Internal Auditors and Change Management
54 Questions

Questions and Answers

What are the roles of internal auditors in change management? (Select all that apply)

  • Understanding the organization's IT objectives (correct)
  • Understanding the controls used to manage risks and carry out risk responses (correct)
  • Assessing whether such risks are aligned with the organization's risk appetite and tolerances (correct)
  • Promoting a culture of effective change management (correct)
  • Assisting in deciding the appropriate risk management response (e.g., avoid, accept, reduce, or share) (correct)
  • Assisting in identifying risks to IT objectives (correct)

Which of the following are internal audit engagements associated with systems and application development? (Select all that apply)

  • A post-implementation review (correct)
  • An access control review (correct)
  • A system design review (correct)
  • An application control review (correct)
  • A source code review (correct)

    Rapid Application Development (RAD) typically involves creating a working model of the system, demonstrating it, obtaining feedback, and making changes iteratively until user satisfaction is achieved.

    True

    Computer-aided software engineering (CASE) focuses on manual documentation of system designs.

    False

    What are some potential risks associated with end-user computing (EUC)? (Select all that apply)

    Inadequate backup, recovery, and contingency planning

    Which of the following challenges are associated with end-user application development? (Select all that apply)

    End-user applications may not receive independent testing.

    What are organizational levels of responsibility for control of end-user computing (EUC)? (Select all that apply)

    Organizational

    What is the primary function of systems software?

    Systems software performs fundamental tasks to manage computer resources.

    What is the purpose of an operating system?

    An operating system coordinates the actions of a computer, including its peripheral devices and memory.

    Which of the following are controls over operating systems? (Select all that apply)

    Error notification for failed hardware

    What is the role of internal auditors in reviewing controls over operating systems?

    Internal auditors should monitor change procedures, ensure that system programmers have sufficient training, and verify that the operating system is up to date.

    What is a computer program?

    A computer program is a set of instructions that directs a computer to perform specific tasks and produce intended results.

    Utility programs are sometimes considered privileged software because they can potentially access sensitive data or system configurations.

    True

    What are some examples of basic data maintenance tasks performed by utility programs? (Select all that apply)

    Sorting

    It is essential to encrypt passwords before storing them in a file to safeguard against unauthorized access.

    True

    Access to utility programs should be restricted to authorized personnel.

    True

    What is a graphical user interface (GUI)?

    A graphical user interface (GUI) allows users to interact with a system through icons, buttons, windows, and menus, simplifying interactions.

    How does a GUI simplify data transfer between applications?

    GUIs facilitate copying data, such as charts, from one application, like a spreadsheet, and pasting it into another application, like a word processing document.

    What is optical character recognition (OCR)?

    Optical character recognition (OCR) is a technology used to scan printed documents and convert them into editable text, making it easier to digitize information.

    What are the two main components of networks? (Select all that apply)

    Transmission medium

    What is a network interface card (NIC)?

    A network interface card (NIC) is a hardware component that allows a device to connect to a network, communicating using a specific protocol (language).

    What is a local area network (LAN)?

    A local area network (LAN) connects devices within a single office or building, typically owned and managed by a single organization.

    What is a peer-to-peer network?

    A peer-to-peer network connects devices directly without a central server, enabling direct communication and sharing of resources between connected devices.

    Peer-to-peer networks become easier to manage as more devices are added.

    False

    Describe the client-server network model.

    In the client-server model, clients (devices or software) request services from centralized servers that provide specific functions or resources.

    Which of the following are examples of servers in a client-server network? (Select all that apply)

    Internet server

    What is the key advantage of the client-server model?

    The client-server model optimizes processing tasks by running processes on the platform most appropriate for each task, minimizing network traffic.

    Client-server systems often have specialized equipment from multiple vendors.

    True

    What are the primary benefits of using cloud computing? (Select all that apply)

    Fast access to software

    Cloud computing poses no security risks.

    False

    What are the three primary types of cloud services? (Select all that apply)

    Software-as-a-Service (SaaS)

    The rise of smartphones and tablets has had no impact on cloud computing.

    False

    What is the role of a network administrator?

    A network administrator manages data and network communication, encompassing LANs, MANs, WANs, and internet systems.

    What are the responsibilities of a system administrator?

    System administrators manage the entire computer system, encompassing hardware and software, data backup and recovery, and system maintenance.

    System administrator responsibilities never overlap with network administrator responsibilities.

    False

    What is a protocol? (Select all that apply)

    A method of communication between devices on a network

    What is the most successful protocol for LAN transmission?

    Ethernet is the most successful LAN transmission protocol.

    The Ethernet protocol uses a collision-detection method for communication.

    True

    What is the main advantage of a switched network? (Hint: Consider the limitations of a LAN with numerous users)

    Switched networks address the limitations of traditional collision-detection based LANs by using switching devices that forward packets to their destination based on their addresses, allowing for efficient transmission in networks with many users and high data traffic.

    What is a router, and how does it work?

    A router is a networking device that forwards packets based on their destination address, intelligently determining the most efficient path for transmission based on network conditions.

    What is the purpose of TCP/IP?

    TCP/IP is a suite of protocols that enables communication between devices connected across the internet.

    Dynamic Host Configuration Protocol (DHCP) helps ensure that each device on a network has a unique IP address.

    True

    What is a Wi-Fi network, and what are its key features?

    A Wi-Fi network is a wireless local area network that uses radio waves to connect devices within a range of about 300 feet, enabling mobility and flexibility for device connectivity.

    Bluetooth operates over a larger range than Wi-Fi.

    False

    What are some common applications of RFID technology? (Select all that apply)

    Tollbooth collection

    Describe the bus network topology and its strengths and weaknesses.

    In a bus network, devices are connected to a single shared cable (bus). It's simple to set up but vulnerable to interruptions. If the cable fails, the entire network goes down.

    Shareware is a type of software that is always free of charge.

    False

    What is the main purpose of a software licensing agreement?

    A software licensing agreement defines the terms of use for software, specifying what the user can do with the software, such as number of copies, usage locations, and reproduction restrictions.

    What measures should be taken to avoid legal liability related to the use of unlicensed software?

    Organizations should implement controls to prevent unauthorized use of unlicensed software. This might include using only licensed software, tracking software licenses, and educating employees on software licensing rules.

    What is the purpose of a diskless workstation?

    A diskless workstation enhances security by eliminating the possibility of copying software to removable storage devices, preventing unauthorized software distribution and protecting sensitive data.

    What are the primary benefits of using electronic software distribution (ESD)?

    Electronic software distribution (ESD) speeds up software installation by eliminating the need for physical media, enabling centralized control and reducing installation time from weeks to hours or days.

    What is a management information system (MIS)?

    A management information system (MIS) aggregates data from transaction processing systems, providing reports that are useful for middle management to make informed decisions.

    What are the key functions of an accounting information system (AIS)?

    An AIS processes routine financial and transactional data, generating reports for both financial and managerial accounting. It tracks transactions with external parties and internal activities, ensuring accurate financial reporting and cost control.

    An enterprise resource planning (ERP) system is the most comprehensive integrated system.

    True

    Study Notes

    Internal Auditors and Change Management

    • Internal auditors assist in change management by understanding the organization's IT objectives.
    • They assist in identifying risks to IT objectives.
    • Auditors assess whether risks are aligned with the organization's risk appetite and tolerances.
    • They assist in deciding the appropriate risk management response (e.g., avoid, accept, reduce, or share).
    • Internal auditors understand the controls used to manage risks and carry out risk responses.
    • They promote a culture of effective change management.

    Internal Audit Engagements

    • Internal audit engagements associated with systems and application development include access control reviews, application control reviews, source code reviews, system design reviews, and post-implementation reviews.
    • An access control review evaluates whether controls effectively prevent and detect unauthorized access.
    • An application control review evaluates whether application controls effectively manage related risks.
    • A source code review evaluates whether the program's source code is effectively managed and controlled.
    • A system design review evaluates whether the system to be developed meets business requirements.
    • A post-implementation review evaluates whether the system or application meets expectations.

    Rapid Application Development (RAD)

    • Rapid application development (RAD) enables programmers to develop software with minimal planning and without beginning from scratch.
    • Prototyping is an alternative approach to application development that involves creating a working model, demonstrating it to the user, obtaining feedback, and making changes to the underlying code.
    • This process repeats until the user is satisfied with the system's functionality.
    • Computer-aided software engineering (CASE) is another form of RAD.
    • CASE applies the computer to software design and development.
    • CASE maintains system documentation like data flow diagrams, data dictionaries, and pseudocode.
    • It develops executable input and output screens and generates program code.

    End-User vs. Centralized Computing

    • End-user computing (EUC) involves user-created or user-acquired systems maintained outside of traditional information systems controls.
    • EUC has environmental control risks like copyright violations from unauthorized copies of software or unauthorized access to application programs and related data.
    • EUC lacks physical access controls, application-level controls, and other controls found in mainframe or networked environments.
    • EUC may lack adequate backup, recovery, and contingency planning.

    Program Development

    • Program development, documentation, and maintenance can lack centralized control.
    • Allowing end-users to develop their own applications may decentralize control.
    • These applications may not be subject to appropriate standards, controls, and quality assurance procedures.
    • End-user applications may not receive independent testing or adequate documentation.
    • Segregation of duties may be insufficient if the same person performs programmer and operator functions.
    • End-user applications often do not follow a structured and controlled development life cycle.
    • User needs analysis may be insufficient when user and analyst functions are combined.

    IT Infrastructure - Functional Areas of IT Operations

    • Controls should ensure efficiency and effectiveness of IT operations.
    • Control includes appropriate segregation of duties: systems analysts, programmers, operators, file librarians, and the control group.
    • Segregation of duties is vital, but may not be feasible in an IT environment.
    • Certain activities, like computer check printing and reconciliation, are customarily segregated in manual systems, but may co-exist in an IT environment.
    • Compensating controls, such as library controls, computer logs, effective supervision, and rotation of personnel, may be necessary in IT environments.

    IT Infrastructure - Web Infrastructure

    • The Internet is a network of networks.
    • A network is a collection of hardware devices interconnected for communication and data sharing.
    • The Internet facilitates inexpensive communication and information transfer among computers.
    • Gateways allow mainframe computers to interface with personal computers.
    • Internet backbones carry signals globally.
    • Web-crawlers (spiders or bots) access and read webpage information.
    • Internet users connect through Internet Service Providers (ISPs).
    • Internet topology is complex, resembling a network rather than a simple spine.
    • The Internet consists of servers (holding information), clients (viewing information), and the TCP/IP protocol suite for connectivity.
    • A gateway allows communication between dissimilar networks.
    • A bridge connects similar networks.

    IT Infrastructure - Increasing Decentralization

    • Improvements in technology have led to the decentralization of information processing.
    • Mainframe computers were the primary arrangement in early data processing.
    • Distributed processing arose as minicomputers evolved, decentralizing processing and data storage.
    • Remote locations have processing units linked to a central server.
    • This distributes processing tasks.
    • Data needed locally can reside locally, reducing communications traffic.

    IT Infrastructure - Servers

    • A server is a dedicated computer/device managing resources.
    • File servers function as librarians in a network.
    • Web servers host websites.
    • Enterprise servers handle organization-wide programs.
    • Centrally located data might be subject to unauthorized changes without proper documentation or user awareness.
    • Staff may not know when data needs to be updated.

    IT Infrastructure - Languages and Protocols

    • Tim Berners-Lee developed Hypertext Markup Language (HTML) and Hypertext Transfer Protocol (HTTP).
    • HTML uses codes (tags) to describe web page structure and presentation.
    • XML is an extensible variation of HTML, using tags to define data content.
    • XML tags allow for computer interpretation of data content.
    • HTML formatting describes how items are arranged on a page while XML tags define the content itself.

    IT Infrastructure - Uses

    • Locating specific information from numerous Internet resources is a common challenge.
    • An organization's site on the Web is its website.
    • Websites are composed of a home page and subsidiary pages.
    • Every resource on the Web has a Uniform Resource Locator (URL), a unique address.
    • Some URLs may not be accessible to every user due to security features.
    • Domain names are used in URLs, with suffixes like .gov or .com reflecting different categories.
    • Cookies are small text files used to recognize users and track preferences on websites.
    • An intranet uses Internet connectivity standards within an organization.
    • Intranets often restrict access to those within the organization except with identification.
    • An extranet links the intranets of multiple organizations, often using the public Internet with passwords.

    IT Infrastructure - Cloud Computing

    • Cloud computing provides on-demand access to resources on the Internet.
    • Cloud computing offers advantages, such as fast access to software, reduced IT infrastructure investment, and pay-as-you-go services.
    • Security concerns can arise with the convenience and ease of access in cloud computing.
    • Cloud services are categorized as Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS).

    IT Infrastructure - Software Systems

    • Management Information Systems (MIS) receive input from Transaction Processing Systems (TPS), aggregating it to provide reports to mid-level managers.
    • MIS are categorized by functions like Accounting (general ledger, accounts receivables), Finance (capital budgeting), Manufacturing (production planning), Logistics (inventory management), Marketing (sales analysis).
    • Integrated systems, like Enterprise Resource Planning (ERP) systems, link multiple business activities across the entire enterprise.
    • Accounting Information Systems (AIS) process routine financial and transactional data for managerial and financial accounting.
    • AIS processes data for transactions with external parties and internal activities like cost accounting.

    IT Infrastructure - Systems Software

    • Systems software manages computer resources, with the operating system being a central component.
    • Operating systems coordinate computer actions, including peripherals and memory.
    • Controls over operating systems are crucial because they can affect the database.
    • Controls include segregation of duties, testing procedures, and log maintenance.
    • Utility programs perform common data maintenance tasks, such as sorting and merging data, copying or deleting files.

    Related Documents

    2023 Gleim CIA Part 3 PDF

    Description

    This quiz explores the vital role of internal auditors in change management within organizations. It covers how auditors assess risks related to IT objectives and determine appropriate risk management responses. Additionally, it delves into engagement processes involved in system and application development.
