30. Controls over IT infrastructure, operating systems security, database access, application development, and program changes that apply to all application systems are reierred to as a. general controls b. application controls c. system controls d. governance controls 31. The IT group within an organization should separate systems development from data processing operations because failure to do so a. weakens data and information security b. could allow programmers access to make unauthorized changes to applications c. results in inadequate documentation of new applications d. results in master files being inadvertently erased 32. Which of the following is not an essential feature of a disaster recovery plan? a. Identification and arrangements for backup processing site b. Off-site storage of backups of data and applications c. Use of a well-defined systems development life cycle d. Identification of business-critical applications 33. All the following tests of controls will provide evidence about the adequacy of the disaster recovery planning process except a. review of the contractual arrangements for use of a backup site and inspection of site. b. review of the composition of the disaster recovery team and their roles. c. review of the list of critical applications and an evaluation of the process for determining those applications. d. all the above tests will provide evidence about the adequacy of the disaster recovery planning process. 35. Audit risk as used in the audit risk model is defined as a. the risk associated with the unique characteristics of the business or industry. b. the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts. c. the probability that the auditor will render an unqualified opinion on the financial st tements that are materially misstated. d. the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor's substantive tests. 36. All the following are components of the audit risk model except a. inherent risk b. planning risk c. detection risk d. control risk 37. Appropriate segregation of duties in the IT department include a. separating the application programmers from the database administrator b. preventing management override c. separating the inventory process from the billing process d. performing independent verifications by the computer operator 38. Passwords are codes that users enter to gain access to systems. Security can be compromised by all the following except a. failure to change passwords on a regular basis b. using obscure passwords unknown to others c. recording passwords in obvious places d. selecting passwords that can be easily detected by computer criminals 39. Which of the following statements is not true? a. When management outsources their organization's IT functions, they also outsource overall responsibility for internal control. b. Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor's performance. c. IT outsourcing may make it more challenging to align a firm's IT strategic planning and its business planning functions. d. The financial justification for IT outsourcing depends upon the vendor achieving economies of scale. 40. Which of the following audit procedures is not directed at obtaining an understanding of controls over user access privileges? a. Review the privileges of a selection of users and user groups to determine if their access rights are appropriate for their job function. b. Review the system documentation to determine that databases are copied at regular intervals. c. Review personnel records to determine whether employees with privileged access rights undergo an adequately extensive background check. d. Review the organization's policies for separating incompatible functions and ensure they promote reasonable security