3.5 Types of Attacks:
3.5.2 Man-in-the-middle Attack:
• Takes advantage of network packet sniffing and of routing and transport
protocols.
• Cryptography is the effective response to man-in-the-middle attacks:
encryption alone is not enough, the endpoints must also be authenticated
(as TLS does with certificates), or the attacker simply negotiates a key
with each side.
• These attacks may be used to:
  - Steal data
  - Obtain access to the network during a rightful user’s active session
  - Analyze the traffic on the network to learn about its operations and
    users
  - Manipulate data being transmitted
  - Deny service
3. Information Protection:
3.5 Types of Attacks:
3.5.3 Denial-of-service (DoS):
• An attempt to overload a system (e.g., a network or Web server) with
false messages so that it cannot function.
• A distributed DoS (DDoS) attack comes from multiple sources, for
example, the machines of innocent parties infected by a Trojan horse.
• Intrusion detection systems and penetration testing may prevent a
system from being used to make a DoS attack.
• An Internet service provider (ISP) can establish rate limits on
transmissions to the target’s website (best protection).
3. Information Protection:
3.6 Intrusion Detection Systems (IDS):
• External connections require an IDS to respond to security breaches.
• An IDS is a device or software application that monitors network and/or
system activities for malicious activities or policy violations and
produces reports to a management station.
• An IDS complements the firewall, which responds to attacks on network
infrastructure and servers.
• Types of IDS and detection:
  - Network intrusion detection system (NIDS)
  - Host-based intrusion detection system (HIDS)
  - Knowledge-based detection
  - Behavior-based detection
3. Information Protection:
3.6 Intrusion Detection Systems (IDS):
• Type of IDS
1. Network-based IDS
• Uses sensors to examine packets traveling on the network.
• Each sensor monitors only the segment of the network to
which it is attached.
• A packet is examined if it matches a signature.
2. Host-based IDS
• IDS software has to be installed on each computer.
• It monitors every call on the operating system and
application as it occurs.
• Access log files are provided to identify questionable
processes and verify the security of system files.
• A less effective method of preventing attacks is analysis of
access log files after the fact.
Note:
• A combination of network-based and host-based IDS is preferable.
• Host-based IDS has greater potential for preventing a specific attack.
• Network-based IDS provides a necessary overall perspective.
3. Information Protection:
3.6 Intrusion Detection Systems (IDS):
• Type of Detection
3. Knowledge-based Detection
• It is based on information about the system’s weaknesses and known
attack signatures, and searches for intrusions that match them.
• It depends on frequent and costly updating of information about
intrusion methods.
• It is specialized with respect to operating system methods.
• Problems are compounded when different versions of the
operating system are in place.
4. Behavior-based Detection
• It presumes that an attack will cause an observable anomaly.
• Actual and normal behavior are compared. A discrepancy results
in an alert.
• This approach is more complete than the knowledge-based
approach because every attack should be detected.
• The level of accuracy is lower, and false alarms may be generated.
• Advantages are that:
  - Knowledge of new intrusion techniques is not necessary.
  - It is less specific to a particular operating system.
3. Information Protection:
3.6 Intrusion Detection Systems (IDS):
• Response to Detection of an Intrusion
1. Automatically Acting IDS
It can respond without the presence of humans by:
• Disconnecting the entire network from outside access.
• Locking access to all or part of the system.
• Slowing the system’s activity.
• Validating the external user.
• Sending a console, email, pager, or phone message to
appropriate personnel.
2. Alarmed System Resources
Traps for intruders using dummy files or administrator accounts
with default passwords (a honeypot).
• Access to a dummy resource results in automatic action or
notice to appropriate employees.
• The advantage of this method is that it is uncomplicated
and inexpensive.
• The disadvantage is that authorized persons may
inadvertently cause an alarm.
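The two detection approaches described above, run over constructed web-server log lines, as an added example that is not code from the original slides. Knowledge-based detection matches a small signature set; behavior-based detection learns a per-client request-rate profile from a baseline log and flags clients that deviate from it. The log format, the addresses, the two signatures and the k-sigma threshold are all assumptions made for the demonstration.

```python
"""Added example, not from the slides: knowledge-based (signature) and
behavior-based (anomaly) detection over constructed web-server log lines of
the form '<client_ip> <method> <path> <status>'. The log lines, the two
signatures and the k-sigma threshold are assumptions for the demonstration."""
import re
import statistics
from collections import Counter

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")

# Constructed baseline traffic: ordinary browsing by six clients.
TRAINING_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /contact 200
10.0.0.6 GET /products?id=7 200
10.0.0.6 GET /images/logo.png 200
10.0.0.6 GET /cart 200
10.0.0.7 GET /about 200
10.0.0.7 GET /index.html 200
10.0.0.8 GET /index.html 200
10.0.0.8 GET /products?id=3 200
10.0.0.8 GET /cart 200
10.0.0.8 GET /checkout 200
10.0.0.9 GET /about 200
10.0.0.9 GET /contact 200
10.0.0.9 GET /index.html 200
10.0.0.10 GET /index.html 200
10.0.0.10 GET /about 200
"""

# Constructed monitored traffic: a path-traversal probe, an SQL-injection probe,
# a busy but legitimate gateway (10.0.0.10) and a password-guessing loop (10.0.0.99).
MONITORED_LOG = "\n".join(
    [
        "10.0.0.5 GET /index.html 200",
        "10.0.0.6 GET /products?id=7 200",
        "10.0.0.7 GET /../../etc/passwd 403",
        "10.0.0.8 GET /cart 200",
        "10.0.0.9 GET /products?id=1'%20OR%20'1'='1 500",
    ]
    + [f"10.0.0.10 GET /page{i} 200" for i in range(6)]
    + [f"10.0.0.99 POST /login {401 if i % 2 else 200}" for i in range(40)]
)

# Knowledge base: a tiny signature set (real rule sets hold thousands of entries).
SIGNATURES = {
    "path_traversal": re.compile(r"(\.\./|%2e%2e/)", re.IGNORECASE),
    "sql_injection": re.compile(r"('|%27)\s*(OR|%20OR%20)", re.IGNORECASE),
}


def parse(log: str):
    """Yield parsed records; lines that do not match the format are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def knowledge_based(log: str) -> list:
    """Signature matching: (ip, path, signature_name) for each hit, in log order."""
    hits = []
    for rec in parse(log):
        for name, rx in SIGNATURES.items():
            if rx.search(rec["path"]):
                hits.append((rec["ip"], rec["path"], name))
    return hits


def learn_baseline(log: str) -> tuple:
    """'Normal behavior': mean and standard deviation of requests per client."""
    counts = list(Counter(rec["ip"] for rec in parse(log)).values())
    return statistics.mean(counts), statistics.pstdev(counts)


def behavior_based(log: str, baseline: tuple, k: float = 3.0) -> list:
    """Anomaly detection: flag clients whose request count exceeds mean + k*sd."""
    mean, sd = baseline
    counts = Counter(rec["ip"] for rec in parse(log))
    return sorted(ip for ip, n in counts.items() if n > mean + k * sd)


if __name__ == "__main__":
    print(knowledge_based(MONITORED_LOG))
    baseline = learn_baseline(TRAINING_LOG)
    print(behavior_based(MONITORED_LOG, baseline))
```

The output shows both properties the slides describe: the password-guessing loop from 10.0.0.99 matches no signature and is caught only by the behavior-based check, while the same check also flags the legitimate but busy gateway at 10.0.0.10, the false alarm that comes with anomaly detection.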
Questions
1. Which of the following is a computer program that appears to be legitimate
but performs some illicit activity when it is run?
A. Hoax virus
B. Web crawler
C. Trojan horse
D. Killer application
2. The best preventive measure against a computer virus is to
A. Compare SW in use with authorized versions of the SW.
B. Execute virus exterminator programs periodically on the system.
C. Allow only authorized software from known sources to be used on
the system.
D. Prepare and test a plan for recovering from the incidence of a virus.
3. Which of the following is an indication that a computer virus is present?
A. Frequent power surges that harm computer equipment.
B. Unexplainable losses of or changes to data.
C. Inadequate backup, recovery, and contingency plans.
D. Numerous copyright violations due to unauthorized use of
purchased software.
4. Which of the following operating procedures increases an organization’s
exposure to computer viruses?
A. Encryption of data files
B. Frequent backup of files
C. Downloading public-domain SW from websites
D. Installing original copies of purchased SW on hard disk drives
5. An organization’s computer system should have an intrusion detection
system (IDS) if it has external connections. An IDS
A. Must monitor every call on the system as it occurs
B. May examine only packets with certain signatures
C. Uses only knowledge-based detection
D. Uses only behavior-based detection
6. An organization installed antivirus software on all its personal computers.
The software was designed to prevent initial infections, stop replication
attempts, detect infections after their occurrence, mark affected system
components, and remove viruses from infected components. The major risk
in relying on antivirus software is that antivirus software may
A. Not detect certain viruses.
B. Make software installation overly complex.
C. Interfere with system operations.
D. Consume too many system resources.
4. Investment in IT:
4.1 Overview:
• The full costs of the investment, and whether to own or lease
the technology, should be decided.
• Hosting websites with many users should consider capacity planning
and scalability.
• Capacity planning: determining whether current and future HW resources,
relative to the organization’s priorities, are and will continue to be
sufficient. It considers:
  - The maximum volume of transactions that can be simultaneously processed.
  - The effect of SW developments.
  - Performance measures, e.g., response time.
  - Changes in capacity needs.
• Scalability: permits system capacity to be increased to meet
greater demands without a system failure.
4. Investment in IT:
4.2 Costs of Ownership of IT Assets:
• Rational economic decisions about HW and SW acquisition require an
analysis of the full costs of all factors involved.
• Failing to consider total long-term costs may seriously underestimate
the economic effects of IT decisions.
• (1) Total cost of ownership (TCO) model: factors to be considered:
  - Capital costs of HW: computers, terminals, storage,
  - Capital costs of SW,
  - Installation costs of HW and SW,
  - Training costs of IT specialists and end users,
  - Support costs incurred for help desks, R&D, documentation,
  - Maintenance costs for HW and SW upgrades,
  - Infrastructure costs: obtaining, supporting, maintaining networks,
    back-up, storage,
  - Costs of unproductive time (downtime) resulting from HW or SW failure.
4. Investment in IT:
4.2 Costs of Ownership of IT Assets: (cont.)
  - Utility and real property costs of computer installations,
  - Costs of nonstandard personal computer configurations,
  - Costs of transferring end users: reinstallation and testing of
    applications and access.
• (2) Managed systems
  - (In large entities) Centralized acquisition policies save costs:
    subunits are not allowed to purchase incompatible or redundant HW and
    SW. Standardized IT resources improve operations and decrease costs of
    administration.
4. Investment in IT:
Question
1. Inefficient use of excess computer equipment can be controlled by
A. Contingency planning
B. System feasibility studies
C. Capacity planning
D. Exception reporting
4. Investment in IT:
Question
2. An automobile and personal property insurer has decentralized its information
processing to the extent that headquarters has less processing capacity than any of
its regional processing centers. These centers are responsible for initiating policies,
communicating with policyholders, and adjusting claims. The company uses leased
lines from a national telecommunications company. Initially, the company thought
there would be little need for interregion communication, but that has not been the
case. The company underestimated the number of customers that would move
between regions and the number of customers with claims arising from accidents
outside their regions. The company has a regional center in an earthquake-prone
area and is planning how to continue processing if that center, or any other single
center, were unable to perform its processing.
The company considered mirroring the data stored at each regional center at another
center. A disadvantage of such an arrangement is
A. Lack of awareness at headquarters of the state of processing.
B. Increased cost and complexity of network traffic.
C. Interface of the mirrored data with original source data.
D. Confusion on the part of insurance agents about where customer data are
stored.
4. Investment in IT:
Question
3. The best plan for responding to quickly changing information requirements
is to foster
A. Greater online access to information systems
B. Competitive pressures for enhanced functions in systems
C. Closer linkage between organizational strategy and information
D. More widespread use of automated controls
4. Investment in IT:
Question
4. Which of the following statements about desktop computers, servers, and
mainframe computers is true?
A. Desktop computers usually cost more than servers but less than
mainframes.
B. Because of the increased use of desktop computers, there will be little
need for mainframes in the near future.
C. Servers must be programmed directly in machine language while
mainframes use higher-level language.
D. The cost per transaction to process on each type of computer has
decreased in recent years.
5. Enterprise-wide Resource Planning (ERP):
5.1 Introduction:
• ERP is intended to integrate enterprise-wide information systems by
creating one database linked to all of an organization’s applications.
• ERP connects all functional subsystems, e.g. HR, Accounting,
Production, Marketing, Distribution, Purchasing, Receiving, and also
suppliers and customers.
• Disadvantage → complexity, which makes customization of the SW
difficult and costly.
• ERP is usually installed by the largest or mid-size enterprises because
it is costly and complex.
• Implementing an ERP system may encounter significant resistance
because employees have to learn to use new technology.
• Successful implementation requires effective change management.
• Examples → SAP R/3, Oracle (PeopleSoft, J.D. Edwards
EnterpriseOne).
5. Enterprise-wide Resource Planning (ERP):
5.2 ERP & Business Process Reengineering:
• Subunits in the organization are forced to redesign and improve their
processes, and to conform to one standard.
• A reengineering project may be undertaken before choosing ERP
software.
• If the organization is not especially unique, the reengineering project
may not be needed because the software probably is already based
on industry best practices.
• The processes of each organization may differ; even so, changing
business processes is better than customizing core ERP software.
• Customizing is expensive and difficult, and may result in bugs and
awkwardness in adopting upgrades.
5. Enterprise-wide Resource Planning (ERP):
5.3 Materials requirements planning (MRP):
MRP I
• Early attempt to create an integrated computer-based information system,
• Designed to plan and control materials used in a production setting.
MRP II
• Continued the evolution begun with MRP I,
• Integrates all facets of a manufacturing business including production, sales,
inventories, schedules, budgeting and cash flows.
5. Enterprise-wide Resource Planning (ERP):
5.4 Enterprise-wide Resource Planning (ERP):
Traditional ERP
• Subsystems share data and coordinate their activities,
• E.g. if marketing receives an order, it can quickly verify that
inventory is sufficient to notify shipping to process the order,
• The subsystems in a traditional ERP system are internal to the
organization. They are often called back-office functions.
Current ERP
• Added front-office functions,
• These connect the organization with customers, suppliers,
shareholders or other owners, creditors, and strategic allies.
5. Enterprise-wide Resource Planning (ERP):
5.4 Enterprise-wide Resource Planning (ERP): (cont.)
Main Architecture of an ERP
• Current ERP systems have a client-server configuration.
– Thin clients (little processing ability) or fat clients (substantial
processing power).
– Single or multiple servers to run applications and contain databases.
– May be in the form of a LAN, WAN or the Internet.
– May use almost any of the available operating systems and DBMS.
• Central database → an advantage of an ERP is the elimination of data
redundancy through the use of a central database.
– Information about an item of data is stored once and all functions have
access to it.
5. Enterprise-wide Resource Planning (ERP):
5.4 Enterprise-wide Resource Planning (ERP): (cont.)
Main Architecture of an ERP (cont.)
• Implementation may take years and cost millions.
• Poor implementation may cause the project to fail regardless of the
quality of the software.
• Implementation is more rapid and less costly if no customization is done.
• Implementation steps
– Strategic planning
– Project team
– Choosing the ERP software and selecting a consulting firm
– Pre-implementation → process design, data conversion and testing
– Go-live
– Training
5. Enterprise-wide Resource Planning (ERP):
5.4 Enterprise-wide Resource Planning (ERP): (cont.)
Costs of an ERP system
• Losses from an unsuccessful implementation,
• Purchasing HW, SW, and services,
• Data conversion from legacy systems to new integrated system,
• Training,
• Design of interfaces and customization,
• SW maintenance and upgrades,
• Salaries of employees working on the implementation.
5. Enterprise-wide Resource Planning (ERP):
5.4 Enterprise-wide Resource Planning (ERP): (cont.)
Benefits of an ERP system
• Lower inventory costs,
• Better management of liquid assets,
• Reduced labor costs and greater productivity,
• Enhanced decision making,
• Elimination of data redundancy and protection of data integrity,
• Avoidance of the costs of other means of addressing needed IT changes,
• Increased customer satisfaction,
• More rapid and flexible responses to changed circumstances,
• More effective supply chain management,
• Integration of global operations.
5. Enterprise-wide Resource Planning (ERP):
Question
1. An enterprise resource planning (ERP) system integrates the organization’s
computerized subsystems and may also provide links to external parties. An
advantage of ERP is that
A. The reengineering needed for its implementation should improve
business processes
B. Customizing the software to suit the unique needs of the organization
will facilitate upgrades
C. It can be installed by organizations of all sizes
D. The comprehensiveness of the system reduces resistance to change
5. Enterprise-wide Resource Planning (ERP):
Question
2. A manufacturing resource planning (MRP II) system
A. Performs the same back-office functions for a manufacturer as an ERP
system
B. Uses a master production schedule
C. Lacks the forecasting and budgeting capabilities typical of an ERP
system
D. Performs the same front-office functions for a manufacturer as an ERP
system
5. Enterprise-wide Resource Planning (ERP):
Question
3. In a traditional ERP system, the receipt of a customer order may result in
I. Customer tracking of the order’s progress
II. Automatic replenishment of inventory by a supplier
III. Hiring or reassigning of employees
IV. Automatic adjustment of output schedules
A. I, II, and IV only
B. I and III only
C. III and IV only
D. I, II, III, and IV
5. Enterprise-wide Resource Planning (ERP):
Question
4. A principal advantage of an ERP system is
A. Program-data dependence
B. Data redundancy
C. Separate data updating for different functions
D. Centralization of data
5. Enterprise-wide Resource Planning (ERP):
Question
5. The current generation of ERP software (ERP II) has added such front-office
functions as
A. Inventory control
B. Human resources
C. Purchasing
D. Customer service
6. Systems Software:
6.1 Introduction
• System software is any computer software that provides the
infrastructure over which programs can operate, i.e. it manages and
controls computer hardware so that application software can
perform.
• Systems software performs the fundamental tasks needed to manage
computer resources.
• Examples of system software include
– Operating systems
– Utility programs
– Databases
6. Systems Software:
6.2 Operating System:
• An interface between users, application software, and the computer’s
hardware (CPU, disk drives, printers, communications devices).
• OS may be categorized into 3 types:
– Mainframe computers
– Servers
– Workstations
• To communicate with the user, the OS of a PC may include a graphical
user interface (GUI) or text-based commands.
6. Systems Software:
6.2 Operating System: (cont.)
Mainframe computers:
• Mainframe computers are computers used mainly by large organizations for
critical applications, typically bulk data processing such as census, industry
and consumer statistics, enterprise resource planning, and financial
transaction processing.
• The most recent OS for the very successful IBM mainframe is “z/OS”.
• Other mainframe OS are OS/360, MVS, OS/390, VM (IBM).
6. Systems Software:
6.2 Operating System: (cont.)
Server:
• Server OS include Unix, Microsoft Windows Server, and Apple
MacOS X Server.
• Inherent networking capabilities are an important part of server
operating systems.
Desktop computers / Clients:
• Microsoft Windows and Apple MacOS are operating systems for
desktop computers.
6. Systems Software:
6.3 Utility programs:
• Utilities perform basic data maintenance tasks, such as:
– Sorting, e.g., arranging all the records in a file by invoice number.
– Merging, meaning combining the data from two files into one.
– Copying and deleting entire files.
• Utilities are extremely powerful. Their use should be restricted to
appropriate personnel, and each occurrence should be logged.
• This SW may have privileged access and be able to bypass normal
security measures.
6. Systems Software:
Question
1. Regardless of the language in which an application program is written, its
execution by a computer requires that primary memory contain
A. A utility program.
B. An operating system.
C. A compiler.
D. Assembly.
Question
2. Auditors often make use of computer programs that perform routine
processing functions, such as sorting and merging. These programs are made
available by computer companies and others and are specifically referred to
as
A. Compiler programs.
B. Supervisory programs.
C. Utility programs.
D. User programs.
6. Systems Software:
Question
3. A control feature designed to negate the use of a utility program to read
files that contain all authorized access user codes for the network is
A. Internally encrypted passwords.
B. A password hierarchy.
C. Logon passwords.
D. A peer-to-peer network.
6. Systems Software:
7. Application Development:
7.1 Build or Buy:
• When an organization acquires a new system by purchasing from an outside
vendor, contract management personnel oversee the process.
• The future end-users of the system as well as IT personnel are also
involved, drawing up specifications and requirements.
• However, when a new system is to be created in-house, planning and
managing the development process is one of the IT function’s most
important tasks.
• The needs of the end-users must be balanced with budget and time
constraints; the decision to use existing hardware vs. the purchase of new
platforms must be weighed.
• Having a well-governed methodology for overseeing the development
process is vital.
• End-users and IT management must approve progress toward the
completion of the system at the end of each of the stages (implementation
control).
7. Application Development:
7.2 Systems Development Life Cycle (SDLC):
• The SDLC approach is the traditional methodology applied to the
development of large, highly structured application systems.
• The major advantage of the SDLC approach is enhanced management
and control of the development process.
• Once the need for a new system has been recognized, the 5 phases
(each with multiple steps) of the SDLC proceed.
• Feedback gathered during the maintenance of a system provides
information for developing the next generation of systems.
Need for new system recognized → Definition → Design → Development →
Implementation → Maintenance
7. Application Development:
7.2 Systems Development Life Cycle (SDLC):
7.2.1 Definition:
• A proposal for a new system is submitted to the IT steering
committee describing the need for the application and the business
function that it will affect.
• Feasibility studies are conducted to determine:
– What technology the new system will require.
– What economic resources must be committed to the new system.
– How the new system will affect current operations.
• The steering committee gives its go-ahead for the project.
7. Application Development:
7.2 Systems Development Life Cycle (SDLC):
7.2.2 Design: → 1) Logical design and 2) Physical design
• Logical design:
– Consists of mapping the flow and storage of the data elements
that will be used by the new system and the new program
modules that will constitute the new system.
– Examples are data flow diagrams (DFDs) and structured flowcharts.
– Some data elements may already be stored in an existing
database. Good logical design ensures that they are not duplicated.
7. Application Development:
7.2 Systems Development Life Cycle (SDLC):
7.2.2 Design: → 1) Logical design and 2) Physical design (cont.)
• Physical design:
– Involves planning the specific interactions of the new program
code and data elements with the hardware platform (existing
or planned for purchase) on which the new system will operate.
– Systems analysts are heavily involved in these 2 steps.
7. Application Development:
7.2 Systems Development Life Cycle (SDLC):
7.2.3 Development:
• The actual program code and database structures that will be used
in the new system are written.
• The data used in testing new programs is never the organization’s
actual production data; such testing would be far too risky to the
organization’s business.
• A carefully designed test database is filled with both good and bad
data to test how well the new system deals with bad input.
• Testing is the most crucial step of the process:
– Unit testing: the testing of an individual program or module. Unit testing
uses a set of test cases that focus on the control structure of the procedural
design. These tests ensure that the internal operation of the program
performs according to specification.
7. Application Development:
7.2 Systems Development Life Cycle (SDLC):
7.2.3 Development:
• Testing is the most crucial step of the process: (cont.)
– System testing: a series of tests designed to ensure that modified programs,
objects, database schema, etc., which collectively constitute a new or
modified system, function properly. These test procedures are often
performed in a nonproduction test/development environment by software
developers designated as a test team. System testing includes security
testing and stress testing.
– Interface or integration testing: a hardware or software test that evaluates
the connection of two or more components that pass information from one
area to another. The objective is to take unit-tested modules and build an
integrated structure dictated by design. The term integration testing is also
used to refer to tests that verify and validate the functioning of the
application under test with other systems, where a set of data is transferred
from one system to another.
7. Application Development:
7.2 Systems Development Life Cycle (SDLC):
7.2.3 Development:
• Testing is the most crucial step of the process: (cont.)
– Final acceptance testing:
• User acceptance testing (UAT) is the final step before placing the
system in live operation.
• IT must demonstrate to the user department that submitted the
original request that the system performs the functionality that was
designed.
• Once the user department is satisfied with the new system, they
acknowledge formal acceptance and implementation begins.
7. Application Development:
7.2 Systems Development Life Cycle (SDLC):
7.2.4 Implementation:
• There are 4 strategies for converting to a new system:
Parallel operation
• With parallel operation, the old and new systems both are run at full
capacity for a given period.
• This strategy is the safest since the old system is still producing
output, but it is also the most expensive and time-consuming.
Cutover conversion
• With cutover conversion, the old system is shut down and the new one
takes over processing at once.
• This is the least expensive and least time-consuming strategy, but it is
also the riskiest.
Pilot conversion
• One branch, department, or division at a time is fully converted to
the new system.
• Experience gained from each installation is used to benefit the next one.
• One disadvantage of this strategy is the extension of the conversion time.
7. Application Development:
7.2 Systems Development Life Cycle (SDLC):
7.2.4 Implementation:
• There are 4 strategies for converting to a new system: (cont.)
Phase conversion
• One function of the new system at a time is placed in operation.
• For instance, if the new system is an integrated accounting
application, accounts receivable could be installed, then accounts
payable, cash management, materials handling, etc.
• The advantage of this strategy is allowing the users to learn one part
of the system at a time.
7. Application Development:
7.2 Systems Development Life Cycle (SDLC):
7.2.4 Implementation:
• Training and documentation are critical
– The users must be made to feel comfortable with the new
system and have plenty of guidance available, either hardcopy
or online.
– Documentation consists of more than just operations manuals
for the users. Layouts of the program code and database
structures must also be available for the programmers who
must modify and maintain the system.
• Systems follow-up or post-audit evaluation is a subsequent review
of the efficiency and effectiveness of the system after it has
operated for a substantial time (e.g., 1 year).
7. Application Development:
7.2 Systems Development Life Cycle (SDLC):
7.2.5 Maintenance:
• The final phase of the SDLC, to be discussed in “Program change
control”.
7.2.6 Other Topics:
• Prototyping
– An alternative approach to application development.
– Creating a working model of the system requested, demonstrating it for
the user, obtaining feedback, and making changes to the underlying code.
– This process repeats through several iterations until the user is
satisfied with the system’s functionality.
7. Application Development:
7.2 Systems Development Life Cycle (SDLC):
7.2.6 Other Topics: (cont.)
• Application authentication
– A means of taking a user’s identity from the operating system on
which the user is working and passing it to an authentication server
for verification.
– This can be designed into an application from its inception.
• Computer-aided software engineering (CASE)
– Provides the capacity to maintain on the computer all of the system
documentation, e.g. data flow diagrams, data dictionaries, and pseudo
code; to develop executable input and output screens; and to
generate program code in at least skeletal form.
– CASE facilitates the creation, organization, and maintenance of
documentation and permits some automation of the coding process.
7. Application Development:
7.2 Systems Development Life Cycle (SDLC):
7.2.6 Other Topics: (cont.)
• Rapid application development (RAD)
– A software development process involving iterative development, the
construction of prototypes, and the use of CASE tools.
– The RAD process usually involves compromises in usability, features,
and/or execution speed; increased speed of development occurs
through rapid prototyping, virtualization of system-related routines,
and other techniques. However, there is usually decreased end-user
utility.
Question
1. A system development approach used to quickly produce a model of user
interfaces, user interactions with the system, and process logic is called
A. Neural networking.
B. Prototyping.
C. Reengineering.
D. Application generation.
7. Application Development:
Question
2. A major disadvantage of the life cycle approach to system development is
that it is not well-suited for projects that are
A. Structured.
B. Large.
C. Complex.
D. Unstructured.
7. Application Development:
Question
3. Program documentation is a control designed primarily to ensure that
A. Programmers have access to production programs.
B. Programs do not make mathematical errors.
C. Programs are kept up to date and perform as intended.
D. No one has made use of the computer hardware for personal reasons.
7. Application Development:
Question
4. Rejection of unauthorized modifications to application systems could be
accomplished through the use of
A. Programmed checks.
B. Batch controls.
C. Implementation controls.
D. One-for-one checking.
7. Application Development:
8. Program Change Control:
• The process of managing changes to existing systems is referred to as
systems maintenance, and the relevant controls are called program change
controls.
• Once a change to a system has been approved, the programmer
should save a copy of the production program in a test area of the
computer, sometimes called a “sandbox”.
• Only in emergencies, and then only under close supervision, should a
change be made directly to the production version of a computer program.
• Source code → English-like statements and commands. A computer
program in this form, i.e., readable by humans.
• Object code → the form that the computer can execute. The resulting
machine-ready program is referred to as object code, or more
precisely, executable code.
8. Program Change Control:
• Program languages that are transformed from source into
executable one line of code at a time are said to be interpreted.
• Program languages that are transformed in entire modules of code
are said to be compiled.
• Once the programmer has the executable version of the changed
program, (s)he tests it to see if it performs the new task as expected.
• This testing process must absolutely not be run against production data.
• The programmer demonstrates the new program to the user, or the
programmer goes back and makes further changes.
• Once the program is in a form acceptable to the user, the programmer
moves it to a holding area.
• Programmers (except in emergencies) should never be able to put
programs directly into production.
108
8. Program Change Control:8. Program Change Control:8. Program Change Control:
• The programmer’s supervisor reviews the new program, approves it,
and authorizes its move into production, which is generally carried out by
operations personnel.
• The compensating control is that operators generally lack the
programming knowledge to put fraudulent code into production.
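The change-control path described on these slides (sandbox copy, testing on non-production data, holding area, supervisor approval, operator-performed move to production, and a logged emergency exception) modelled as a small workflow in Python. This is an added illustration, not code from the slides; the role names, user names, stage names and audit-log wording are assumptions made for the example.

```python
"""Program change control workflow (added example; roles, stages and log
format are assumptions, not taken from the slide deck)."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Role(Enum):
    PROGRAMMER = "programmer"
    SUPERVISOR = "supervisor"
    OPERATOR = "operator"


class Stage(Enum):
    PRODUCTION = "production"   # live copy, never edited directly
    SANDBOX = "sandbox"         # programmer's working copy
    HOLDING = "holding"         # awaiting the supervisor's review
    APPROVED = "approved"       # authorised; operations may move it


@dataclass
class Change:
    program: str
    author: str
    stage: Stage = Stage.SANDBOX
    tested: bool = False
    approved_by: Optional[str] = None


@dataclass
class ChangeControl:
    """Enforces who may perform each step and keeps an audit trail."""
    roles: dict            # user name -> Role (constructed sample data)
    audit_log: list = field(default_factory=list)

    def _require(self, user: str, role: Role) -> None:
        if self.roles.get(user) != role:
            raise PermissionError(f"{user} is not a {role.value}")

    def checkout(self, user: str, program: str) -> Change:
        # Programmer saves a copy of the production program into the sandbox.
        self._require(user, Role.PROGRAMMER)
        self.audit_log.append(f"{user} copied {program} to sandbox")
        return Change(program=program, author=user)

    def test(self, user: str, change: Change, dataset: str) -> None:
        # Testing must never be run against production data.
        self._require(user, Role.PROGRAMMER)
        if dataset == "production":
            raise ValueError("testing against production data is prohibited")
        change.tested = True
        self.audit_log.append(f"{user} tested {change.program} on {dataset}")

    def submit(self, user: str, change: Change) -> None:
        # Only a tested change goes to the holding area.
        self._require(user, Role.PROGRAMMER)
        if not change.tested:
            raise ValueError("untested change cannot enter holding area")
        change.stage = Stage.HOLDING
        self.audit_log.append(f"{user} moved {change.program} to holding")

    def approve(self, user: str, change: Change) -> None:
        # Supervisor reviews and authorises; the author may not self-approve.
        self._require(user, Role.SUPERVISOR)
        if change.stage != Stage.HOLDING:
            raise ValueError("only changes in holding can be approved")
        if user == change.author:
            raise PermissionError("author cannot approve own change")
        change.stage, change.approved_by = Stage.APPROVED, user
        self.audit_log.append(f"{user} approved {change.program}")

    def promote(self, user: str, change: Change, emergency: bool = False,
                supervised_by: Optional[str] = None) -> Stage:
        # Normal path: operations staff move an approved change to production.
        # Emergency path: a programmer may do so only under a named
        # supervisor, and the event is logged for later review.
        if emergency:
            self._require(user, Role.PROGRAMMER)
            if supervised_by is None:
                raise PermissionError("emergency change requires a supervisor")
            self._require(supervised_by, Role.SUPERVISOR)
            self.audit_log.append(
                f"EMERGENCY: {user} moved {change.program} to production "
                f"under supervision of {supervised_by}")
        else:
            self._require(user, Role.OPERATOR)
            if change.stage != Stage.APPROVED:
                raise ValueError("change has not been approved")
            self.audit_log.append(
                f"{user} moved {change.program} to production")
        change.stage = Stage.PRODUCTION
        return change.stage
```

Each rejected step raises instead of silently proceeding, so an auditor reviewing `audit_log` sees only the sanctioned sequence plus any logged emergency moves.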
Question
1. The process of monitoring, evaluating, and modifying a system as needed
is referred to as systems
A. Analysis.
B. Feasibility study.
C. Maintenance.
D. Implementation.
8. Program Change Control:
Question
2. Change control typically includes procedures for separate libraries for
production programs and for test versions of programs. The reason for this
practice is to
A. Promote efficiency of system development.
B. Segregate incompatible duties.
C. Facilitate user input on proposed changes.
D. Permit unrestricted access to programs.
8. Program Change Control:
Question
3. After using the mainframe report writer for several months, the
marketing analysts gained confidence in using it, but the marketing
department manager became concerned. Whenever analysts revised
reports they had written earlier, the coding errors kept reappearing in
their command sequences. The manager was sure that all the analysts
knew what the errors were and how to avoid them. The most likely
cause of the reappearance of the same coding errors is inadequate
A. Backups.
B. Change control.
C. Access control.
D. Testing.
8. Program Change Control:
9. End-User Computing (EUC):
9.1 End-user vs. Centralized computing:
• End-user computing involves user-created or user-acquired systems
that are maintained and operated outside of traditional information
system control.
• Risks of concern in EUC:
– Environmental control risks → copyright violations
– Access → lack of controls (physical and logical)
– Inadequate backup, recovery, and contingency planning
– Lack of centralized control → program development, documentation,
and maintenance.
– Segregation of duties is eliminated → the user is often programmer and
operator.
– The audit trail is diminished.
– Available security features for PCs are limited.
9. End-User Computing (EUC):
9.1 End-user vs. Centralized computing: (cont.)
• The auditors should determine that the EUC applications contain
controls that allow users to rely on the information produced.
• Identification of applications is more difficult than in a traditional
centralized computing environment because few people know about
and use them.
• The auditors should: discover their existence and intended functions →
risk assessment → review controls.
– Organization-wide inventory of major EUC applications.
– Review major EUC applications with major users.
9. End-User Computing (EUC):
9.2 Basic architectures for desktop computing:
• 3 types of end-user computing environment are in common use.
– Client-server model
– Dummy terminal model
– Application server model
Client-server model:
• Processes applications between a client machine on a network and a server.
• User interaction → performing data entry, queries, and receipt of reports.
• Server → manages peripheral HW and controls access to shared DB.
• Security → setting up security is more difficult than in a mainframe-based
environment, resulting in a risk of unauthorized access.
9. End-User Computing (EUC):
9.2 Basic architectures for desktop computing:
Client-server model: (cont.)
• 2-tier client-server: client ↔ server (application and database)
• 3-tier client-server: client ↔ application server ↔ database server
9. End-User Computing (EUC):
9.2 Basic architectures for desktop computing:
Dummy terminal model:
• Desktop machines that lack stand-alone processing power have
access to remote computers in a network.
• To run an application, programs are downloaded to the terminal.
• These machines are relatively inexpensive because they have no
disk drives.
Application server model:
• Involves a 3-tiered or distributed network application.
• The middle (application) tier translates data between the database
(back-end) server and the user’s (front-end) server.
9. End-User Computing (EUC):
9.2 Basic architectures for desktop computing:
Application server model: (cont.)
• The application server also performs the following:
– Business logic functions → interpret transactions and
determine how they will be processed, e.g. applying
discounts, shipping methods.
– Transaction management → keeps track of all of the steps in
transaction processing to ensure completion, editing, and/or
deletion.
– Load balancing → a process to distribute data and data
processing among available servers, e.g., evenly to all servers
or to the next available server.
Question
1. The marketing department’s proposal was finally accepted, and the
marketing employees attended a class in using the report writer. Soon,
the marketing analysts found that it was easier to download the data and
manipulate it on their own desktop computers in spreadsheets than to
perform all the data manipulation on the server. One analyst became
highly skilled at downloading and wrote downloading command sequences
for the other employees. When the analyst left the company for a better
job, the department had problems making modifications to these
command sequences. The department’s problems are most likely due to
inadequate
A. Documentation.
B. Data backup.
C. Program testing.
D. Anti-virus software.
9. End-User Computing (EUC):
Question
2. Traditional information systems development and operational procedures
typically involve four functional areas. The systems analysis function
focuses on identifying and designing systems to satisfy organizational
requirements. The programming function is responsible for the design,
coding, testing, and debugging of computer programs necessary to
implement the systems designed by the analysis function. The computer
operations function is responsible for data preparation, program/job
execution, and system maintenance. The user function provides the input
and receives the output of the system. Which of these four functions is
often poorly implemented or improperly omitted in the development of a
new end-user computing (EUC) application?
A. System analysis function.
B. Programming function.
C. Computer operations function.
D. User function.
9. End-User Computing (EUC):
Question
3. Responsibility for the control of end-user computing (EUC) exists at the
organizational, departmental, and individual user level. Which of the
following should be a direct responsibility of the individual users?
A. Acquisition of hardware and software.
B. Taking equipment inventories.
C. Strategic planning of end-user computing.
D. Physical security of equipment.
9. End-User Computing (EUC):