Question
Thinking from the perspective of risk to an information system, explain why each of the following combinations of tasks should, or should not, be separated to achieve adequate internal control.
a. Recording cash receipts in the journal and posting to the accounts receivable subsidiary ledger.
b. Preparation of accounts payable and distribution of payroll checks to employees (paymaster).
c. Posting of amounts from both the cash receipts and the cash disbursements journals to the general ledger.
d. Distribution of payroll checks to employees and approval of time cards.
e. Approval of bad debt write-offs and the reconciliation of accounts payable subsidiary ledger and the general ledger control account.
f. Opening the mail, preparing a list of checks received and maintaining the accounts receivable records.
g. Defining permissions and assigning permissions to individuals.
h. Designing a security system, and testing and validating it.
Q2. Based on the case-study, answer the questions below. Explain your answer choices.
Case Study:
The IS auditor has been asked to perform preliminary work that will assess the readiness of the organization for a review to measure compliance with new regulatory requirements. These requirements are designed to ensure that management is taking an active role in setting up and maintaining a well-controlled environment and, accordingly, will assess management's review and testing of the general IT control environment. Areas to be assessed include logical and physical security, change management, production control and network management, IT governance, and end-user computing. The IS auditor has been given six months to perform this preliminary work, so sufficient time should be available. It should be noted that in previous years, repeated problems have been identified in the areas of logical security and change management, so these areas will most likely require some degree of remediation.
Logical security deficiencies noted included the sharing of administrator accounts and failure to enforce adequate controls over passwords. Change management deficiencies included improper segregation of incompatible duties and failure to document all changes. Additionally, the process for deploying operating system updates to servers was found to be only partially effective. In anticipation of the work to be performed by the IS auditor, the chief information officer (CIO) requested direct reports to develop narratives and process flows describing the major activities for which IT is responsible. These were completed, approved by the various process owners and the CIO, and then forwarded to the IS auditor for examination.
1. What should the IS auditor do FIRST?
A. Perform an IT risk assessment.
B. Perform a survey audit of logical access controls.
C. Revise the audit plan to focus on risk-based auditing.
D. Begin testing controls that the IS auditor feels are most critical.
2. When testing program change management, how should the sample be selected?
A. Change management documents should be selected at random and examined for appropriateness.
B. Changes to production code should be sampled and traced to appropriate authorizing documentation.
C. Change management documents should be selected based on system criticality and examined for appropriateness.
D. Changes to production code should be sampled and traced back to system-produced logs indicating the date and time of the change.
Step by Step Solution
There are 3 Steps involved in it
Step: 1
ANSWER a. Recording cash receipts in the journal and posting to the accounts receivable subsidiary ledger: Should be separated. Separating these tasks ensures that the recording of cash receipts is accur...