
KRISTEL FAYE A. CRUZ
BSA II B
BA10

Chapter 14 Auditing IT Controls Part 1: Sarbanes-Oxley and IT Governance


Multiple-Choice Questions
1. B.
2. A.
3. D.
4. E.
5. A.
6. A.
7. B.
8. A.
9. B.
10. D.

Problems
1. PHASES OF AN AUDIT: COMPENSATING GENERAL CONTROLS
What compensating controls are most likely in place?
• A compensating control helps an organization minimize risk by identifying
how the requirements affect its framework. It is an activity that is
conducted wherever there is a lack of segregation of duties. This is
likely to occur where internal controls are improper; the internal control
provided a comprehensive strategy for achieving proper segregation of
duties so that no employee controls all phases of a transaction. This
avoids any possible error that could occur during the planning phase
of a financial audit.

2. DATA CENTER SECURITY

a. What risks currently exist that are of concern to the auditors?
• The company’s data center is in the basement of a rented building;
the risk likely to occur here is the occurrence of natural
hazards like flood plains, gas and water mains, high crime areas and
geological faults.
• The servers are housed in a room that has smoke detectors and
associated sprinklers; the risk here is a possible fire incident that
would halt the functions performed by the computer.
• Client investment and account information are stored on these
servers. The possible risk here is what is called database
management fraud, which includes altering, deleting, corrupting,
destroying and stealing an organization's data; the files that are
stored on the server might be copied and disclosed to
competitors.

b. Describe control features that contribute to the physical security of the
computer center.
• A computer center should be located in a single-story building of
solid controlled access.
• An effective fire suppression system, like smoke
detectors and sprinklers, can dispense the appropriate type of
suppressant.
• Access to the computer center must be limited to the
operators and other employees who work there.

c. Discuss some options open to the company that may reduce their
operating cost and provide the security the auditors seek.
• The physical location for a computer server should be away
from human-made and natural disasters.
• The organization must implement an effective fire suppression system,
like automatic and manual fire alarms and fire extinguishers; the building
should be of sound construction to withstand the water damage that fire
suppression equipment causes. Lastly, there should be a fire exit
that is clearly marked and illuminated during a fire.
• To achieve a higher level of security, closed-circuit cameras and
video recording systems should monitor access.

7. DISASTER RECOVERY PLAN
a. Describe the internal control weaknesses present at Hexagon.
• The architects retained the wooden shingled exterior and the exposed
wooden beams throughout the interior.
• The data processing center, which contained the servers and
networked terminals, was situated in a large open area with high
ceilings and skylights.
• The center was made accessible to the rest of the staff.
b. List the components that should be included in a disaster recovery plan for a
company like Hexagon.
• Second-site backup: provides duplicate data processing
facilities following a disaster.
• Internally provided backup: this permits firms to develop standardized
hardware and software configurations, which ensure functional
compatibility among their data processing centers and minimize
cutover problems in the event of compatibility.
• Recovery operations center: a fully equipped backup data center that
many companies share.
• Empty shell: an arrangement wherein the company buys or leases a
building that will serve as a data center.

d. What factors, other than those included in the plan itself, should a
company consider when formulating a disaster recovery plan?
o Creating a disaster recovery team: recovering from a disaster
depends on timely corrective action. Failure to perform essential
tasks prolongs the recovery period, so to avoid serious omissions
or duplication of effort, Hexagon needs to create a disaster
recovery team; individual task responsibilities must be clearly defined
and communicated to the personnel involved.
