Page 169 - CITP Review

10.
                a.  Incorrect. A preventive control would prevent an error from occurring and is generally not
                    intended to make sure data is complete.
                b.  Correct. The purpose of the described control is to detect incomplete data. Therefore,
                    this control is a detective one.

                c.  Incorrect. Corrective controls address data after it is entered and an error has been
                    detected. Therefore, this scenario is not corrective in nature.

                d.  Incorrect. Access controls apply to access to networks or applications, and not the
                    completeness of data entered.


            11.
                a.  Correct. This situation demonstrates multifactor access control where it takes not only
                    an authorization (the debit card) but also some separate level of authorization or
                    authentication to gain access (the PIN).
                b.  Incorrect. This situation is not about simple access control or else it would ask only for
                    login credentials, such as the card’s magnetic strip.
                c.  Incorrect. Although the ATM software is programmed to ask for both the card and a PIN,
                    the question is about the card and PIN as inputs, authorization, and authentication type
                    functions.
                d.  Incorrect. Although the data in the system would verify the card number and PIN, in
                    combination, the question is about the card and PIN as inputs.

            12.
                a.  Incorrect. ITGC is the body of general controls. This situation involves only one area of
                    SDLC within change management. It is not appropriate to assess the entire body of ITGC
                    based on this information.
                b.  Incorrect. The operating effectiveness of the staging area is not directly relevant to the
                    presence or absence of SDLC and application development controls regarding the other
                    phases of SDLC. Those could not be assessed by examining only the testing aspect and
                    staging area.
                c.  Incorrect. The control environment is a different segment of ITGC from change
                    management and SDLC. It would not be appropriate to make a judgment on the
                    effectiveness of the control environment based on SDLC practices.
                d.  Correct. The next thing the IT auditor needs to do is to verify the operating effectiveness
                    by taking a sample of programs and examining the documentation. This process would
                    confirm or disaffirm that staff are following best practices in SDLC regarding
                    application development.










            © 2019 Association of International Certified Professional Accountants. All rights reserved.    Solutions 11