
Certified Internal Auditor Part III Information Technology II Test Prep Part 3 Unit9.pdf

Date post: 01-Nov-2018

1

Certified Internal Auditor Part III

Information Technology II

2

Agenda:

• Functional Areas of IT Operations

• Encryption

• Information Protection

• Investment in IT

• Enterprise-Wide Resource Planning (ERP)

• System Software

• Application Development

• Program Change Control

• End-User Computing (EUC)

3

1. Functional Areas of IT Operations:

Organizational Control

• Segregation of duties within the IT environment is an IT general control that ensures the efficiency and effectiveness of IT operations.

• Typical IT organizational structure. The chart shows the Chief Information Officer (CIO) over three areas (IT Development, IT Infrastructure & Operation, and IT Security) and the following roles:

• System analyst

• Programmer

• IT Operator

• Helpdesk

• System Administrator

• Network Administrator

• Database Administrator

• Security Administrator

• Webmaster

• End User

4

1. Functional Areas of IT Operations:

Responsibilities of IT Personnel:

1. System analysts:

• Analyze and design computer information systems.

• Survey the existing system.

• Analyze the organization’s information requirements.

• Design new systems to meet the requirements.

• The design specification will be used to guide the preparation of programs.

• They are usually involved during the initial phase of the system development life cycle (SDLC).

• System analysts should not have access to the computer operation center, production programs, or data files.

5

1. Functional Areas of IT Operations:

Responsibilities of IT Personnel: (cont.)

2. Programmers:

• Design, write, test, and document programs according to specification.

• Programmers (as well as analysts) may be able to modify programs, data files, and controls. Thus, they should not have access to the computer operation center, production programs, or data files.

3. IT Operators:

• Responsible for the day-to-day functioning of the computer center: load data, mount storage devices, and operate the equipment.

• They should not be assigned programming duties or system design.

• Ideally, operators should not have programming knowledge.

6

1. Functional Areas of IT Operations:

Responsibilities of IT Personnel: (cont.)

4. Help Desks:

• Usually a responsibility of IT operations.

• Responsible for:

- Logging reported problems,

- Resolving minor problems,

- Forwarding more difficult problems to the appropriate IT resources (e.g. technical support unit or vendor assistance).

5. System Administrator / System Programmer:

• Install, support, and maintain servers or other computer systems.

• Responsible for documenting the configuration of the system.

• Plan for and respond to service outages and other problems.

7

1. Functional Areas of IT Operations:

Responsibilities of IT Personnel: (cont.)

6. Network Administrator / Network Technician:

• Maintain network devices (bridges, hubs, routers, etc.).

• Responsible for maintaining the organization’s connection to other networks, e.g. the Internet.

7. Database administrator (DBA):

• Responsible for developing and maintaining the database.

• Establish controls to protect its integrity.

• Only the DBA should be able to update data dictionaries.

• (In large applications) the DBA uses a DBMS as a primary tool.

8

1. Functional Areas of IT Operations:

Responsibilities of IT Personnel: (cont.)

8. Security Administrator:

• Develop and periodically review the IT security policy.

• Issue and maintain authorized user IDs and passwords.

• Prepare and monitor the security awareness program for all employees.

• Monitor security violations and take corrective action.

9. Webmaster:

• Responsible for the content of the organization’s website.

• Work closely with programmers and network technicians.

• Ensure the appropriate content is displayed and the site is reliably available to users.

10. End Users:

• Need access to application data and functions only.
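The segregation-of-duties rules stated for analysts, programmers, operators, the DBA and end users on the slides above can be checked mechanically against a list of who holds what. The following is an added example, not code from the original slides; the role names, privilege names and the sample assignment are constructed for illustration.

```python
"""Segregation-of-duties check for the IT roles described on these slides.

Added example (not from the original slides). Role names, privilege names
and the sample assignment below are constructed for illustration.
"""
from typing import Dict, List, Set

# Privileges an IT role must NOT hold, taken from the slide text:
#  - analysts and programmers: no access to the computer operation
#    center, production programs, or data files
#  - operators: no programming duties or system design
#  - end users: application data and functions only
#  - data dictionary updates: DBA only (checked separately below)
FORBIDDEN: Dict[str, Set[str]] = {
    "system_analyst": {"operations_center", "production_programs", "data_files"},
    "programmer": {"operations_center", "production_programs", "data_files"},
    "it_operator": {"program_change", "system_design"},
    "end_user": {"operations_center", "production_programs", "program_change",
                 "system_design", "data_dictionary"},
}
DBA_ONLY = {"data_dictionary"}


def check_user(user: str, roles: Set[str], privileges: Set[str]) -> List[str]:
    """Return a list of violation messages for one user's roles and privileges."""
    findings = []
    for role in sorted(roles):
        clash = privileges & FORBIDDEN.get(role, set())
        for priv in sorted(clash):
            findings.append(f"{user}: role {role} must not hold {priv}")
    # Only the DBA should be able to update data dictionaries.
    if (privileges & DBA_ONLY) and "database_administrator" not in roles:
        findings.append(f"{user}: data_dictionary update requires the DBA role")
    # Development duties combined with operations duties defeat the
    # separation the slides (and question 4) describe.
    dev = {"system_analyst", "programmer"}
    ops = {"it_operator"}
    if roles & dev and roles & ops:
        findings.append(f"{user}: holds both development and operations roles")
    return findings


def audit(assignments) -> List[str]:
    """Run check_user over every (user, roles, privileges) record."""
    out = []
    for user, roles, privs in assignments:
        out.extend(check_user(user, set(roles), set(privs)))
    return out


# Constructed sample assignment: an operator who can change programs
# (the weakness in question 6), a programmer with production access,
# and an analyst allowed to edit the data dictionary.
SAMPLE = [
    ("alice", ["programmer"], ["test_library", "production_programs"]),
    ("bob", ["it_operator"], ["operations_center", "program_change"]),
    ("carol", ["database_administrator"], ["data_dictionary", "data_files"]),
    ("dave", ["end_user"], ["application_functions", "application_data"]),
    ("erin", ["system_analyst"], ["data_dictionary"]),
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```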

9

Question 1. The practice of maintaining a test program library separate from the production program library is an example of

A. An organizational control.

B. Physical security.

C. An input control.

D. A concurrency control.

10

Question 2. An organization’s computer help-desk function is usually a responsibility of the

A. Applications development unit.

B. Systems programming unit.

C. Computer operations unit.

D. User departments.

11

Question 3. When a new application is being created for widespread use in a large organization, the principal liaison between the IT function and the rest of an organization is normally a(n)

A. End user.

B. Application programmer.

C. Maintenance programmer.

D. System analyst.

12

Question 4. In the organization of the information systems function, the most important separation of duties is

A. Not allowing the data librarian to assist in data processing operations.

B. Assuring that those responsible for programming the system do not have access to data processing operations.

C. Having a separate information officer at the top level of the organization outside of the accounting function.

D. Using different programming personnel to maintain utility programs from those who maintain the application programs.

13

Question 5. The duties properly assigned to an information security officer could include all of the following except

A. Developing an information security policy for the organization.

B. Maintaining and updating the list of user passwords.

C. Commenting on security controls in new applications.

D. Monitoring and investigating unsuccessful access attempts.

14

Question 6. Which of the following represents an internal control weakness in a computer-based system?

A. Computer programmers write and revise programs designed by analysts.

B. The end users are responsible for reconciling reports and other output.

C. The computer librarian maintains custody and record keeping for computer application programs.

D. Computer operators have access to operator instructions and the authority to change programs.

15

Question 7. In a large organization, the biggest risk in not having an adequately staffed information center help desk is

A. Increased difficulty in performing application audits.

B. Inadequate documentation for application systems.

C. Increased likelihood of use of unauthorized program code.

D. Persistent errors in user interaction with systems.

16

2. Encryption:

2.1 Overview:

• Definition: converts data into code.

- A program codes data prior to transmission.

- Another program decodes it after transmission.

• Unauthorized users may still be able to access the data, but, without the encryption key, they will be unable to decode the information.

• Encryption technology may be either HW or SW based.

• Data encryption increases system overhead (20%-30%).

• Encryption SW uses (1) a fixed algorithm to manipulate plaintext and (2) an encryption key to introduce variation.

Diagram: DATA (plain text) → [key & algorithm] → 04012001 (cipher text) → [key & algorithm] → DATA (plain text).

17

2. Encryption:

2.1 Overview: (cont.)

• Basic algorithm: each letter is replaced by a two-digit number.

A = 01, B = 02, C = 03, D = 04, E = 05, F = 06, G = 07, H = 08, I = 09, J = 10, K = 11, L = 12, M = 13, N = 14, O = 15, P = 16, Q = 17, R = 18, S = 19, T = 20, U = 21, V = 22, W = 23, X = 24, Y = 25, Z = 26

Encryption without key:

Encryption: DATA (plain text) → ATAD → 01200104 → 04012001 (cipher text)

Decryption: 04012001 (cipher text) → 01200104 → ATAD → DATA (plain text)

18

2. Encryption:

2.1 Overview: (cont.)

• Basic algorithm (same letter table as on the previous slide, A = 01 to Z = 26) with a key added to each letter number.

Key +10:

Encryption: DATA (plain text) → ATAD → 01200104 → 11041114 → 14110411 (cipher text)

Decryption: 14110411 (cipher text) → 11041114 → 01200104 → ATAD → DATA (plain text)

Key +2:

Encryption: DATA (plain text) → ATAD → 01200104 → 03220306 → 06032203 (cipher text)

Decryption with key: 06032203 (cipher text) → 03220306 → 01200104 → ATAD → DATA (plain text)

Decryption without key: 06032203 (cipher text) → 03220306 → FCVC (plain text, decrypted without key)
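The toy cipher on the last two slides (letter-to-number table, reversal, and a key added to each letter number) is implemented below so that every value shown, including the wrong FCVC obtained without the key, can be reproduced. This is an added example, not code from the original slides; the step order is read off the slide diagrams, and wrap-around past Z back to A (30 becoming 04) is the one detail the diagrams imply but do not state.

```python
"""The slides' toy cipher, implemented so the worked values can be checked.

Added example, not code from the original slides. Steps as read from the
diagrams: letters map to two-digit numbers (A=01 ... Z=26), the plaintext
is reversed, the key is added to each letter number (wrapping past Z back
to A, so 20 + 10 = 30 becomes 04), and the list of number pairs is
reversed again to form the cipher text.
"""
from typing import Dict, List

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def encode(text: str) -> List[int]:
    """'DATA' -> [4, 1, 20, 1]."""
    return [ALPHABET.index(c) + 1 for c in text.upper()]


def decode(numbers: List[int]) -> str:
    """[4, 1, 20, 1] -> 'DATA'."""
    return "".join(ALPHABET[n - 1] for n in numbers)


def shift(n: int, key: int) -> int:
    """Add key to a 1-based letter number, wrapping within 1..26 (30 -> 4)."""
    return (n - 1 + key) % 26 + 1


def encrypt(plaintext: str, key: int = 0) -> str:
    numbers = encode(plaintext[::-1])                   # DATA -> ATAD -> 01 20 01 04
    shifted = [shift(n, key) for n in numbers]          # key +10 -> 11 04 11 14
    return "".join(f"{n:02d}" for n in shifted[::-1])   # pairwise reverse -> 14110411


def decrypt(ciphertext: str, key: int = 0) -> str:
    pairs = [int(ciphertext[i:i + 2]) for i in range(0, len(ciphertext), 2)]
    unshifted = [shift(n, -key) for n in pairs[::-1]]   # undo pairwise reverse and key
    return decode(unshifted)[::-1]                      # ATAD -> DATA


def all_candidate_plaintexts(ciphertext: str) -> Dict[int, str]:
    """The key space is only 26 values. This is the property the later
    slides on 56-bit DES and brute-force attacks are about: a defender
    can see here that every key of this cipher is checkable by hand."""
    return {k: decrypt(ciphertext, k) for k in range(26)}


if __name__ == "__main__":
    print(encrypt("DATA"))         # 04012001 (no key)
    print(encrypt("DATA", 10))     # 14110411
    print(encrypt("DATA", 2))      # 06032203
    print(decrypt("06032203", 2))  # DATA
    print(decrypt("06032203"))     # FCVC, decrypted without the key
```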

19

2. Encryption:

2.2 Types of Encryption:

• 2 major types of encryption SW:

I. Symmetric-key (Secret-key / Private-key)

• Data Encryption Standard (DES)

• Triple Data Encryption Standard (3DES)

• Advanced Encryption Standard (AES)

II. Asymmetric-key (Public-key & Private-key)

• RSA (Rivest, Shamir, and Adleman)

20

2. Encryption:

2.2 Types of Encryption:

Symmetric-key (Secret-key)

• Refers to encryption methods in which both the sender and receiver share the same key.

• Less secure than public-key encryption.

• Examples:

Data Encryption Standard (DES)

• Developed by the U.S. government.

• Most prevalent secret-key method.

• Based on a key of 56 binary digits (bits).

Triple Data Encryption Standard (3DES)

• When it was found that the 56-bit key of DES is not enough to guard against brute force attacks, 3DES was chosen as a simple way to enlarge the key space without a need to switch to a new algorithm.

Advanced Encryption Standard (AES)

• Replaces 3DES.

• Developed to protect sensitive information.

21

2. Encryption:

2.2 Types of Encryption:

Symmetric-key (Secret-key)

• Key generation: Sender (A) generates Private key - A, which is shared with Receiver (B).

• Send message: Sender encrypts DATA (plain text) with Private key - A → 04012001 (cipher text) → Receiver decrypts with Private key - A → DATA (plain text).

22

2. Encryption:

2.2 Types of Encryption:

Asymmetric-key (Public-key/Private-key)

• Public-key/private-key (asymmetric) encryption requires 2 keys:

- Public key: used for coding messages; it is widely known.

- Private key: used for decoding messages; it is kept secret by the recipient.

• Advantages:

- The message is encoded using one key and decoded using another.

- Neither party knows the other’s private key.

• These pairs of keys are issued by a certificate authority (e.g., VeriSign, Thawte, GoDaddy).

• Asymmetric-key is more secure than a single-key system.

• An example is RSA (Rivest, Shamir, and Adleman), the most commonly used public-key/private-key method.

23

2. Encryption:

2.2 Types of Encryption:

Asymmetric-key (Public-key/Private-key)

• Public-key/private-key (asymmetric) encryption requires 2 keys:

- Public key: used for coding messages; it is widely known.

- Private key: used for decoding messages; it is kept secret by the recipient.

• Advantages:

- The message is encoded using one key and decoded using another.

- Neither party knows the other’s private key.

• The related public key and private key pair is issued by a certificate authority (e.g., VeriSign, Thawte, GoDaddy).

• The private key is issued only to one party.

• Key management in a public key/private key system is more secure than in a secret-key system.

• An example is RSA (Rivest, Shamir, and Adleman), the most commonly used public-key/private-key method.

24

2. Encryption:

2.2 Types of Encryption:

Asymmetric-key (Public-key/Private-key)

• Key generation: Sender (A) holds Public key - A and Private key - A; Receiver (B) holds Public key - B and Private key - B.

• Send message: Sender (A) encrypts DATA (plain text) with Public key - B → 04012001 (cipher text) → Receiver (B) decrypts with Private key - B → DATA (plain text).

25

2. Encryption:

2.2 Types of Encryption:

Digital signature:

• A public key/private key system is used to create digital signatures (fingerprints).

• It is a means of authentication of an electronic document, e.g., validity of a purchase order, acceptance of a contract, or financial information.

• One variation is to send the message in both plaintext and ciphertext. If the decoded version matches the plaintext version, no alteration has occurred.

• The sender uses its private key to encode all or part of the message, and the recipient uses the sender’s public key to decode it.

Diagram: Sender: Message (plain text) → [Sender’s Private Key] → @%$&*#$% (cipher text) → [Sender’s Public Key] → Recipient: Message (plain text).

26

2. Encryption:

2.2 Types of Encryption:

Digital Certificate:

• It is another means of authentication used in e-business to provide assurance to customers that a website is genuine.

• The certificate authority (CA) issues a coded electronic certificate that contains:

- The holder’s name,

- A copy of its public key,

- A serial number,

- An expiration date.

• The certificate verifies the holder’s identity.

27

2. Encryption:

2.2 Types of Encryption:

Digital Certificate:

• The recipient of a coded message uses the certificate authority’s public key (available on the Internet/web browser) to decode the certificate included in the message.

• The recipient then determines that the certificate was issued by the certificate authority.

• Moreover, the recipient can use the sender’s public key and identification data to send a coded response.

• Such methods might be used for transactions between sellers and buyers using credit cards.
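The asymmetric-key exchange (slide 24), the digital signature checked against a plaintext copy (slide 25) and the CA-issued certificate verified with the CA's public key (slides 26 and 27) all rest on the same key-pair arithmetic, so one added example covers all three. This is illustrative code written for this page, not code from the slides or from any library: it uses textbook RSA with small constructed primes so the numbers stay readable, and the party names, certificate field names and the hashing of certificate fields before signing are assumptions of the example.

```python
"""Toy RSA showing the three uses on these slides: public-key encryption,
a digital signature checked against the plaintext copy, and a certificate
issued and verified through a certificate authority.

Added example, not code from the original slides. Textbook RSA with small
primes keeps the arithmetic visible; production systems use large keys,
padding and a vetted library. Party names, certificate fields and the
primes are constructed.
"""
import hashlib
from datetime import date
from typing import Dict, Tuple

PublicKey = Tuple[int, int]   # (e, n): widely known
PrivateKey = Tuple[int, int]  # (d, n): kept secret by its owner


def generate_keys(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Key generation: one pair per party; only the owner gets the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)       # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(m: int, public: PublicKey) -> int:
    """Sender codes the message with the receiver's public key."""
    e, n = public
    return pow(m, e, n)


def decrypt(c: int, private: PrivateKey) -> int:
    """Receiver decodes with its own private key."""
    d, n = private
    return pow(c, d, n)


def sign(m: int, private: PrivateKey) -> int:
    """Digital signature: the sender encodes the message with its private key."""
    d, n = private
    return pow(m, d, n)


def verify(m: int, signature: int, public: PublicKey) -> bool:
    """The recipient decodes with the sender's public key and compares with
    the plaintext copy sent alongside; a match means no alteration."""
    e, n = public
    return pow(signature, e, n) == m


def _digest(fields: Dict[str, str], n: int) -> int:
    """Hash the certificate contents down to a number below the modulus."""
    canonical = "\n".join(f"{k}={fields[k]}" for k in sorted(fields))
    return int.from_bytes(hashlib.sha256(canonical.encode()).digest(), "big") % n


def issue_certificate(holder: str, holder_public: PublicKey, serial: int,
                      expires: str, ca_private: PrivateKey) -> Dict[str, str]:
    """The CA issues a certificate with the holder's name, a copy of its
    public key, a serial number and an expiration date, signed by the CA."""
    cert = {
        "holder": holder,
        "public_key": f"{holder_public[0]},{holder_public[1]}",
        "serial": str(serial),
        "expires": expires,  # ISO date, e.g. "2030-01-01"
    }
    cert["signature"] = str(sign(_digest(cert, ca_private[1]), ca_private))
    return cert


def verify_certificate(cert: Dict[str, str], ca_public: PublicKey, today: str) -> bool:
    """The recipient uses the CA's public key to confirm the certificate was
    issued by the CA, then checks that it has not expired."""
    fields = {k: v for k, v in cert.items() if k != "signature"}
    if not verify(_digest(fields, ca_public[1]), int(cert["signature"]), ca_public):
        return False
    return date.fromisoformat(cert["expires"]) >= date.fromisoformat(today)


# Constructed toy key pairs: sender A, receiver B and the CA.
A_PUBLIC, A_PRIVATE = generate_keys(1999, 2017)
B_PUBLIC, B_PRIVATE = generate_keys(2003, 2011)
CA_PUBLIC, CA_PRIVATE = generate_keys(2027, 2029)
MESSAGE = 4012001  # the slides' coded "DATA" (04012001) as one number

if __name__ == "__main__":
    cipher = encrypt(MESSAGE, B_PUBLIC)                       # A -> B with public key B
    print(cipher, decrypt(cipher, B_PRIVATE))                 # B recovers 4012001
    sig = sign(MESSAGE, A_PRIVATE)
    print(verify(MESSAGE, sig, A_PUBLIC))                     # True
    cert = issue_certificate("B", B_PUBLIC, 1001, "2030-01-01", CA_PRIVATE)
    print(verify_certificate(cert, CA_PUBLIC, "2029-06-01"))  # True
```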

28

2. Encryption:

2.2 Types of Encryption:

Digital Certificate: (cont.) – HTTPS or SSL

29

2. Encryption:

2.2 Types of Encryption:

Digital Certificate: (cont.) – Certificate

30

2. Encryption:

2.2 Types of Encryption:

Digital Certificate: (cont.) – Certificate

31

2. Encryption:

2.2 Types of Encryption:

Public Key Infrastructure:

• The public key infrastructure (PKI) permits secure monetary and information exchange over the Internet.

Protocol:

• Protocols commonly used are SSL (Secure Sockets Layer), TLS (Transport Layer Security), and HTTPS (Hypertext Transfer Protocol Secure).

Digital Time Stamping Services:

• They are used to verify the time (and possibly the place) of a transaction.

• For example, a document may be sent to a service (Time Stamping Authority), which applies its digital stamp and then forwards the document.

32

Question 1. A controller became aware that a competitor appeared to have access to the company’s pricing information. The internal auditor determined that the leak of information was occurring during the electronic transmission of data from branch offices to the head office. Which of the following controls would be most effective in preventing the leak of information?

A. Asynchronous transmission.

B. Encryption.

C. Use of fiber-optic transmission lines.

D. Use of passwords.

33

Question 2. The use of message encryption software

A. Guarantees the secrecy of data.

B. Requires manual distribution of keys.

C. Increases system overhead.

D. Reduces the need for periodic password changes.

34

Question 3. Which of the following is an encryption feature that can be used to authenticate the originator of a document and ensure that the message is intact and has not been tampered with?

A. Heuristic terminal.

B. Perimeter switch.

C. Default settings.

D. Digital signatures.

35

Question 4. The encryption technique that requires two keys, a public key that is available to anyone for encrypting messages and a private key that is known only to the recipient for decrypting messages, is

A. Rivest, Shamir, and Adleman (RSA).

B. Data encryption standard (DES).

C. Modulator-demodulator.

D. A cypher lock.

36

Question 5. To ensure privacy in a public key encryption system, knowledge of which of the following keys would be required to decode the received message?

I. Private

II. Public

A. I.

B. II.

C. Both I and II.

D. Neither I nor II.

37

Question 6. A client communicates sensitive data across the Internet. Which of the following controls would be most effective to prevent the use of the information if it were intercepted by an unauthorized party?

A. A firewall.

B. An access log.

C. Passwords.

D. Encryption.

38

3. Information Protection:

3.1 Malicious Software (Malware) & Controls:

• Malware is hostile, intrusive, or annoying software or program code designed to secretly access a computer system without the owner’s informed consent.

• Malware may exploit a known hole or weakness in an application or operating system program to evade security measures.

• Such vulnerabilities may have been caused by a programming error.

• They also may have been intentionally (but not maliciously) created to permit a programmer simple access (a back door) for correcting the code.

• Having bypassed security controls, the intruder can do immediate damage to the system or install malicious software.

39

3. Information Protection:

3.1 Malicious Software (Malware) & Controls:

• Malware includes:

- Trojan horse

- Computer viruses

- Worms

- Logic bomb

- Backdoor

- Spyware

40

3. Information Protection:

3.1 Malicious Software (Malware):

• Malware includes:

1. Trojan Horse

• A Trojan horse, or Trojan, is malware that appears to be an innocent program that performs a desirable function for the user prior to being run or installed, but instead facilitates unauthorized access to the user’s computer system.

• It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems.

2. Computer Virus

• Program code that has the reproductive ability to copy itself from file to file.

• A true virus can spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive.

• The virus may corrupt, destroy, or modify data, files, or programs on a targeted computer.

41

3. Information Protection:

3.1 Malicious Software (Malware):

• Malware includes:

3. Worm

• A worm is self-replicating malware that can copy itself not from file to file, but from computer to computer.

• It uses a computer network to send copies of itself to other computers on the network, and it may do so without any user intervention.

• Repeated replication overloads a system by depleting memory or disk space (denial of service).

4. Logic bomb

• A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.

• For example, a programmer may hide a piece of code that starts deleting files, should they ever be terminated from the company.

• Software that is inherently malicious, such as viruses and worms, often contains logic bombs that execute certain code at a pre-defined time or when some other condition is met.

42

3. Information Protection:

3.1 Malicious Software (Malware):

• Malware includes:

5. Backdoor

• A backdoor is a malicious computer program or other means that provides the attacker with unauthorized remote access to a compromised system, exploiting vulnerabilities of installed software and bypassing normal authentication.

• A backdoor in a login system might take the form of a hard-coded user and password combination which gives access to the system.

6. Spyware

• Spyware is a type of malware that can be installed on computers, and which collects small pieces of information about users without their knowledge.

• The presence of spyware is typically hidden from the user, and can be difficult to detect.

43

3. Information Protection:

3.2 Controls:

Controls to prevent or detect infection by malware are particularly significant for file servers in large networks. The following are broad control objectives:

• Policies:

- Require use only of authorized software.

- Require adherence to licensing agreements.

- Create accountability for the persons authorized to maintain software.

- Require safeguards when data or programs are obtained by means of external media.

• Antivirus software: should monitor continuously and be kept upgraded.

• Software and data for critical systems: regularly reviewed.

• Investigation of unauthorized files.

• E-mail attachments and downloads should be checked.

44

3. Information Protection:

3.2 Controls: (cont.)

• Procedures:

- If another organization has repeatedly transmitted malware-infected material, termination of agreements or contracts may be indicated.

- Procedures should be documented, and employees must understand the reasons for them.

• BCP: data and software backup.

• Information about malware should be verified and appropriate alerts given.

• Qualified personnel should distinguish hoaxes from malicious SW.

45

3. Information Protection:

3.3 Response to threats:

• Purchases should be of evaluated products from trusted suppliers.

• Purchases should be in source code form so that the code is verifiable.

• Access to and changes in code should be restricted after it is put in use.

• The availability of security patches for bugs in programs should be monitored constantly.

• Trusted employees should be assigned to key systems.

• Known Trojan horses can be detected by scanning.

• Review data outflows through the firewall.

46

3. Information Protection:

3.5 Types of Attacks:

3.5.1 Password Attacks:

• Brute-force attack: uses password-cracking SW to try large numbers of letter and number combinations to gain access.

• Spoofing: identity misrepresentation in cyberspace, e.g. by using a false website to obtain information about visitors.

• Sniffing: use of SW to eavesdrop on information sent by a user to the host computer of a website.

• Methods of thwarting password attacks are one-time passwords and cryptographic authentication.

47

3. Information Protection:

3.5 Types of Attacks:

3.5.2 Man-in-the-middle Attack:

• Takes advantage of network packet sniffing and of routing and transport protocols.

• Cryptography is the effective response to man-in-the-middle attacks.

• These attacks may be used to:

- Steal data

- Obtain access to the network during a rightful user’s active session

- Analyze the traffic on the network to learn about its operations and users

- Manipulate data being transmitted

- Deny service

48

3. Information Protection:

3.5 Types of Attacks:

3.5.3 Denial-of-service (DOS):

• Attempt to overload a system (e.g., a network or Web server) with false messages so that it cannot function.

• A distributed DOS (DDOS) attack comes from multiple sources, for example, the machines of innocent parties infected by a Trojan horse.

• Intrusion detection systems and penetration testing may prevent a system from being used to make a DOS attack.

• An Internet service provider (ISP) can establish rate limits on transmissions to the target’s website (best protection).

49

3. Information Protection:

3.6 Intrusion Detection Systems (IDS):

• External connections require an IDS to respond to security breaches.

• An IDS is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.

• An IDS complements firewalls, which respond to attacks on network infrastructure and servers.

• Types of IDS & Detection:

- Network intrusion detection system (NIDS)

- Host-based intrusion detection system (HIDS)

- Knowledge-based detection

- Behavior-based detection

50

3. Information Protection:

3.6 Intrusion Detection Systems (IDS):

• Types of IDS

1. Network-based IDS

• Uses sensors to examine packets traveling on the network.

• Each sensor monitors only the segment of the network to which it is attached.

• A packet is examined if it matches a signature.

2. Host-based IDS

• IDS software has to be installed on each computer.

• It monitors every call on the operating system and application as it occurs.

• Access log files are provided to identify questionable processes and verify the security of system files.

• A less effective method of preventing attacks is analysis of access log files.

Note:

• A combination of network-based and host-based IDS is preferable.

• Host-based IDS has greater potential for preventing a specific attack.

• Network-based IDS provides a necessary overall perspective.

51

3. Information Protection:

3.6 Intrusion Detection Systems (IDS):

• Types of Detection

3. Knowledge-based Detection

• It is based on information about the system’s weaknesses and searches for intrusions.

• It depends on frequent and costly updating of information about intrusion methods.

• It is specialized with respect to operating system methods.

• Problems are compounded when different versions of the operating system are in place.

4. Behavior-based Detection

• It presumes that an attack will cause an observable anomaly.

• Actual and normal behavior are compared. A discrepancy results in an alert.

• This approach is more complete than the knowledge-based approach because every attack should be detected.

• The level of accuracy is lower, and false alarms may be generated.

• Advantages are that:

- Knowledge of new intrusion techniques is not necessary.

- It is less specific to a particular operating system.
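The difference between knowledge-based and behavior-based detection shows most clearly when both are run over the same activity: one names only what is on its signature list, the other flags anything outside a baseline of normal use, including events no signature describes. The following added example (not code from the original slides) does that over a constructed audit log; the log format, the two signatures and the baseline thresholds are assumptions of the example.

```python
"""Knowledge-based versus behavior-based detection over sample log lines.

Added example, not code from the original slides. The log format, the
signature list and the 'normal' baseline are constructed for illustration.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed audit-log lines: timestamp, user, event, detail.
LOG = """\
09:00:01 alice LOGIN ok
09:00:05 alice READ /data/invoices.csv
09:01:10 bob LOGIN ok
09:01:30 bob READ /data/reports/q1.pdf
09:02:00 carol LOGIN fail
09:02:03 carol LOGIN fail
09:02:06 carol LOGIN fail
09:02:09 carol LOGIN fail
09:02:12 carol LOGIN fail
09:02:15 carol LOGIN fail
09:03:00 bob READ /etc/passwd
09:03:20 bob EXEC cmd=rm -rf /data
"""

# Knowledge-based detection: patterns of known intrusion methods. It only
# catches what is listed, and the list must be kept current (slide 51).
SIGNATURES = {
    "sensitive-file-read": re.compile(r"READ /etc/(passwd|shadow)$"),
    "destructive-command": re.compile(r"EXEC cmd=rm -rf /"),
}

# Behavior-based detection: a profile of normal activity. Anything that
# departs from it raises an alert, including attacks with no signature,
# at the cost of false alarms when legitimate use changes.
BASELINE = {"max_failed_logins_per_user": 3, "max_reads_per_user": 5}


def parse(log: str) -> List[Dict[str, str]]:
    """Split each line into its four fields."""
    events = []
    for line in log.splitlines():
        ts, user, event, detail = line.split(" ", 3)
        events.append({"ts": ts, "user": user, "event": event, "detail": detail})
    return events


def knowledge_based(events: List[Dict[str, str]]) -> List[str]:
    """Signature matching: one alert per event per matching signature."""
    alerts = []
    for ev in events:
        text = f"{ev['event']} {ev['detail']}"
        for name, pattern in SIGNATURES.items():
            if pattern.search(text):
                alerts.append(f"{ev['ts']} {ev['user']} matched signature {name}")
    return alerts


def behavior_based(events: List[Dict[str, str]]) -> List[str]:
    """Anomaly detection: compare per-user counts against the baseline."""
    failed = Counter(ev["user"] for ev in events
                     if ev["event"] == "LOGIN" and ev["detail"] == "fail")
    reads = Counter(ev["user"] for ev in events if ev["event"] == "READ")
    alerts = []
    for user, n in failed.items():
        if n > BASELINE["max_failed_logins_per_user"]:
            alerts.append(f"{user}: {n} failed logins exceeds baseline")
    for user, n in reads.items():
        if n > BASELINE["max_reads_per_user"]:
            alerts.append(f"{user}: {n} reads exceeds baseline")
    return alerts


def run_both(log: str) -> Dict[str, List[str]]:
    """Slide 50 says combining approaches is preferable: carol's repeated
    login failures have no signature and are seen only by the behavioral
    check, while bob's known-bad actions are named only by the signatures."""
    events = parse(log)
    return {"knowledge": knowledge_based(events), "behavior": behavior_based(events)}


if __name__ == "__main__":
    for kind, alerts in run_both(LOG).items():
        for alert in alerts:
            print(f"[{kind}] {alert}")
```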

52

3. Information Protection:

3.6 Intrusion Detection Systems (IDS):

• Response to Detection of an Intrusion

1. Automatically Acting IDS

It can respond without the presence of humans by:

• Disconnecting the entire network from outside access.

• Locking access to all or part of the system.

• Slowing the system’s activity.

• Validating the external user.

• Sending a console, email, pager, or phone message to appropriate personnel.

2. Alarmed System Resources

It sets traps for intruders using dummy files or administrator accounts with default passwords.

• Access to a dummy resource results in automatic action or notice to appropriate employees.

• The advantage of this method is that it is uncomplicated and inexpensive.

• The disadvantage is that authorized persons may inadvertently cause an alarm.

53

Question 1. Which of the following is a computer program that appears to be legitimate but performs some illicit activity when it is run?

A. Hoax virus

B. Web crawler

C. Trojan horse

D. Killer application

54

Question 2. The best preventive measure against a computer virus is to

A. Compare SW in use with authorized versions of the SW.

B. Execute virus exterminator programs periodically on the system.

C. Allow only authorized software from known sources to be used on the system.

D. Prepare and test a plan for recovering from the incidence of a virus.

55

Question 3. Which of the following is an indication that a computer virus is present?

A. Frequent power surges that harm computer equipment.

B. Unexplainable losses of or changes to data.

C. Inadequate backup, recovery, and contingency plans.

D. Numerous copyright violations due to unauthorized use of purchased software.

56

Question 4. Which of the following operating procedures increases an organization’s exposure to computer viruses?

A. Encryption of data files

B. Frequent backup of files

C. Downloading public-domain SW from websites

D. Installing original copies of purchased SW on hard disk drives

57

Question 5. An organization’s computer system should have an intrusion detection system (IDS) if it has external connections. An IDS

A. Must monitor every call on the system as it occurs

B. May examine only packets with certain signatures

C. Uses only knowledge-based detection

D. Uses only behavior-based detection

58

Question 6. An organization installed antivirus software on all its personal computers. The software was designed to prevent initial infections, stop replication attempts, detect infections after their occurrence, mark affected system components, and remove viruses from infected components. The major risk in relying on antivirus software is that antivirus software may

A. Not detect certain viruses.

B. Make software installation overly complex.

C. Interfere with system operations.

D. Consume too many system resources.

59

4. Investment in IT:

4.1 Overview:

• The full costs of the investment should be determined, and whether to own or lease the technology should be decided.

• Hosting websites with many users should consider capacity planning and scalability.

• Capacity planning: determine whether current and future HW resources, relative to the organization’s priorities, are and will continue to be sufficient. It considers:

- The maximum volume of transactions that can be simultaneously processed.

- The effect of SW developments.

- Performance measures, e.g. response time.

- Changes in capacity needs.

• Scalability: permits system capacity to be increased to meet greater demands without a system failure.

4. Investment in IT:

4.2 Costs of Ownership of IT Assets:

• Rational economic decisions about HW and SW acquisition require an analysis of the full costs of all factors involved.
• Failing to consider total long-term costs may seriously underestimate the economic effects of IT decisions.
• (1) Total cost of ownership (TCO) model → factors to be considered:
- Capital costs of HW → computers, terminals, storage,
- Capital costs of SW,
- Installation costs of HW and SW,
- Training costs of IT specialists and end users,
- Support costs incurred for help desks, R&D, documentation,
- Maintenance costs for HW and SW upgrades,
- Infrastructure costs → obtaining, supporting, maintaining networks, back-up, storage,
- Costs of unproductive time (downtime) resulting from HW or SW failure.

4. Investment in IT:

4.2 Costs of Ownership of IT Assets: (cont.)

- Utility and real property costs of computer installations,
- Costs of nonstandard personal computer configurations,
- Costs of transferring end users → reinstallation and testing of applications and access.
• (2) Managed systems
- (In large entities) centralized acquisition policies save costs → subunits are not allowed to purchase incompatible or redundant HW and SW.
- Standardized IT resources improve operations and decrease costs of administration.

4. Investment in IT:

Question

1. Inefficient use of excess computer equipment can be controlled by

A. Contingency planning
B. System feasibility studies
C. Capacity planning
D. Exception reporting

4. Investment in IT:

Question

2. An automobile and personal property insurer has decentralized its information processing to the extent that headquarters has less processing capacity than any of its regional processing centers. These centers are responsible for initiating policies, communicating with policyholders, and adjusting claims. The company uses leased lines from a national telecommunications company. Initially, the company thought there would be little need for interregion communication, but that has not been the case. The company underestimated the number of customers that would move between regions and the number of customers with claims arising from accidents outside their regions. The company has a regional center in an earthquake-prone area and is planning how to continue processing if that center, or any other single center, were unable to perform its processing.

The company considered mirroring the data stored at each regional center at another center. A disadvantage of such an arrangement is

A. Lack of awareness at headquarters of the state of processing.
B. Increased cost and complexity of network traffic.
C. Interface of the mirrored data with original source data.
D. Confusion on the part of insurance agents about where customer data are stored.

4. Investment in IT:

Question

3. The best plan for responding to quickly changing information requirements is to foster

A. Greater online access to information systems
B. Competitive pressures for enhanced functions in systems
C. Closer linkage between organizational strategy and information
D. More widespread use of automated controls

4. Investment in IT:

Question

4. Which of the following statements about desktop computers, servers, and mainframe computers is true?

A. Desktop computers usually cost more than servers but less than mainframes.
B. Because of the increased use of desktop computers, there will be little need for mainframes in the near future.
C. Servers must be programmed directly in machine language while mainframes use higher-level language.
D. The cost per transaction to process on each type of computer has decreased in recent years.

5. Enterprise-wide Resource Planning (ERP):

5.1 Introduction:

• ERP is intended to integrate enterprise-wide information systems by creating one database linked to all of an organization's applications.
• ERP connects all functional subsystems, e.g. HR, Accounting, Production, Marketing, Distribution, Purchasing, Receiving, and also suppliers and customers.
• Disadvantage → complexity, which makes customization of the SW difficult and costly.
• ERP is usually installed by the largest or mid-size enterprises because it is costly and complex.
• Implementing an ERP system may encounter significant resistance because employees have to learn to use new technology.
• Successful implementation requires effective change management.
• Examples → SAP R/3, Oracle (PeopleSoft, J.D. Edwards EnterpriseOne).

5. Enterprise-wide Resource Planning (ERP):

5.2 ERP & Business Process Reengineering:

• Subunits in the organization are forced to redesign and improve their processes, and to conform to one standard.
• A reengineering project may be undertaken before choosing ERP software.
• If the organization is not especially unique, the reengineering project may not be needed because the software probably is already based on industry best practices.
• The processes of each organization may be different. Even so, changing business processes is better than customizing core ERP software.
• Customizing is expensive and difficult, and may result in bugs and awkwardness in adopting upgrades.

5. Enterprise-wide Resource Planning (ERP):

5.3 Materials requirements planning (MRP):

MRP I
• Early attempt to create an integrated computer-based information system,
• Designed to plan and control materials used in a production setting.

MRP II
• Continued the evolution begun with MRP I,
• Integrates all facets of a manufacturing business including production, sales, inventories, schedules, budgeting and cash flows.

5. Enterprise-wide Resource Planning (ERP):

5.4 Enterprise-wide Resource Planning (ERP):

Traditional ERP
• Subsystems share data and coordinate their activities,
• E.g. if marketing receives an order, it can quickly verify that inventory is sufficient to notify shipping to process the order,
• The subsystems in a traditional ERP system are internal to the organization. They are often called back-office functions.

Current ERP
• Added front-office functions,
• These connect the organization with customers, suppliers, shareholders or other owners, creditors, and strategic allies.

5. Enterprise-wide Resource Planning (ERP):

5.4 Enterprise-wide Resource Planning (ERP): (cont.)

5. Enterprise-wide Resource Planning (ERP):

5.4 Enterprise-wide Resource Planning (ERP): (cont.)

Main Architecture of an ERP

• Current ERP systems have a client-server configuration.
- Thin clients (little processing ability) or fat clients (substantial processing power).
- Single or multiple servers to run applications and contain databases.
- May be in the form of a LAN, WAN or the Internet.
- May use almost any of the available operating systems and DBMS.
• Central database
- An advantage of an ERP is the elimination of data redundancy through the use of a central database.
- Information about an item of data is stored once and all functions have access to it.

5. Enterprise-wide Resource Planning (ERP):

5.4 Enterprise-wide Resource Planning (ERP): (cont.)

Main Architecture of an ERP (cont.)

• May take years and cost millions.
• Poor implementation may cause the project to fail regardless of the quality of the software.
• More rapid and less costly implementation if no customization is done.
• Implementation steps:
- Strategic planning
- Project team
- ERP software choice and consulting firm selection
- Pre-implementation → process design, data conversion and testing
- Go-live
- Training

5. Enterprise-wide Resource Planning (ERP):

5.4 Enterprise-wide Resource Planning (ERP): (cont.)

Costs of an ERP system

• Losses from an unsuccessful implementation,
• Purchasing HW, SW, and services,
• Data conversion from legacy systems to the new integrated system,
• Training,
• Design of interfaces and customization,
• SW maintenance and upgrades,
• Salaries of employees working on the implementation.

5. Enterprise-wide Resource Planning (ERP):

5.4 Enterprise-wide Resource Planning (ERP): (cont.)

Benefits of an ERP system

• Lower inventory costs,
• Better management of liquid assets,
• Reduced labor costs and greater productivity,
• Enhanced decision making,
• Elimination of data redundancy and protection of data integrity,
• Avoidance of the costs of other means of addressing needed IT changes,
• Increased customer satisfaction,
• More rapid and flexible responses to changed circumstances,
• More effective supply chain management,
• Integration of global operations.

5. Enterprise-wide Resource Planning (ERP):

Question

1. An enterprise resource planning (ERP) system integrates the organization's computerized subsystems and may also provide links to external parties. An advantage of ERP is that

A. The reengineering needed for its implementation should improve business processes
B. Customizing the software to suit the unique needs of the organization will facilitate upgrades
C. It can be installed by organizations of all sizes
D. The comprehensiveness of the system reduces resistance to change

5. Enterprise-wide Resource Planning (ERP):

Question

2. A manufacturing resource planning (MRP II) system

A. Performs the same back-office functions for a manufacturer as an ERP system
B. Uses a master production schedule
C. Lacks the forecasting and budgeting capabilities typical of an ERP system
D. Performs the same front-office functions for a manufacturer as an ERP system

5. Enterprise-wide Resource Planning (ERP):

Question

3. In a traditional ERP system, the receipt of a customer order may result in

I. Customer tracking of the order's progress
II. Automatic replenishment of inventory by a supplier
III. Hiring or reassigning of employees
IV. Automatic adjustment of output schedules

A. I, II, and IV only
B. I and III only
C. III and IV only
D. I, II, III, and IV

5. Enterprise-wide Resource Planning (ERP):

Question

4. A principal advantage of an ERP system is

A. Program-data dependence
B. Data redundancy
C. Separate data updating for different functions
D. Centralization of data

5. Enterprise-wide Resource Planning (ERP):

Question

5. The current generation of ERP software (ERP II) has added such front-office functions as

A. Inventory control
B. Human resources
C. Purchasing
D. Customer service

6. Systems Software:

6.1 Introduction

• System software is any computer software that provides the infrastructure over which programs can operate, i.e. it manages and controls computer hardware so that application software can perform.
• Systems software performs the fundamental tasks needed to manage computer resources.
• Examples of system software include:
- Operating systems
- Utility programs
- Databases

6. Systems Software:

6.2 Operating System:

• An interface between users, application software, and the computer's hardware (CPU, disk drives, printers, communications devices).
• OS may be categorized into 3 types:
- Mainframe computers
- Servers
- Workstations
• To communicate with the user, the O/S of a PC may include a graphical user interface (GUI) or text-based commands.

6. Systems Software:

6.2 Operating System: (cont.)

Mainframe computers:

• Mainframe computers are computers used mainly by large organizations for critical applications, typically bulk data processing such as census, industry and consumer statistics, enterprise resource planning, and financial transaction processing.
• The most recent OS for the very successful IBM mainframe is "Z/OS".
• Other OS are OS/360, MVS, OS/390, VM (IBM).

6. Systems Software:

6.2 Operating System: (cont.)

Servers:
• Server OS include Unix, Microsoft Windows Server, and Apple MacOS X Server.
• Inherent networking capabilities are an important part of server operating systems.

Desktop computers / Clients:
• Microsoft Windows and Apple MacOS are operating systems for desktop computers.

6. Systems Software:

6.3 Utility programs:

• Utilities perform basic data maintenance tasks, such as:
- Sorting, e.g., arranging all the records in a file by invoice number.
- Merging, meaning combining the data from two files into one.
- Copying and deleting entire files.
• Utilities are extremely powerful. Their use should be restricted to appropriate personnel, and each occurrence should be logged.
• This SW may have privileged access and be able to bypass normal security measures.

6. Systems Software:

Question

1. Regardless of the language in which an application program is written, its execution by a computer requires that primary memory contain

A. A utility program.
B. An operating system.
C. A compiler.
D. An assembler.

6. Systems Software:

Question

2. Auditors often make use of computer programs that perform routine processing functions, such as sorting and merging. These programs are made available by computer companies and others and are specifically referred to as

A. Compiler programs.
B. Supervisory programs.
C. Utility programs.
D. User programs.

6. Systems Software:

Question

3. A control feature designed to negate the use of a utility program to read files that contain all authorized access user codes for the network is

A. Internally encrypted passwords.
B. A password hierarchy.
C. Logon passwords.
D. A peer-to-peer network.
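As an added illustration of the "internally encrypted passwords" control named among the options (example code written for this page, not from the course material), the Python below contrasts a credential file that stores passwords in the clear, which any utility able to read the file exposes, with one that stores only per-user salted PBKDF2-HMAC-SHA256 digests and still supports login checks. The user names and passwords are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample accounts for the demonstration (not real credentials).
SAMPLE_USERS: Dict[str, str] = {"alice": "correct horse battery", "bob": "Tr0ub4dor&3"}
ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware allows


def plaintext_file(users: Dict[str, str]) -> str:
    """The weak form: user:password lines, readable by any utility that can open the file."""
    return "".join(f"{u}:{p}\n" for u, p in users.items())


def hashed_record(username: str, password: str, salt: Optional[bytes] = None) -> str:
    """One line of the protected form: user:salt_hex:digest_hex.
    The password itself is never written; only a salted PBKDF2-HMAC-SHA256 digest."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{username}:{salt.hex()}:{digest.hex()}\n"


def hashed_file(users: Dict[str, str]) -> str:
    """Build the protected credential file for all sample users."""
    return "".join(hashed_record(u, p) for u, p in users.items())


def verify(credential_file: str, username: str, password: str) -> bool:
    """Check a login against the protected file without ever recovering the stored password."""
    for line in credential_file.splitlines():
        user, salt_hex, digest_hex = line.split(":")
        if user != username:
            continue
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
        )
        # constant-time comparison so the check itself leaks no timing information
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    return False  # unknown user


def exposes_passwords(credential_file: str, users: Dict[str, str]) -> bool:
    """What a utility that dumps the file would see: True if any password appears verbatim."""
    return any(p in credential_file for p in users.values())


if __name__ == "__main__":
    weak, strong = plaintext_file(SAMPLE_USERS), hashed_file(SAMPLE_USERS)
    print("plaintext file exposes passwords:", exposes_passwords(weak, SAMPLE_USERS))
    print("hashed file exposes passwords:   ", exposes_passwords(strong, SAMPLE_USERS))
    print("alice login with correct password:", verify(strong, "alice", "correct horse battery"))
```

Reading the hashed file with a utility yields salts and digests only; a login still succeeds because the same derivation is recomputed from the submitted password and compared.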


7. Application Development:

7.1 Build or Buy:

• When an organization acquires a new system by purchasing from an outside vendor, contract management personnel oversee the process.
• The future end-users of the system as well as IT personnel are also involved, drawing up specifications and requirements.
• However, when a new system is to be created in-house, planning and managing the development process is one of the IT function's most important tasks.
• The needs of the end-users must be balanced with budget and time constraints; the decision to use existing hardware vs. the purchase of new platforms must be weighed.
• Having a well-governed methodology for overseeing the development process is vital.
• End-users and IT management must approve progress toward the completion of the system at the end of each of the stages (implementation control).

7. Application Development:

7.2 Systems Development Life Cycle (SDLC):

• The SDLC approach is the traditional methodology applied to the development of large, highly structured application systems.
• The major advantage of the SDLC approach is enhanced management and control of the development process.
• Once the need for a new system has been recognized, the 5 phases (each with multiple steps) of the SDLC proceed.
• Feedback gathered during the maintenance of a system provides information for developing the next generation of systems.

Need for new system recognized → Definition → Design → Development → Implementation → Maintenance

7. Application Development:

7.2 Systems Development Life Cycle (SDLC):

7.2.1 Definition:

• A proposal for a new system is submitted to the IT steering committee describing the need for the application and the business function that it will affect.
• Feasibility studies are conducted to determine:
- What technology the new system will require.
- What economic resources must be committed to the new system.
- How the new system will affect current operations.
• The steering committee gives its go-ahead for the project.

7. Application Development:

7.2 Systems Development Life Cycle (SDLC):

7.2.2 Design: → 1) Logical design and 2) Physical design

• Logical design:
- Consists of mapping the flow and storage of the data elements that will be used by the new system and the new program modules that will constitute the new system.
- Examples are data flow diagrams (DFDs) and structured flowcharts.
- Some data elements may already be stored in existing databases. Good logical design ensures that they are not duplicated.

7. Application Development:

7.2 Systems Development Life Cycle (SDLC):

7.2.2 Design: → 1) Logical design and 2) Physical design

• Physical design:
- Involves planning the specific interactions of the new program code and data elements with the hardware platform (existing or planned for purchase) on which the new system will operate.
- Systems analysts are heavily involved in these 2 steps.

7. Application Development:

7.2 Systems Development Life Cycle (SDLC):

7.2.3 Development:

• The actual program code and database structures that will be used in the new system are written.
• The data used in testing new programs is never the organization's actual production data; such testing would be far too risky to the organization's business.
• A carefully designed test database is filled with both good and bad data to test how well the new system deals with bad input.
• Testing is the most crucial step of the process:

Unit testing: The testing of an individual program or module. Unit testing uses a set of test cases that focus on the control structure of the procedural design. These tests ensure that the internal operation of the program performs according to specification.

7. Application Development:

7.2 Systems Development Life Cycle (SDLC):

7.2.3 Development:

• Testing is the most crucial step of the process: (cont.)

System testing: A series of tests designed to ensure that modified programs, objects, database schema, etc., which collectively constitute a new or modified system, function properly. These test procedures are often performed in a nonproduction test/development environment by software developers designated as a test team. System testing includes security testing and stress testing.

Interface or integration testing: A hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure dictated by design. The term integration testing is also used to refer to tests that verify and validate the functioning of the application under test with other systems, where a set of data is transferred from one system to another.

7. Application Development:

7.2 Systems Development Life Cycle (SDLC):

7.2.3 Development:

• Testing is the most crucial step of the process: (cont.)

Final acceptance testing:
• User acceptance testing (UAT) is the final step before placing the system in live operation.
• IT must demonstrate to the user department that submitted the original request that the system performs the functionality that was designed.
• Once the user department is satisfied with the new system, they acknowledge formal acceptance and implementation begins.

7. Application Development:

7.2 Systems Development Life Cycle (SDLC):

7.2.4 Implementation:

• There are 4 strategies for converting to a new system:

Parallel operation
• With parallel operation, the old and new systems are both run at full capacity for a given period.
• This strategy is the safest since the old system is still producing output, but it is also the most expensive and time-consuming.

Cutover conversion
• With cutover conversion, the old system is shut down and the new one takes over processing at once.
• This is the least expensive and least time-consuming strategy, but it is also the riskiest.

Pilot conversion
• One branch, department, or division at a time is fully converted to the new system.
• Experience gained from each installation is used to benefit the next one.
• One disadvantage of this strategy is the extension of the conversion time.

7. Application Development:

7.2 Systems Development Life Cycle (SDLC):

7.2.4 Implementation:

• There are 4 strategies for converting to a new system: (cont.)

Phased conversion
• One function of the new system at a time is placed in operation.
• For instance, if the new system is an integrated accounting application, accounts receivable could be installed, then accounts payable, cash management, materials handling, etc.
• The advantage of this strategy is allowing the users to learn one part of the system at a time.

7. Application Development:

7.2 Systems Development Life Cycle (SDLC):

7.2.4 Implementation:

• Training and documentation are critical:
- The users must be made to feel comfortable with the new system and have plenty of guidance available, either hardcopy or online.
- Documentation consists of more than just operations manuals for the users. Layouts of the program code and database structures must also be available for the programmers who must modify and maintain the system.
• Systems follow-up or post-audit evaluation is a subsequent review of the efficiency and effectiveness of the system after it has operated for a substantial time (e.g., 1 year).

7. Application Development:

7.2 Systems Development Life Cycle (SDLC):

7.2.5 Maintenance:

• The final phase of the SDLC, to be discussed in "Program change control".

7.2.6 Other Topics:

• Prototyping
- An alternative approach to application development.
- Creating a working model of the system requested, demonstrating it for the user, obtaining feedback, and making changes to the underlying code.
- This process repeats through several iterations until the user is satisfied with the system's functionality.

7. Application Development:

7.2 Systems Development Life Cycle (SDLC):

7.2.6 Other Topics: (cont.)

• Application authentication
- A means of taking a user's identity from the operating system on which the user is working and passing it to an authentication server for verification.
- This can be designed into an application from its inception.
• Computer-aided software engineering (CASE)
- Provides the capacity to maintain on the computer all of the system documentation, e.g. data flow diagrams, data dictionaries, and pseudocode; to develop executable input and output screens; and to generate program code in at least skeletal form.
- CASE facilitates the creation, organization, and maintenance of documentation and permits some automation of the coding process.

7. Application Development:

7.2 Systems Development Life Cycle (SDLC):

7.2.6 Other Topics: (cont.)

• Rapid application development (RAD)
- A software development process involving iterative development, the construction of prototypes, and the use of CASE tools.
- The RAD process usually involves compromises in usability, features, and/or execution speed; increased speed of development occurs through rapid prototyping, virtualization of system-related routines, and other techniques. However, there is usually decreased end-user utility.

7. Application Development:

Question

1. A system development approach used to quickly produce a model of user interfaces, user interactions with the system, and process logic is called

A. Neural networking.
B. Prototyping.
C. Reengineering.
D. Application generation.

7. Application Development:

Question

2. A major disadvantage of the life cycle approach to system development is that it is not well-suited for projects that are

A. Structured.
B. Large.
C. Complex.
D. Unstructured.

7. Application Development:

Question

3. Program documentation is a control designed primarily to ensure that

A. Programmers have access to production programs.
B. Programs do not make mathematical errors.
C. Programs are kept up to date and perform as intended.
D. No one has made use of the computer hardware for personal reasons.

7. Application Development:

Question

4. Rejection of unauthorized modifications to application systems could be accomplished through the use of

A. Programmed checks.
B. Batch controls.
C. Implementation controls.
D. One-for-one checking.

8. Program Change Control:

• The process of managing these changes is referred to as systems maintenance, and the relevant controls are called program change controls.
• Once a change to a system has been approved, the programmer should save a copy of the production program in a test area of the computer, sometimes called a "sandbox".
• Only in emergencies, and then only under close supervision, should a change be made directly to the production version of a computer program.
• Source code → English-like statements and commands. A computer program in this form, i.e., readable by humans.
• Object code → the form that the computer can execute. The resulting machine-ready program is referred to as object code, or more precisely, executable code.

8. Program Change Control:

• Program languages that are transformed from source into executable one line of code at a time are said to be interpreted.
• Program languages that are transformed in entire modules of code are said to be compiled.
• Once the programmer has the executable version of the changed program, (s)he tests it to see if it performs the new task as expected.
• This testing process must absolutely not be run against production data.
• The programmer demonstrates the new program to the user, or goes back and makes further changes.
• Once the program is in a form acceptable to the user, the programmer moves it to a holding area.
• Programmers (except in emergencies) should never be able to put programs directly into production.

8. Program Change Control:

• The programmer's supervisor reviews the new program, approves it, and authorizes its move into production, generally carried out by operations personnel.
• The compensating control is that operators generally lack the programming knowledge to put fraudulent code into production.
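The change-control cycle on these slides (sandbox copy, test on non-production data, demonstration, user acceptance, holding area, supervisor approval, move to production by operations), modelled as an added Python example that is not from the course material. It refuses any step performed by the wrong role and any test run against production data, keeps an audit trail of every transition, and allows the emergency exception only under a named supervisor; the role names, state names and program names are assumptions for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# State and role names are assumptions for this illustration; they follow the
# slides' sequence. (state, action) -> (role that may perform it, resulting state)
TRANSITIONS: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("approved", "copy_to_sandbox"):               ("programmer", "in_sandbox"),
    ("in_sandbox", "test"):                        ("programmer", "tested"),
    ("tested", "demonstrate"):                     ("programmer", "demonstrated"),
    ("demonstrated", "accept"):                    ("user", "user_accepted"),
    ("demonstrated", "reject"):                    ("user", "in_sandbox"),  # further changes
    ("user_accepted", "move_to_holding"):          ("programmer", "in_holding"),
    ("in_holding", "approve"):                     ("supervisor", "supervisor_approved"),
    ("supervisor_approved", "move_to_production"): ("operator", "in_production"),
}


@dataclass
class ChangeRequest:
    program: str
    state: str = "approved"  # the change itself has already been approved
    log: List[Tuple[str, str, str]] = field(default_factory=list)  # audit trail

    def act(self, role: str, action: str, data_source: str = "test_db") -> str:
        """Apply one step of the cycle and return the new state.
        PermissionError: wrong role (segregation of duties).
        ValueError: step out of order, or a test that would touch production data."""
        key = (self.state, action)
        if key not in TRANSITIONS:
            raise ValueError(f"{action!r} is not a valid step from state {self.state!r}")
        allowed_role, next_state = TRANSITIONS[key]
        if role != allowed_role:
            raise PermissionError(f"{role} may not {action}; only {allowed_role} may")
        if action == "test" and data_source == "production":
            raise ValueError("tests must never run against production data")
        self.log.append((role, action, next_state))
        self.state = next_state
        return self.state

    def emergency_fix(self, role: str, supervised_by: str) -> str:
        """The one exception the slides allow: a direct production change in an
        emergency, only under close supervision, and always recorded in the trail."""
        if role != "programmer" or not supervised_by:
            raise PermissionError("emergency fixes require a programmer under named supervision")
        self.log.append((role, f"emergency_fix (supervised by {supervised_by})", "in_production"))
        self.state = "in_production"
        return self.state


def try_act(cr: ChangeRequest, role: str, action: str, **kw) -> str:
    """Return the new state, or 'refused: ...', so the control's decisions can be inspected."""
    try:
        return cr.act(role, action, **kw)
    except (PermissionError, ValueError) as exc:
        return f"refused: {exc}"


def normal_cycle(program: str) -> ChangeRequest:
    """Run the complete, properly segregated cycle for one program change."""
    cr = ChangeRequest(program)
    cr.act("programmer", "copy_to_sandbox")
    cr.act("programmer", "test", data_source="test_db")
    cr.act("programmer", "demonstrate")
    cr.act("user", "accept")
    cr.act("programmer", "move_to_holding")
    cr.act("supervisor", "approve")
    cr.act("operator", "move_to_production")
    return cr


if __name__ == "__main__":
    cr = normal_cycle("AR-posting")  # constructed program name
    for entry in cr.log:
        print(entry)
    print(try_act(ChangeRequest("GL-close"), "programmer", "move_to_production"))
```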

8. Program Change Control:

Question

1. The process of monitoring, evaluating, and modifying a system as needed is referred to as systems

A. Analysis.
B. Feasibility study.
C. Maintenance.
D. Implementation.

8. Program Change Control:

Question

2. Change control typically includes procedures for separate libraries for production programs and for test versions of programs. The reason for this practice is to

A. Promote efficiency of system development.
B. Segregate incompatible duties.
C. Facilitate user input on proposed changes.
D. Permit unrestricted access to programs.

8. Program Change Control:

Question

3. After using the mainframe report writer for several months, the marketing analysts gained confidence in using it, but the marketing department manager became concerned. Whenever analysts revised reports they had written earlier, the coding errors kept reappearing in their command sequences. The manager was sure that all the analysts knew what the errors were and how to avoid them. The most likely cause of the reappearance of the same coding errors is inadequate

A. Backups.
B. Change control.
C. Access control.
D. Testing.

9. End-User Computing (EUC):

9.1 End-user vs. Centralized computing:

• End-user computing involves user-created or user-acquired systems that are maintained and operated outside of traditional information system control.
• Risks of concern for EUC:
- Environmental control risks → copyright violations
- Access → lack of controls (physical and logical)
- Inadequate backup, recovery, and contingency planning
- Lack of centralized control → program development, documentation, and maintenance.
- Segregation of duties is eliminated → the user is often programmer and operator.
- The audit trail is diminished.
- Available security features for PCs are limited.

9. End-User Computing (EUC):

9.1 End-user vs. Centralized computing: (cont.)

• The auditors should determine that the EUC applications contain controls that allow users to rely on the information produced.
• Identification of applications is more difficult than in a traditional centralized computing environment because few people know about and use them.
• The auditors should:
- Discover their existence and intended functions:
  • Organization-wide inventory of major EUC applications.
  • Review of major EUC applications with major users.
- Perform a risk assessment.
- Review controls.

9. End-User Computing (EUC):

9.2 Basic architectures for desktop computing:

• 3 types of end-user computing environment are in common use:
- Client-server model
- Dummy terminal model
- Application server model

Client-server model:

• Application processing is divided between a client machine on a network and a server.
• User interaction → data entry, queries, and receipt of reports are performed on the client.
• Server → manages peripheral HW and controls access to shared DB.
• Security → security settings are more difficult than in mainframe-based systems, resulting in a risk of unauthorized access.


9.2 Basic architectures for desktop computing: (cont.)

Client-server model: (cont.)

• 2-tier client-server: client ↔ server (application and database).
• 3-tier client-server: client ↔ application server ↔ database server.


9.2 Basic architectures for desktop computing: (cont.)

Dumb terminal model:

• Desktop machines that lack stand-alone processing power have access to remote computers in a network.
• To run an application, programs are downloaded to the terminal.
• These machines are relatively inexpensive because they have no disk drives.

Application server model:

• Involves a 3-tiered or distributed network application.
• The middle (application) tier translates data between the database (back-end) server and the user's (front-end) server.


9.2 Basic architectures for desktop computing: (cont.)

Application server model: (cont.)

• The application server also performs the following:

  - Business logic functions: interpret transactions and determine how they will be processed, e.g., applying discounts and choosing shipping methods.
  - Transaction management: keeps track of all of the steps in transaction processing to ensure completion, editing, and/or deletion.
  - Load balancing: a process to distribute data and data processing among available servers, e.g., evenly to all servers or to the next available server.
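The three application-tier functions just listed, as an added Python example that is not part of the course slides: a toy application server with the two load-balancing policies named above (round robin and next available), a business-rules step, and a transaction manager that undoes every completed step when a later step fails, so a transaction is never left half-done. The discount and shipping rules, server names, stock levels and the payment failure are constructed for illustration.

```python
from itertools import cycle

def route_round_robin(servers, n):
    """Load balancing 'evenly to all servers': request i goes to server i mod k."""
    rr = cycle(servers)
    return [next(rr) for _ in range(n)]

def route_next_available(servers, busy):
    """Load balancing 'next available server': first server not marked busy, else None."""
    return next((s for s in servers if s not in busy), None)

def apply_business_rules(order):
    """Business logic: interpret the transaction and decide discount and shipping."""
    subtotal = sum(qty * price for _, qty, price in order["lines"])
    discount = round(0.10 * subtotal, 2) if subtotal >= 100 else 0.0  # constructed rule
    shipping = "express" if order.get("priority") else "ground"       # constructed rule
    return {"total": round(subtotal - discount, 2), "discount": discount, "shipping": shipping}

class TransactionManager:
    """Transaction management: record each completed step so a failed transaction is undone in full."""
    def __init__(self):
        self.undo_log = []   # undo callables for the steps completed so far

    def run(self, steps):
        """steps: list of (do, undo) callables, executed in order."""
        try:
            for do, undo in steps:
                do()
                self.undo_log.append(undo)
            return "committed"
        except Exception:
            for undo in reversed(self.undo_log):   # compensate in reverse order
                undo()
            self.undo_log.clear()
            return "rolled back"

def process_order(order, stock, payment_ok=True):
    """Reserve stock, then take payment; stock is restored if payment fails."""
    def reserve():
        if any(stock.get(sku, 0) < qty for sku, qty, _ in order["lines"]):
            raise ValueError("insufficient stock")   # check all lines before changing any
        for sku, qty, _ in order["lines"]:
            stock[sku] -= qty
    def unreserve():
        for sku, qty, _ in order["lines"]:
            stock[sku] += qty
    def charge():
        if not payment_ok:
            raise RuntimeError("payment declined")   # constructed failure
    return TransactionManager().run([(reserve, unreserve), (charge, lambda: None)])
```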


Question 1. The marketing department's proposal was finally accepted, and the marketing employees attended a class in using the report writer. Soon, the marketing analysts found that it was easier to download the data and manipulate it on their own desktop computers in spreadsheets than to perform all the data manipulation on the server. One analyst became highly skilled at downloading and wrote downloading command sequences for the other employees. When the analyst left the company for a better job, the department had problems making modifications to these command sequences. The department's problems are most likely due to inadequate

A. Documentation.
B. Data backup.
C. Program testing.
D. Anti-virus software.


Question 2. Traditional information systems development and operational procedures typically involve four functional areas. The systems analysis function focuses on identifying and designing systems to satisfy organizational requirements. The programming function is responsible for the design, coding, testing, and debugging of computer programs necessary to implement the systems designed by the analysis function. The computer operations function is responsible for data preparation, program/job execution, and system maintenance. The user function provides the input and receives the output of the system. Which of these four functions is often poorly implemented or improperly omitted in the development of a new end-user computing (EUC) application?

A. System analysis function.
B. Programming function.
C. Computer operations function.
D. User function.


Question 3. Responsibility for the control of end-user computing (EUC) exists at the organizational, departmental, and individual user levels. Which of the following should be a direct responsibility of the individual users?

A. Acquisition of hardware and software.
B. Taking equipment inventories.
C. Strategic planning of end-user computing.
D. Physical security of equipment.
