Information Systems Control - Chapter 8
45 Questions

Questions and Answers

Which type of control primarily focuses on ensuring data is delivered accurately and consistently to users?

  • Physical Component Controls
  • Communication Controls
  • Output Controls (correct)
  • Cryptographic Controls

What is the primary purpose of using cryptographic controls in data processing?

  • To prevent accidental data loss on storage media
  • To manage physical access to IT equipment
  • To secure transaction data before it's processed (correct)
  • To validate file integrity during data transfers

What category of controls is designed to mitigate risks associated with the hardware and physical aspects of data processing?

  • Communication Controls
  • Software Controls
  • Physical Component Controls (correct)
  • Output Controls

What is the main aim of implementing software controls in data processing?

    To validate checks and maintain data integrity (B)

    What is the purpose of line error controls within communication systems?

    To detect and correct errors of data transmissions (D)

    Which of the following is NOT a primary function of incident response?

    Modifying system reboot procedures. (A)

    In what context are 'rerun procedures' usually categorized?

    Contingency planning (C)

    What is the primary purpose of directive controls?

    To provide specific directions to staff. (C)

    Which action best describes a directive control in practice?

    Providing guidelines for handling a security breach (B)

    Which of these characteristics is NOT typical of directive controls?

    They are complex to implement as it involves decision making (A)

    What is a key step for management when implementing directive controls?

    Ensuring that directives are approved for compliance (C)

    How do corrective controls differ from directive controls?

    Corrective controls aim to rectify damage, whereas directives give instructions (D)

    What would be an immediate response that directive controls help facilitate?

    Responding to a detected risk event (B)

    Which of the following is NOT a primary objective of controls within an information system?

    Predictive (C)

    Which control type primarily focuses on preventing errors or irregularities from occurring in the first place?

    Preventive (D)

    Which of the following control classifications is related to how information systems resources are physically accessed?

    Physical Access (D)

    Which of the following is considered a management control framework?

    Management Control Framework (B)

    According to the provided information, which type of software did ABC Multispecialty Hospital start using in the early 90s?

    Specific software for recording daily financial transactions (C)

    What is the approximate number of total employees, including doctors and administrative staff, at ABC Multispecialty Hospital?

    3000 (C)

    What is the term used for the type of controls that focus on taking actions to minimize or eliminate the impact of an error after it has been identified?

    Corrective controls (C)

    Besides critical care, what other two service lines are mentioned as areas where ABC Multispecialty Hospital has been a market leader?

    Ambulatory care and home health care (A)

    Which method provides the most secure user authentication based on risk assessment?

    Biometric Authentication and/or Digital Certificates (D)

    What is a critical security measure for managing stored passwords in an operating system?

    Using one-way hashing algorithms and encrypting the password file (B)

    Which user should primarily have access to system utilities?

    System administrator only (A)

    What is the primary function of a duress alarm in a system?

    To alert authorities when a user is forced to perform an action (D)

    What is the purpose of a 'terminal time out' security measure?

    To log out a user if their terminal is inactive for a period to prevent misuse (D)

    What is the main control provided by 'Limitation of connection time'?

    To limit or deny system access outside specific schedules (B)

    How does an application's menu interface contribute to information access restriction?

    It limits access to specific functions and information based on user roles. (D)

    What should be the primary consideration when designing a duress alarm?

    It must be simple enough to operate under stressful conditions. (A)

    What is a significant risk associated with portable computers in an organization?

    Theft of data from the hard drive. (A)

    Which of the following security measures is NOT mentioned as critical for portable computing devices?

    GPS tracking of devices. (C)

    Why is implementing a Virtual Private Network (VPN) recommended for employees working from home?

    To establish a secure channel for data sharing with remote workers. (B)

    What is the primary focus of the Management Control Framework in IT?

    Reviewing and securing management functions for information systems. (C)

    According to the provided text, what is the responsibility of top management regarding IT controls?

    To determine the sufficiency of IT controls in meeting business objectives. (C)

    What does the scope of control include for Top Management, as outlined in the text?

    Formulating high-level IT policies and procedures to establish a sound internal control framework. (A)

    Which of these options BEST describes the role of the Management Control Framework?

    To ensure management functions are reviewed and controlled in a planned manner. (A)

    What is the primary goal of having top management controls on IT systems?

    To ensure IT functions correctly and meets strategic objectives. (B)

    What is the primary purpose of an emergency power-off switch in a data center?

    To allow quick and safe shutdown of equipment in emergency situations. (C)

    Why are redundant power links important for data centers?

    To ensure a consistent supply of power to all equipment even when one source fails. (C)

    Where should water detectors typically be placed in a computer room?

    Under raised floors, near drain holes, and around unattended equipment. (D)

    Why is it generally not advisable to place a computer room in the basement of a multi-story building?

    To reduce vulnerability to floods and water damage. (D)

    Apart from physical barriers, what is another method to protect an installation from water damage in flood-prone areas?

    Locating the installation on upper floors while avoiding the top floor. (D)

    What is the most significant pollutant within a computer installation, which can cause physical damage to the hardware?

    Dust accumulation on storage devices. (C)

    Why are eating, drinking, and smoking typically prohibited within an information processing facility?

    To keep the environment free from potential pollutants that can harm the equipment. (A)

    What are physical access controls primarily intended to safeguard?

    The physical and digital assets of an information processing facility. (B)

    Study Notes

    UNIT - III INFORMATION SYSTEMS' CONTROLS

    • Information systems controls are a crucial aspect of any organization
    • Understanding the Internal Control Framework and its components is essential
    • Various control types exist, categorized by different parameters
    • Controls are classified based on the 'Objective of Controls', 'Nature of information system resources', and 'Audit Perspective'
    • Auditors play a key role in inspecting and evaluating these controls
    • A detailed understanding of control activities is vital

    CHAPTER 8 INFORMATION SYSTEMS' CONTROL AND ITS CLASSIFICATION

    • Learning Outcomes:
      • Establish an understanding of Internal Control Framework and its components
      • Build a detailed understanding of various control types
      • Comprehend controls based on 'Objective of Controls'
      • Classify controls based on 'Nature of information system resources'
      • Understand controls based on 'Audit perspective'
      • Understand controls based on 'Control Activities'
      • Know the role of auditors while inspecting controls

    CHAPTER OVERVIEW

    • Objectives of Controls:
      • Preventive
      • Detective
      • Corrective
      • Directive
    • Nature of IS Resources:
      • Environmental
      • Physical Access
      • Logical Access
    • Classification Criteria
    • Audit Perspective
    • Application Control Framework
    • Management Control Framework
    • Information Technology
    • Control Activities
    • Physical Activities

    ILLUSTRATION: ABC MULTISPECIALTY HOSPITAL

    • ABC Multispecialty Hospital is a prominent national hospital and medical college
    • Has 250 patient beds and over 3000 employees
    • Market leader in critical care, ambulatory care, and home health care
    • Used specific software for daily financial transactions, upgraded regularly
    • Faced regulatory compliance challenges and market factors that led to falling annual profits
    • Implemented a Business Process Re-engineering effort to reduce operating costs by 10%

    PROBLEM RAISED

    • Falling annual profits due to regulatory changes and market factors
    • Increasing competition, pressure to reduce operating costs

    SOLUTION FOUND

    • Formed ten groups (finance, information systems, nursing, ancillary services, laboratory, administrative, pharmacy, radiology, supportive services, and physician services) to review overall hospital operations
    • Conducted a three-day orientation and training session for the groups, with a management consulting company
    • The Accounts department studied and improved the Financial Accounting System and reduced staff by removing unnecessary positions
    • Resolved vendor payment issues and resolved conflict over slow payments
    • Found a qualified candidate to fill a vacant position, who was the son of existing hospital staff

    ISSUES FOUND BY STAKEHOLDERS

    • Internal audit department (CISA) conducts internal audits on various hospital business processes, including finance
    • The audit identified that Mr. Mahesh's father also worked at the hospital
    • The situation in the accounts department conflicted with the hospital's policy against nepotism

    DISCOVERY OF FRAUD

    • CFO discovered six cash disbursements totaling ₹80,000 made to Mr. Mahesh
    • Internal Audit Manager, Mr. Pankaj, investigated
    • Mr. Mahesh had forged six cash disbursement forms, including vendor invoices
    • Mr. Mahesh input fraudulent data into the accounts payable module under his own vendor account
    • Was assigned responsibility for the semi-weekly cash disbursement and created fraudulent cheques
    • Carried out the fraud by using the hospital's standard operating procedure for all employees in the IT and Finance departments

    Description

    Dive into Chapter 8 of Information Systems' Control and its Classification. This quiz will test your understanding of the Internal Control Framework and the various types of controls based on purpose, resources, and audit perspectives. Get ready to explore the essential role of auditors in evaluating control activities.