
Please answer the following:

1. Data processing controls help ensure that data is validly processed, and that any exceptions noted while processing
will be detected and corrected. What are some of the key questions managers ask in order to address unusual events,
failures, or errors resulting from data being processed?
Errors in data processing usually relate to job scheduling and actual monitoring of the job processing. In fact, an
important element of any set of policies and procedures should be the requirement that IS operators maintain logs on
which any unusual events or failures resulting from the processing of data are recorded, according to time and in detail.
These logs can be used to identify unfavorable trends, detect unauthorized access, and provide a data source for
determining the root cause of system failures. Further, to address unusual events, failures, or errors, managers should
ask the following key questions:
1. Are there appropriate controls configured to reduce data processing errors and maintain the integrity of data
processed?
2. Is there an automated tool used to execute regularly scheduled jobs related to applications, databases, and operating
systems, such as scheduled interfaces of data, data purges, table updates, etc.?
3. What are the types of jobs scheduled?
4. How are changes, such as adding, modifying, and deleting jobs and schedules made, and who can make those
changes?
5. Does the system use processing checks to detect errors or erroneous data during data processing? If so, which
checks?
6. What is the process used to monitor the successful completion of job processing?
7. How does the monitoring and review process ensure that exceptions or failures identified during job processing are
resolved in a timely manner?
8. Are techniques available for detecting erroneous reprocessing of data?
9. Who is responsible for the review and exception tracking of erroneous reprocessing of data?
10. Which reports are reviewed, and what notification systems and mechanisms are currently in place?
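Several of the questions above (processing checks, monitoring of job completion, timely resolution of exceptions, and detection of erroneous reprocessing) can be answered in part by reviewing the operator's job log mechanically rather than by eye. The following is an added example, not part of the original answer or of any textbook: a small Python script run over a constructed job log. The log format (`timestamp job batch=<id> STATUS`, with statuses START, SUCCESS, FAILURE and RESOLVED) and the one-hour resolution deadline are assumptions made for the example. It flags failures still unresolved past the deadline, batches that completed successfully more than once (the "erroneous reprocessing" of question 8), and jobs that started but never finished.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample job-processing log (not from any real system).
# Assumed line format: "<ISO timestamp> <job name> batch=<batch id> <STATUS>"
SAMPLE_LOG = """\
2024-03-01T01:00:00 gl_interface batch=2024-02-29 START
2024-03-01T01:12:30 gl_interface batch=2024-02-29 SUCCESS
2024-03-01T02:00:00 ar_purge batch=2024-02 START
2024-03-01T02:03:10 ar_purge batch=2024-02 FAILURE
2024-03-01T02:45:00 ar_purge batch=2024-02 RESOLVED
2024-03-01T03:00:00 payroll_update batch=2024-02-29 START
2024-03-01T03:20:00 payroll_update batch=2024-02-29 SUCCESS
2024-03-01T04:00:00 fx_rates_load batch=2024-03-01 START
2024-03-01T04:01:00 fx_rates_load batch=2024-03-01 FAILURE
2024-03-01T06:00:00 payroll_update batch=2024-02-29 START
2024-03-01T06:18:00 payroll_update batch=2024-02-29 SUCCESS
2024-03-01T07:00:00 inventory_sync batch=2024-03-01 START
"""


def parse_log(text):
    """Turn each non-empty log line into a record dict, keeping file order."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, job, batch, status = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "job": job,
            "batch": batch.split("=", 1)[1],
            "status": status,
        })
    return records


def unresolved_failures(records, now, deadline=timedelta(hours=1)):
    """FAILUREs with no later RESOLVED/SUCCESS for the same job+batch, open longer than `deadline`."""
    open_failures = {}
    for r in sorted(records, key=lambda r: r["time"]):
        key = (r["job"], r["batch"])
        if r["status"] == "FAILURE":
            open_failures.setdefault(key, r["time"])  # keep the first failure time
        elif r["status"] in ("RESOLVED", "SUCCESS"):
            open_failures.pop(key, None)
    return [(job, batch, failed_at) for (job, batch), failed_at in open_failures.items()
            if now - failed_at > deadline]


def reprocessed_batches(records):
    """Job+batch pairs that reached SUCCESS more than once: the same data was processed twice."""
    successes = defaultdict(list)
    for r in records:
        if r["status"] == "SUCCESS":
            successes[(r["job"], r["batch"])].append(r["time"])
    return {key: times for key, times in successes.items() if len(times) > 1}


def incomplete_jobs(records):
    """STARTs that never reached a terminal status (SUCCESS or FAILURE), in start order."""
    open_starts = {}
    for r in sorted(records, key=lambda r: r["time"]):
        key = (r["job"], r["batch"])
        if r["status"] == "START":
            open_starts[key] = r["time"]
        elif r["status"] in ("SUCCESS", "FAILURE"):
            open_starts.pop(key, None)
    return sorted(open_starts, key=open_starts.get)


def exception_report(log_text, now_iso, deadline_hours=1):
    """Build the review report an operator or auditor would look at for the three checks."""
    records = parse_log(log_text)
    now = datetime.fromisoformat(now_iso)
    return {
        "unresolved_failures": [
            f"{job} batch={batch} failed at {t.isoformat()}"
            for job, batch, t in unresolved_failures(records, now, timedelta(hours=deadline_hours))
        ],
        "reprocessed_batches": [
            f"{job} batch={batch} completed {len(times)} times"
            for (job, batch), times in reprocessed_batches(records).items()
        ],
        "incomplete_jobs": [
            f"{job} batch={batch} started but never finished"
            for job, batch in incomplete_jobs(records)
        ],
    }


if __name__ == "__main__":
    for section, findings in exception_report(SAMPLE_LOG, "2024-03-01T08:00:00").items():
        print(section)
        for finding in findings or ["(none)"]:
            print("  ", finding)
```

Each finding maps back to one of the questions: an unresolved failure is an exception that was not resolved in time, a batch completed twice is erroneous reprocessing that a reviewer should trace to its cause, and a job that never finished is one the completion monitoring missed. Running the report on a schedule and keeping its output is itself evidence for the auditor that review and exception tracking actually happen.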
2. Why are physical security and access controls important to organizations? List at least six examples of physical
security and access controls.
Physical security and access controls protect and restrict access to data centers (computer rooms) and EUC areas where
intruders could access information resources (i.e., office and network equipment). Physical security and access controls
usually include:
- Traditional locks
- Personnel badge-entry systems
- Magnetic doors with security code for the server room
- Closed-circuit television and video surveillance equipment
- Biometric authentication (e.g., retinal scans, fingerprints, etc.)
- Security alarms
- Visitor logs
- Security guards and receptionists to screen visitors
3. List potential areas that backup policies, procedures, standards, and/or guidance should cover to ensure the
availability of data significant to the operation of the organization.
Establishing backup policies, procedures, standards, and/or guidance ensures the availability of data significant to the
operation of the organization. The policies, procedures, standards, and/or guidance should cover areas such as:
- Storage and retention of programs and data
- Backup scheduling and rotation
- Protection of backup media
- Backup monitoring, review, and resolution of exceptions
4. What is the risk to organizations of not having a comprehensive business continuity plan in place in the event of an
emergency?
The objective of a business continuity plan (BCP) is to describe processes, steps, and/or procedures to be carried out in
the event of an emergency (i.e., natural disaster or an unplanned interruption to normal business operations) to achieve
a timely recovery and availability of all essential business processes, including the information systems. The BCP
normally addresses:
- Key computer processing locations
- Application systems and user requirements for key business processes
- End-user activities for key business processes
- Telecommunications and networks
- Key databases, information warehouses, etc.
- Human resources
- Personal safety of employees and others
The lack of a comprehensive BCP in the event of an emergency may translate into delayed restoration of business
processes and information systems. This may result in the inability of the organization to continue operations; loss of
revenues and incurring unnecessary expenses; loss of competitive advantage; loss of customer confidence and market
share; and fines and sanctions, among others. In the event of an emergency, degraded services may be acceptable for
some period of time. Nonetheless, the goal is to restore the affected systems and services to their optimum levels as
quickly as possible.
5. As the Senior IT auditor, you are having a planning meeting with the client’s IT management. The IT manager is in
the process of creating a disaster recovery plan (DRP) to put the organization in a better position when responding to
(and recovering from) threats that may disrupt normal business operations. The IT manager asks you about the
components that should be included in a DRP. Provide your response.
All members of the organization should be acquainted with the DRP, so that staff members can readily carry out
their duties under the plan in the event of an emergency. Executing the plan as written ensures that no efforts are repeated and that
all relevant procedures are carried out. Testing also provides the opportunity to practice the recovery procedures and identify
missing elements that may need to be added. The DRP should address components such as:
1. Objectives and mission statement
2. Key personnel involved
3. Full and incremental program and data backups
4. Tests and drills
5. Program and data backups stored off-site
6. Disaster recovery chairperson and committee appointed
7. Emergency telephone numbers
8. List of all critical hardware and software applications
9. Insurance coverage
10. Communication plans
11. Up-to-date system and operation documentation
12. Employee relocation plans to alternate work sites
6. One of the recommendations you made during last year’s IT audit was the implementation of a disaster recovery
plan. In performing the IT audit for this year, you find that although a plan was in place, it has not been tested.
Document your reasons why the disaster recovery plan should be tested.
A DRP must be based on the assumption that any computer system is subject to several different types of failures. In
particular, procedures must exist and be tested for recovery from failures or losses of equipment, programs, or data
files. In the case of equipment failures, each installation might have a contractual agreement covering the use of an
alternate site with a comparable computer configuration. Examples of these are cold sites and hot sites. A cold site is an
empty building that is prewired for necessary telephone and Internet access, plus a contract with one or more vendors
to provide all necessary equipment within a specified period of time. A hot site, on the other hand, refers to a facility
that is not only prewired for telephone and Internet access, but also contains all the computing and office equipment
the organization needs to perform its essential business activities. Before assembling a DRP, the assets of the
organization (e.g., hardware, software, facilities, personnel, administrative, data, etc.) and their replacement values
should be identified. Specific risks that would result in temporary or permanent loss of assets (say from fire, flood,
sabotage, viruses, etc.) should also be recognized. Next, the impact of these losses (e.g., modification, destruction, DoS,
etc.) must be assessed. Finally, the value of the asset should be compared against the frequency of loss to justify the
disaster recovery solution. Following completion of the above, a DRP can be assembled.
7. Mention potential areas a company policy related to End-User Computing (EUC) groups should cover.
EUC groups have grown rapidly in pervasiveness and importance. The knowledge worker’s application of technology to
help business solve problems has been one of the major forces of change in business today. User dominance will prevail.
Auditors, as knowledge workers and users, can assist departments in identifying sensitive or critical PC applications that
require special attention. In organizations where controls are inadequate or nonexistent, auditors can play a key role in
developing these controls for EUC groups. Once controls are in place, auditors can examine them for adequacy and
effectiveness. IT should have policies or guidelines that cover EUC groups. These should be designed to protect company
data. IT should also have standards to ensure that end users are not using hardware or software that is not supported by
them. There should be an EUC policy that encompasses and is applicable to all EUC groups. If only departmental policies
exist, each policy should be similar to ensure continuity between departmental policies. A companywide policy related
to EUC groups should cover:
- Assignment of ownership of data
- User accountability
- Backup procedures
- Physical access controls to PCs
- Appropriate documentation of all EUC groups' applications and adequate documentation of changes and
modifications
- Segregation of duties
