Information technology auditing 3rd edition solutions

There is no need to provide us with a physical shipping address; we only need your email address, to which we will send the files. We sell the potential questions and answers that instructors and teachers draw on when making exams and tests. All orders are kept anonymous and safe.

We do not record or share client details for any reason. You get what you paid for, securely and anonymously. We use instant payment and instant file delivery. Clients can pay for their materials directly from the online store using either credit cards or PayPal, and then download the purchased file by logging into their account or by receiving it as an email attachment.

Clients who use PayPal will receive a payment invoice at the email address they signed up with. If the email you signed up with differs from your PayPal one, simply let us know using the contact form. Always check your Spam and Junk folders if you do not see our emails in your inbox. We provide free samples of any textbook solution manual or test bank so you can check and evaluate it before making the final purchase.

Hall, Solution Manual for Information Technology Auditing. Hall's IT AUDITING is an innovative and cutting-edge text which provides students with a solid background in traditional auditing as well as in the auditing of accounting information systems. If you require any further information, let me know.

A central, technically astute group such as this can evaluate systems features, controls, and compatibility with industry and organizational standards most efficiently. Test results can then be distributed to user areas as standards for guiding acquisition decisions. Organizations sometimes locate their computer centers in the basement of their buildings to avoid normal traffic flows. Comment on this practice. Response: Locating the computer center in the basement of a building can create an exposure to disaster risk such as floods.

When the century-old water pipelines burst, part of the first floor and the entire basement flooded. Trade was suspended for several days until system functionality could be restored, causing the loss of millions of dollars.

This disaster would have been prevented if the computer center had simply been located on the top floor—still away from normal traffic flows, but also away from the risk of flood. The blackout that affected the U. What can an organization do to protect itself from such uncontrollable power failures? Response: The decision regarding power controls can be an expensive one and usually requires the advice and analysis of experts.

The following, however, are options that can be employed. Power outages and brownouts can generally be controlled with a battery backup known as an uninterruptible power supply. Discuss a potential problem with ROCs. Response: Because of the heavy investment involved, ROCs are typically shared among many companies. The firms either buy shares in or become subscribers to the ROC, paying monthly fees for rights to its use. That situation does provide some risk because a widespread natural disaster may affect numerous entities in the same general geographic area.

If multiple entities share the same ROC, some firm or firms will end up queued in a waiting line. Discuss two potential problems associated with a cold site. Recovery depends on the timely availability of the necessary computer hardware to restore the data processing function. An unanticipated hardware supply problem at this critical juncture could be a fatal blow.

With this approach there is the potential for competition among users for the shell resources, the same as for a hot site. For example, a widespread natural disaster, such as a flood or earthquake, may destroy the data processing capabilities of several shell members located in the same geographic area. Those affected by the disaster would be faced with a second major problem: how to allocate the limited facilities of the shell among them.

The situation is analogous to a sinking ship that has an inadequate number of lifeboats. Discuss three techniques used to achieve fault tolerance. Redundant arrays of inexpensive or independent disks (RAID). There are several types of RAID configurations. Essentially, each method involves the use of parallel disks that contain redundant elements of data and applications.

Uninterruptible power supplies. In the event of a power outage, short-term backup power i. This process will prevent the data loss and corruption that would otherwise result from an uncontrolled system crash.
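An added example (not from the textbook or its solutions manual) of the redundancy idea behind RAID: one parity block holds the XOR of the data blocks, so any single lost block, data or parity, can be rebuilt from the survivors, while two simultaneous losses cannot. The stripe layout and the sample block contents are constructed for illustration.

```python
# Added example, not part of the solutions manual: single-parity redundancy of
# the kind used by RAID-4/RAID-5. Blocks are byte strings of equal length; the
# parity block is the XOR of all data blocks. Sample data is constructed.
from functools import reduce


def xor_blocks(blocks):
    """XOR a list of equal-length byte strings together, byte by byte."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def build_stripe(data_blocks):
    """Return the data blocks followed by their parity block."""
    if len({len(b) for b in data_blocks}) != 1:
        raise ValueError("all blocks in a stripe must have the same length")
    return list(data_blocks) + [xor_blocks(data_blocks)]


def verify_stripe(stripe):
    """Parity check: XOR of every block (data plus parity) must be all zeros.
    A failed check shows corruption but does not say which block is wrong."""
    return not any(xor_blocks(stripe))


def rebuild(stripe):
    """Fill in the one block marked None by XORing the surviving blocks.
    Single parity cannot recover two simultaneous losses, so that is an error."""
    missing = [i for i, block in enumerate(stripe) if block is None]
    if len(missing) != 1:
        raise ValueError(
            f"single parity rebuilds exactly one lost block, {len(missing)} are missing")
    survivors = [block for block in stripe if block is not None]
    repaired = list(stripe)
    repaired[missing[0]] = xor_blocks(survivors)
    return repaired


if __name__ == "__main__":
    # Constructed stripe: three data blocks plus parity, then lose one disk.
    stripe = build_stripe([b"ACCT", b"RECV", b"SHIP"])
    degraded = list(stripe)
    degraded[1] = None
    print("parity ok:", verify_stripe(stripe))
    print("rebuilt block:", rebuild(degraded)[1])
```

The parity check only detects corruption; locating a bad block needs the per-disk error reporting that real controllers provide.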

Explain the outsourcing risk of failure to perform. The negative implications of such dependency are illustrated in the financial problems that have plagued the huge outsourcing vendor Electronic Data Systems Corp. In a cost-cutting effort, EDS terminated seven thousand employees, which impacted its ability to serve other clients.

Following an eleven-year low in share prices, EDS stockholders filed a class-action lawsuit against the company. Clearly, vendors experiencing such serious financial and legal problems threaten the viability of their clients also. Explain vendor exploitation. Response: Once the client firm has divested itself of specific assets it becomes dependent on the vendor.

The vendor may exploit this dependency by raising service rates to an exorbitant level. Explain why reduced security is an outsourcing risk. Response: Information outsourced to off-shore IT vendors raises unique and serious questions regarding internal control and the protection of sensitive personal data. Explain how IT outsourcing can lead to loss of strategic advantage. Response: Alignment between IT strategy and business strategy requires a close working relationship between corporate management and IT management in the concurrent development of business and IT strategies.

This, however, is difficult to accomplish when IT planning is geographically redeployed off-shore or even domestically. Further, since the financial justification for IT outsourcing depends upon the vendor achieving economies of scale, the vendor is naturally driven toward seeking common solutions that may be used by many clients rather than creating unique solutions for each of them.

Explain the role of a SAS 70 report in reviewing internal controls. Problems. 1. Internal Control: In reviewing the processes, procedures, and internal controls of one of your audit clients, Steeplechase Enterprises, you notice the following practices in place. Steeplechase has recently installed a new EDP system that affects the accounts receivable, billing, and shipping records.

A specifically identified computer operator has been permanently assigned to each of the functions of accounts receivable, billing, and shipping. Each of. In order to prevent any one operator from having exclusive access to the tapes and documentation, these three computer operators randomly rotate the custody and control tasks every two weeks over the magnetic tapes and the system documentation.

Access controls to the computer room consist of magnetic cards and a digital code for each operator. Access to the computer room is not allowed to either the systems analyst or the computer operations supervisor. The documentation for the EDP system consists of the following: record layouts, program listings, logs, and error listings. The billing clerk receives the shipping notice and accounts for the manual sequence of the shipping notices. Any missing notices are investigated. The billing clerk also manually enters the price of the item, and prepares daily totals supported by adding machine tapes of the units shipped and the amount of sales.

The shipping notices and adding machine tapes are sent to the computer department for data entry. The computer output generated consists of a two-copy invoice and remittance advice and a daily sales register. The invoices and remittance advice are forwarded to the billing clerk, who mails one copy of the invoice and remittance advice to the customer and files the other copy in an open invoice file, which serves as an accounts receivable document. The daily sales register contains the total of units shipped and sales amounts.

The computer operator compares the computer-generated totals to the adding machine tapes. Required: Identify the control weaknesses present and make a specific recommendation for correcting each of them.

The numerical sequence of shipping notices should be checked by the computer and any missing numbers reported. Billing and cash collections should be separate from accounts receivable. The invoices should not be forwarded to the billing clerk; they should be forwarded to someone else, such as the mailroom clerk, for mailing to the customers.

The billing clerk should maintain a copy of the adding machine tapes to reconcile with the daily sales register. Comet owns its own computing facilities. Gustave, CPA, diligently intensified the internal control study and assessment tasks relating to the computer facilities. Gustave concluded in its final report that sufficient compensating general controls provided reasonable assurance that the internal control objectives were being met. Required: What compensating controls are most likely in place?
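An added example, not from the solutions manual, of how two of the Steeplechase recommendations above could be automated: a computer sequence check on shipping notices (missing and duplicate numbers) and a reconciliation of batch control totals for units shipped and sales amount against the daily sales register. The notice numbers, prices and register totals are constructed.

```python
# Added example, not part of the solutions manual: a batch control routine for
# the Steeplechase billing run. Input records and register totals are constructed.
from decimal import Decimal

# Constructed shipping notices for one day's batch: (notice_no, units, unit_price)
NOTICES = [
    (1001, 10, Decimal("4.50")),
    (1002, 3, Decimal("12.00")),
    (1004, 7, Decimal("4.50")),   # 1003 is absent: the gap the sequence check reports
    (1004, 7, Decimal("4.50")),   # keyed twice: the duplicate it should also report
    (1005, 1, Decimal("99.99")),
]

# Constructed totals as printed on the computer-generated daily sales register
REGISTER = {"units": 21, "amount": Decimal("212.49")}


def find_sequence_gaps(notice_numbers):
    """Notice numbers missing between the lowest and highest number in the batch."""
    seen = set(notice_numbers)
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def find_duplicates(notice_numbers):
    """Notice numbers keyed more than once in the batch."""
    counts = {}
    for n in notice_numbers:
        counts[n] = counts.get(n, 0) + 1
    return sorted(n for n, c in counts.items() if c > 1)


def batch_totals(notices):
    """Independent control totals over unique notices (a duplicate counts once;
    if two entries share a number with different values, the last one is used)."""
    unique = {n: (units, price) for n, units, price in notices}
    units = sum(u for u, _ in unique.values())
    amount = sum(u * p for u, p in unique.values())
    return {"units": units, "amount": amount}


def reconcile(register, notices):
    """Compare register totals with recomputed batch totals and run the sequence
    check. An empty 'exceptions' list means the batch agrees and is complete."""
    numbers = [n for n, _, _ in notices]
    totals = batch_totals(notices)
    exceptions = []
    for key in ("units", "amount"):
        if register[key] != totals[key]:
            exceptions.append(f"{key}: register {register[key]} vs batch {totals[key]}")
    for n in find_sequence_gaps(numbers):
        exceptions.append(f"missing shipping notice {n}")
    for n in find_duplicates(numbers):
        exceptions.append(f"duplicate shipping notice {n}")
    return {"batch": totals, "exceptions": exceptions}


if __name__ == "__main__":
    for line in reconcile(REGISTER, NOTICES)["exceptions"]:
        print("EXCEPTION:", line)
```

Note that in the constructed batch the totals agree with the register even though a notice is missing and another is duplicated, which is why the sequence check is a separate control from the total comparison.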

Physical Security Avatar Financials, Inc. Its primary operations are in wealth management and financial advice. Each client has an account where basic personal information is stored on a server within the main office in New York City.

The company also keeps the information about the amount of investment of each client on a separate server at its data center in Bethlehem, Pennsylvania. This information includes the total value of the portfolio, type of investments made, the income structure of each client, and associated tax liabilities. In the last few years, larger commercial banks have started providing such services and are competing for the same set of customers. Avatar, which prides itself in personal consumer relations, is now trying to set up additional services to keep its current customers.

It has recently upgraded its Web site, which formerly only allowed clients to update their personal information. Now clients can access information about their investments, income, and tax liabilities that is stored at the data center in Pennsylvania.

As a result of previous dealings, Avatar has been given free access to use the computer room of an older production plant. The company believes that this location is secure enough and would keep the data safe from physical intruders.

The servers are housed in a room that the production plant used to house its legacy system. The room has smoke detectors and associated sprinklers. It is enclosed, with no windows, and has specialized temperature-controlled air ducts. Management has recently started looking at other alternatives to house the server, as the plant is going to be shut down. Management has major concerns about the secrecy of the location and the associated measures. It wants to incorporate newer methods of physical data protection.

Required: 1. Why are the auditors of Avatar stressing the need to have a better physical environment for the server? If Avatar has proper software controls in place, would that not be enough to secure the information? 2. Name the six essential control features that contribute directly to the security of the computer server environment. Response: 1. When talking of the physical environment, the auditors are not just talking of the potential threat of physical intruders and sabotage, but also of environmental hazards such as fires, floods, wind, earthquakes, or power outages.

Though these occurrences are relatively rare, they still should be accounted for, as they can seriously hamper operations. The company would not only lose the investment in the servers and computer systems but also the data and the ability to do business.

As is evident, software checks cannot prevent such losses. Physical Location: The physical location of the computer center directly affects the risk of disaster. The computer center should be away from human-made and natural hazards, such as processing plants, gas and water mains, airports, high-crime areas, flood plains, and geological faults.

Construction: Ideally, a computer center should be located in a single-story building of solid concrete with controlled access. Utility and communication lines should be underground.

The building windows should not be open. An air filtration system should be in place that is capable of excluding dust, pollen, and dust mites. Access: Access should be limited to operators and other employees who work there. Programmers and analysts who need access to correct program errors should be required to sign in and out.

The computer center should maintain accurate records of all such events to verify access control. The main entrance to the computer center should be.

Closed-circuit cameras with video recording are also highly advisable. Air Conditioning: Mainframes and servers, as in the case of Avatar, have heavy processing volumes.

These are designed to work at their optimal levels only within a narrow range of conditions, most importantly the temperature. Computers operate best in a temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of 50 percent. Logic errors and static electricity risks can be mitigated by proper use of air conditioning. Fire Suppression: The major features should include automatic and manual alarms placed in strategic locations (connected to fire stations), an automatic fire extinguishing system (not water sprinklers; rather, carbon dioxide or halon extinguishers should be used), a manual fire extinguisher, and clearly marked and illuminated fire exits.

Fault Tolerance Controls: Commercially provided electrical power presents several problems that can disrupt the computer center's operations, including total power failures, brownouts, and power fluctuations.

The company should look into the use of surge protectors, generators, batteries, and voltage regulators in order to protect their computer system from the negative effects associated with these disruptions. Hill Crest provides for its clients an online legal software service that includes data storage and administrative activities for law offices.

The company has grown rapidly since its inception 3 years ago, and its data processing department has expanded to accommodate this growth. Hill Crest recently moved its headquarters into a remodeled warehouse on the outskirts of the city. While remodeling the warehouse, the architects retained much of the original structure, including the wooden-shingled exterior and exposed wooden beams throughout the interior.

The minicomputer distributive processing hardware is situated in a large open area with high ceilings and skylights. The openness makes the data processing area accessible to the rest of the staff and encourages a team approach to problem solving. Before occupying the new facility, city inspectors declared the building safe; that is, it had adequate fire extinguishers, sufficient exits, and so on. In an effort to provide further protection for its large database of client information, Hill Crest instituted a tape backup procedure that automatically backs up the database every Sunday evening, avoiding interruption in the daily operations and procedures.

All tapes are then labeled and carefully stored on shelves reserved for this purpose in the data processing department. A list of home phone numbers of the individuals in the data processing department is available in case of an emergency. This past Saturday, the Hill Crest headquarters building was completely ruined by fire, and the company must now inform its clients that all of their information has been destroyed.

Required: a. Describe the computer security weaknesses present at Hill Crest Corporation that made it possible for a disastrous data loss. b. List the components that should have been included in the disaster recovery plan at Hill Crest Corporation to ensure computer recovery within 72 hours. c. What factors, other than those included in the plan itself Response: a. An on-line system with infrequent weekly tape backups. Backups, with checkpoints and restarts, should be performed at least daily.

Data and programs should have been kept in a library separate from the data-processing room, with the library area constructed of fire-retardant materials. Lack of a written disaster recovery plan with arrangements in place to use an alternate off-site computer center in the event of a disaster or an extended service interruption.

There was a phone list of DP personnel, but without assigned responsibilities as to actions to be taken when needed.

Lack of complete systems documentation kept outside the data-processing area. Select the disaster recovery manager, identify the tasks, segregate into teams, develop an organizational chart for disaster procedures, match personnel to team skills and functions, and assign duties and responsibilities to each member.

Separation of Duties Arcadia Plastics follows the philosophy of transferring people from job to job within the organization. Management believes that job rotation deters employees from feeling that they are stagnating in their jobs and promotes a better understanding of the company. A computer services employee typically works for six months as a data librarian, one year as a systems developer, six months as a database administrator, and one year in systems maintenance.

At that point, he or she is assigned to a permanent position. Required: Discuss the importance of separation of duties within the information systems department. How can Arcadia Plastics have both job rotation and well-separated duties?

Response: Because the employee will have performed several highly incompatible tasks, this company needs to employ strong password access controls and constantly require its employees to change their passwords. This is especially necessary because these employees have either designed or viewed authorization access tables. Strong controls over program maintenance, such as program modification reports, are also a necessity.

The key is that when an employee transfers from one job to another, she or he should have absolutely no access to any functions in previous positions. DDP Risks Write an essay discussing the primary risks associated with the distributed processing environment. Response: Potential risks associated with DDP include the inefficient use of resources, the destruction of audit trails, inadequate segregation of duties, an increased potential for programming errors and systems failures, and the lack of standards.

Inefficient use of resources. There are several risks associated with inefficient use of organizational resources in the DDP environment. Some argue that when organization-wide resources exceed a threshold amount, perhaps 5 percent of the total operations budget, they should be controlled and monitored centrally. Distributing the responsibility for hardware and software purchases to end-users may result in uncoordinated and poorly conceived decisions. For example, decision makers in different organizational units working independently may settle on dissimilar and incompatible operating systems, technology platforms, database programs and office suites.

Autonomous systems development throughout the firm can result in each user area reinventing the wheel. For example, application programs created by one user, which could be used with little or no change by others, will be designed from scratch rather than shared.

Destruction of audit trail. The use of DDP can adversely affect the audit trail. Because audit trails in modern systems tend to be electronic, it is not unusual for the electronic audit trail to exist in part, or in whole, on end-user computers. Should the end user inadvertently delete the audit trail, it could be lost and unrecoverable. Or if an end user inadvertently inserted uncontrolled errors into the audit log, the audit trail could effectively be destroyed. Numerous other risks are associated, including care of the hardware itself.

Inadequate segregation of duties. The distribution of IT services to users may result in the creation of many small units that do not permit the necessary separation of incompatible functions. For example, within a single unit, the same person may write application programs, perform program maintenance, enter transaction data into the computer, and operate the computer equipment. This condition would be a fundamental violation of internal control.

Hiring qualified professionals. End-user managers may lack the knowledge to evaluate the technical credentials and relevant experience of candidates applying for positions as computer professionals. Also, if the organizational unit into which a new employee is entering is small, the opportunity for personal growth, continuing education, and promotion may be limited. For these reasons, managers may experience difficulty attracting highly qualified personnel. The risk of programming errors and system failures increases directly with the level of employee incompetence.

Lack of standards. Because of the distribution of responsibility in the DDP environment, standards for developing and documenting systems, choosing programming languages, acquiring hardware and software, and evaluating performance may be unevenly applied or nonexistent.
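An added example, not from the solutions manual, of an entitlement review that serves both the segregation-of-duties point above (one person writing programs, maintaining them, entering data and operating the equipment) and the Arcadia Plastics job-rotation answer (access from previous positions must be revoked on transfer). The position names, the role-to-function map, the list of incompatible function pairs and the employee records are all constructed assumptions.

```python
# Added example, not part of the solutions manual: flag incompatible functions
# held by one person and access carried over from earlier positions after a
# job rotation. All role names, mappings and records below are constructed.

# Functions each position legitimately needs (constructed; the position names
# follow the Arcadia rotation plus an operator and a data-entry role)
ROLE_FUNCTIONS = {
    "data_librarian": {"library_custody"},
    "systems_developer": {"program_development"},
    "database_administrator": {"database_admin"},
    "systems_maintenance": {"program_maintenance"},
    "computer_operator": {"computer_operations"},
    "data_entry_clerk": {"data_entry"},
}

# Function pairs that should never sit with one person (assumed for this
# example; they follow the separations the DDP discussion calls for)
INCOMPATIBLE_PAIRS = {
    frozenset({"program_development", "program_maintenance"}),
    frozenset({"program_development", "computer_operations"}),
    frozenset({"program_maintenance", "computer_operations"}),
    frozenset({"program_development", "data_entry"}),
    frozenset({"data_entry", "computer_operations"}),
    frozenset({"library_custody", "computer_operations"}),
    frozenset({"database_admin", "program_development"}),
}


def sod_conflicts(entitlements):
    """Incompatible pairs that are fully present in one person's entitlements."""
    held = set(entitlements)
    return sorted(tuple(sorted(pair)) for pair in INCOMPATIBLE_PAIRS if pair <= held)


def residual_access(employee):
    """Functions held that the current position does not grant."""
    allowed = ROLE_FUNCTIONS[employee["current_role"]]
    return sorted(set(employee["entitlements"]) - allowed)


def residual_origin(employee):
    """Map each residual function to the earlier position that granted it:
    this is the access that should have been removed at transfer time."""
    origin = {}
    for func in residual_access(employee):
        for role in employee["previous_roles"]:
            if func in ROLE_FUNCTIONS[role]:
                origin[func] = role
                break
    return origin


def review(employee):
    """Entitlement review for one person: SoD conflicts plus residual access."""
    conflicts = sod_conflicts(employee["entitlements"])
    residual = residual_access(employee)
    return {"name": employee["name"], "conflicts": conflicts,
            "residual": residual_origin(employee),
            "clean": not conflicts and not residual}


# Constructed records: Pat rotated librarian -> developer -> DBA -> maintenance
# and kept access along the way; Sam holds only what the operator role grants.
EMPLOYEES = [
    {"name": "Pat", "current_role": "systems_maintenance",
     "previous_roles": ["data_librarian", "systems_developer", "database_administrator"],
     "entitlements": {"program_maintenance", "program_development", "library_custody"}},
    {"name": "Sam", "current_role": "computer_operator", "previous_roles": [],
     "entitlements": {"computer_operations"}},
]


def review_all(employees=EMPLOYEES):
    """Run the review over every record and return the findings in order."""
    return [review(e) for e in employees]


if __name__ == "__main__":
    for finding in review_all():
        print(finding)
```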

Write a report of your findings. Response: The goal of high availability is to ensure the ongoing availability of information, to eliminate exposure to lost information, to reduce overall business risk, and to help ensure that the revenue stream will stay intact. Many companies rely on redundant storage to ensure the availability of information under uncertainty.

If data is damaged or erased, the company can use the backup information to recover lost records and continue normal processing. This exposes backup files to the same risks as the information system. To remedy this problem, SunGard offers a data mirroring system where data from a client's information system is sent directly to a SunGard location for backup and storage. Within minutes after a disaster occurs, clients can access up-to-date information that was lost or damaged.

These teams use a process called Silhouette OS to understand and repair individual systems. Silhouette OS. The profile is created using the following information: operating system data, hardware configuration, storage devices, performance tuning parameters, networks, system boot files, and configuration files. The server can then be rebuilt any time in a reliable, repeatable manner at a SunGard site. This reduces recovery time and financial losses from downtime.

End-user recovery is dedicated to maintaining employee productivity until systems are repaired and functional. One technique used is to provide a disaster recovery center. Each center is secure and maintains a backup power supply. Similar to the disaster recovery center is the mobile recovery center. SunGard maintains a fleet of over 40 mobile recovery centers that provide the same benefits as the traditional recovery center, but can be brought directly to the client.

Together, the disaster recovery center and the mobile center will reduce employee downtime during a disaster and minimize losses. Among the twelve microcomputers in the organization, there are three different hardware manufacturers. In addition, there are four to five different software vendors for spreadsheets, word processing, and database applications, along with some networking applications for clusters of microcomputers. Microcomputers were acquired in the operating departments to allow employees in each department to conduct special analyses.

Many of the departments also wanted the capability to download data from the mainframe. Therefore, each operating department had requested guidance and assistance from the data processing services department. Data processing, however, responded that it was understaffed and must devote full effort to its main priority, the mainframe computer system. In response to the internal audit report, the director of data processing services, Stan Marten, has issued the following memorandum.

The first step is to specify the spreadsheet software that should be used by all personnel. From now on, everyone will use Micromate. During the next month, we will also select the standard software for word processing and database applications. You will use only the user packages that are prescribed by the data processing services department. In the future, any new purchases of microcomputers, hardware, or software must be approved by the director of data processing services. Apparently, before issuing this memorandum, Marten had not consulted with any of the microcomputer users regarding their current and future software needs.

When acquiring microcomputers for various departments in an organization, describe the factors related to: i. Discuss the benefits of having standardized hardware and software for microcomputers in an organization. Discuss the concerns that the memorandum is likely to create for the microcomputer users at Hastone Manufacturing.

Computer hardware factors that need to be considered during the initial design and set-up phase when acquiring microcomputers for various departments in an organization include understanding the primary applications for which the equipment will be used. The memorandum is likely to create the following concerns for Hastone. Current data files and applications may be incompatible with the new requirements.

End-User Computing CMA Adapted 5-Y6 List the problems inherent in the use, by others, of spreadsheet models developed by users who are not trained in the procedural controls of system design and development. Because the microcomputer is considered a personal tool, there is a tendency to forgo the normal written procedures for spreadsheets, documentation that would be procedurally demanded in a mainframe computer environment.

A single individual can complete a project or report from start to finish, which often leads to a lack of documented procedures for another individual to use. Due to the ease of use of spreadsheets in the microcomputer environment, auditing procedures and internal controls that would typically be normal operating procedures in a mainframe environment are often omitted or incompletely followed when reports are produced.

Official reporting and documents should require the same degree of checking, cross-footing, recalculation, testing, and verification against the source as is required in manually prepared documents or by operational procedures in a mainframe environment.

All spreadsheet cells should be verified in the initial design and testing. The ease of spreadsheet use, prompted by self-instructional system manuals, may cause a lack of appropriate and uniform training, leading to non-standardized spreadsheets.

The fact that a user can inadvertently overwrite critical actual or budget files is disastrous to the financial reporting process.

The reports and spreadsheets are in a computerized report format; unaware users of reports tend to give an unwarranted measure of acceptance and trust to these reports.

Internal Control and Distributed System. Until a year ago, Dagwood Printing Company had always operated in a centralized computer environment. Now, 75 percent of the office employees have a PC. Outline a plan of action for Dagwood Printing Company to ensure that the proper controls over hardware, software, data, people, procedures, and documentation are in place. Discuss any exposures the company may face if the devised plan is not implemented. Data encryption techniques for the sending of sensitive data from one file to another over the LAN.

Access controls for files on the LAN file server. Access controls for data on hard drives of the personal computers. Backup policy and procedures for data on the file server and the PCs. Software support policy. Output policy regarding which documents may be printed on the server printer. Sensitive files may be intercepted as they are traveling around the LAN cabling devices.

Unauthorized access to sensitive files on the file server and user PCs. Data loss from poor backup iv.
