libraries. (Ensure authorized changes to programs through separation of duties.)
2. Correct. A formal systems development methodology should be used to ensure that the system delivers as expected and according to standards.
3. Incorrect. Access to program documentation should be restricted to application programmers. Users of application systems should not have free access to the documentation, because this increases the risk of unauthorized transactions through exploitation of system weaknesses.
4. Incorrect. Emergency changes cannot be subject to the same control procedures as planned changes. Because emergency changes often arise due to program failure, corrective action is taken immediately and the change is subsequently reviewed and approved.

d. 1. Correct. This is a computer-assisted control procedure that combines computer-produced data with manual user procedures.
2. Incorrect. This is a manual procedure.
3. Incorrect. This is a general (business continuity) control.
4. Incorrect. This is a physical access (general) control.

e. 1. Incorrect. Application controls are specific to the flow of transactions.
2. Correct. Organizational control concerns the proper segregation of duties and responsibilities within the information systems department. These duties are specified by the policies and procedures for the various information system functions such as end-user computing.
3. Incorrect. Environmental controls influence the effective operation of all internal controls.
4. Incorrect. Systems control is not a sufficiently specific response.

Self-test 7
Solution 2

CASE STUDY T7-1: Auditing personal computer environments

Note: The purpose of this case is to show how the purchase and use of personal computers can be less beneficial than expected by a company. It helps to highlight the importance of assigning appropriate responsibilities to systems staff, management, and auditors in order to improve the effectiveness of the company’s personal computer systems. It puts you in the position of the internal auditor who is expected to recommend changes to alleviate the problems identified. A number of valid approaches to this case are possible. One such approach follows.

If the responsibilities for the development, acquisition, implementation, use, and maintenance of personal computer systems are shared, the organization will probably optimize its investment in personal computing resources. Users need help in acquiring and developing new applications, and require guidance in operating and maintaining existing ones. Central control by IT professionals over system development generally does not work because the users can easily program personal computers.

It is recommended that the delegation of authority to the IT group gives the group responsibility for the following:
- Providing policies and standards to guide users when developing systems, maintaining programs, and operating equipment
- Maintaining specialized software