Look at the attached Access Control questionnaire from ASU. Does the document in

ID: 3857567 • Letter: L

Question

Look at the attached Access Control questionnaire from ASU. Does the document include everything? Are there questions you would add? Take the survey using your own company or a company you frequent. Can you answer all the questions? What suggestions would you have for the questionnaire writer? Discuss your findings in a single document.
This assignment should be at least one page long (double spaced, APA format where applicable)

IT - General Controls Questionnaire

Internal Control Questionnaire

Systems development is the process of creating new computerized applications in-house (i.e., within the organization). The development life cycle consists of several phases. Each phase has objectives, processes, products and reviews. The reviews provide a mechanism for determining at each phase whether user needs are being met and whether cost, control, and audit objectives are being achieved. Systems acquisition is the process of purchasing and implementing an

Question

Yes

N/A

Remarks

application that has been developed by a third-party software vendor. The effective implementation of purchased applications also requires the entity to adopt a formal methodology to control the process. This methodology closely resembles that of in-house developed systems

1. Interview IT management to determine whether any new financial applications were either: 1.) developed in-house or acquired from a vendor or 2.) are being planned or investigated during the current audit period.

If no planning related to the development or acquisition of new financial systems was performed during the audit period, do not complete this control module.

2. Did the university's procedures for developing new applications include:

a. System requirements analysis?

b. System specifications?

c. Technical design?

d. Technical procedure development?

e. User procedure development?

f. System and acceptance testing?

g. Transition?

3. *Were user personnel involved in new systems development (acquisition), particularly during design, development, testing, and conversion?

4. *Were audit and security concerns considered during the initial analysis phase? (If university has an internal audit staff, were internal auditors involved in new systems development (acquisition)?)

Question

Yes

N/A

Remarks

5. Did IT management adequately document:

a. Systems documentation?

b. Program documentation?

c. Operations documentation?

d. Users documentation?

G5. COMPUTER OPERATIONS CONTROLS

Computer operations controls are designed to ensure that systems continue to function consistently, as planned. They include controls over the use of the correct data, programs, and other resources, and the proper performance of this function by operators, particularly when a problem occurs.

1. Does the university maintain general operational documentation relating to the following procedures for which the operations staff are responsible?

a. System start-up procedures

b. Backup assignments

c. Emergency procedures

d. System shutdown procedures

e. Error message debugging instructions

f. System and job status reporting instructions

2. Does the university maintain application-specific operational instructions including:

Question

Yes

N/A

Remarks

a. Definitions of input sources, input data, and data formats?

b. Descriptions of restart procedures and checkpoints?

c. Descriptions of data storage requirements?

d. Types of console message instructions?

e. Copies of system flowcharts?

3. *Are operating logs maintained, retained and reviewed on an ongoing basis?

4. Are workloads properly managed by using manual or automated processing schedules to ensure that all jobs are processed and that deadlines and priorities are considered?

G6. DATABASE CONTROLS

A database is a collection of related data organized in a manner intended to be accessed by multiple users for varied purposes. Database controls are designed to ensure that activities related to the security, integrity, accountability and recoverability of the database are controlled.

1. Does the university have a Database Administrator (DBA)? Is the DBA responsible for managing the entity’s databases, including the following:

a. Design and implementation?

b. Monitoring and availability?

c. Integrity and security?

Question

Yes

N/A

Remarks

2. *Are Database Management Systems (DBMS) security features used to protect data against unauthorized access or manipulation?

3. *Are DBMS utilities and commands restricted to those responsible for the maintenance of the DBMS (usually a designated DBA)?

4. *For change control procedures for the Data Dictionary and

DBMS:

a. Is proper authorization obtained prior to modification?

b. Are modifications tested?

c. Are modifications reviewed and approved?

d. Are changes documented?

5. Is the database and its data backed-up on a regular basis, and are backups secured off-site?

G7. TELECOMMUNICATION CONTROLS

Telecommunication controls relate to the risk and control considerations for the transmission media, hardware and software that compose a communication system, as well as the management of a communication system. Complete this section only if the university processes material financial activity using this technology.

1. Does the university have written telecommunication policies and procedures? Do policies and procedures include:

a. Methodology to implement telecommunication projects (hardware and software)?

Question

Yes

N/A

Remarks

b. Construction and software change management controls?

c. Security controls?

d. Problem/incident reporting?

e. Contingency planning?

*Has telecommunication software (VTAM) been defined to the access control software and is access restricted to only authorized users?

Is communication equipment physically secured and adequately protected from environmental concerns?

*Are data transmissions logged to provide for an audit trail and to provide the ability to recover all activity, which may have failed to be properly sent or received?

*Are data transmission errors reported to management for problem analysis and corrective action?

*Is there a process of data communications change management (e.g., changes in configuration)?

Do requests for changes in the telecommunications configuration include:

a. Proper authorization prior to the change?

b. Testing of changes?

c. Review and approval of changes?

Question

Yes

N/A

Remarks

d. Documentation of changes?

8. Are there recovery procedures for a failure of data communications equipment or software?

9. Do the back-up and recovery procedures include:

a. Back-up copies of communications software?

b. Alternate line/carrier facilities (public or private)?

c. Multiple paths to critical sites on the network?

d. Responsive reconfiguration procedures?

G8. NETWORK CONTROLS

Network controls address the threats and risks to sensitive and critical data that are accessed and transmitted through networks. Network controls ensure proper security performance and reliability of all network components. Complete this section only if the university processes material financial activity using this technology.

1. Do the LAN administrator's responsibilities include support for:

a. User training?

b. Policies and procedures?

c. Security?

Explanation / Answer

Hi,

Below is the survey Answer-

Question Yes No N/A Remarks application that has been developed by a third-party software vendor. The effective implementation of purchased applications also requires the entity to adopt a formal methodology to control the process. This methodology closely resembles that of in-house developed systems Yes 1. Interview IT management to determine whether any new financial applications were either: 1.) developed in-house or acquired from a vendor or 2.) are being planned or investigated during the current audit period. No If no planning related to the development or acquisition of new financial systems was performed during the audit period, do not complete this control module. 2. Did the university's procedures for developing new applications include: a. System requirements analysis? Yes b. System specifications? Yes c. Technical design? Yes d. Technical procedure development? Yes e. User procedure development? Yes f. System and acceptance testing? Yes g. Transition? Yes 3. *Were user personnel involved in new systems development (acquisition), particularly during design, development, testing, and conversion? Yes 4. *Were audit and security concerns considered during the initial analysis phase? (If university has an internal audit staff, were internal auditors involved in new systems development (acquisition)?) No Question Yes No N/A Remarks 5. Did IT management adequately document: a. Systems documentation? No b. Program documentation? Yes c. Operations documentation? No d. Users documentation? No G5. COMPUTER OPERATIONS CONTROLS Computer operations controls are designed to ensure that systems continue to function consistently, as planned. They include controls over the use of the correct data, programs, and other resources, and the proper performance of this function by operators, particularly when a problem occurs. 1. Does the university maintain general operational documentation relating to the following procedures for which the operations staff are responsible? Yes a. System start-up procedures Yes b. Backup assignments No c. Emergency procedures No d. System shutdown procedures No e. Error message debugging instructions No f. System and job status reporting instructions Yes 2. Does the university maintain application-specific operational instructions including: Question Yes No N/A Remarks a. Definitions of input sources, input data, and data formats? Yes b. Descriptions of restart procedures and checkpoints? Yes c. Descriptions of data storage requirements? Yes d. Types of console message instructions? Yes e. Copies of system flowcharts? NA 3. *Are operating logs maintained, retained and reviewed on an ongoing basis? 4. Are workloads properly managed by using manual or automated processing schedules to ensure that all jobs are processed and that deadlines and priorities are considered? No G6. DATABASE CONTROLS A database is a collection of related data organized in a manner intended to be accessed by multiple users for varied purposes. Database controls are designed to ensure that activities related to the security, integrity, accountability and recoverability of the database are controlled. 1. Does the university have a Database Administrator (DBA)? Is the DBA responsible for managing the entity’s databases, including the following: No a. Design and implementation? Yes b. Monitoring and availability? No c. Integrity and security? No Question Yes No N/A Remarks 2. *Are Database Management Systems (DBMS) security features used to protect data against unauthorized access or manipulation? Yes 3. *Are DBMS utilities and commands restricted to those responsible for the maintenance of the DBMS (usually a designated DBA)? Yes 4. *For change control procedures for the Data Dictionary and DBMS: a. Is proper authorization obtained prior to modification? Yes b. Are modifications tested? Yes c. Are modifications reviewed and approved? Yes d. Are changes documented? No 5. Is the database and its data backed-up on a regular basis, and are backups secured off-site? No G7. TELECOMMUNICATION CONTROLS Telecommunication controls relate to the risk and control considerations for the transmission media, hardware and software that compose a communication system, as well as the management of a communication system. Complete this section only if the university processes material financial activity using this technology. 1. Does the university have written telecommunication policies and procedures? Do policies and procedures include: No a. Methodology to implement telecommunication projects (hardware and software)? Yes Question Yes No N/A b. Construction and software change management controls? Yes c. Security controls? Yes d. Problem/incident reporting? Yes e. Contingency planning? Yes 2 *Has telecommunication software (VTAM) been defined to the access control software and is access restricted to only authorized users? Yes 3 Is communication equipment physically secured and adequately protected from environmental concerns? Yes 4 *Are data transmissions logged to provide for an audit trail and to provide the ability to recover all activity, which may have failed to be properly sent or received? Yes 5 *Are data transmission errors reported to management for problem analysis and corrective action? No 6 *Is there a process of data communications change management (e.g., changes in configuration)? No 7 Do requests for changes in the telecommunications configuration include: No a. Proper authorization prior to the change? Yes b. Testing of changes? Yes c. Review and approval of changes? Yes Question Yes No N/A Remarks d. Documentation of changes? No 8. Are there recovery procedures for a failure of data communications equipment or software? No 9. Do the back-up and recovery procedures include: a. Back-up copies of communications software? No b. Alternate line/carrier facilities (public or private)? No c. Multiple paths to critical sites on the network? No d. Responsive reconfiguration procedures? No G8. NETWORK CONTROLS Network controls address the threats and risks to sensitive and critical data that are accessed and transmitted through networks. Network controls ensure proper security performance and reliability of all network components. Complete this section only if the university processes material financial activity using this technology. 1. Do the LAN administrator's responsibilities include support for: a. User training? Yes b. Policies and procedures? Yes c. Security? Yes

Navigate

Look at the attached Access Control questionnaire from ASU. Does the document in

Look at the beta of Apple, Google, Sirius XM, Pandora, and Live Nation, and rank

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.

Look at the attached Access Control questionnaire from ASU. Does the document in

Question

Explanation / Answer

Related Questions

Navigate