9.

11
Obtain a copy of COBIT (available at www.isaca.org), and read the control objectives
that relate to encryption (DS5.8 and DS5.11). What are the essential control
procedures that organizations should implement when using encryption?
COBIT control objective DS5.8 addresses key management policies with respect to
encryption. This should include procedures concerning:

Minimum key lengths

Use of approved algorithms

Procedures to authenticate recipients

Secure distribution of keys

Secure storage of keys

Key escrow

Policies governing when to use encryption and which information should be

encrypted (this probably requires the organization to classify and label all
information assets so that employees can identify the different categories)

Procedures for revoking compromised keys

COBIT control objective DS5.11 addresses the use of encryption during the
transmission of information. This should include procedures concerning:

Procedures to ensure information is encrypted prior to transmission

Specification of approved encryption algorithms

Access controls over incoming encrypted information

Secure storage of encryption keys

10.3
For each of the three basic options for replacing IT infrastructure (cold sites, hot
sites, and real-time mirroring), give an example of an organization that could use
that approach as part of its DRP. Be prepared to defend your answer?
Many solutions are possible. The important point is to justify that the method
yields an appropriate RTO for the organization. Cold sites yield RTOs measured in
days; hot sites result in RTOs measured in hours; and real-time mirroring have RTOs
measured in minutes. Here are some possible examples:

Cold site: smaller businesses, such as a local CPA firm. In most situations, CPA
firms can probably function without their main information system for a day or a
couple of days. Most employees have laptops and could continue to do much of
their work (collecting audit evidence, writing reports, working on spreadsheets) and
then upload their work to the main servers once the cold site is up and running.
Hot site: Many businesses could function for several hours using paper-based
forms until their data center was back up and running. For example, if a retailers
information system went down, new sales orders could be processed on paper and
entered later.
Real-time mirroring: Internet-only companies need this because they can only
earn revenue when their web site is up and running. Nor can airlines and financial
institutions operate using paper-based forms; they need to have a backup system
available at all times.
11.1
You are the director of internal auditing at a university. Recently, you met with
IssaArnita, the manager of administrative data processing, and expressed the desire
to establish a more effective interface between the two departments. Issa wants
your help with a new computerized accounts payable system currently in
development. He recommends that your department assume line responsibility for
auditing suppliers invoices prior to payment. He also wants internal auditing to
make suggestions during system development, assist in its installation, and approve
the completed system after making a final review.
Required
Would you accept or reject each of the following? Why?
a. The recommendation that your department be responsible for the pre-audit
of suppliers invoices?
Internal auditing should not assume responsibility for pre-audit of
disbursements. Objectivity is essential to the audit function, and internal
auditors should be independent of the activities they must review. They
should not prepare records or engage in any activity that could compromise
their objectivity and independence. Furthermore, because internal auditing is
a staff function, involvement in such a line function would be inconsistent
with the proper role of an internal auditor.
b. The request that you make suggestions during system development?
It would be advantageous for internal auditing to make specific
suggestions during the design phase concerning controls and audit trails to
be built into a system. Internal auditing should build an appropriate interface
with the Data Processing Department to help achieve this goal. Neither
objectivity nor independence is compromised if the auditor makes
recommendations for controls in the system under review. For example,
internal auditing may:
Provide a list of control requirements.
Review testing plans.

 Determine that there are documentation standards and that they are being
followed.
Determine that the project itself is under control and that there is a system
for gauging design progress.
Internal auditing must refrain, however, from actual participation in system
design.
c. The request that you assist in the installation of the system and approve the
system after making a final review?
The auditor must remain independent of any system they will
subsequently audit. Therefore, the auditor must refrain from giving overall
approval of the system in final review. The auditor may help in the
installation or conversion of the system by continuing to offer suggestions for
controls, particularly during the implementation period. In this situation, the
auditor may review for missing segments, results of testing, and adequacy of
documentation of program and procedures in order to determine readiness of
the system for installation or conversion. After installation or conversion, the
auditor may participate in a post-installation audit, either alone or as part of a
team.