The IT units may be distributed according to business function, geographic location, or both. All or any of the IT functions may be distributed. The degree to which they are distributed will vary depending upon the philosophy and objectives of the organization's management.
4. What are the advantages and disadvantages of distributed data processing? Response: The advantages of DDP are: a. Cost reductions b. Improved cost control responsibility c. Improved user satisfaction d. Backup flexibility.
The disadvantages (risks) are: a. Inefficient use of resources b. Destruction of audit trails c. Inadequate segregation of duties d. Difficulty acquiring qualified professionals e. Lack of standards
5. What types of tasks become redundant in a distributed data processing system? Response: Autonomous systems development initiatives distributed throughout the firm can result in each user area reinventing the wheel rather than benefiting from the work of others.
For example, application programs created by one user, which could be used with little or no change by others, will be redesigned from scratch rather than shared.
Likewise, data common to many users may be recreated for each, resulting in a high level of data redundancy. This situation has implications for data accuracy and consistency.
6. Explain why certain duties that are deemed incompatible in a manual system may be combined in a CBIS (computer-based information system) environment. Give an example. Response: The IT (CBIS) environment tends to consolidate activities. A single application may authorize, process, and record all aspects of a transaction. Thus, the focus of segregation control shifts from the operational level (transaction processing tasks that computers now perform) to higher-level organizational relationships within the computer services function.
7. What are the three primary CBIS functions that must be separated? Response: The three primary CBIS functions that must be separated are as follows: a. Separate systems development from computer operations, b. Separate the database administrator from other functions, and c. Separate new systems development from maintenance.
8. What exposures does data consolidation in a CBIS environment pose? Response: In a CBIS environment, data consolidation exposes the data to losses from natural and man-made disasters. Consolidation creates a single point of failure. The only way to back up a central computer site against disasters is to provide a second computer facility.
9. What problems may occur as a result of combining applications programming and maintenance tasks into one position? Response: One problem that may occur is inadequate documentation.
Documenting is not considered as interesting a task as designing, testing, and implementing a new system; thus a systems professional may move on to a new project rather than spend time documenting an almost complete project. Job security may be another reason a programmer may not fully document his or her work. Another problem that may occur is the increased potential for program fraud. If the original programmer generates fraudulent code during development, then this programmer, through maintenance procedures, may disable the code prior to audits. Thus, the programmer can continue to cover his or her tracks.
10. Why is poor-quality systems documentation a prevalent problem? Response: Poor-quality systems documentation is a chronic IT problem and a significant challenge for many organizations seeking SOX compliance. At least two explanations are possible for this phenomenon. First, documenting systems is not as interesting as designing, testing, and implementing them. Systems professionals much prefer to move on to an exciting new project rather than document one just completed. The second possible reason for poor documentation is job security. When a system is poorly documented, it is difficult to interpret, test, and debug.
Therefore, the programmer who understands the system (the one who coded it) maintains bargaining power and becomes relatively indispensable. When the programmer leaves the firm, however, a new programmer inherits maintenance responsibility for the undocumented system. Depending on its complexity, the transition period may be long and costly.
11. What is RAID? Response: RAID (redundant arrays of independent disks) uses parallel disks that contain redundant elements of data and applications. If one disk fails, the lost data are automatically reconstructed from the redundant components stored on the other disks.
12. What is the role of a data librarian? Response: A data librarian, who is responsible for the receipt, storage, retrieval, and custody of data files, controls access to the data library.
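The reconstruction that RAID relies on (question 11 above, and again as the first fault-tolerance technique in discussion question 18) can be shown with XOR parity, the scheme used by RAID levels 3, 4 and 5. This is an added illustration, not from the textbook; the disks are in-memory lists holding constructed sample data.

```python
"""XOR parity: N data disks plus one parity disk per stripe.

Added example (not from the textbook). The parity block of each stripe is
the XOR of that stripe's data blocks, so any ONE missing block, data or
parity, is the XOR of the survivors. Two simultaneous losses cannot be
rebuilt, which is the usual caveat practitioners forget.
"""
from typing import List, Optional

BLOCK_SIZE = 4  # bytes per block; tiny so the stripes are easy to inspect


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length byte blocks together."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def stripe(data: bytes, n_data_disks: int) -> List[List[bytes]]:
    """Lay data out as disks[d][s]: block s of disk d; disk n_data_disks is parity.

    Data is zero-padded to a whole number of stripes.
    """
    stripe_bytes = BLOCK_SIZE * n_data_disks
    data = data + b"\x00" * ((-len(data)) % stripe_bytes)
    disks: List[List[bytes]] = [[] for _ in range(n_data_disks + 1)]
    for s in range(0, len(data), stripe_bytes):
        chunk = data[s:s + stripe_bytes]
        blocks = [chunk[i:i + BLOCK_SIZE] for i in range(0, stripe_bytes, BLOCK_SIZE)]
        for d, blk in enumerate(blocks):
            disks[d].append(blk)
        disks[n_data_disks].append(xor_blocks(blocks))  # parity for this stripe
    return disks


def rebuild(disks: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Reconstruct every block of the failed disk (data or parity) from the survivors."""
    survivors = [d for i, d in enumerate(disks) if i != failed and d is not None]
    if len(survivors) != len(disks) - 1:
        raise ValueError("single-parity RAID tolerates exactly one failed disk")
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def read_all(disks: List[List[bytes]], n_data_disks: int, length: int) -> bytes:
    """Reassemble the original byte string from the data disks, dropping padding."""
    joined = b"".join(disks[d][s] for s in range(len(disks[0])) for d in range(n_data_disks))
    return joined[:length]


def simulate_disk_loss(data: bytes, n_data_disks: int, failed: int) -> bytes:
    """Stripe data, lose one disk, rebuild it, and return the reassembled data."""
    disks = stripe(data, n_data_disks)
    lost = disks[failed]
    disks[failed] = None                      # the disk is gone
    disks[failed] = rebuild(disks, failed)    # rebuilt purely from the other disks
    assert disks[failed] == lost, "rebuilt disk must match the lost one"
    return read_all(disks, n_data_disks, len(data))


if __name__ == "__main__":
    # Constructed sample record; three data disks plus parity, data disk 1 fails.
    print(simulate_disk_loss(b"SALES ORDER 0042 ACCT 17", 3, failed=1))
```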
The librarian issues data files to computer operators in accordance with program requests and takes custody of the files when processing or backup procedures are completed. The trend in recent years toward real-time processing and the increased use of direct-access files has reduced or even eliminated the role of the data librarian in many organizations.
13. What is the role of a corporate computer services department? How does this differ from other configurations? Response: The role of a corporate computer services department (IT function) differs in that it is not a completely centralized model; rather, the group plays the role of provider of technical advice and expertise to distributed computer services. Thus, it provides much more support than would be received in a completely distributed model. A corporate computer services department provides a means for central testing of commercial hardware and software in an efficient manner. Further, the corporate group can provide users with services such as installation of new software and troubleshooting hardware and software problems. The corporate group can establish systems development, programming, and documentation standards. The corporate group can aid the user groups in evaluating the technical credentials of prospective systems professionals.
14. What are the five risks associated with distributed data processing?
Response: The five risks associated with distributed data processing are as follows: a. Inefficient use of resources, b. destruction of audit trails, c. inadequate segregation of duties, d. potential inability to hire qualified professionals, and e. lack of standards.
15. List the control features that directly contribute to the security of the computer center environment. a. Physical location controls b. Construction controls c. Access controls d. Air conditioning e. Fire suppression f. Fault tolerance
16. What is data conversion? Response: The data conversion function transcribes transaction data from paper source documents into computer input. For example, data conversion could be keying sales orders into a sales order application in modern systems or transcribing data into magnetic media (tape or disk) suitable for computer processing in legacy-type systems.
17. What may be contained in the data library? Response: The data library is a room adjacent to the computer center that provides safe storage for the off-line data files. Those files could be backups or current data files. For instance, the data library could store backups on DVDs, CD-ROMs, tapes, or other storage devices. It could also store live, current data files on magnetic tapes and removable disk packs. In addition, the data library could store the original copies of commercial software and their licenses for safekeeping.
18. What is an ROC? Response: A recovery operations center (ROC) or hot site is a fully equipped backup data center that many companies share. In addition to hardware and backup facilities, ROC service providers offer a range of technical services to their clients, who pay an annual fee for access rights. In the event of a major disaster, a subscriber can occupy the premises and, within a few hours, resume processing critical applications.
19. What is a cold site? The empty shell or cold site plan is an arrangement wherein the company buys or leases a building that will serve as a data center. In the event of a disaster, the shell is available and ready to receive whatever hardware the temporary user requires to run its essential data processing systems.
20. What is fault tolerance? Response: Fault tolerance is the ability of the system to continue operation when part of the system fails due to hardware failure, application program error, or operator error. Implementing fault tolerance control ensures that no single point of potential system failure exists. Total failure can occur only in the event of the failure of multiple components, or system-wide failure.
21. What are the often-cited benefits of IT outsourcing? Response: Often-cited benefits of IT outsourcing include improved core business performance, improved IT performance (because of the vendor's expertise), and reduced IT costs.
22. Define commodity IT asset. Response: Commodity IT assets are those assets that are not unique to a particular organization and are thus easily acquired in the marketplace. These include such things as network management, systems operations, server maintenance, and help-desk functions.
23. Define specific asset. Response: Specific assets, in contrast to commodity assets, are unique to the organization and support its strategic objectives. Because of their idiosyncratic nature, specific assets have little value outside of their current use.
24. List five risks associated with IT outsourcing. a. Failure to perform b. Vendor exploitation c. Outsourcing costs exceed benefits d. Reduced security e. Loss of strategic advantage
Discussion Questions
1. How is pre-SOX IT governance different from post-SOX IT governance? Response: Prior to SOX, the common practice regarding IT investments was to defer all decisions to corporate IT professionals. Modern IT governance, however, follows the philosophy that all corporate stakeholders, including boards of directors, top management, and department users (i.e., accounting and finance) be active participants in key IT decisions.
Such broad-based involvement reduces risk and increases the likelihood that IT decisions will be in compliance with user needs, corporate policies, strategic initiatives, and internal control requirements under SOX.
2. Although IT governance is a broad area, only three aspects of IT governance are discussed in the chapter. Name them and explain why these topics were chosen. Response: Although all IT governance issues are important to the organization, not all of them are matters of internal control under SOX that may potentially impact the financial reporting process. This chapter examined three IT governance issues that are addressed by SOX and the COSO internal control framework. These are: a. Organizational structure of the IT function, b. Computer center operations, and c. Disaster recovery planning.
3. What types of incompatible activities are prone to becoming consolidated in a distributed data processing system? How can this be prevented? Response: Achieving an adequate segregation of duties may not be possible in some distributed environments. The distribution of the IT services to users may result in the creation of small independent units that do not permit the desired separation of incompatible functions. For example, within a single unit the same person may write application programs, perform program maintenance, enter transaction data into the computer, and operate the computer equipment.
Such a situation would be a fundamental violation of internal control.
4. Why would an operational manager be willing to take on more work in the form of supervising an information system? Response: Managers are responsible for the success of their divisions. If the benefits to be reaped from DDP are expected to be great enough, the manager may find it is worth her or his while to expend the extra effort. Some of the benefits the manager may hope will materialize within the divisions are more efficiently run operations, better decision making, and reduced processing costs. Increased customer satisfaction may also result if the DDP system is more accommodating.
5. How can data be centralized in a distributed data processing system? Response: The data is stored centrally, but updated or processed at the local (remote) site. Thus, data is retrieved from the centralized data store, processed locally, and then sent back to the centralized data store.
6. Should standards be centralized in a distributed data processing environment? Explain. Response: The relatively poor control environment imposed by the DDP model can be improved by establishing some central guidance.
The corporate group can contribute to this goal by establishing and distributing to user areas appropriate standards for systems development, programming, and documentation.
7. How can human behavior be considered one of the biggest potential threats to operating system integrity? Response: The purpose of segregation of duties is to deal with the potential negative aspects of human behavior including errors and fraud. The relationship between systems development (both new systems development and maintenance) and computer operations activities poses a potential risk that can circumvent operating system integrity. These functions are inherently incompatible. With detailed knowledge of application logic and control parameters and access to the computer's operating system and utilities, an individual could make unauthorized changes to the application during its execution.
8. A bank in California has thirteen branches spread throughout northern California, each with its own minicomputer where its data are stored. Another bank has 10 branches spread throughout California, with its data stored on a mainframe in San Francisco. Which system do you think is more vulnerable to unauthorized access? Excessive losses from disaster? Response: The bank that has the data for all of its branches stored on one mainframe computer is at greater risk of access control. All of the firm's records are centrally housed. Once a perpetrator gains unauthorized access to the system, the data for all 10 branches are at risk. For the other bank the perpetrator would have to breach security for each of the thirteen branch computers. Thus, the bank with all of its data centrally stored on a mainframe is more vulnerable to access control. The primary disasters of concern in California are earthquakes and fires. The bank with a central mainframe in San Francisco is probably at the greatest risk of damage from both earthquakes and fires. If that system is destroyed, all of the branches lose their processing capability and, possibly, stored data.
9. End-user computing has become extremely popular in distributed data processing organizations. The end users like it because they feel they can more readily design and implement their own applications. Does this type of environment always foster more efficient development of applications? Explain your answer. Response: Distributed data processing, if not properly managed, may result in duplication of efforts.
Two or more individual end users may develop similar applications while completely unaware of each other's efforts. Such duplication is an inefficient use of human resources.
10. Compare and contrast the following disaster recovery options: mutual aid pact, empty shell, recovery operations center, and internally provided backup. Rank them from most risky to least risky, as well as from most costly to least costly. Response: A mutual aid pact requires two or more organizations to agree to and trust each other to aid the other with data processing needs in the event of a disaster. This method is the lowest cost, but also somewhat risky. First, the host company must be trusted to scale back its own processing in order to process the transactions of the disaster-stricken company. Second, the firms must not be affected by the same disaster, or the plan fails. The next lowest cost method is internally provided backup. With this method, organizations with multiple data processing centers may invest in internal excess capacity and support themselves in the case of disaster in one data processing center. This method is not as risky as the mutual aid pact because reliance on another organization is not a factor. In terms of cost, the next highest method is the empty shell where two or more organizations buy or lease space for a data processing center. The space is made ready for computer installation; however, no computer equipment is installed. This method requires lease or mortgage payments as well as payment for air conditioning and raised floors. The risk in this method is that the hardware, software, and technicians may be difficult, if not impossible, to have available in the case of a natural disaster. Further, if multiple members' systems crash simultaneously, an allocation problem exists. The method with lowest risk and also the highest cost is the recovery operations center. This method takes the empty shell concept one step further: the computer equipment is actually purchased and software may even be installed. Assuming that this site is far enough away from the disaster-stricken area not to be affected by the disaster, this method can be a very good safeguard.
11. Who should determine and prioritize the critical applications? How is this done? How frequently is it done?
Response: The critical applications should be identified and prioritized by the user departments, accountants, and auditors. The applications should be prioritized based upon the impact on the short-run survival of the firm. The frequency with which the priorities need to be assessed depends upon the amount and kinds of changes that are made to systems over time. Firms that make changes frequently should reassess priorities frequently.
12. Why is it easier for programmers to perpetrate a fraud than operators? Response: It is much easier for programmers to perpetrate a fraud because they know the code. They know how to get around some, or most, of the embedded controls. Better yet, some programmers deliberately program code that gets them around controls and allows them to commit fraud.
13. Why should an organization centralize the acquisition, testing, and implementation of software and hardware within the corporate IT function? Response: The corporate IT group is better able to evaluate the merits of competing vendor software and hardware. A central, technically astute group such as this can evaluate systems features, controls, and compatibility with industry and organizational standards most efficiently. Test results can then be distributed to user areas as standards for guiding acquisition decisions.
14. Organizations sometimes locate their computer centers in the basement of their buildings to avoid normal traffic flows. Comment on this practice. Response: Locating the computer center in the basement of a building can create an exposure to disaster risk such as floods. The Chicago Board of Trade computer center's systems were located in the basement of a multi-storied office building in Chicago. When the century-old water pipelines burst, part of the first floor and the entire basement flooded. Trade was suspended for several days until system functionality could be restored, causing the loss of millions of dollars. This disaster would have been prevented if the computer center had simply been located on the top floor: still away from normal traffic flows, but also away from the risk of flood.
15. The 2003 blackout that affected the U.S. Northeast caused numerous computer failures. What can an organization do to protect itself from such uncontrollable power failures? Response: The decision regarding power controls can be an expensive one and usually requires the advice and analysis of experts.
The following, however, are options that can be employed. Voltage regulators and surge protectors provide regulated electricity, related to the level of electricity (frequency), and "clean" electricity, related to spikes and other potential hazards. Power outages and brownouts can generally be controlled with a battery backup (known as an uninterruptible power supply).
16. Discuss potential problems with ROCs. Response: Because of the heavy investment involved, ROCs are typically shared among many companies. The firms either buy shares in or become subscribers to the ROC, paying monthly fees for rights to its use. That situation does provide more risk because a widespread natural disaster may affect numerous entities in the same general geographic area. If multiple entities share the same ROC, some firm or firms will end up queued in a waiting line.
17. Discuss two potential problems associated with a cold site. a. Recovery depends on the timely availability of the necessary computer hardware to restore the data processing function. Management must obtain assurances from hardware vendors that the vendor will give priority to meeting the organization's needs in the event of a disaster. An unanticipated hardware supply problem at this critical juncture could be a fatal blow. b. With this approach there is the potential for competition among users for the shell resources, the same as for a hot site. For example, a widespread natural disaster, such as a flood or earthquake, may destroy the data processing capabilities of several shell members located in the same geographic area. Those affected by the disaster would be faced with a second major problem: how to allocate the limited facilities of the shell among them. The situation is analogous to a sinking ship that has an inadequate number of lifeboats.
18. Discuss three techniques used to achieve fault tolerance. a. Redundant arrays of inexpensive (or independent) disks (RAID). There are several types of RAID configurations. Essentially, each method involves the use of parallel disks that contain redundant elements of data and applications. If one disk fails, the lost data are automatically reconstructed from the redundant components stored on the other disks. b. Uninterruptible power supplies. In the event of a power outage, short-term backup power (i.e., battery power) is provided to allow the system to shut down in a controlled manner. This process will prevent the data loss and corruption that would otherwise result from an uncontrolled system crash.
19. Explain the outsourcing risk of failure to perform. Response: Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor's performance.
The negative implications of such dependency are illustrated in the financial problems that have plagued the huge outsourcing vendor Electronic Data Systems Corp. (EDS). In a cost-cutting effort, EDS terminated seven thousand employees, which impacted its ability to serve other clients. Following an eleven-year low in share prices, EDS stockholders filed a class-action lawsuit against the company. Clearly, vendors experiencing such serious financial and legal problems threaten the viability of their clients also.
20. Explain vendor exploitation. Response: Once the client firm has divested itself of specific assets it becomes dependent on the vendor. The vendor may exploit this dependency by raising service rates to an exorbitant level. As the client's IT needs develop over time beyond the original contract terms, it runs the risk that new or incremental services will be negotiated at a premium. This dependency may threaten the client's long-term flexibility, agility, and competitiveness and result in even greater vendor dependency.
21. Explain why reduced security is an outsourcing risk. Response: Information outsourced to off-shore IT vendors raises unique and serious questions regarding internal control and the protection of sensitive personal data. When corporate financial systems are developed and hosted overseas, and program code is developed through interfaces with the host company's network, US corporations are at risk of losing control of their information. To a large degree, US firms are reliant on the outsourcing vendor's security measures, data-access policies, and the privacy laws of the host country.
22. Explain how IT outsourcing can lead to loss of strategic advantage. Response: Alignment between IT strategy and business strategy requires a close working relationship between corporate management and IT management in the concurrent development of business and IT strategies. This, however, is difficult to accomplish when IT planning is geographically redeployed off-shore or even domestically. Further, since the financial justification for IT outsourcing depends upon the vendor achieving economies of scale, the vendor is naturally driven toward seeking common solutions that may be used by many clients rather than creating unique solutions for each of them. This fundamental underpinning of IT outsourcing is inconsistent with the client's pursuit of strategic advantage in the marketplace.
23. Explain the role of a SAS 70 report in reviewing internal controls.