
Information System Audit

The document contains 30 multiple choice questions about various topics related to computer security and controls. The questions cover issues like segregation of duties, disaster recovery plans, organizational structures, outsourcing, and distributed data processing.

Uploaded by

Oshin Men

MULTIPLE CHOICE

1. All of the following are issues of computer security except
a. releasing incorrect data to authorized individuals
b. permitting computer operators unlimited access to the computer room
c. permitting access to data by unauthorized individuals
d. providing correct data to unauthorized individuals

2. Segregation of duties in the computer-based information system includes
a. separating the programmer from the computer operator
b. preventing management override
c. separating the inventory process from the billing process
d. performing independent verifications by the computer operator

3. In a computer-based information system, which of the following duties needs to be separated?
a. program coding from program operations
b. program operations from program maintenance
c. program maintenance from program coding
d. all of the above duties should be separated

4. Participation in system development activities includes:
a. system analysts, database designers and programmers
b. managers and operating personnel who work directly with the system
c. accountants and auditors
d. all of the above

5. Adequate backups will protect against all of the following except
a. natural disasters such as fires
b. unauthorized access
c. data corruption caused by program errors
d. system crashes

6. Which is the most critical segregation of duties in the centralized computer services function?
a. systems development from data processing
b. data operations from data librarian
c. data preparation from data control
d. data control from data librarian

7. Systems development is separated from data processing activities because failure to do so
a. weakens database access security
b. allows programmers access to make unauthorized changes to applications during execution
c. results in inadequate documentation
d. results in master files being inadvertently erased

8. Which organizational structure is most likely to result in good documentation procedures?
a. separate systems development from systems maintenance
b. separate systems analysis from application programming
c. separate systems development from data processing
d. separate database administrator from data processing

9. All of the following are control risks associated with the distributed data processing structure except
a. lack of separation of duties
b. system incompatibilities
c. system interdependency
d. lack of documentation standards

10. Which of the following is not an essential feature of a disaster recovery plan?
a. off-site storage of backups
b. computer services function
c. second site backup
d. critical applications identified

11. A cold site backup approach is also known as
a. internally provided backup
b. recovery operations center
c. empty shell
d. mutual aid pact

12. The major disadvantage of an empty shell solution as a second site backup is
a. the host site may be unwilling to disrupt its processing needs to process the critical applications of the disaster stricken company
b. recovery depends on the availability of necessary computer hardware
c. maintenance of excess hardware capacity
d. the control of the shell site is an administrative drain on the company

13. An advantage of a recovery operations center is that
a. this is an inexpensive solution
b. the initial recovery period is very quick
c. the company has sole control over the administration of the center
d. none of the above are advantages of the recovery operations center

14. For most companies, which of the following is the least critical application for disaster recovery purposes?
a. month-end adjustments
b. accounts receivable
c. accounts payable
d. order entry/billing

15. The least important item to store off-site in case of an emergency is
a. backups of systems software
b. backups of application software
c. documentation and blank forms
d. results of the latest test of the disaster recovery program

16. Some companies separate systems analysis from programming/program maintenance. All of the following are control weaknesses that may occur with this organizational structure except
a. systems documentation is inadequate because of pressures to begin coding a new program before documenting the current program
b. illegal lines of code are hidden among legitimate code and a fraud is covered up for a long period of time
c. a new systems analyst has difficulty in understanding the logic of the program
d. inadequate systems documentation is prepared because this provides a sense of job security to the programmer

17. All of the following are recommended features of a fire protection system for a computer center except
a. clearly marked exits
b. an elaborate water sprinkler system
c. manual fire extinguishers in strategic locations
d. automatic and manual alarms in strategic locations

18. All of the following tests of controls will provide evidence about the physical security of the computer center except
a. review of fire marshal records
b. review of the test of the backup power supply
c. verification of the second site backup location
d. observation of procedures surrounding visitor access to the computer center

19. All of the following tests of controls will provide evidence about the adequacy of the disaster recovery plan except
a. inspection of the second site backup
b. analysis of the fire detection system at the primary site
c. review of the critical applications list
d. composition of the disaster recovery team

20. The following are examples of commodity assets except
a. network management
b. systems operations
c. systems development
d. server maintenance

21. Which of the following is NOT an example of a specific asset?
a. application maintenance
b. data warehousing
c. highly skilled employees
d. server maintenance

22. Which of the following is true?
a. Core competency theory argues that an organization should outsource specific core assets.
b. Core competency theory argues that an organization should focus exclusively on its core business competencies.
c. Core competency theory argues that an organization should not outsource specific commodity assets.
d. Core competency theory argues that an organization should retain certain specific noncore assets in-house.

23. Which of the following is not true?
a. Large-scale IT outsourcing involves transferring specific assets to a vendor.
b. Specific assets, while valuable to the client, are of little value to the vendor.
c. Once an organization outsources its specific assets, it may not be able to return to its pre-outsource state.
d. Specific assets are of value to vendors because, once acquired, vendors can achieve economies of scale by employing them with other clients.

24. Which of the following is not true?
a. When management outsources their organization’s IT functions, they also outsource responsibility for internal control.
b. Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor’s performance.
c. IT outsourcing may affect incongruence between a firm’s IT strategic planning and its business planning functions.
d. The financial justification for IT outsourcing depends upon the vendor achieving economies of scale.

25. Which of the following is not true?
a. Management may outsource their organizations’ IT functions, but they cannot outsource their management responsibilities for internal control.
b. Section 404 requires the explicit testing of outsourced controls.
c. The SSAE 16 report, which is prepared by the outsourcer’s auditor, attests to the adequacy of the vendor’s internal controls.
d. Auditors issue two types of SSAE 16 reports: Type I report and Type II report.

26. Segregation of duties in the computer-based information system includes
a. separating the programmer from the computer operator
b. preventing management override
c. separating the inventory process from the billing process
d. performing independent verifications by the computer operator

27. A disadvantage of distributed data processing is
a. the increased time between job request and job completion.
b. the potential for hardware and software incompatibility among users.
c. the disruption caused when the mainframe goes down.
d. that users are not likely to be involved.

28. Which of the following is NOT a control implication of distributed data processing?
a. redundancy
b. user satisfaction
c. incompatibility
d. lack of standards

29. Which of the following disaster recovery techniques may be least optimal in the case of a disaster?
a. empty shell
b. mutual aid pact
c. recovery operation center
d. they are all equally beneficial

30. Which of the following is a feature of fault tolerance control?
a. interruptible power supplies
b. RAID
c. DDP
d. MDP

31. Which of the following disaster recovery techniques has the least risk associated with it?
a. empty shell
b. ROC
c. internally provided backup
d. they are all equally risky

32. Cloud computing
a. pools resources to meet the needs of multiple client firms
b. allows clients to expand and contract services almost instantly
c. both a. and b.
d. neither a. nor b.

ESSAY

1. Compare and contrast the following disaster recovery options: empty shell, recovery operations center, and internally provided backup. Rank them from most risky to least risky, as well as most costly to least costly.

The lowest cost method is internally provided backup. With this method, organizations with multiple data processing centers may invest in internal excess capacity and support themselves in the case of disaster in one data processing center. This method is not as risky as the mutual aid pact because reliance on another organization is not a factor. In terms of cost, the next highest method is the empty shell, where two or more organizations buy or lease space for a data processing center. The space is made ready for computer installation; however, no computer equipment is installed. This method requires lease or mortgage payments, as well as payment for air conditioning and raised floors. The risk of this method is that the hardware, software, and technicians may be difficult, if not impossible, to have available in the case of a natural disaster. Further, if multiple members’ systems crash simultaneously, an allocation problem exists. The method with the lowest risk and also the highest cost is the recovery operations center. This method takes the empty shell concept one step further: the computer equipment is actually purchased and software may even be installed. Assuming that this site is far enough away from the disaster stricken area not to be affected by the disaster, this method can be a very good safeguard.

2. What is a disaster recovery plan? What are the key features?

A disaster recovery plan is a comprehensive statement of all actions to be taken before, during, and after a disaster, along with documented, tested procedures that will ensure the continuity of operations. The essential features are: providing second site backup, identifying critical applications, backup and off-site storage procedures, creating a disaster recovery team, and testing the disaster recovery plan.

3. Explain the outsourcing risk of failure to perform.

Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor’s performance. The negative implications of such dependency are illustrated in the financial problems that have plagued the huge outsourcing vendor Electronic Data Systems Corp. (EDS). In a cost-cutting effort, EDS terminated seven thousand employees, which impacted its ability to serve other clients. Following an eleven-year low in share prices, EDS stockholders filed a class-action lawsuit against the company. Clearly, vendors experiencing such serious financial and legal problems threaten the viability of their clients also.

4. Explain vendor exploitation.

Once the client firm has divested itself of specific assets, it becomes dependent on the vendor. The vendor may exploit this dependency by raising service rates to an exorbitant level. As the client’s IT needs develop over time beyond the original contract terms, it runs the risk that new or incremental services will be negotiated at a premium. This dependency may threaten the client’s long-term flexibility, agility and competitiveness and result in even greater vendor dependency.

5. Explain why reduced security is an outsourcing risk.

Information outsourced to off-shore IT vendors raises unique and serious questions regarding internal control and the protection of sensitive personal data. When corporate financial systems are developed and hosted overseas, and program code is developed through interfaces with the host company’s network, US corporations are at risk of losing control of their information. To a large degree, US firms are reliant on the outsourcing vendor’s security measures, data-access policies and the privacy laws of the host country.

6. Explain how IT outsourcing can lead to loss of strategic advantage.

Alignment between IT strategy and business strategy requires a close working relationship between corporate management and IT management in the concurrent development of business IT strategies. This, however, is difficult to accomplish when IT planning is geographically redeployed off-shore or even domestically. Further, since the financial justification for IT outsourcing depends upon the vendor achieving economies of scale, the vendor is naturally driven toward seeking common solutions that may be used by many clients rather than creating unique solutions for each of them. This fundamental underpinning of IT outsourcing is inconsistent with the client’s pursuit of strategic advantage in the marketplace.
