15 - III: IT auditing Flashcards
Is the objective different compared to the non-IT auditing?
No.
What are disadvantages?
Segregation of duties, lack of audit trails.
Advantage?
Uniform processing of transactions.
If IT is a major part in the entity, are substantive procedures alone sufficient to obtain sufficient appropriate audit evidence?
Not necessarily. The auditor may not be able to reduce audit risk to an acceptable level if evidence is available only in IT form.
What are 2 major categories of computer-related controls?
- General controls - widespread impact on various specific applications.
- Application controls - affect particular data processing tasks (e.g., payroll, cash disbursements, and so on).
What are 5 categories of general controls?
- Organization and operation.
- Systems development, maintenance, and documentation.
- Hardware and software (built-in controls).
- Access.
- Data and procedures.
General controls: what is the emphasis on organization and operation? What are 5 examples of duties?
Segregation of duties within the company and IT dept.
System analyst: designs the system.
Programmer: develops the code to run the system.
Operator: actually runs the system.
Librarian: keeps track of programs and data.
Security: safeguards the system.
General controls: what must be done in systems development and doc?
Must adequately document the initial system.
Must document any changes - all changes must be authorized.
General controls: what are checks/functions under hardware and software?
- Parity check: interaction between hardware components.
- Echo check: transmission over phone lines.
- Diagnostic routines: affecting hardware.
- Boundary protection: separating multiple jobs.
- Operating system: built into systems software.
General controls: what is data and procedures?
Physical safeguards to protect the data files.
File labels - internal and external labels to avoid misuse.
File protection rings - protect magnetic tapes.
File protection plans - backup plans to provide for data recovery.
Application controls: What are 3 types and 2 emphases for audit?
Input, processing, output.
Accuracy and authorization.
Application: Input: what are procedures to prevent errors?
Preprinted forms. Keypunch verification/duplication. Control totals. Logic checks. Error resolution procedures.
Application: Input: What are 3 control totals and which one is meaningful?
Hash totals (not meaningful). Record count. Batch totals (meaningful).
Application: Input: What are 4 types of logic checks?
Limit tests - within a predetermined range.
Validity check - a legitimate code (ex: M or F).
Missing data checks - any omissions?
Check digits - an arithmetic manipulation (added on at the end of a numeric field).
Application: Processing: procedure to prepare for case of crash? Other to prevent errors?
Checkpoint/restart for long applications.
Logic checks - limit on processing time (upper limit).
Internal/external labels.
Control totals.
Error resolution procedures.
Application: Output: procedures?
Logic checks - output limits: upper limit for printing time or the maximum # of pages permitted.
Control totals.
Error resolution procedures.
What can audit software be used for?
Substantive audit purposes to access electronic files, perform routine tasks, data mining, etc.
What are 2 types of audit software?
- Generalized audit software: expensive, but can be used for multiple clients.
- Customized audit software: less expensive, but can be used only for one client.
What are 3 ways to test I/C (after the fact)?
- Test data: include known errors and check the result.
- Integrated test facility: dummy division.
- Parallel simulation: run, compare output w/ client’s result.
What are 2 ways to test I/C (during processing)?
- Tagging: electronic tag attached to data and observe the process.
- Embedded audit modules (built-in audit routines) and audit hooks (built in points where an audit module can be added later).
What is hardware?
The central processing units and related equipment.
What is software?
- Operating system: runs hardware.
- Compiler: converts the source program (written in a particular language) into machine-readable form (object program).
What are 2 types of transaction processing modes?
Batch processing: periodic processing.
Online (in direct communication w/CPU) - real time (updated immediately) processing.
What is a distributed system?
A network of remote computers linked to the main system (host server). Each location has its own input, processing, and output.
What are 2 structures of database systems?
Hierarchical and relational.
What are 3 types of networks?
- Local area network (LAN): interconnected throughout a building/campus.
- Wide area network (WAN): interconnected throughout a whole city or country.
- Value added network (VAN): an independent network that facilitates EDI (electronic data interchange) transactions between buyers and sellers.
Does paperwork exist for electronic commerce?
No.
Electronic commerce: what is point-to-point (point of sale)?
Involves direct computer-to-computer communication.
What is a concern for internet-based commerce? What did the AICPA develop to address security issues?
Security.
WebTrust.