Bsac 117 Computer Audit Week 4 Seatwork Aug 24-Student

Hill Crest Corporation stored its servers and backup tapes onsite in a converted warehouse with exposed wooden beams and a wooden exterior. It lacked any disaster recovery plan beyond weekly tape backups shelved in the same room as the servers. When a fire destroyed the building, Hill Crest lost all client data. Fire-resistant construction, fire suppression, daily backups with off-site copies, and a written recovery plan with a 72-hour recovery target could have prevented total data loss.
  • Internal Control: Analyzes the initial examination of a company’s financial statements and internal control procedures, highlighting issues related to compensating controls.
  • Physical Security: Discusses the security features necessary for protecting a computer center, emphasizing environmental and structural elements to prevent physical intrusions and disasters.
  • Disaster Recovery Plans: Explores strategies for disaster recovery at a company’s data center, focusing on weaknesses that led to previous failures and recommended improvements.
  • Segregation of Duties: Examines the importance of separating job tasks to prevent conflicts and fraud within an organization, highlighting the necessity of strong access and password controls.


BSAC 117 COMPUTER AUDIT

WEEK 4 SEATWORK

ANSWER SHEET

AUGUST 24, 2020 (7pm-9PM)

SURNAME: Medina FIRST NAME: Leoreyn Faye M.I. Y

Case Problem 1: Internal Control

During its preliminary review of the financial statements of Barton, Inc., Simon and Associates, CPA
discovered a lack of proper segregation of duties between the programming and operating functions in
Barton’s data center. They discovered that some new systems development programmers also filled in as
operators on occasion. Simon and Associates extended the internal control review and test of controls
and concluded in its final report that sufficient compensating general controls provided reasonable
assurance that the internal control objectives were being met.

Required: What compensating controls are most likely in place?

ANSWER:

The compensating controls most likely in place are: operators are not permitted to run the systems they developed; all operators work under adequate supervision; no systems documentation is stored in the data center, so an operator cannot use it to modify a program; an access log records when, by whom and for how long each program was run or accessed; and supervisors regularly review that log to check when and for how long operators ran programs, following up on anything unexpected.
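
As an added example (not part of the seatwork or its textbook), the access-log review described above can be automated. The log format, the program-authorship table, the operator names and the 90-minute duration threshold are constructed assumptions; the check flags any run where the operator is also the program's developer, and any run longer than expected, for supervisor follow-up:

```python
"""Compensating-control check for Case Problem 1 (added example, not from the
seatwork). Assumptions: the data center keeps an operator activity log with one
line per program run (start, end, operator, program), and change-management
records say who developed each program. All data below is constructed."""
from datetime import datetime, timedelta

# Constructed: who developed each program, from the change-management records.
PROGRAM_AUTHORS = {
    "PAYROLL01": "jreyes",
    "AR_POST": "mcruz",
    "GL_CLOSE": "jreyes",
}

# Constructed operator activity log: start, end (ISO 8601), operator, program.
ACTIVITY_LOG = """\
2020-08-21T22:00:00 2020-08-21T22:35:00 mcruz   PAYROLL01
2020-08-21T23:00:00 2020-08-22T01:10:00 jreyes  GL_CLOSE
2020-08-22T02:00:00 2020-08-22T02:05:00 mcruz   AR_POST
2020-08-22T03:00:00 2020-08-22T03:20:00 dsantos PAYROLL01
"""


def parse_log(text):
    """Turn the raw log into dicts; skip blank lines, fail loudly on malformed ones."""
    runs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, user, program = line.split()
        runs.append({
            "user": user,
            "program": program,
            "start": datetime.fromisoformat(start),
            "end": datetime.fromisoformat(end),
        })
    return runs


def review_runs(runs, authors, max_minutes=90):
    """Return (rule, operator, program, detail) tuples for supervisor follow-up.

    Rule 1: an operator must not run a program he or she developed.
    Rule 2: a run longer than max_minutes (assumed threshold) needs an explanation."""
    exceptions = []
    for r in runs:
        if authors.get(r["program"]) == r["user"]:
            exceptions.append(("developer_ran_own_program", r["user"], r["program"], ""))
        minutes = (r["end"] - r["start"]) / timedelta(minutes=1)
        if minutes > max_minutes:
            exceptions.append(("run_exceeded_expected_duration", r["user"],
                               r["program"], f"{minutes:.0f} min"))
    return exceptions


def review_log(text=ACTIVITY_LOG, authors=PROGRAM_AUTHORS):
    """Parse the log and apply both rules; this is what a supervisor would run daily."""
    return review_runs(parse_log(text), authors)


if __name__ == "__main__":
    for rule, user, program, detail in review_log():
        print(f"{rule:32} {user:8} {program:10} {detail}")
```

The authorship table is the piece that makes the control compensating: without a reliable record of who wrote each program, the log alone cannot show that developers stayed out of operations.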

Case Problem 2: Physical Security

United Financials, Inc., is a financial services firm located in Makati City. The company keeps client
investment and account information on a server at its Makati Avenue data center. This information
includes the total value of the portfolio, type of investments made, the income structure of each client, and
associated tax liabilities. The company has recently upgraded its Web site to allow clients to access their
investment information. The company’s data center is in the basement of a rented building. Company
management believes that the location is secure enough to protect their data from physical threats. The
servers are housed in a room that has smoke detectors and associated sprinklers. It is enclosed, with no
windows, and has temperature-controlled air conditioning. The company’s auditors, however, have
expressed concern that some of the measures at the current location are inadequate and that newer
alternatives should be explored. Management has expressed counter concerns about the high cost of
purchasing new equipment and relocating its data center.

Required:
1. Why are United Financials’ auditors stressing the need to have a better physical environment for the
server?
2. Describe six control features that contribute to the physical security of the computer center.
3. United Financials management is concerned about the cost of relocating the data center. Discuss
some options open to them that could reduce their operating costs and provide the security the auditors
seek.

REQUIRED ANSWERS

1. The physical environment is not only a matter of physical intruders and sabotage; it also covers
power failures, fire, earthquake and flood. These events are rare, but they must still be accounted for,
because a single one can cost the company its data and its ability to serve clients. Software controls
cannot prevent losses from force majeure, and the current location offers less protection than management
believes: a basement is the first part of a building to flood, and water sprinklers directly above the servers
would destroy the equipment they are meant to protect. The company should have a workable disaster
recovery plan.

2. Six control features that contribute to the physical security of the computer center:

a. Physical Location: The physical location of the computer center directly affects the risk of disaster.
The computer center should be away from human-made and natural hazards, such as processing plants,
gas and water mains, airports, high-crime areas, flood plains, and geological faults.

b. Construction: Ideally, a computer center should be located in a single-story building of solid
concrete with controlled access. Utility and communication lines should be underground. The building's
windows should not open. An air filtration system capable of excluding dust, pollen, and dust mites
should be in place.

c. Access: Access should be limited to operators and other employees who work there. Programmers
and analysts who need access to correct program errors should be required to sign in and out. The
computer center should maintain accurate records of all such events to verify access control. The main
entrance to the computer center should be through a single door, though fire exits with alarms are
important. Closed-circuit cameras with video recording are also highly advisable.

d. Air Conditioning: Mainframes and servers, such as those holding United Financials' client records,
have heavy processing volumes. They are designed to work at their optimal levels only within a narrow
range of conditions, most importantly temperature. Computers operate best in a temperature range of
70 to 75 degrees Fahrenheit (about 21 to 24 degrees Celsius) and a relative humidity of 50 percent.
Logic errors and static electricity risks can be mitigated by proper use of air conditioning.

e. Fire Suppression: The major features should include automatic and manual alarms (placed in
strategic locations and connected to fire stations), an automatic fire-extinguishing system that does not
rely on water sprinklers over the equipment (carbon dioxide or a clean-agent gas; halon, which older
texts recommend, is no longer produced because of the Montreal Protocol, so new installations use
replacement agents), manual fire extinguishers, and clearly marked and illuminated fire exits.

f. Fault Tolerance Controls: Commercially provided electrical power presents several problems that
can disrupt the computer center's operations, including total power failures, brownouts, and power
fluctuations. The company should look into the use of surge protectors, generators, batteries
(uninterruptible power supplies), and voltage regulators to protect its computer systems from the
negative effects of these disruptions.

3. The company should consider outsourcing, either a traditional service-bureau arrangement or the
more flexible cloud computing approach. SaaS and IaaS options are readily available for financial
services firms. Vendors that can produce a current SOC 1 or SOC 2 report (attestations under SSAE 18,
which replaced SSAE 16 in 2017; these are auditor reports, not certifications) will have disaster recovery
and security features in place that management can review rather than build. The cost is lower than the
company doing it independently, and it avoids the capital outlay for new equipment and relocation.
Management should remember that outsourcing the servers does not outsource responsibility for the
client data: the contract should cover where the data is kept, how it is encrypted, the right to audit, and
how the data is returned when the contract ends.

Case Problem 3: Disaster Recovery Plans

The headquarters of Hill Crest Corporation, a private company with $15.5 million in annual sales, is
located in California. Hill Crest provides for its 150 clients an online legal software service that includes
data storage and administrative activities for law offices. The company has grown rapidly since its
inception 3 years ago, and its data processing department has expanded to accommodate this growth.
Because Hill Crest’s president and sales personnel spend a great deal of time out of the office developing
new clients, the planning of the IT facilities has been left to the data processing professionals.

Hill Crest recently moved its headquarters into a remodeled warehouse on the outskirts of the city. While
remodeling the warehouse, the architects retained much of the original structure, including the wooden-
shingled exterior and exposed wooden beams throughout the interior. The distributive processing
computers and servers are situated in a large open area with high ceilings and skylights. The openness
makes the data center accessible to the rest of the staff and promotes a team approach to problem
solving. Before occupying the new facility, city inspectors declared the building safe; that is, it had
adequate fire extinguishers, sufficient exits, and so on. In an effort to provide further protection for its
large database of client information, Hill Crest instituted a tape backup procedure that automatically backs
up the database every Sunday evening, avoiding interruption in the daily operations and procedures. All
tapes are then labeled and carefully stored on shelves reserved for this purpose in the data processing
department. The departmental operator’s manual has instructions on how to use these tapes to restore
the database, should the need arise. A list of home phone numbers of the individuals in the data
processing department is available in case of an emergency. Hill Crest has recently increased its liability
insurance for data loss from $50,000 to $100,000. This past Saturday, the Hill Crest headquarters
building was completely ruined by fire, and the company must now inform its clients that all of their
information has been destroyed.

Required:
1. Describe the computer security weaknesses present at Hill Crest Corporation that made it possible for
a disastrous data loss.
2. List the components that should have been included in the disaster recovery plan at Hill Crest
Corporation to ensure computer recovery within 72 hours.
3. What factors, other than those included in the plan itself, should be considered when formulating
the plan?

REQUIRED ANSWERS

The computer security weaknesses at Hill Crest Corporation that made a disastrous data loss possible:

1. Not housing the data-processing facility in a building constructed of fire-retardant materials, and
instead using one with exposed wooden beams and a wooden-shingled exterior.
2. The absence of an automatic fire-suppression system (a gas-based system rather than water
sprinklers, with suppression under a raised floor) and of fire doors. The fire extinguishers and exits that
satisfied the city inspectors are life-safety measures; they do not protect equipment or data.
3. An on-line system with infrequent (weekly) tape backups. Backups, with checkpoints and restarts,
should be performed at least daily. "Grandfather" and "father" backup files should be retained at a
secure off-site storage location; all of Hill Crest's tapes sat on a shelf in the same room as the servers,
so the fire destroyed the backups together with the data they were meant to protect.
4. Data and programs should have been kept in a library separate from the data-processing room, with
the library area constructed of fire-retardant materials.
5. Lack of a written disaster recovery plan with arrangements in place to use an alternate off-site
computer center in the event of a disaster or an extended service interruption. There was a phone list
of DP personnel, but without assigned responsibilities as to actions to be taken when needed.
6. Lack of complete systems documentation kept outside the data-processing area.

The components that should have been included in the disaster recovery plan at Hill Crest
Corporation to ensure computer recovery within 72 hours include the following:

1. A written disaster recovery plan should be developed with review and approval by senior
management, data-processing management, end-user management, and internal audit.
2. Backup data and programs should be stored at an off-site location that will be quickly accessible in
the event of an emergency.
3. The disaster recovery team should be organized. Select the disaster recovery manager, identify the
tasks, segregate them into teams, develop an organizational chart for disaster procedures, match
personnel to team skills and functions, and assign duties and responsibilities to each member.
4. The duties and responsibilities of the recovery team include:
   a) Obtaining use of a previously arranged alternate data-processing facility, and activating the
   backup system and network; and
   b) Retrieving backup data files and programs, restoring programs and data, processing critical
   applications, and reconstructing data entered into the system subsequent to the latest saved
   backup/restart point.
5. The plan should be tested periodically. A 72-hour recovery target is only credible once a restore
from the off-site tapes at the alternate site has actually been rehearsed and timed.

Factors, other than those included in the disaster recovery plan itself, that should be considered when
formulating the plan include:

1. Arranging business interruption insurance in addition to liability insurance.
2. Ensuring that all systems and operations documentation is kept up to date and is easily accessible
for use in case of a disaster.
3. Performing a risk/cost analysis to determine the level of expense that may be justified to obtain
reasonable, as opposed to certain, assurance that recovery can be accomplished in 72 hours.
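
As an added example (not part of the seatwork or its textbook), the arithmetic behind weakness 3 and plan component 2 above can be made concrete. The two backup catalogues (Hill Crest's weekly on-site tapes, and the recommended daily schedule with off-site "father" and "grandfather" generations), the time of the fire, the catalogue fields and the 24-hour recovery-point target are all constructed assumptions. The check asks which backups would still exist after the building is lost, how many hours of client work that implies are gone, and whether each GFS generation has a verified off-site copy:

```python
"""Recovery-point check for Case Problem 3 (added example, not from the seatwork).
Assumption: a backup catalogue listing each completed backup with the time it
was taken, where the media sit, and whether a test restore has verified it.
Both catalogues, the fire time and the RPO target are constructed."""
from datetime import datetime, timedelta

FIRE = datetime(2020, 8, 22, 14, 0)  # constructed: the Saturday of the fire

# Constructed: Hill Crest as described - Sunday tapes shelved in the DP department.
HILL_CREST_ACTUAL = [
    {"taken": datetime(2020, 8, 9, 20, 0), "location": "onsite", "verified": False},
    {"taken": datetime(2020, 8, 16, 20, 0), "location": "onsite", "verified": False},
]

# Constructed: the recommended scheme - daily backups, with the Sunday ("father")
# and month-start ("grandfather") generations couriered off site and restore-tested.
RECOMMENDED = [
    {"taken": datetime(2020, 8, 1, 20, 0), "location": "offsite", "verified": True},
    {"taken": datetime(2020, 8, 16, 20, 0), "location": "offsite", "verified": True},
    {"taken": datetime(2020, 8, 19, 20, 0), "location": "onsite", "verified": True},
    {"taken": datetime(2020, 8, 20, 20, 0), "location": "onsite", "verified": True},
    {"taken": datetime(2020, 8, 21, 20, 0), "location": "offsite", "verified": True},
]


def classify_gfs(backup):
    """Grandfather = first day of the month, father = Sunday, son = any other day."""
    taken = backup["taken"]
    if taken.day == 1:
        return "grandfather"
    if taken.weekday() == 6:
        return "father"
    return "son"


def surviving_backups(catalog, disaster):
    """Backups usable after a disaster that destroys the building: off site,
    restore-tested, and taken before the event."""
    return [b for b in catalog
            if b["location"] == "offsite" and b["verified"] and b["taken"] <= disaster]


def data_loss_hours(catalog, disaster):
    """Hours of work lost (the realised recovery point). None means total loss."""
    usable = surviving_backups(catalog, disaster)
    if not usable:
        return None
    latest = max(b["taken"] for b in usable)
    return (disaster - latest) / timedelta(hours=1)


def offsite_generations(catalog):
    """Which GFS generations have at least one verified off-site copy."""
    return {classify_gfs(b) for b in catalog
            if b["location"] == "offsite" and b["verified"]}


def meets_target(catalog, disaster, rpo_hours=24):
    """True if data loss stays within the assumed 24-hour recovery point and the
    father and grandfather generations both exist off site."""
    loss = data_loss_hours(catalog, disaster)
    return (loss is not None and loss <= rpo_hours
            and {"father", "grandfather"} <= offsite_generations(catalog))


if __name__ == "__main__":
    for name, cat in (("Hill Crest actual", HILL_CREST_ACTUAL), ("recommended", RECOMMENDED)):
        print(name, data_loss_hours(cat, FIRE), offsite_generations(cat), meets_target(cat, FIRE))
```

Note that the on-site tapes count for nothing in this model even when they are recent and restore-tested: the question a recovery plan answers is what survives the same event that takes out the primary site, which is why the weekly Sunday tapes on the shelf left Hill Crest with a total loss rather than six days of lost work.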

Case Problem 4: Segregation of Duties

Arcadia Plastics follows the philosophy of transferring people from job to job within the organization
Management believes that job rotation deters employees from feeling that they are stagnating in their jobs
and promotes a better understanding of the company. A computer services employee typically works for
six months as a data librarian, one year as a systems developer, six months as a database administrator,
and one year in systems maintenance. At that point, he or she is assigned to a permanent position.

Required:
Discuss the importance of separation of duties within the information systems department.
How can Arcadia Plastics have both job rotation and well-separated duties?

ANSWER:

Certain duties must not be performed by a single person; that separation is itself an internal control,
because combining incompatible functions (for example, developing a program and also maintaining it, or
administering the database and also controlling the data library) lets one employee both commit and
conceal an error or a fraud. Arcadia Plastics can keep job rotation if each move is treated as a change of
role: an employee holds only one of the incompatible roles at a time, and access rights and passwords are
reissued when the person rotates, so that nobody keeps the access of a previous role. The company
needs to employ strong password and access controls, reviewed at every rotation, to make sure the
separation holds and to avoid any conflict. Strong control is very important to prevent employee fraud.
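
As an added example (not part of the seatwork or its textbook), a role-history check for a rotation scheme like Arcadia Plastics'. The conflicting-role pairs, the access attached to each role, the two employees and their dates are constructed assumptions. It reports the two ways rotation breaks segregation of duties: an employee holding conflicting roles at the same time, and access that was never revoked when the person rotated out of the role that justified it:

```python
"""Segregation-of-duties review for Case Problem 4 (added example, not from the
seatwork). Assumptions: HR keeps a role history per employee and the access
system keeps a grant/revoke history; the conflicting-role pairs and the access
each role needs are stated here as assumptions, and all records are constructed."""
from datetime import date
from itertools import combinations

AS_OF = date(2020, 8, 24)  # constructed review date

# Assumption: roles one person must not hold at the same time.
CONFLICTING_ROLES = {
    frozenset({"systems developer", "systems maintenance"}),
    frozenset({"systems developer", "database administrator"}),
    frozenset({"systems maintenance", "database administrator"}),
    frozenset({"data librarian", "systems developer"}),
}

# Assumption: the access each rotation role legitimately needs.
ROLE_ENTITLEMENTS = {
    "data librarian": {"tape_library_rw"},
    "systems developer": {"dev_source_rw"},
    "database administrator": {"db_admin"},
    "systems maintenance": {"prod_source_rw"},
}

# Constructed role history: (employee, role, start, end); end None = still held.
ASSIGNMENTS = [
    ("emp01", "data librarian", date(2019, 1, 1), date(2019, 6, 30)),
    ("emp01", "systems developer", date(2019, 7, 1), date(2020, 6, 30)),
    ("emp01", "database administrator", date(2020, 7, 1), None),
    ("emp02", "systems developer", date(2020, 1, 1), None),
    ("emp02", "systems maintenance", date(2020, 5, 1), None),
]

# Constructed access history: (employee, entitlement, granted, revoked); revoked None = active.
ENTITLEMENTS = [
    ("emp01", "tape_library_rw", date(2019, 1, 1), date(2019, 7, 1)),
    ("emp01", "dev_source_rw", date(2019, 7, 1), None),  # never revoked at rotation
    ("emp01", "db_admin", date(2020, 7, 1), None),
    ("emp02", "dev_source_rw", date(2020, 1, 1), None),
    ("emp02", "prod_source_rw", date(2020, 5, 1), None),
]


def _overlaps(a, b):
    """True if two (employee, role, start, end) assignments share at least one day."""
    a_end = a[3] or date.max
    b_end = b[3] or date.max
    return a[2] <= b_end and b[2] <= a_end


def concurrent_conflicts(assignments):
    """Employees who held two conflicting roles during the same period."""
    findings = []
    for a, b in combinations(assignments, 2):
        if a[0] == b[0] and frozenset({a[1], b[1]}) in CONFLICTING_ROLES and _overlaps(a, b):
            findings.append((a[0],) + tuple(sorted((a[1], b[1]))))
    return findings


def stale_entitlements(assignments, entitlements, as_of):
    """Access still active on as_of although no role held on that day justifies it."""
    findings = []
    for emp, ent, granted, revoked in entitlements:
        if granted > as_of or (revoked is not None and revoked <= as_of):
            continue
        current_roles = {role for e, role, start, end in assignments
                         if e == emp and start <= as_of and (end is None or end >= as_of)}
        if not any(ent in ROLE_ENTITLEMENTS.get(role, set()) for role in current_roles):
            origin = next((role for role, ents in ROLE_ENTITLEMENTS.items() if ent in ents), None)
            findings.append((emp, ent, origin))
    return findings


if __name__ == "__main__":
    print(concurrent_conflicts(ASSIGNMENTS))
    print(stale_entitlements(ASSIGNMENTS, ENTITLEMENTS, AS_OF))
```

Run at each rotation and at period end, the second check is what turns "frequent password changing" into a control: it shows the specific access that should have been removed when the employee moved on, rather than relying on a calendar-driven reset that leaves the old entitlement in place.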
