15 - III: IT auditing

Question 1

Is the objective different compared to the non-IT auditing?

Answer 1

No.

Question 2

What are disadvantages?

Answer 2

Segregation of duties, lack of audit trails.

Question 3

Advantage?

Answer 3

Uniform processing of transactions.

Question 4

If IT is a major part in the entity, are substantive procedures alone sufficient to obtain sufficient appropriate audit evidence?

Answer 4

Maybe no. The auditor may not be able to limit audit risk to acceptable level if evidence is only available in IT.

Question 5

What are 2 major categories of computer-related controls?

Answer 5

1. General controls - widespread impact on various specific applications.
2. Application controls - affect particular data processing tasks (ex: payroll, cash disbursement, so on).

Question 6

What are 5 categories of general controls?

Answer 6

1. Organization and operation.
2. Systems development, maintenance, and documentation.
3. Hardware and software (built-in controls).
4. Access.
5. Data and procedures.

Question 7

General controls: what is the emphasis on organization and operation? What are 5 examples of duties?

Answer 7

Segregation of duties within the company and IT dept.
System analyst: design the system,
Programmer: develops the code to run the system
Operator: actually run the system.
Librarian: keeps trac of programs and data.
Security: safeguards system.

Question 8

General controls: what must be done in systems development and doc?

Answer 8

Must adequately doc the initial system.

Must doc any changes - all changes must be authorized.

Question 9

General controls: what are checks/functions under hardware and software?

Answer 9

• Parity check: interaction between hardware components.
• Echo check: transmission over phone lines.
• Diagnostic routines: affecting hardware.
• Boundary protection: separating multiple jobs.
• Operating system: built into systems software.

Question 10

General controls: what is data and procedures?

Answer 10

Physical safeguards to protect the data files.
File labels - internal and external labels to avoid misuse.
File protection rings - protect magnetic tapes.
File protection plans - backup plans to provide for data recovery.

Question 11

Application controls: What are 3 types and 2 emphasis for audit?

Answer 11

Input, processing, output.

Accuracy and authorization.

Question 12

Application: Input: what are procedures to prevent errors?

Answer 12

Preprinted forms.
Keypunch verification/duplication.
Control totals.
Logic checks
Error resolution procedures.

Question 13

Application: Input: What are 3 control totals and which one is meaningful?

Answer 13

Hash totals (not meaningful).
Record count.
Batch totals (meaningful).

Question 14

Application: Input: What are 4 types of logic checks?

Answer 14

Limit tests - within predetermined rage.
Validity check - a legitimate code (ex: M or F).
Missing data checks - any omissions?
Check digits - an arithmetic manipulation (added on at the end of a numeric field).

Question 15

Application: Processing: procedure to prepare for case of crash? Other to prevent errors?

Answer 15

Checkpoint/restart for long applications.
Logic checks - limit on processing time (upper limit).
Internal/external labels.
Control totals.
Error resolution procedures.

Question 16

Application: Output: procedures?

Answer 16

Logic checks - output limits: upper limit for printing time or the maximum # of pages permitted.
Control totals.
Error resolution procedures.

Question 17

What can audit software be used for?

Answer 17

Substantive audit purposes to access electronic files, perform routine tasks, data mining, etc.

Question 18

What are 2 types of audit softwares?

Answer 18

1. Generalized audit software: expensive, but can be used for multiple clients.
2. Customized audit software: less expensive, but can be used only for one client.

Question 19

What are 3 types to test I/C (after the fact)?

Answer 19

• Test data: include known errors and check the result.
• Integrated test facility: dummy division.
• Parallel simulation: run, compare output w/ client’s result.

Question 20

What are 2 types to test I/C (during process)?

Answer 20

• Tagging: electronic tag attached to data and observe the process.
• Embedded audit modules (built-in audit routines) and audit hooks (built in points where an audit module can be added later).

Question 21

What is hardware?

Answer 21

The central processing units and related equip.

Question 22

What is software?

Answer 22

• Operating system: runs hardware.

* Compiler: converts the source program (particular language) into machine readable form (object program).

Question 23

What are 2 types of transaction processing modes?

Answer 23

Bath processing: periodic processing.

Online (in direct communication w/CPU) - real time (updated immediately) processing.

Question 24

What is distributed systems?

Answer 24

A network of remote computers linked to the main system (host server). Each location has input, processing output.

Question 25

What are 2 structures of data base system?

Answer 25

Hierarchical and relational.

Question 26

What are 3 types of networks?

Answer 26

• Local area network (LAN): interconnected throughout a building/campus.
• Wide are network (WAN):interconnected throughout a whole city or country.
• Value added network (VAN): an independent network that facilities EDI (electronic data interchange) transactions between buyers and seller.

Question 27

Does paperwork exist for electronic commerce?

Answer 27

no.

Question 28

Electronic commerce: what is point-to-point (point of sale)?

Answer 28

Involves direct computer-to-computer communication.

Question 29

What is a concern for internet-based? What did AICPA develop to address security issues?

Answer 29

Security.

WebTrust